
Data collection, spying, tracking - Serbia and the world

Started by дејан, 07-06-2013, 13:32:24



Meho Krljic

If anyone was counting on the U.S. federal court to put a stop to the NSA's runaway spying, they are now immeasurably disappointed:
Federal judge: NSA phone surveillance legal
Quote

A federal judge ruled on Friday that the National Security Agency's bulk collection of millions of Americans' telephone and Internet records is legal and a critical component of the country's effort to combat the threat of terrorism.
The decision by U.S. District Judge William Pauley contrasts with a ruling earlier this month by U.S. District Court Judge Richard Leon and increases the likelihood that the issue will go before the U.S. Supreme Court.
Leon had granted a preliminary injunction against the collecting of phone records, saying the program likely violates the U.S. Constitution's ban on unreasonable search.
The NSA-run programs pick up millions of telephone and Internet records that are routed through American networks each day.
In the 54-page opinion issued in New York, Pauley said the sweeping program "represents the government's counter-punch" to eliminate al-Qaeda's terror network by connecting fragmented and fleeting communications.
"There is no evidence that the Government has used any of the bulk telephony metadata it collected for any purpose other than investigating and disrupting terrorist attacks," he wrote.

The judge further maintained that the program, which sucks up vast amounts of data, is subject to executive and congressional oversight as well as monitoring by the Foreign Intelligence Surveillance Court.

"We are pleased with the decision," Justice Department spokesman Peter Carr said.

In issuing the ruling, Pauley dismissed a lawsuit brought by the American Civil Liberties Union, which had sued after former NSA analyst Edward Snowden leaked details of the secret programs that critics say violate privacy rights.
"We are extremely disappointed with this decision, which misinterprets the relevant statutes, understates the privacy implications of the government's surveillance and misapplies a narrow and outdated precedent to read away core constitutional protections," Jameel Jaffer, ACLU deputy legal director said in a statement.
In hearings last month in New York, an ACLU lawyer had argued that the government's interpretation of its authority under the Patriot Act was so broad that it could justify the mass collection of financial, health and even library records of innocent Americans without their knowledge. A government lawyer had countered that counterterrorism investigators wouldn't find most personal information useful.
The judge acknowledged that the data collection system is far-reaching, and "vacuums up information about virtually every telephone call, to, from or within the United States."
"This blunt tool only works because it collects everything," the judge wrote. "Such a program if unchecked, imperils the civil liberties of every citizen."

While acknowledging this "natural tension" between protecting the nation and preserving civil liberty, Pauley said the system sweeps up huge quantities of data "by design" and could have helped investigators connect the dots before the Sept. 11 terrorist attacks.
"The government learned from its mistake and adapted to confront a new enemy: a terror network capable of orchestrating attacks across the world. It launched a number of counter-measures, including a bulk telephony metadata collection program — a wide net that could find and isolate gossamer contacts among suspected terrorists in an ocean of seemingly disconnected data," he said.
He also found that the right to be free from search and seizures "is fundamental, but not absolute."
"Every day, people voluntarily surrender personal and seemingly-private information to transnational corporations, which exploit that data for profit," Pauley wrote in . Few think twice about it, even though it is far more intrusive than bulk telephony metadata collection.

Contributing: Associated Press


Meho Krljic

NSA reportedly intercepting laptops purchased online to install spy malware

Quote
According to a new report from Der Spiegel based on internal NSA documents, the signals intelligence agency's elite hacking unit (TAO) is able to conduct sophisticated wiretaps in ways that make Hollywood fantasy look more like reality. The report indicates that the NSA, in collaboration with the CIA and FBI, routinely and secretly intercepts shipping deliveries for laptops or other computer accessories in order to implant bugs before they reach their destinations. According to Der Spiegel, the NSA's TAO group is able to divert shipping deliveries to its own "secret workshops" in a method called interdiction, where agents load malware onto the electronics or install malicious hardware that can give US intelligence agencies remote access.

While the report does not indicate the scope of the program, or who the NSA is targeting with such wiretaps, it's a unique look at the agency's collaborative efforts with the broader intelligence community to gain hard access to communications equipment. One of the products the NSA appears to use to compromise target electronics is codenamed COTTONMOUTH, and has been available since 2009; it's a USB "hardware implant" that secretly provides the NSA with remote access to the compromised machine.

This tool, among others, is available to NSA agents through what Der Spiegel describes as a mail-order spy catalog. The report indicates that the catalog offers backdoors into the hardware and software of the most prominent technology makers, including Cisco, Juniper Networks, Dell, Seagate, Western Digital, Maxtor, Samsung, and Huawei. Many of the targets are American companies. The report indicates that the NSA can even exploit error reports from Microsoft's Windows operating system; by intercepting the error reports and determining what's wrong with a target's computer, the NSA can then attack it with Trojans or other malware.

In response to Der Spiegel's report, Cisco senior vice president John Stewart wrote that "we are deeply concerned with anything that may impact the integrity of our products or our customers' networks," and that the company does "not work with any government to weaken our products for exploitation." Other US companies have fired back against reports of NSA tampering in recent months, including Microsoft, which labeled the agency an "advanced persistent threat" over its efforts to secretly collect private user data within the internal networks of Google and Yahoo.


The Der Spiegel report, which gives a broad look at TAO operations, also highlights the NSA's cooperation with other intelligence agencies to conduct Hollywood-style raids. Unlike most of the NSA's operations which allow for remote access to targets, Der Spiegel notes that the TAO's programs often require physical access to targets. To gain physical access, the NSA reportedly works with the CIA and FBI on sensitive missions that sometimes include flying NSA agents on FBI jets to plant wiretaps. "This gets them to their destination at the right time and can help them to disappear again undetected after even as little as a half hour's work," the report notes.

The NSA currently faces pressure from the public, Congress, federal courts, and privacy advocates over its expansive spying programs. Those programs, which include bulk telephone surveillance of American citizens, are said by critics to violate constitutional protections against unreasonable searches, and were uncovered earlier this year by whistleblower Edward Snowden. Beyond the programs that scoop up data on American citizens, Snowden's documents have also given a much closer look at how the spy agency conducts other surveillance operations, including tapping the phones of high-level foreign leaders.

дејан

...barcode never lies
FLA

lilit

ahahah,

I dreamed last night that meho was trying to persuade me to join his planet-famous band and play the harp, and I said: - it doesn't even cross my mind to play with people who don't know how to apply the Pythagorean theorem!
luckily my kid woke me up; I was so angry there would have been casualties. :lol: :lol:
That's how it is with people. Nobody cares how it works as long as it works.

Meho Krljic

Quote from: дејан on 31-12-2013, 17:45:32
Is it like this on purpose, or did it get out of control?

It got out of control, but I found it charming so I left it.


Quote from: lilit on 31-12-2013, 18:24:34
ahahah,

I dreamed last night that meho was trying to persuade me to join his planet-famous band and play the harp, and I said: - it doesn't even cross my mind to play with people who don't know how to apply the Pythagorean theorem!
luckily my kid woke me up; I was so angry there would have been casualties. :lol: :lol:

My band does have one mechanical engineer, though; I suspect he could manage with the PT.

Biki

Quote from: lilit on 31-12-2013, 18:24:34
ahahah,

I dreamed last night that meho was trying to persuade me to join his planet-famous band and play the harp, and I said: - it doesn't even cross my mind to play with people who don't know how to apply the Pythagorean theorem!
luckily my kid woke me up; I was so angry there would have been casualties. :lol: :lol:

Oh lilit, what a nightmare xrofl


Ugly MF


Meho Krljic

Carmakers keep data on drivers' locations



Quote

Washington — A government report finds that major automakers are keeping information about where drivers have been — collected from onboard navigation systems — for varying lengths of time. Owners of those cars can't demand that the information be destroyed. And, says the U.S. senator requesting the investigation, that raises questions about driver privacy.
The Government Accountability Office in a report released Monday found major automakers have differing policies about how much data they collect and how long they keep it.
Automakers collect location data in order to provide drivers with real-time traffic information, to help find the nearest gas station or restaurant, and to provide emergency roadside assistance and stolen vehicle tracking. But, the report found, "If companies retained data, they did not allow consumers to request that their data be deleted, which is a recommended practice."
The report reviewed practices of Detroit's Big Three automakers, Toyota Motor Corp., Honda Motor Co. and Nissan Motor Co. It also looked at navigation system makers Garmin and TomTom and app developers Google Maps and Telenav. The report, which didn't identify the specific policies of individual companies, found automakers had taken steps to protect privacy and were not selling personal data of owners, but said drivers are not aware of all risks.
The agency said privacy advocates worry location data could be used to market to individuals and to "track where consumers are, which can in turn be used to steal their identity, stalk them or monitor them without their knowledge. In addition, location data can be used to infer other sensitive information about individuals such as their religious affiliation or political activities."
Sen. Al Franken, D-Minn., who chairs a judiciary committee on privacy and requested the report, said Monday that more work needs to be done to ensure privacy protections for in-car navigation systems and mapping apps. He plans to reintroduce his location privacy legislation sometime this year.
"Modern technology now allows drivers to get turn-by-turn directions in a matter of seconds, but our privacy laws haven't kept pace with these enormous advances," Franken said in a statement. "Companies providing in-car location services are taking their customers' privacy seriously — but this report shows that Minnesotans and people across the country need much more information about how the data are being collected, what they're being used for, and how they're being shared with third parties."
The Alliance of Automobile Manufacturers, the trade group representing Detroit's Big Three automakers, Toyota, Volkswagen AG and other major automakers, said automakers are committed to driver privacy. "Details of the industry's strict privacy policies are traditionally included in our sales and service agreements," spokeswoman Gloria Bergquist said. "That way, we ensure our customers have the opportunity to familiarize themselves with these strict privacy policies."
In addition to navigation systems, there are other ways vehicles can collect information: Event data recorders, known as "black boxes," store data in the event of crashes. Transponders like EZ-PASS transmit location and are used in some instances by law enforcement and for research. Some owners also agree to monitoring of driving habits to qualify for lower insurance rates or to keep tabs on teen drivers.
The report said "companies should safeguard location data, in part, by de-identifying them; that companies should not keep location data longer than needed; and that such data should be deleted after a specific amount of time." It found companies use different de-identification methods that may lead to varying levels of protection. It also found wide variation in how long they keep information.
GM said in a statement, "OnStar takes seriously matters that affect our customers' privacy and operates its services with strong privacy protections and practices." GM spokeswoman Heather Rosenker said the automaker keeps no records of requests for turn-by-turn navigation.
None of the companies told the GAO how long they keep data.
A contractor that works with three of the companies told the GAO that when a consumer requests services, information such as location, vehicle information number and other information may be kept for up to seven years.
Another company said it "retains personally identifiable location data for no more than 24 hours." A representative from another company said that it does not retain such data at all. However, the report said representatives from both those companies said they kept de-identified location data indefinitely.
The GAO also found one developer of mobile apps did not encrypt transmitted information, and the agency was able to view locations and other information such as passwords. "This developer acknowledged that such data were not encrypted and told us that it had made a decision independent from our review to encrypt the data...," the report said.

дејан


The NSA Uses Radio Waves to Monitor 100,000 Computers Without Internet

Quote
According to the article, the NSA has been using the technology, called Quantum, since 2008. It uses "covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers," which are "sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target...




Meho Krljic

Depressing.... Disney World tracks your every step and collects data on what you do, and the article's author tries to put a certain positive spin on it...



You don't want your privacy: Disney and the meat space data race



Quote
Summary: MailChimp Chief Data Scientist is at Disney World this weekend wearing his RFID-equipped MagicBand. Here's how he thinks the practice of digitally tracking consumers in the physical world will reach everywhere from theme parks to our homes.


When my wife and I went backpacking around Europe 10 years ago, we made a vow to each other. After seeing the stunningly blue waters off Greece, the paragliders sailing through the Austrian Alps, the idyllic countryside of Slovenia, we said, "Never will we take our children to Disney World. Why would you need something so manufactured when you have the real world?"
It's 10 years later. And I left for Disney World on Thursday. The thing I didn't understand, which, now that I have three boys, I know in my bones is this: You can't see Buzz Lightyear while backpacking.
Oh well, Walt! You win.
But as a data scientist at a tech company, I have to admit, I'm geeking out over the technology. Disney World is like a petri dish for advanced analytic techniques because the hotels and parks are all tied together in one large, heavily controlled environment. If you ever wanted to star in The Truman Show, a trip to Disney is the next best thing — it feels like a centrally planned North Korea only with more fun, less torture and the same amount of artifice.
From the mundane to the magical, the fact is there's probably an engineer behind the scenes at Disney who has thought through it. Disney has industrial engineers that work on everything from optimal food-and-beverage pricing and laundry facility optimization, to attraction performance and wait-time minimization (the vaunted FASTPASS system).
MagicBands: like magic beans, except they grow data
But those tried-and-true efforts at optimization were just the appetizer. Earlier this week, there was a knock on my door and there on my doorstep sat a little bit of hand-delivered magic. I opened the package with the sweaty palms of anticipation because, to me, this package represented a billion-dollar investment by Disney in big data analytics.
That investment is called MagicBands. They're a new technology for the park, and the program officially opened up about a month ago. Disney has thought of everything.


The box in which the bands arrived rivaled Apple in its Incredibles-themed design. Each magic band was tucked in a slot, standing up straight, ready to be put on by the vacationer like some fabled amulet. Each rubber wristband was smartly colored with a soft-touch matte.
But under all that visual appeal, beneath the surface of the band, was the reason for Disney's huge investment: a sophisticated RFID tag. These bands, which are individually coded to each visitor, allow Disney to track individuals wherever they go in the parks and resorts with long-range RFID readers. You check into FASTPASS rides with your band, you purchase food by swiping your band and you use it as a key to your hotel room.
The bands are even uniquely colored and monogrammed with your family members' names so that they won't get switched up. Why? Because they don't want their database to get confused and think that you, a 45-year-old man, rode the teacups instead of your little son Timmy. This is one of the first examples I've seen of physical design (e.g., monogramming and coloring) for the sake of digital data purity.

If ever there was a testimony to the importance big data has achieved in business it's this: We will now shape our physical world to create better streams of digital information.
Mickey thinks you need some Buzz Lightyear time
Stop a moment and dream of the MagicBand possibilities.
The pitch that Disney is making is personalization. For each band, for example, Disney asks for the name and birthday of the person who'll be wearing it. So if your kid is having a birthday in the park and there's a character wandering nearby, that character can be notified to sneak up on your kid and creepily wish them a happy birthday individually.
Now, let's dig a little deeper.
What does Disney get out of the deal? In short, it tracks everything you do, everything you buy, everything you eat, everything you ride, everywhere you go in the park. If the goal is to keep you in the park longer so you'll spend more money, it can build AI models on itineraries, show schedules, line length, weather, etc., to figure out what influences stay length and cash expenditure. Perhaps there are a few levers they can pull to get money out of you.


Or perhaps its models know that your family is staying in a high-dollar luxury Disney resort and that this morning you forked over lots of money at the Cinderella character breakfast. But right now your high-dollar family is stuck in a long line at an attraction. If your family gets too tuckered out or frustrated, you might be inclined to call it a day.
So, a model marks you as a candidate for "encouragement." Within the park, a character is notified to make its way over to your children and entertain them until they can get on the ride. This increases enjoyment, decreases perceived exhaustion, and hopefully keeps you around for more meals, more trinkets and more arcade games.
The research questions that might be answered with this type of tracking data are endless:

       
  • What menu items served at breakfast at the resort hotel restaurants will result in the longest stay at the park?
  • Do we detect an influx of park-goers into the bathrooms for long stays on the toilet? Perhaps they all ate at the same place, and we can cut off a foodborne illness problem before it gets worse.
  • Is there a roller coaster that's correlated with early park departure or a high incidence of bathroom visits? That means less money in the park's pockets. How might that coaster be altered?
  • Is there a particular ride and food fingerprint for the type of park visitor that's likely to buy in-park high-dollar merchandise? If so, can we actively get vendors in front of this attendee's eye by moving hawkers to them at just the right time?
The illusion of freedom and agency still exists within the park, but with these bands, you are giving up much of your privacy and freedom to experience something "untailored" in exchange for a better time. Even if that better time is achieved by spending more money.
The future of big data is in meat space
"Meat space" (coined by William Gibson in Neuromancer) is a term for the physical world where our bodies (meat) move around and do meat-like things (for example, eat, jog or go clubbin'). The interesting thing about the term is it's a play on "cyber space" — meat space is an internet-first way of viewing the world.
And that internet-first way of seeing the world is what's driving these changes at Disney, casinos, insurance companies, etc. We've been "cookie-ing" people online and tracking their browsing habits for years, and in that contained environment, businesses have seen the value of acting on personal transactional data. But now businesses are taking this approach and applying it to meat space.
Why? Because cyber space is small, it starts and stops at internet-connected devices. Think of the transactions and interactions that are carried out each day in meat space. Think of the money spent in meat space (on your caramel macchiato, for instance).
While not everyone is online all day long, we're all implicitly offline. Wouldn't it be great if we could gather meat space data and use that to tailor the offline experience much like companies now tailor your online experience? "Personalizing your meat space experience" is a gross way of saying "pretty much control your life."
Which is frightening. But that's exactly what companies want to do.


It's not new. It's one of the fundamental goals of marketing. For example, a discount pricing model implemented on airline seats wants to control your booking decisions by adjusting prices. The control is targeted and specific, so you feel pretty good about it.
We now know this is Google's end game. Self-driving cars, Google Glass and the purchase of Nest — Google is dying to get out of your computer and all up in your life. With Nest, Google won't just know how you like your air to feel. It'll know when you're at work and when you're at home. It gets pieces in a data puzzle that is your entire observable life.
Loyalty cards (those things you swipe at the grocery store) were the first salvos into this real-world data gathering. Now, department stores are doing a lo-fi version of MagicBands by tracking the hardware ID on your cell phone's Wi-Fi card as you wander the store.
Hey, look! That's the same Wi-Fi ID as the person who bought a necklace from us last week. Maybe a sales associate should propose a pair of earrings to them?
This is where data science is headed, and it's part of the reason why there aren't enough qualified data analysts to meet demand. The reach of the discipline is moving out of the browser and into every business that can gather data on your life.
But I'd like to keep my meat private, thanks.
At this point, I'm sure a lot of you are freaked out by the privacy implications of where all this is headed. Indeed, one journalist just compared what Disney is doing to the recent disclosures about the NSA's own tracking programs. But at the end of that article there's a big glaring difference between the NSA and Disney: "Disney fanatics, for their part, can't wait to get their hands on the [MagicBands]."
We want MagicBands!
We don't want the NSA tracking us, because we get nothing in return. It tries to sell us on "terrorism prevention," but most people don't experience that benefit in a visceral way. But this is not to say Americans won't give up privacy for anything.
On the contrary, Americans are very, very cheap dates. For just a modicum of convenience, entertainment and comfort, I'm happy to give you a list of everyone I call and everywhere I go. That's more than I'm sure the NSA has on me. And despite your privacy concerns, most of you are exactly the same way.
Don't believe me? I recently installed a flashlight app on my phone. In exchange for this app that does no more than turn on my phone's camera flash, I give it my geolocation all day long. Who owns this app? No idea. Probably some Ukrainians. What I do know is that this app is worth like $5 to me, and yet that was enough to give these strangers all my info.


Same with Angry Birds (tracks location). Same with LinkedIn (can read AND WRITE my phone call data, can read my "calendar events plus confidential information", etc.). Same with the freaking Shazam app that lets me identify that song playing in the mall. Have you heard of Stylitics? You get your wardrobe mirrored back at you in a virtual closet – whatever that is – and Stylitics gets to sell your clothing data to retailers to better understand where else you shop beside their stores.
We're all wringing our hands over the NSA, and meanwhile we're handing our data as fast as we can to other entities for next to nothing. If the NSA were smart, it would buy Candy Crush Saga, change the permissions, and be done with it.
If we're honest, we give privacy lip service, but we vote with our keypresses and our dollars, and the bands we strap to our wrists.
Expect your future meat space world to feel very much like your cyber space one. The next time your RFID tag lets Mickey know you've got diarrhea, maybe the stall door can make suggestions to you: "Customers who got funnel cake diarrhea also bought Maalox."


Meho Krljic

This was in our media too yesterday: the NSA uses phone apps to, you know, spy on the world. So, Angry Birds and shit:

Angry Birds and 'leaky' phone apps targeted by NSA and GCHQ for user data


Quote
• US and UK spy agencies piggyback on commercial data
• Details can include age, location and sexual orientation
• Documents also reveal targeted tools against individual phones


The National Security Agency and its UK counterpart GCHQ have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information across the internet, according to top secret documents.
The data pouring onto communication networks from the new generation of iPhone and Android apps ranges from phone model and screen size to personal details such as age, gender and location. Some apps, the documents state, can share users' most sensitive information such as sexual orientation – and one app recorded in the material even sends specific sexual preferences such as whether or not the user may be a swinger.
Many smartphone owners will be unaware of the full extent this information is being shared across the internet, and even the most sophisticated would be unlikely to realise that all of it is available for the spy agencies to collect.
Dozens of classified documents, provided to the Guardian by whistleblower Edward Snowden and reported in partnership with the New York Times and ProPublica, detail the NSA and GCHQ efforts to piggyback on this commercial data collection for their own purposes.
Scooping up information the apps are sending about their users allows the agencies to collect large quantities of mobile phone data from their existing mass surveillance tools – such as cable taps, or from international mobile networks – rather than solely from hacking into individual mobile handsets.
Exploiting phone information and location is a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities, for example by using phones as triggering devices in conflict zones. The NSA has cumulatively spent more than $1bn in its phone targeting efforts.
The disclosures also reveal how much the shift towards smartphone browsing could benefit spy agencies' collection efforts.


One slide from a May 2010 NSA presentation on getting data from smartphones – breathlessly titled "Golden Nugget!" – sets out the agency's "perfect scenario": "Target uploading photo to a social media site taken with a mobile device. What can we get?"
The question is answered in the notes to the slide: from that event alone, the agency said it could obtain a "possible image", email selector, phone, buddy lists, and "a host of other social working data as well as location".
In practice, most major social media sites, such as Facebook and Twitter, strip photos of identifying location metadata (known as EXIF data) before publication. However, depending on when this is done during upload, such data may still, briefly, be available for collection by the agencies as it travels across the networks.
Depending on what profile information a user had supplied, the documents suggested, the agency would be able to collect almost every key detail of a user's life: including home country, current location (through geolocation), age, gender, zip code, marital status – options included "single", "married", "divorced", "swinger" and more – income, ethnicity, sexual orientation, education level, and number of children.
The agencies also made use of their mobile interception capabilities to collect location information in bulk, from Google and other mapping apps. One basic effort by GCHQ and the NSA was to build a database geolocating every mobile phone mast in the world – meaning that just by taking tower ID from a handset, location information could be gleaned.
A more sophisticated effort, though, relied on intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.
So successful was this effort that one 2008 document noted that "it effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."
The information generated by each app is chosen by its developers, or by the company that delivers an app's adverts. The documents do not detail whether the agencies actually collect the potentially sensitive details some apps are capable of storing or transmitting, but any such information would likely qualify as content, rather than metadata.
Data collected from smartphone apps is subject to the same laws and minimisation procedures as all other NSA activity – procedures that the US president, Barack Obama, suggested may be subject to reform in a speech 10 days ago. But the president focused largely on the NSA's collection of the metadata from US phone calls and made no mention in his address of the large amounts of data the agency collects from smartphone apps.
The latest disclosures could also add to mounting public concern about how the technology sector collects and uses information, especially for those outside the US, who enjoy fewer privacy protections than Americans. A January poll for the Washington Post showed 69% of US adults were already concerned about how tech companies such as Google used and stored their information.
The documents do not make it clear how much of the information that can be taken from apps is routinely collected, stored or searched, nor how many users may be affected. The NSA says it does not target Americans and its capabilities are deployed only against "valid foreign intelligence targets".
The documents do set out in great detail exactly how much information can be collected from widely popular apps. One document held on GCHQ's internal Wikipedia-style guide for staff details what can be collected from different apps. Though it uses Android apps for most of its examples, it suggests much of the same data could be taken from equivalent apps on iPhone or other platforms.
The GCHQ documents set out examples of what information can be extracted from different ad platforms, using perhaps the most popular mobile phone game of all time, Angry Birds – which has reportedly been downloaded more than 1.7bn times – as a case study.
From some app platforms, relatively limited, but identifying, information such as exact handset model, the unique ID of the handset, software version, and similar details are all that are transmitted.
Other apps choose to transmit much more data, meaning the agency could potentially net far more. One mobile ad platform, Millennial Media, appeared to offer particularly rich information. Millennial Media's website states it has partnered with Rovio on a special edition of Angry Birds; with Farmville maker Zynga; with Call of Duty developer Activision, and many other major franchises.
Rovio, the maker of Angry Birds, said it had no knowledge of any NSA or GCHQ programs looking to extract data from its apps users.
"Rovio doesn't have any previous knowledge of this matter, and have not been aware of such activity in 3rd party advertising networks," said Saara Bergström, Rovio's VP of marketing and communications. "Nor do we have any involvement with the organizations you mentioned [NSA and GCHQ]."
Millennial Media did not respond to a request for comment.
In December, the Washington Post reported on how the NSA could make use of advertising tracking files generated through normal internet browsing – known as cookies – from Google and others to get information on potential targets.
However, the richer personal data available to many apps, coupled with real-time geolocation, and the uniquely identifying handset information many apps transmit give the agencies a far richer data source than conventional web-tracking cookies.
Almost every major website uses cookies to serve targeted advertising and content, as well as streamline the experience for the user, for example by managing logins. One GCHQ document from 2010 notes that cookie data – which generally qualifies as metadata – has become just as important to the spies. In fact, the agencies were sweeping it up in such high volumes that they were struggling to store it.
"They are gathered in bulk, and are currently our single largest type of events," the document stated.
The ability to obtain targeted intelligence by hacking individual handsets has been well documented, both through several years of hacker conferences and previous NSA disclosures in Der Spiegel, and both the NSA and GCHQ have extensive tools ready to deploy against iPhone, Android and other phone platforms.
GCHQ's targeted tools against individual smartphones are named after characters in the TV series The Smurfs. An ability to make the phone's microphone 'hot', to listen in to conversations, is named "Nosey Smurf". High-precision geolocation is called "Tracker Smurf", power management – an ability to stealthily activate a phone that is apparently turned off – is "Dreamy Smurf", while the spyware's self-hiding capabilities are codenamed "Paranoid Smurf".
Those capability names are set out in a much broader 2010 presentation that sheds light on spy agencies' aspirations for mobile phone interception, and that less-documented mass-collection abilities.
The cover sheet of the document sets out the team's aspirations:


These are particularly useful to the agency as data is often only weakly encrypted on such networks, and includes extra information such as handset ID or mobile number – much stronger target identifiers than usual IP addresses or similar information left behind when PCs and laptops browse the internet.
The NSA said its phone interception techniques are only used against valid targets, and are subject to stringent legal safeguards.
"The communications of people who are not valid foreign intelligence targets are not of interest to the National Security Agency," said a spokeswoman in a statement.
"Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true. Moreover, NSA does not profile everyday Americans as it carries out its foreign intelligence mission. We collect only those communications that we are authorized by law to collect for valid foreign intelligence and counterintelligence purposes – regardless of the technical means used by the targets.
"Because some data of US persons may at times be incidentally collected in NSA's lawful foreign intelligence mission, privacy protections for US persons exist across the entire process concerning the use, handling, retention, and dissemination of data. In addition, NSA actively works to remove extraneous data, to include that of innocent foreign citizens, as early as possible in the process.
"Continuous and selective publication of specific techniques and tools lawfully used by NSA to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies – and places at risk those we are sworn to protect."
The NSA declined to respond to a series of queries on how routinely capabilities against apps were deployed, or on the specific minimisation procedures used to prevent US citizens' information being stored through such measures.
GCHQ declined to comment on any of its specific programs, but stressed all of its activities were proportional and complied with UK law.
"It is a longstanding policy that we do not comment on intelligence matters," said a spokesman.
"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework that ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position."
• A separate disclosure on Wednesday, published by Glenn Greenwald and NBC News, gave examples of how GCHQ was making use of its cable-tapping capabilities to monitor YouTube and social media traffic in real-time.
GCHQ's cable-tapping and internet buffering capabilities, codenamed Tempora, were disclosed by the Guardian in June, but the new documents published by NBC from a GCHQ presentation titled "Psychology: A New Kind of SIGDEV" set out a program codenamed Squeaky Dolphin which gave the British spies "broad real-time monitoring" of "YouTube Video Views", "URLs 'Liked' on Facebook" and "Blogspot/Blogger Visits".
A further slide noted that "passive" – a term for large-scale surveillance through cable intercepts – give the agency "scalability".

The means of interception mean GCHQ and NSA could obtain data without any knowledge or co-operation from the technology companies. Spokespeople for the NSA and GCHQ told NBC all programs were carried out in accordance with US and UK law.
• This article was amended on 28 January 2014. It referred to martial status, instead of marital status. This has been corrected.




Plus, of course, when you spy in the name of national security, the definition of national security can be stretched to cover... industrial espionage:

Edward Snowden says NSA engages in industrial espionage


Quote
The U.S. National Security Agency is involved in industrial espionage and will grab any intelligence it can get its hands on regardless of its value to national security, former NSA contractor Edward Snowden told a German TV network.
In text released ahead of a lengthy interview to be broadcast on Sunday, ARD TV quoted Snowden as saying the NSA does not limit its espionage to issues of national security and he cited German engineering firm, Siemens as one target.




"If there's information at Siemens that's beneficial to U.S. national interests — even if it doesn't have anything to do with national security  — then they'll take that information nevertheless," Snowden said, according to ARD, which recorded the interview in Russia where he has claimed asylum.
Snowden also told the German public broadcasting network he no longer has possession of any documents or information on NSA activities and has turned everything he had over to select journalists.
He said he did not have any control over the publication of the information, ARD said.
Questions about U.S. government spying on civilians and foreign officials burst into the open last June when Snowden leaked documents outlining the widespread collection of telephone records and email.


The revelations shocked Germany, a country especially sensitive after the abuses by the Gestapo during the Nazi reign and the Stasi in Communist East Germany during the Cold War.
Reports the NSA monitored Chancellor Angela Merkel's mobile phone have added to the anger in Germany, which has been pushing for a 'no-spy' agreement with the United States, a country it considers to be among its closest allies.
NSA software could help hackers

Snowden's claim the NSA is engaged in industrial espionage follows a New York Times report earlier this month that the NSA put software in almost 100,000 computers around the world, allowing it to carry out surveillance on those devices and could provide a digital highway for cyberattacks.
The NSA planted most of the software after gaining access to computer networks, but has also used a secret technology that allows it entry even to computers not connected to the internet, the newspaper said, citing U.S. officials, computer experts and documents leaked by Snowden.
The newspaper said the technology had been in use since at least 2008 and relied on a covert channel of radio waves transmitted from tiny circuit boards and USB cards secretly inserted in the computers.
Frequent targets of the program, code-named Quantum, included units of the Chinese military and industrial targets.
Snowden faces criminal charges after fleeing to Hong Kong and then Russia, where he was granted at least a year's asylum.
He was charged with theft of government property, unauthorized communication of national security information and giving classified intelligence data to an unauthorized person.
© Thomson Reuters, 2014
Reuters


дејан

Quote
Plus, of course, when you spy in the name of national security, the definition of national security can be stretched to cover... industrial espionage:

Edward Snowden says NSA engages in industrial espionage
well, damn it, that industrial espionage is one of the most important parts of their job!
...barcode never lies
FLA

Meho Krljic


Meho Krljic

Hilarious. David Cameron, the British prime minister, insists that British legislation should introduce broad powers for tracking, wiretapping and recording citizens' communications, on the grounds that in all the police series he watches on television, the good guys save the day in the end because they had access to recordings of phone calls etc. Fuck!


David Cameron Says Snooper's Charter Is Necessary Because Fictional Crime Dramas He Watches Prove It


Quote
You may recall the stories from the past couple years about the so-called "snooper's charter" in the UK -- a system to further legalize the government's ability to spy on pretty much all communications.  It was setting up basically a total surveillance system, even beyond what we've since learned is already being done today.  Thankfully, that plan was killed off by Deputy Prime Minister Nick Clegg.

However, Prime Minister David Cameron is back to pushing for the snooper's charter -- and his reasoning is as stupid as it is unbelievable.  Apparently, he thinks it's necessary because the fictional crime dramas he watches on TV show why it's necessary.  I am not joking, even though I wish I was:

> In the most serious crimes [such as] child abduction communications data... is absolutely vital. I love watching, as I probably should stop telling people, crime dramas on the television. There's hardly a crime drama where a crime is solved without using the data of a mobile communications device.
>
> What we have to explain to people is that... if we don't modernise the practice and the law, over time we will have the communications data to solve these horrible crimes on a shrinking proportion of the total use of devices and that is a real problem for keeping people safe.

Yes, he just said that.  Because fictional characters on crime drama TV shows make use of data, that's somehow proof that it's necessary.  Perhaps someone can send Cameron a copy of Enemy of the State or any other fictional work showing how the government can abuse such information.  Or, better yet, let's have our side stick with reality, and we can just point to real historical events of governments abusing such information.



Bonus: a video showing GCHQ agents destroying the Guardian's equipment holding the data obtained from Edward Snowden


http://www.theguardian.com/world/video/2014/jan/31/snowden-files-computer-destroyed-guardian-gchq-basement-video

Meho Krljic

The dystopia of employee micromanagement:


How your boss can keep you on a leash


Quote
Editor's note: CNN Contributor Bob Greene is a bestselling author whose 25 books include "Late Edition: A Love Story"; "When We Get to Surf City: A Journey Through America in Pursuit of Rock and Roll, Friendship, and Dreams"; and "Once Upon a Town: The Miracle of the North Platte Canteen," which has been named the One Book, One Nebraska statewide reading selection for 2014.
(CNN) -- If you're a person who hates it when your supervisor looks over your shoulder at work, you may want to stop reading this column right now.
Because what follows is only going to depress you.
Hitachi, the big electronics company based in Japan, is manufacturing and selling to corporations a device intended to increase efficiency in the workplace. It has a rather bland and generic-sounding name: the Hitachi Business Microscope.


But what it is capable of doing ... well, just imagine being followed around the office or the factory all day by the snoopiest boss in the world. Even into the restroom.
And, the thing is, once you hear about it, you just know that, from a management point of view, it is an innovation of absolute genius.
Here's how it works:
The device looks like an employee ID badge that most companies issue. Workers are instructed to wear it in the office.
Embedded inside each badge, according to Hitachi, are "infrared sensors, an accelerometer, a microphone sensor and a wireless communication device."
Hitachi says that the badges record and transmit to management "who talks to whom, how often, where and how energetically."
It tracks everything.
If you get up to walk around the office a lot, the badge sends information to management about how often you do it, and where you go.
If you stop to talk with people throughout the day, the badge transmits who you're talking to (by reading your co-workers' badges), and for how long.
Do you contribute at meetings, or just sit there? Either way, the badge tells your bosses.
The stated intention of this is to increase productivity and get the most out of employees.
But a case can be made that, however much we worry that the National Security Agency may be peeking into our lives, we should be just as concerned -- or more -- about the potential for corporations to become their own, private NSAs.
And there's not much, in the future, that employees will be able to do about it. With government surveillance, the public can complain that the state has no right to be scrutinizing the lives of its citizens so intrusively. But corporations can make the argument that supervisors have always been encouraged to keep an eye on how workers are spending their time when they're on the clock -- and that electronic tools such as the Business Microscope are simply a 21st-century way to do that.
The employers are paying for their workers' time, the argument will go -- and if the employees don't like being accountable for how they spend that time, they can always choose to work elsewhere.
Hitachi says that by analyzing the "enormous amount of data collected with the Business Microscope, it will be possible to propose methods to improve organizational communication and quantitatively evaluate efficacy." Among the activities the badges record and transmit, according to Hitachi, are "the distance between people talking face-to face" and "an individual's activity level (active or nonactive), which is determined on the basis of subtle movements detected (such as talking, nodding and silence)."
And the sensor badges never sleep. They never take breaks. They don't go to lunch. As H. James Wilson, a senior researcher at Babson Executive Education, wrote in the Wall Street Journal, the badges not only transmit who employees are talking to and how long the conversations go on, but can "also measure how well they're talking to them." If you're in a conference room with colleagues and they are animated participants in a discussion about, say, sales strategy, while you just remain quiet in your seat, the badge knows it.
Businesses have long dreamed of maximum efficiency, and Hitachi says that, since the Business Microscope was first developed in its labs in 2007, "over one million days of human behavior and big data" have been collected.
(You can imagine the surveillance experts at NSA, and at spy agencies for governments around the world, hearing about what Hitachi has come up with, shaking their heads in admiration, and saying: "Boy, those guys are good!")
The long-term question will be whether companies, in the name of workplace output, will want to risk the morale problems that will inevitably arise among employees who are instructed to wear such devices, manufactured either by Hitachi or by other firms that will engineer their own digital tracking machinery. Technology always wins, but victory can come with a price.
And if employees bristle and become resentful about being kept on such a short electronic leash, that could bring about productivity problems of a different sort. Unhappy workers are not motivated to put in extra effort.
Of course, the employees could get up from their desks, congregate in an out-of-the-way corner of the office, and bitterly complain about it all.
But the badges would know.
And tell.

Meho Krljic

French journalist "hacks" govt by inputting correct URL, later fined $4,000+




A Google search turned up public files that Olivier Laurelli is accused of publishing.

In 2012, French blogger, activist, and businessman Olivier Laurelli sat down at his computer. It automatically connected to his VPN on boot (he owns a small security services company, called Toonux, which was providing a connection via a Panamanian IP address) and began surfing the Web.
Laurelli, who goes by the alias "Bluetouff" in most circles (including on Ars Technica), is something of a presence among the French tech-savvy community. Besides managing Toonux, he also co-founded the French-language activist news site Reflets.info, which describes itself as a "community project to connect journalists and computer networking specialists." As such, Laurelli initiated a Google search on other subjects, but what he stumbled on was perhaps more interesting: a link that led to 7.7 Gb of internal documents from the French National Agency for Food Safety, Environment, and Labor (the acronym is ANSES in French).
Although the documents were openly indexed by Google, Laurelli would soon be in the French government's crosshairs for publishing them. He eventually faced criminal charges, though he was later acquitted of those. However, a separate government agency pursued a civil appeal. And last Tuesday, a French appeals court fined Laurelli 3,000 Euros (or a little over $4,000), meaning he likely made one of the more expensive Google searches to date.
On that fateful night, Laurelli merely used the Linux Wget tool to download all of the contents of the Web directory that he found. He left the files on his drive for a few days and then transferred them to his desktop for more convenient reading (which the French government would later spin as "the accused made backup copies of the documents he had stolen"). A few days later, Laurelli searched through the documents he downloaded and sent some to a fellow Reflets writer, Yovan Menkevick. About two weeks later, a few interesting scientific slides pertaining to nano-substances from the cache were published on Laurelli's site.
He later wrote about how he reacted when discovering the documents—that is, how he faced what at the time was a non-dilemma:
Through a Google search which strictly did not have anything to do with ANSES or with public health, I found myself in the ANSES extranet. Simply by clicking on a search result.

       
  • First observation: there are a lot of documents freely available here.
  • Second observation: they speak about public health.
  • Third observation: L'ANSES is a public establishment.
  • Question: Is it that this ought to be public?
  • Response: (too) obvious at the time: yes.
...I did it wrong.

According to French language site PC Inpact, when ANSES discovered the slides in question on Reflets.info, the agency filed a report with the police, "citing potential 'intrusion into a computer system and data theft from a computer.'" At that point, France's Central Directorate of Interior Intelligence (or DCRI in French) joined the case to investigate how the files had been "hacked."
The DCRI discovered that the files had been downloaded via a Panamanian IP address, and when they discovered that the address was used by a VPN service operated by a Reflets editor, they went after Laurelli. The activist claims that the involvement of the VPN was the tipping point in convincing the investigators that he was guilty or that he at least did something nefarious: "This VPN (in fact above all this Panamanian IP address) is probably one of the strongest elements which had driven the prosecution to pursue a criminal case," he wrote. Laurelli was held in custody for 30 hours before officials indicted him.
Shortly after this, an excerpt from court documents (provided on Laurelli's personal website) shows that ANSES' internal investigation led to an embarrassing discovery: "We [ANSES] have proceeded with internal technical investigations to attempt to identify the method used by the hackers to access and retrieve the documents. Following these analyses, we then found that it was sufficient to have the full URL to access the resource on the extranet in order to bypass the authentication rules on this server." In other words, the method of hacking was inputting the URL correctly.
Incredibly, although a lower criminal court ruled that Laurelli could not be penalized for accessing data that was not secure, the DCRI decided to appeal the decision. That's after ANSES, the organization from which the documents were "stolen" in the first place, decided not to pursue any civil action. Although the court documents are not yet available, French technology news site Numerama and the French-language version of Slate both quote a baffling scene from the first appeals-court hearing in December 2013, which Mediapart (paywalled link) attended. During those opening arguments, a presiding judge appeared unable to pronounce Google (saying "gogleu" instead) and demonstrated an ignorance of how logins occur. The prosecutor did not help this perception, saying at the hearing, "half the words I heard today, I did not even understand."
The appeals court acquitted Laurelli of fraudulently accessing an information system but saw fit to convict Bluetouff of theft of documents and fraudulent retention of information. The court wrote: "It is well demonstrated that he was conscious of his irregular retention in automated data processing, accessed where he downloaded protected evidence; and that investigations have shown that these data had been downloaded before being... disseminated to others; that it is, in any event, established that Olivier Laurelli made copies of computer files inaccessible to the public for personal use without the knowledge and against the will of its owner"
Although $4,000 may not be a huge amount, Le Point explains that the lack of technical knowledge by the courts is hugely troubling for the French public—especially journalists. "This decision should unsettle all citizens, in particular journalists, who could themselves be convicted much more heavily when they publish documents with the same motive: that of informing."
Laurelli, for his part, seems to be taking everything in stride. "It's huge :) I am officially a cybercriminal" he tweeted Wednesday morning.
UPDATE: Laurelli ended up admitting in testimony that when he found the documents, he traveled back to the homepage that they stemmed from and found an authentication page. This indicated that the documents were likely supposed to be protected. That admission played a part in his later conviction in the appeals court.
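
The misconfiguration ANSES describes above, where the entry page asked for authentication but any document could be fetched by its full URL, can be tested for by requesting every protected path with no session at all. The following is an added example, not part of the quoted article or of this thread; the paths, the session token and the helper names (`make_app`, `audit_unauthenticated_exposure`) are constructed for illustration.

```python
"""Entry-page-only authentication versus authentication on every resource."""
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed sample tree standing in for an extranet; not real ANSES paths.
DOCUMENTS = {
    "/extranet/": b"extranet home",
    "/extranet/docs/report-a.pdf": b"constructed sample document A",
    "/extranet/docs/slides-b.ppt": b"constructed sample document B",
}
VALID_SESSIONS = {"constructed-session-token"}  # constructed value


def is_authenticated(environ):
    """True when the request carries a known session cookie."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return morsel is not None and morsel.value in VALID_SESSIONS


def make_app(protect_every_path):
    """Build a WSGI app.

    protect_every_path=False models the flaw: only the entry page checks
    the session, so a client that knows a full document URL is served.
    protect_every_path=True checks the session for the whole subtree.
    """
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        if protect_every_path:
            needs_auth = path.startswith("/extranet/")
        else:
            needs_auth = path == "/extranet/"

        if needs_auth and not is_authenticated(environ):
            # Deny before looking the path up, so an anonymous client
            # cannot tell existing documents from missing ones.
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required"]

        body = DOCUMENTS.get(path)
        if body is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]

        headers = [("Content-Type", "application/octet-stream")]
        if protect_every_path:
            # Defence in depth: tell crawlers not to index protected content.
            headers.append(("X-Robots-Tag", "noindex, nofollow"))
        start_response("200 OK", headers)
        return [body]

    return app


def request(app, path, cookie=None):
    """Call the WSGI app in-process; returns (status_code, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = "GET"
    environ["PATH_INFO"] = path
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = int(status.split()[0])
        seen["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


def audit_unauthenticated_exposure(app, paths):
    """Return the paths an anonymous client can fetch with HTTP 200."""
    return sorted(p for p in paths if request(app, p)[0] == 200)


if __name__ == "__main__":
    for label, flag in (("entry page only", False), ("every path", True)):
        exposed = audit_unauthenticated_exposure(make_app(flag), DOCUMENTS)
        print(f"{label}: exposed without a session -> {exposed}")
```

Run against a real deployment, the same audit would take its path list from the site's own inventory (sitemap, file listing, access logs) and should come back empty for anything meant to sit behind the login page.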



Meho Krljic

Glenn Greenwald explains how the NSA and GCHQ, among other things, use planted, you know, elements to control and poison online discussions, pinning on people things they never did, posing as those people's victims, etc. Nothing, then, that we hadn't suspected anyway. The text has a pile of slides (Snowden really was thorough), so I won't copy it:


https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/

Meho Krljic

Snowden: I raised NSA concerns internally over 10 times before going rogue



Quote
Former National Security Agency contractor Edward Snowden said he repeatedly tried to go through official channels to raise concerns about government snooping programs but that his warnings fell on deaf ears. In testimony to the European Parliament released Friday morning, Snowden wrote that he reported policy or legal issues related to spying programs to more than 10 officials, but as a contractor he had no legal avenue to pursue further whistleblowing.
Asked specifically if he felt like he had exhausted all other avenues before deciding to leak classified information to the public, Snowden responded:
Yes. I had reported these clearly problematic programs to more than ten distinct officials, none of whom took any action to address them. As an employee of a private company rather than a direct employee of the US government, I was not protected by US whistleblower laws, and I would not have been protected from retaliation and legal sanction for revealing classified information about lawbreaking in accordance with the recommended process.
Snowden worked for the CIA before becoming an NSA contractor for various companies. He was working for Booz Allen Hamilton at an NSA facility in Hawaii at the time he leaked information about government programs to the press.
In an August news conference, President Obama said there were "other avenues" available to someone like Snowden "whose conscience was stirred and thought that they needed to question government actions." Obama pointed to Presidential Policy Directive 19 -- which set up a system for questioning classified government actions under the Office of the Director of National Intelligence. However, as a contractor rather than a government employee or officer, Snowden was outside the protection of this system. "The result," Snowden said, "was that individuals like me were left with no proper channels."
Elsewhere in his testimony, Snowden described the reaction he received when relating his concerns to co-workers and superiors. The responses, he said, fell into two camps. "The first were well-meaning but hushed warnings not to 'rock the boat,' for fear of the sort of retaliation that befell former NSA whistleblowers like Wiebe, Binney, and Drake." All three of those men, he notes, were subject to intense scrutiny and the threat of criminal prosecution.
"Everyone in the Intelligence Community is aware of what happens to people who report concerns about unlawful but authorized operations," he said.
The other responses, Snowden said, were similar: suggestions that he "let the issue be someone else's problem." Even the highest-ranking officials he told about his concerns could not recall when an official complaint resulted in the shutdown of an unlawful program, he testified, "but there was a unanimous desire to avoid being associated with such a complaint in any form."
Snowden has claimed that he brought up issues with what he considers unlawful government programs before. The NSA disputes his account, previously telling The Washington Post that, "after extensive investigation, including interviews with his former NSA supervisors and co-workers, we have not found any evidence to support Mr. Snowden's contention that he brought these matters to anyone's attention."
Both Obama and his national security adviser, Susan E. Rice, have said that Snowden should return to the United States and face criminal sanctions for his actions. Snowden was charged with three felonies over the summer and has been living in Russia since fleeing the United States in the wake of the leaks.

Meho Krljic

Why and how Lavabit (the company that gave users an email message protection service, which Snowden also used) was shut down - the company's owner writes for the Guardian:

Secrets, lies and Snowden's email: why I was forced to shut down Lavabit



Quote
For the first time, the founder of an encrypted email startup that was supposed to insure privacy for all reveals how the FBI and the US legal system made sure we don't have the right to much privacy in the first place





My legal saga started last summer with a knock at the door, behind which stood two federal agents ready to serve me with a court order requiring the installation of surveillance equipment on my company's network.
My company, Lavabit, provided email services to 410,000 people – including Edward Snowden, according to news reports – and thrived by offering features specifically designed to protect the privacy and security of its customers. I had no choice but to consent to the installation of their device, which would hand the US government access to all of the messages – to and from all of my customers – as they travelled between their email accounts and other providers on the Internet.
But that wasn't enough. The federal agents then claimed that their court order required me to surrender my company's private encryption keys, and I balked. What they said they needed were customer passwords – which were sent securely – so that they could access the plain-text versions of messages from customers using my company's encrypted storage feature. (The government would later claim they only made this demand because of my "noncompliance".)

Bothered by what the agents were saying, I informed them that I would first need to read the order they had just delivered – and then consult with an attorney. The feds seemed surprised by my hesitation.
What ensued was a flurry of legal proceedings that would last 38 days, ending not only my startup but also destroying, bit by bit, the very principle upon which I founded it – that we all have a right to personal privacy.
In the first two weeks, I was served legal papers a total of seven times and was in contact with the FBI every other day. (This was the period a prosecutor would later characterize as my "period of silence".) It took a week for me to identify an attorney who could adequately represent me, given the complex technological and legal issues involved – and we were in contact for less than a day when agents served me with a summons ordering me to appear in a Virginia courtroom, over 1,000 miles from my home. Two days later, I was served the first subpoena for the encryption keys.
With such short notice, my first attorney was unable to appear alongside me in court. Because the whole case was under seal, I couldn't even admit to anyone who wasn't an attorney that I needed a lawyer, let alone why. In the days before my appearance, I would spend hours repeating the facts of the case to a dozen attorneys, as I sought someone else that was qualified to represent me. I also discovered that as a third party in a federal criminal indictment, I had no right to counsel. After all, only my property was in jeopardy – not my liberty. Finally, I was forced to choose between appearing alone or facing a bench warrant for my arrest.
In Virginia, the government replaced its encryption key subpoena with a search warrant and a new court date. I retained a small, local law firm before I went back to my home state, which was then forced to assemble a legal strategy and file briefs in just a few short days. The court barred them from consulting outside experts about either the statutes or the technology involved in the case. The court didn't even deliver transcripts of my first appearance to my own lawyers for two months, and forced them to proceed without access to the information they needed.

Then, a federal judge entered an order of contempt against me – without even so much as a hearing.
But the judge created a loophole: without a hearing, I was never given the opportunity to object, let alone make any substantive defense, to the contempt charge. Without any objection (because I wasn't allowed a hearing), the appellate court waived consideration of the substantive questions my case raised – and upheld the contempt charge, on the grounds that I hadn't disputed it in court. Since the US supreme court traditionally declines to review cases decided on wholly procedural grounds, I will be permanently denied justice.
In the meantime, I had a hard decision to make. I had not devoted 10 years of my life to building Lavabit, only to become complicit in a plan which I felt would have involved the wholesale violation of my customers' right to privacy. Thus with no alternative, the decision was obvious: I had to shut down my company.
The largest technological question we raised in our appeal (which the courts refused to consider) was what constitutes a "search", i.e., whether law enforcement can demand the encryption keys of a business and use those keys to inspect the private communications of every customer, even when the court has only authorized them to access information belonging to specific targets.
The problem here is technological: until any communication has been decrypted and the contents parsed, it is currently impossible for a surveillance device to determine which network connections belong to any given suspect. The government argued that, since the "inspection" of the data was to be carried out by a machine, they were exempt from the normal search-and-seizure protections of the Fourth Amendment.
More importantly for my case, the prosecution also argued that my users had no expectation of privacy, even though the service I provided – encryption – is designed for users' privacy.
If my experience serves any purpose, it is to illustrate what most already know: courts must not be allowed to consider matters of great importance under the shroud of secrecy, lest we find ourselves summarily deprived of meaningful due process. If we allow our government to continue operating in secret, it is only a matter of time before you or a loved one find yourself in a position like I did – standing in a secret courtroom, alone, and without any of the meaningful protections that were always supposed to be the people's defense against an abuse of the state's power.

дејан

...barcode never lies
FLA

дејан

I was torn between putting this in the drones topic or the surveillance topic, and in the end I decided it belongs here more...


in the latest news we can learn, among other things, that as long as drones (in the US today, and in your democratic jamahiriya tomorrow) do not land on your property, they can film you to their heart's content.

here is how the editor-in-chief of io9 analyzed this question, and as a free warm-up there is the FBI's official reply to Senator Ron Paul's question about how the agency justifies such use of drones.



...barcode never lies
FLA

дејан

although Cracked has lost all credibility (and not only because of its imbecilic articles about Ukraine and other current world events), you can still occasionally read an interesting article there

5 Terrifying Smartphone Hacks You Won't Believe Are Possible


Quote from: subheadings

#5. Your Phone's Tilt Sensor Can Sense What You're Typing on Your Computer
#4. Smartphones Can Steal Your Credit Card Information Just by Being Near Them
#3. Fake "Free Charging" Stations May Be Waiting to Ambush You
#2. Fake Cell Towers Can Turn Your Phone into a Remote Listening Device
#1. Big Brother Can Use Your Phone to Spy on You in 3D
...barcode never lies
FLA

Meho Krljic

Yes, this story about recording text based solely on the vibrations of typing, which people have been talking about for months, is terrifying.

Meho Krljic

Incidentally, what we all knew anyway turns out to be true: the process by which the US government declares you a terrorist and puts you on various watch lists, etc., relies neither on unambiguous evidence nor on any concrete facts at all:




The Secret Government Rulebook For Labeling You a Terrorist

Meho Krljic

Earlier we mentioned how the text you typed can be reconstructed from the sound of typing on a keyboard, and we also know that for at least half a century spying has involved sensitive equipment that uses the vibrations of window panes to decode speech from the room the window belongs to. Things are only getting more sophisticated; here is a video of speech being reconstructed from a visual recording of the vibrations of various objects, for example a bag of chips:


The Visual Microphone: Passive Recovery of Sound from Video

mac

Worrying. On the other hand, it is even possible to read electrical signals in the brain. In a hundred years or so, for important matters we will stop communicating by audio and video and do it only electronically. That, at least, can be encrypted. We will implant shielding around the skull and radio transceivers, so that what we think can be reconstructed only by the person it is intended for.


Meho Krljic

A huge piece in Wired that is partly a conversation with Snowden and partly speculation about futuristic NSA cyberwarfare software:


http://www.wired.com/2014/08/edward-snowden/

дејан

here is another contribution on computer security... for complete monitoring of a data flow you need a bit of wire and a bit of... sweat?!

Stealing encryption keys through the power of touch


Quote
Researchers from Tel Aviv University have demonstrated an attack against the GnuPG encryption software that enables them to retrieve decryption keys by touching exposed metal parts of laptop computers.

There are several ways of attacking encryption systems. At one end of the spectrum, there are flaws and weaknesses in the algorithms themselves that make it easier than it should be to figure out the key to decrypt something. At the other end, there are flaws and weaknesses in human flesh and bones that make it easier than it should be to force someone to offer up the key to decrypt something.

In the middle are a range of attacks that don't depend on flaws on the encryption algorithms but rather in the way they've been implemented. Encryption systems, both software and hardware, can leak information about the keys being used in all sorts of indirect ways, such as the performance of the system's cache, or the time taken to perform encryption and decryption operations. Attacks using these indirect information leaks are known collectively as side channel attacks.

This research is a side-channel attack. The metal parts of a laptop, such as the shielding around USB ports, and heatsink fins, are notionally all at a common ground level. However, this level undergoes tiny fluctuations due to the electric fields within the laptop. These variations can be measured, and this can be used to leak information about encryption keys.

The measurements can be done by directly attaching a digitizer to a metal part of the laptop, but they don't have to be this obvious. The researchers showed that they could retrieve information with connections at the far end of shielded USB, VGA, and Ethernet connections. They also used human touch: a person in contact with metal parts of the laptop can in turn be connected to a digitizer, and the voltage fluctuations can be measured.

The researchers note that this works better in hot weather, due to the lower resistance of sweaty fingers.

While the information retrieval was better when used with high-end lab equipment, the researchers also experimented with using a smartphone connected to Ethernet shielding via its headphone port, and found that this was sufficient to perform some attacks.

The major important source of the voltage variations is the processor. The simplest thing to detect is probably whether the processor is active or sleeping, with the researchers saying that on almost all machines, the difference between an active processor and a processor suspended with the "HLT" instruction could be detected. On many machines, finer grained information was visible. The research recorded the fluctuations with a sample rate of between a few tens of kilohertz, and a few megahertz. These sample rates are far lower than the several gigahertz that processors operate, and so these measurements can't give insight into individual instructions—but this wasn't actually necessary.

During encryption and decryption operations, the processor has to perform certain long-running operations (for example, exponentiation of various large numbers), and these operations caused a consistent, characteristic set of voltage fluctuations. When sampling the voltages at a rate of a few MHz, keys for the RSA and ElGamal encryption algorithms could be extracted in a few seconds.

This attack required a single piece of encrypted data to be decrypted a few times.

Lower sampling rates of a few tens of kilohertz needed an adaptive attack, where multiple, specially chosen pieces of encrypted data are decrypted. The voltage fluctuations reveal a characteristic pattern that varies depending on whether a particular bit of the decryption key is a 1 or a 0. With enough chosen pieces of encrypted data, each bit of the decryption key can be determined.

The researchers have reported their findings to the GnuPG developers, and the software has been altered to reduce some of the information leaked this way. Even with this alteration, the software is not immune to this side channel attack, and different encryption keys can be distinguished from one another. Robust protection is hard to do, because the side-channel is largely a feature of the hardware. Faraday cages can protect against electromagnetic side channels, insulation can protect against this kind of "touching metal parts" attack, and optical fibres can protect against measuring fluctuations in Ethernet connections, but all these drive up costs and are of limited practicality.
...barcode never lies
FLA
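
Added example, not part of the quoted article or the post above and not GnuPG's code: a toy Python model of why a key-dependent sequence of operations in modular exponentiation exposes exponent bits, next to a fixed per-bit sequence (a Montgomery ladder, chosen here for illustration) that removes that particular signal. The `trace` list is an assumption standing in for the measured voltage pattern; the modulus, base and exponents are constructed values.

```python
# Toy model of the leak described in the article: the side channel is
# represented by a list of operation labels ("S" = square, "M" = multiply).
# Real measurements are noisy analog signals; this list is an assumption.

MODULUS = 2**127 - 1          # constructed modulus, not an RSA modulus
BASE = 0x1234567              # constructed ciphertext value
KEY_A = 0b1011001110001011    # constructed 16-bit "secret" exponents
KEY_B = 0b1100110001110101


def modexp_square_multiply(base, exponent, modulus, trace):
    """Left-to-right square-and-multiply.

    The multiply runs only for 1-bits, so the order of operations is a
    direct image of the secret exponent.
    """
    result = 1
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":
            result = (result * base) % modulus
            trace.append("M")
    return result


def modexp_ladder(base, exponent, modulus, trace):
    """Montgomery ladder: one multiply and one square for every bit.

    The operation sequence no longer depends on the bit value. A production
    implementation would also replace the branch with a constant-time swap;
    Python integers are not constant time, so this shows the idea only.
    """
    r0, r1 = 1, base % modulus
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        else:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        trace.extend(("M", "S"))
    return r0


def bits_visible_in_trace(trace):
    """Bits an observer learns if squares and multiplies look different.

    In a square-and-multiply trace, "S" followed by "M" marks a 1-bit and a
    lone "S" marks a 0-bit.
    """
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("not a square-and-multiply trace")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)


def compare(key_a, key_b):
    """Return (naive traces differ?, ladder traces identical?) for two keys."""
    naive_a, naive_b, ladder_a, ladder_b = [], [], [], []
    modexp_square_multiply(BASE, key_a, MODULUS, naive_a)
    modexp_square_multiply(BASE, key_b, MODULUS, naive_b)
    modexp_ladder(BASE, key_a, MODULUS, ladder_a)
    modexp_ladder(BASE, key_b, MODULUS, ladder_b)
    return naive_a != naive_b, ladder_a == ladder_b


if __name__ == "__main__":
    trace = []
    modexp_square_multiply(BASE, KEY_A, MODULUS, trace)
    print("naive trace :", "".join(trace))
    print("bits visible:", bits_visible_in_trace(trace))
    print("secret bits :", bin(KEY_A)[2:])
    print("naive differs / ladder identical:", compare(KEY_A, KEY_B))
```

A uniform operation sequence removes only this one signal; as the article says of the altered software, operand-dependent effects in the hardware can still distinguish keys.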

Meho Krljic

An interesting interactive map showing the degree of internet "freedom" in various countries of the world. Of course it is open to debate what is really free and how, but the people who made this give clear criteria, so comparisons can be made. Unfortunately, many countries are not (yet) included in the map:


https://www.ivpn.net/internet-censorship/

дејан

this has finally come down from conspiracy theories to the general public - phone call interceptors

Mysterious Phony Cell Towers Could Be Intercepting Your Calls


Quote
Like many of the ultra-secure phones that have come to market in the wake of Edward Snowden's leaks, the CryptoPhone 500, which is marketed in the U.S. by ESD America and built on top of an unassuming Samsung Galaxy SIII body, features high-powered encryption. Les Goldsmith, the CEO of ESD America, says the phone also runs a customized or "hardened" version of Android that removes 468 vulnerabilities that his engineering team found in the stock installation of the OS.
His mobile security team also found that the version of the Android OS that comes standard on the Samsung Galaxy SIII leaks data to parts unknown 80-90 times every hour.  That doesn't necessarily mean that the phone has been hacked, Goldsmith says, but the user can't know whether the data is beaming out from a particular app, the OS, or an illicit piece of spyware.  His clients want real security and control over their device, and have the money to pay for it.


To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as "interceptors," detected by the CryptoPhone 500 around the United States during the month of July alone. (The map below is from August.)  Interceptors look to a typical phone like an ordinary tower.  Once the phone connects with the interceptor, a variety of "over-the-air" attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.


"Interceptor use in the U.S. is much higher than people had anticipated," Goldsmith says.  "One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas."


Who is running these interceptors and what are they doing with the calls?  Goldsmith says we can't be sure, but he has his suspicions.


"What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.  So we begin to wonder – are some of them U.S. government interceptors?  Or are some of them Chinese interceptors?" says Goldsmith.  "Whose interceptor is it?  Who are they, that's listening to calls around military bases?  Is it just the U.S. military, or are they foreign governments doing it?  The point is: we don't really know whose they are."


Interceptors vary widely in expense and sophistication – but in a nutshell, they are radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption.  Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor.  The baseband processor functions as a communications middleman between the phone's main O.S. and the cell towers.  And because chip manufacturers jealously guard details about the baseband O.S., it has been too challenging a target for garden-variety hackers.


"The baseband processor is one of the more difficult things to get into or even communicate with," says Mathew Rowley, a senior security consultant at Matasano Security.  "[That's] because my computer doesn't speak 4G or GSM, and also all those protocols are encrypted.  You have to buy special hardware to get in the air and pull down the waves and try to figure out what they mean.  It's just pretty unrealistic for the general community."


But for governments or other entities able to afford a price tag of "less than $100,000," says Goldsmith, high-quality interceptors are quite realistic.  Some interceptors are limited, only able to passively listen to either outgoing or incoming calls.  But full-featured devices like the VME Dominator, available only to government agencies, can not only capture calls and texts, but even actively control the phone, sending out spoof texts, for example.  Edward Snowden revealed that the N.S.A. is capable of an over-the-air attack that tells the phone to fake a shut-down while leaving the microphone running, turning the seemingly deactivated phone into a bug.  And various ethical hackers have demonstrated DIY interceptor projects, using a software programmable radio and the open-source base station software package OpenBTS – this creates a basic interceptor for less than $3,000.  On August 11, the F.C.C. announced an investigation into the use of interceptors against Americans by foreign intelligence services and criminal gangs.


An "Over-the-Air" Attack Feels Like Nothing


Whenever he wants to test out his company's ultra-secure smart phone against an interceptor, Goldsmith drives past a certain government facility in the Nevada desert.  (To avoid the attention of the gun-toting counter-intelligence agents in black SUVs who patrol the surrounding roads, he won't identify the facility to Popular Science).  He knows that someone at the facility is running an interceptor, which gives him a good way to test out the exotic "baseband firewall" on his phone.  Though the baseband OS is a "black box" on other phones, inaccessible to manufacturers and app developers, patent-pending software allows the GSMK CryptoPhone 500 to monitor the baseband processor for suspicious activity. 


So when Goldsmith and his team drove by the government facility in July, he also took a standard Samsung Galaxy S4 and an iPhone to serve as a control group for his own device.


"As we drove by, the iPhone showed no difference whatsoever.  The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G.  The CryptoPhone lit up like a Christmas tree."


Though the standard Apple and Android phones showed nothing wrong, the baseband firewall on the Cryptophone set off alerts showing that the phone's encryption had been turned off, and that the cell tower had no name – a telltale sign of a rogue base station.   Standard towers, run by say, Verizon or T-Mobile, will have a name, whereas interceptors often do not.


And the interceptor also forced the CryptoPhone from 4G down to 2G, a much older protocol that is easier to de-crypt in real-time.  But the standard smart phones didn't even show they'd experienced the same attack. 


"If you've been intercepted, in some cases it might show at the top that you've been forced from 4G down to 2G.  But a decent interceptor won't show that," says Goldsmith.  "It'll be set up to show you [falsely] that you're still on 4G.  You'll think that you're on 4G, but you're actually being forced back to 2G."


So Do I Need One?


Though Goldsmith won't disclose sales figures or even a retail price for the GSMK CryptoPhone 500, he doesn't dispute an MIT Technology Review article from this past spring reporting that he produces about 400 phones per week for $3,500 each.  So should ordinary Americans skip some car payments to be able to afford to follow suit?


It depends on what level of security you expect, and who you might reasonably expect to be trying to listen in, says Oliver Day, who runs Securing Change, an organization that provides security services to non-profits.


"There's this thing in our industry called "threat modeling," says Day.  "One of the things you learn is that you have to have a realistic sense of your adversary. Who is my enemy?  What skills does he have?  What are my goals in terms of security?"


If you're not realistically of interest to the U.S. government and you never leave the country, then the CryptoPhone is probably more protection than you need. Goldsmith says he sells a lot of phones to executives who do business in Asia.  The aggressive, sophisticated hacking teams working for the People's Liberation Army have targeted American trade secrets, as well as political dissidents.


Day, who has written a paper about undermining censorship software used by the Chinese government, recommends people in hostile communications environments watch what they say over the phone and buy disposable "burner" phones that can be used briefly and then discarded.


"I'm not bringing anything into China that I'm not willing to throw away on my return trip," says Day.


Goldsmith warns that a "burner phone" strategy can be dangerous.  If Day were to call another person on the Chinese government's watch list, his burner phone's number would be added to the watch list, and then the government would watch to see who else he called.  The CryptoPhone 500, in addition to alerting the user whenever it's under attack, can "hide in plain sight" when making phone calls.  Though it does not use standard voice-over-IP or virtual private network security tools, the CryptoPhone can make calls using just a WI-FI connection -- it does not need an identifiable SIM card.  When calling over the Internet, the phone appears to eavesdroppers as if it is just browsing the Internet.


I would recommend following the links inside the text as well
...barcode never lies
FLA
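
Added example, not part of the quoted article or the post above and not the CryptoPhone's software: a Python sketch of the three tell-tale signs the article attributes to the baseband firewall (encryption turned off, a tower with no name, a forced drop from 4G to 2G), combined so that a single weak signal does not raise an alert. The log format, field names, cell identifiers, carrier name and the two-indicator threshold are all assumptions, and the sample lines are constructed; the records are assumed to come from the baseband, since the article notes the on-screen network indicator can be falsified.

```python
# Constructed sample: one line per serving-cell change, as a hypothetical
# baseband monitor might log it. None of these values come from a real device.
SAMPLE_LOG = """\
2014-07-12T10:00:05 rat=4G cell=cell-101 name=CarrierA cipher=on
2014-07-12T10:03:10 rat=3G cell=cell-102 name=CarrierA cipher=on
2014-07-12T10:03:40 rat=4G cell=cell-103 name=CarrierA cipher=on
2014-07-12T10:20:00 rat=2G cell=cell-999 name= cipher=off
2014-07-12T10:21:30 rat=4G cell=cell-104 name=CarrierA cipher=on
2014-07-12T10:40:00 rat=2G cell=cell-105 name=CarrierA cipher=on
"""

ALERT_THRESHOLD = 2  # assumed: require at least two indicators together


def parse_event(line):
    """Turn 'timestamp key=value ...' into a dict; empty values stay empty."""
    stamp, *fields = line.split()
    event = {"time": stamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def indicators(previous, current):
    """Return the article's warning signs that apply to this cell change."""
    found = []
    if current.get("cipher") == "off":
        found.append("encryption-off")
    if not current.get("name"):
        found.append("unnamed-tower")
    # A direct 4G -> 2G transition. The brief 4G -> 3G -> 4G dip that the
    # stock phone showed in the article is deliberately not counted.
    if (previous is not None
            and previous.get("rat") == "4G"
            and current.get("rat") == "2G"):
        found.append("forced-4G-to-2G")
    return found


def review(log_text):
    """Walk the log in order and return (cell, indicators) for each alert."""
    alerts = []
    previous = None
    for line in log_text.strip().splitlines():
        current = parse_event(line)
        found = indicators(previous, current)
        if len(found) >= ALERT_THRESHOLD:
            alerts.append((current["cell"], found))
        previous = current
    return alerts


if __name__ == "__main__":
    for cell, found in review(SAMPLE_LOG):
        print(f"ALERT {cell}: {', '.join(found)}")
```

The last sample line shows why the threshold matters: a named, encrypted 2G cell reached from 4G carries one indicator and is not reported.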

дејан

one more related article - plus the history of NSA surveillance (as known to the public so far)

Quote
The US government, with assistance from major telecommunications carriers including AT&T, has engaged in a massive illegal dragnet surveillance of domestic communications and communications records of millions of ordinary Americans since at least 2001. Since this was first reported on by the press and discovered by the public in late 2005, EFF has been at the forefront of the effort to stop it and bring government surveillance programs back within the law and the Constitution.

History of NSA Spying Information since 2005 (See EFF's full timeline of events here)

News reports in December 2005 first revealed that the National Security Agency (NSA) has been intercepting Americans' phone calls and Internet communications. Those news reports, combined with a USA Today story in May 2006 and the statements of several members of Congress, revealed that the NSA is also receiving wholesale copies of Americans' telephone and other communications records. All of these surveillance activities are in violation of the privacy safeguards established by Congress and the US Constitution.

In early 2006, EFF obtained whistleblower evidence (.pdf) from former AT&T technician Mark Klein showing that AT&T is cooperating with the illegal surveillance. The undisputed documents show that AT&T installed a fiberoptic splitter at its facility at 611 Folsom Street in San Francisco that makes copies of all emails, web browsing, and other Internet traffic to and from AT&T customers and provides those copies to the NSA. This copying includes both domestic and international Internet activities of AT&T customers. As one expert observed, "this isn't a wiretap, it's a country-tap."

Secret government documents, published by the media in 2013, confirm the NSA obtains full copies of everything that is carried along major domestic fiber optic cable networks.  In June 2013, the media, led by the Guardian and Washington Post started publishing a series of articles, along with full government documents, that have confirmed much of what was reported in 2005 and 2006 and then some. The reports showed, and the government later admitted, that the government is mass collecting phone metadata of all US customers under the guise of the Patriot Act. Moreover, the media reports confirm that the government is collecting and analyzing the content of communications of foreigners talking to persons inside the United States, as well as collecting much more, without a probable cause warrant. Finally, the media reports confirm the "upstream" collection off of the fiberoptic cables that Mr. Klein first revealed in 2006. (See EFF's How It Works page here for more)

EFF Fights Back in the Courts

EFF is fighting these illegal activities in the courts. Currently, EFF is representing victims of the illegal surveillance program in Jewel v. NSA, a lawsuit filed in September 2008 seeking to stop the warrantless wiretapping and hold the government and government officials behind the program accountable. In July 2013, a federal judge ruled that the government could not rely on the controversial 'state secrets' privilege to block our challenge to the constitutionality of the program. This case is being heard in conjunction with Shubert v. Obama, which raises similar claims. Also in July, 2013, EFF filed another lawsuit, First Unitarian v. NSA, based on the recently published FISA court order demanding Verizon turn over all customer phone records including who is talking to whom, when and for how long—to the NSA. This so-called "metadata," especially when collected in bulk and aggregated, allows the government to track the associations of various political and religious organizations. The Director of National Intelligence has since confirmed that the collection of Verizon call records is part of a broader program.

In addition to making the same arguments we made in Jewel, we argue in First Unitarian v. NSA that this type of collection violates the First Amendment right to association. Previously, in Hepting v. AT&T, EFF filed the first case against a cooperating telecom for violating its customers' privacy. After Congress expressly intervened and passed the FISA Amendments Act to allow the Executive to require dismissal of the case, Hepting was ultimately dismissed by the US Supreme Court.
...barcode never lies
FLA

Meho Krljic

You beat me to it, I was just about to post the same thing.  :lol: We'll see how much any of this bothers Americans at all, because a year and a bit after Snowden's revelations and the hard times for the NSA, during which they occasionally lied outright to Congress, there is no sign of any kind of broad popular movement for the preservation of privacy. It is mostly liberal politicians and the technical intelligentsia who protest, but that's about it.

дејан

we here are perfectly anesthetized, so how could they not be, with all the blessings of the modern world?!

but ever since Snowden has been in Moscow, a serious military-political mess has kicked off; I think that with that defection a kind of quickening of accumulated potential global conflicts of interest took place.
so I don't see that defection as merely a local (US) footnote, but as one of the more serious chapters of future history.
...barcode never lies
FLA

Meho Krljic

First US appeals court hears argument to shut down NSA database



Quote
Six days after the first Snowden leak appeared on the front pages of newspapers worldwide, the American Civil Liberties Union filed a lawsuit to stop the mass surveillance by US intelligence agencies. A New York federal judge ruled against the ACLU in December. Today, ACLU lawyers made a second effort, making their case to a three-judge panel on the US Court of Appeals for the 2nd Circuit. It's the first time a US Appeals Court has considered whether the "bulk telephony" database is constitutional.
Oral arguments stretched on for nearly two hours this morning, an unusually long argument for the US Court of Appeals for the 2nd Circuit, which often gives just 10 or 15 minutes to each side for oral argument in an appeal case. C-SPAN was allowed to record and broadcast the full proceeding, another unusual step in an appeals court that's nearly always closed to cameras. The proceedings can be viewed on C-SPAN's website.
ACLU v. Clapper is one of three cases challenging mass surveillance that are now headed to appeals courts. Another case, Klayman v. Obama, was filed in Washington, DC federal courts just one day after the surveillance revelations. In that case, DC-based US District Judge Richard Leon ruled that the NSA's spying technology was "almost Orwellian" and likely unconstitutional.
A third case, Smith v. Obama, was filed later, and also resulted in the NSA program being upheld. It's now headed to the 9th Circuit, joined by the ACLU and Electronic Frontier Foundation.
In a blog post accompanying today's argument, ACLU lawyer Alex Abdo suggested that even getting the issues debated in the open was a step forward.
"The legal challenges are also significant for the simple fact that they have forced the government to defend its program in public," he wrote. "For over a decade, the government has thwarted all attempts at public judicial review of the legality of the surveillance programs it inaugurated in the aftermath of 9/11."
"The injury is ongoing"
Today's extensive questioning, which focused on just a few of the questions raised in both sides' briefs, didn't suggest in any obvious way how the three-judge panel might rule.
Abdo spoke first, making his case that the broad collection program warrants an injunction.
"If Section 215 [of the Patriot Act] permits bulk collection, it would be permitted not just for phone records but for any records," he said. "Not just in the context of terrorism, but in the context of any crime involving more than one person."


"If the government were to get FISA Court approval before entering a query, would that essentially end the controversy here?" asked Senior Judge Robert Sack.
"We would love it if the government ended bulk collection of Americans' phone records," said Abdo. He continued:
If the government did that, and purged the records it currently has, that would resolve everything put at issue by our preliminary injunction motion. But that is not the current state of affairs. It would be unwise to expect this Congress or the next to act... the injury is ongoing on a daily basis. Even if Congress acts in several months, we're entitled to a remedy today.
Senior Judge Robert Sack asked if the prudent thing might not be to wait. "Might we not say—great, we agree with you, but there's other litigation going on," he said. "We want to let the Supreme Court have a kick at the ball. Does it make sense to say, here are our views—and then wait until the DC Circuit speaks, and the Supreme Court has an opportunity to speak? Before actually making an order, an injunction? Suppose we're wrong, and someone blows up a subway train?"
It would be well within the court's authority to act now, said Abdo.
Much of Abdo's argument centered around the issue of whether the warrantless phone database should be legal under the 4th Amendment, which bans "unreasonable" searches without a warrant. The government has argued that "pen registers," which capture which numbers are called by a telephone, are legal under a 1979 case, Smith v. Maryland. That's the precedent that Leon essentially said wasn't appropriate for the digital age, when he ruled against the NSA.
Circuit Judge Gerald Lynch suggested they put aside Smith v. Maryland for a minute. Even without that precedent, "isn't there still quite a bit to the government's argument—that in this context, there's not much expectation of privacy in this record?" He continued:
In the opening of your brief you have this nice parade of horribles, all the things that the government could find out. Whether it's likely someone was HIV positive, or had an abortion. But couldn't Verizon find out those things if it chose? And go into the records it has, and determine the same kind of search, of the same kind of private information?
"I don't think our contract provides for unlimited access to our call records," said Abdo. "No one has ever suggested that Verizon's ability to listen to the content of our communications means we have no expectation of privacy."
"How, without any fact-finding at all, can we begin to know whether this is reasonable or not?" asked Sack.
Fact-finding isn't necessary, said Abdo, in part because President Barack Obama has already acknowledged—by his openness to intelligence reforms—that the government doesn't need a vast telephony database to fight terror. "The government has conceded there are alternative, less intrusive means," he said.
"If the president thought that, then why did he send his lawyers here to say that you should lose?" asked Lynch.
Questions of intent
"This case concerns an intelligence program that has been considered and approved by all three branches of government," said Assistant Attorney General Stuart Delery, arguing for the government.
The collection of "call detail records" was "twice reauthorized without change, after Congress was briefed on this very program."
"It also allows [the intelligence agencies] to build a historical repository for some period of time," and to see connections between users of different telephone companies, said Delery. "Going in, the government doesn't know which of the metadata might reveal an important connection to a known terrorist."


"So you're saying they're not relevant, really, to an investigation right now," said Lynch. "You're saying that you want to have them in case they become relevant."
Both Sacks and Lynch questioned the idea that Congress had OK'd the program in any kind of straightforward way.
"I wonder how valid the ratification argument is when you're dealing with secret law," said Sacks. "I'm not sure that ratification carries as much baggage as you want it to, until June of 2013, when people knew what was going on."
Delery pushed forward with his argument that Congress had understood and approved the programs. He even noted the oblique 2011 warnings about spying made by Sens. Ron Wyden (D-OR) and Mark Udall (D-CO), as proof that Congress had known what they were doing.
"The intelligence committees were briefed over time, and in advance of reauthorization in both 2010 and 2011, the executive branch provided a briefing paper to be made available to all members [of the House of Representatives] in 2010, before the ratification, and of all Senators in 2011."
"I would find this a lot more reassuring if it were subject to an adversary process," said Sacks.

"As Your Honor may be aware, changes to the program [under consideration] would include provisions that allow for the kind of approach you're talking about," said Delery. "These [databases] can only be queried for counter-terrorism purposes, and then only when the selection term is connected, associated with a specified foreign terrorist organization."
Abdo was allowed to get in the last word with a short rebuttal.
"Ratification... is not a game of 'gotcha' with Congressional intent," he said. "Many members of Congress weren't aware of the program. Those that were, weren't provided legal analysis of the program. And those that were, weren't allowed to discuss it with their colleagues or constituents."
Update 9/3: Story changed to reflect that Smith v. Obama is also on appeal.

Meho Krljic

The NSA and GCHQ plan to map the entire Internet.



Treasure Map: The NSA Breach of Telekom and Other German Firms



Quote
When it comes to choosing code names for their secret operations, American and British agents demonstrate a flair for creativity. Sometimes they borrow from Mother Nature, with monikers such as "Evil Olive" and "Egoistic Giraffe." Other times, they would seem to take their guidance from Hollywood. A program called Treasure Map even has its own logo, a skull superimposed onto a compass, the eye holes glowing in demonic red, reminiscent of a movie poster for the popular "Pirates of the Caribbean" series, starring Johnny Depp.


Treasure Map is anything but harmless entertainment. Rather, it is the mandate for a massive raid on the digital world. It aims to map the Internet, and not just the large traffic channels, such as telecommunications cables. It also seeks to identify the devices across which our data flows, so-called routers.
Furthermore, every single end device that is connected to the Internet somewhere in the world -- every smartphone, tablet and computer -- is to be made visible. Such a map doesn't just reveal one treasure. There are millions of them.
The breathtaking mission is described in a Treasure Map presentation from the documents of the former intelligence service employee Edward Snowden which SPIEGEL has seen. It instructs analysts to "map the entire Internet -- Any device, anywhere, all the time."
Treasure Map allows for the creation of an "interactive map of the global Internet" in "near real-time," the document notes. Employees of the so-called "FiveEyes" intelligence agencies from Great Britain, Canada, Australia and New Zealand, which cooperate closely with the American agency NSA, can install and use the program on their own computers. One can imagine it as a kind of Google Earth for global data traffic, a bird's eye view of the planet's digital arteries.
Battlefield Map
In addition to monitoring one's own networks as well as those belonging to "adversaries," Treasure Map can also help with "Computer Attack/Exploit Planning." As such, the program offers a kind of battlefield map for cyber warfare.
The New York Times reported on the existence of Treasure Map last November. What it means for Germany can be seen in additional material in the Snowden archive that SPIEGEL has examined.
Treasure Map graphics don't just provide detailed views of German cable and satellite networks. Red markings also reveal to agents which carriers and internal company networks FiveEyes agencies claim to have already accessed. Of particular interest from the German perspective are two "Autonomous Systems" (AS) -- networks -- marked in red. They are labeled Deutsche Telekom AG and Netcologne, a Cologne-based provider.
The legend for the graphics in question explains the meaning behind the red markings: "Red Core Nodes: SIGINT Collection access points within AS." SIGINT refers to signals intelligence. In other words, networks marked with a red dot are under observation.
Regional provider Netcologne operates its own fiber-optic network and provides telephone and Internet services to over 400,000 customers. The formerly state-owned company Telekom, of which the German government still owns a 31.7 percent stake, is one of the dozen or so international telecommunications companies that operate global networks, so-called Tier 1 providers. In Germany alone, Telekom provides mobile phone services, Internet and land lines to 60 million customers.
According to the logic of the undated Treasure Map documents, that would mean that the NSA and its partner agencies are perhaps not only able to monitor the networks of these companies and the data that travels through them, but also the end devices of their customers. Where exactly the NSA gained access to the companies' networks is not made clear in the graphics. The red-marked AS of Deutsche Telekom by itself includes several thousand routers worldwide.
'Completely Unacceptable'
The German company is also active in the US and Great Britain. Furthermore, it is part of the TAT14 telecommunications cable consortium; the cable runs via Great Britain to the east coast of the US. "The accessing of our network by foreign intelligence agencies," says a Telekom spokesperson, "would be completely unacceptable."
Because Netcologne is a regional provider, it would seem highly likely that the NSA or one of its Treasure Map partners accessed the network from within Germany. That would be a clear violation of German law and potentially another NSA-related case for German public prosecutors. Thus far, the only NSA-related case currently being investigated is the monitoring of Chancellor Angela Merkel's mobile phone.
Several weeks ago, SPIEGEL shared a GCHQ document with both companies in order to give them an opportunity to look into the alleged security breaches themselves. The security departments of both firms say they launched intensive investigations but failed to find suspicious mechanisms or data streams leaving the network.
Telekom and Netcologne are not the first German companies to have been successfully hacked by Anglo-American intelligence agencies, according to their own documents. In March, SPIEGEL reported on the large-scale attack by the British agency GCHQ on German satellite teleport operators Stellar, Cetel and IABG. Such providers offer satellite Internet connections to remote regions of the world. All three companies are marked red on the Treasuremap graphic, meaning that the NSA and its partner agencies have, according to their documents, internal "Collection Access Points."
SPIEGEL also contacted 11 non-German providers marked in the documents to request comment. Four answered, all saying they examined their systems and were unable to find any irregularities. "We would be extremely concerned if a foreign government were to seek unauthorized access to our global networks and infrastructure," said a spokesperson for the Australian telecommunications company Telstra.
'Key Staff'
Just how far GCHQ and NSA go to improve their secret map of the Internet and its users can be seen in the example of Stellar.
The document describing the attack on the business, part of the so-called Mittelstand of small- to medium-sized companies that form the backbone of the German economy, originates from the Network Analysis Center of Britain's GCHQ, which is based in Bude along the Atlantic coast in Cornwall. The document lists "key staff" at the company. The document states they should be identified and "tasked." "Tasking" somebody in signals intelligence jargon means that they are to be targeted for surveillance. In addition to CEO Christian Steffen, nine other employees are named in the document.
The attack on Stellar has notable similarities with the GCHQ surveillance operation targeting the half-state-owned Belgian provider Belgacom, which SPIEGEL reported on in the summer of 2013. There too, the GCHQ Network Analysis department penetrated deeply into the Belgacom network and that of its subsidiary BICS by way of hacked employee computers. They then prepared routers for cyber-attacks.
SPIEGEL reporters visited Stellar at its offices in Hürth, near Cologne, and presented passages of the documents in question to the CEO as well as three other employees cited by the British. A video of the visit can be seen here.
Among other things, Steffen and his colleagues were able to recognize in the GCHQ document a listing for their central server including the company's mail server, which the attackers appear to have hacked.
The document also includes details about the concrete findings of the spying efforts, including an internal table that shows which Stellar customers are being served by which specific satellite transponders. "Those are company secrets and sensitive information," said Stellar's visibly shocked IT chief, Ali Fares, who is himself cited as an employee to be "tasked."
'Fuck!'
Any remaining sanguinity is lost at the point the Stellar officials see the password for the central server of an important customer in the intelligence agency documents. The significance of the theft is immense, Fares says. The information, he continues, could allow the agencies to cut off Internet access to customers in, for example, Africa. It could also allow them to manipulate links and emails.
CEO Steffen commented on the document with a terse "Fuck!" He considers it to be final proof that his company's systems were illegally breached. "The hacked server stood behind our company's own firewall," he said. "The only way of accessing it is if you first successfully break into our network." The company in question is no longer a customer with Stellar.
When asked if there are any possible reasons that would prompt Britain, an EU partner country, to take such an aggressive approach to his company, Steffen just shrugged his shoulders, perplexed. "Our customer traffic doesn't run across conventional fiber optic lines," he said. "In the eyes of intelligence services, we are apparently seen as difficult to access." Still, he argues, "that doesn't give anyone the right to break in."
The founder and CEO of Stellar says he has no intention of letting this pass. "A cyber-attack of this nature is a clear criminal offense under German law," he said. "I want to know why we were a target and exactly how the attack against us was conducted -- if for no other reason than to be able to protect myself and my customers from this happening again." Six weeks ago, Steffen wrote a letter to the British government asking for an explanation, but he has not received an answer. Both GCHQ and NSA have likewise declined comment on the matter.
Meanwhile, Deutsche Telekom's security division has conducted a forensic review of important routers in Germany, but has yet to detect anything. Volker Tschersich, who heads the security division, says it's possible the red markings in Treasure Map can be explained as access to the Tat14 cable, in which Telekom occupies a frequency band in Britain and the US. At the end of last week, the company informed Germany's Federal Office for Information Security of SPIEGEL's findings. The classified documents also indicate that other data from Germany contributes to keeping the global treasure map current. Of the 13 servers the NSA operates around the world in order to track current data flows on the open Internet, one is located somewhere in Germany.
Like the other servers, this one, which feeds data into the secret NSA network is "covered" in a data center.
NSA and GCHQ Treasure Map Documents
The following selection of NSA and GCHQ documents pertain to Treasure Map and the access to internal networks of German and non-German companies achieved via the program. SPIEGEL has redacted them to obscure the most sensitive information.

  • Satellite Teleport Knowledge -- Stellar
  • Bad Guys Are Everywhere -- Treasure Map Presentation
  • Treasure Map Announces a New Release

дејан


http://nsasimulator.com/

Quote
NSA Simulator.com is a website which embeds the video feeds of various security cams streamed open on the web. We do not host any illegal content and only stream the content which is already public. We are just making the browsing easy. We have scripts which find and insert live webcams and then we have automated checking systems which remove the feed from the index if it is down. Please note, this website is not created to break into others' privacy. The aim is to show everyone that security measures are needed to be taken to avoid hackers from gaining access to their systems.
...barcode never lies
FLA

Meho Krljic

Ah, Australia....

Metadata, including internet browsing history, can be made available at a court's request - but in civil lawsuits  :cry: :cry: :cry:



Oz gov lets slip: telco metadata might be available to civil courts


Quote
A series of slips by the nation's top cop followed by communications minister Malcolm Turnbull has made Australia's data retention bill even more of a potential horror than it seemed when it was introduced last week.
It started with the Australian Federal Police commissioner Andrew Colvin saying that stored telecommunications metadata could be used to go after people who infringe copyright online. That statement, made on October 30, was unequivocal – he used the word "absolutely".


It's always a bad idea for police to rashly tell the world what they really think.
The first response came from Senator George Brandis, who said that the data retention bill is all about criminal, not civil matters. Turnbull similarly explained that outfits like the AFP and ASIO aren't interested in copyright infringement (not that Colvin's use-case can't happen, only that two specific agencies aren't going to try to use the data that way).
That became the chorus-sheet, with Colvin toeing the "not interested" line on ABC Radio.
Perhaps feeling the heat, Turnbull then clarified the position further, telling ZDNet's Josh Taylor that if film studios want to use metadata to sue Torrenters, they won't be able to do their dirty work through the police, but would have to ask the courts to give them access to it.
At which point, it looks like each successive explanation has made things just that little bit worse.
It's not only that Turnbull's timing is shocking, since ISPs are right now resisting legal action trying to force them to reveal subscriber information through the courts to a copyright troll.
It's that there's nothing in any of the statements – Turnbull's, Colvin's, or Brandis' – that confines any such court process to copyright. The data is there, and accessible through the courts.
By whom, exactly? How much data could a court open up to a smart and well-funded litigant?
How would the average individual, without access to Philip Street lawyers, resist having their data swept up by someone demanding access to their metadata? Today, the IP address assigned to you or I isn't available to be pettifogged by a lawyer because it doesn't exist. Will it be the same tomorrow?
With injudicious statements, ill-conceived legislation, and its desire to metasplain its way out of trouble, the federal government has told the world: your metadata will be available to the civil courts.
And lawyers are already gathering, telling the ABC's PM program that metadata could be demanded in family law cases and insurance cases. Instead of creating the government-control beloved of conservative states, the government has created a honeypot for the scummiest practitioners of the legal profession. Personally, I fear them more than I fear most hackers.
Two senior cabinet ministers, Brandis and Turnbull, aggregate such outrageous incompetence that they couldn't predict this, and they're both lawyers.
There's also the assertion that copyright infringements aren't of interest to the AFP, which is only half true. As the government's IP Australia Website explains here:
The Copyright Act 1968 similarly provides for criminal sanctions. Under this Act it is an offence to:

  • knowingly import, possess, sell, distribute or commercially deal with an infringing copy
  • offer for sale infringing copies of computer programs
  • transmit a computer program to enable it to be copied when received.
If there were a criminal copyright infringement investigation in hand, rather than a merely civil complaint, a target's metadata would be in the mix. "Absolutely", as AFP commissioner Colvin honestly put it, before the backpedalling began.
What's depressing is that Australians probably won't take to the streets about this issue. It's unlikely they'll read even a handful of the stories about the data retention regime. And thus does a country sleepwalk into a Stasi-like regime.

Meho Krljic

British Spies Are Free to Target Lawyers and Journalists

Quote
British spies have been granted the authority to secretly eavesdrop on legally privileged attorney-client communications, according to newly released documents.
On Thursday, a series of previously classified policies confirmed for the first time that the U.K.'s top surveillance agency Government Communications Headquarters (pictured above) has advised its employees: "You may in principle target the communications of lawyers."
The U.K.'s other major security and intelligence agencies—MI5 and MI6—have adopted similar policies, the documents show. The guidelines also appear to permit surveillance of journalists and others deemed to work in "sensitive professions" handling confidential information.
The documents were made public as a result of a legal case brought against the British government by Libyan families who allege that they were subjected to extraordinary rendition and torture in a joint British-American operation that took place in 2004. After revelations about mass surveillance from National Security Agency whistleblower Edward Snowden last year, the families launched another case alleging that their communications with lawyers at human rights group Reprieve may have been spied on by the government, hindering their ability to receive a fair trial.
In a statement on Thursday, Reprieve's legal director Cori Crider said that the new disclosures raised "troubling implications for the whole British justice system" and questioned how frequently the government had used its spy powers for unfair advantage in court.
"It's now clear the intelligence agencies have been eavesdropping on lawyer-client conversations for years," Crider said. "Today's question is not whether, but how much, they have rigged the game in their favor in the ongoing court case over torture."
Rachel Logan, a legal adviser at rights group Amnesty International, said that spying on lawyers affords the U.K. government an "unfair advantage akin to playing poker in a hall of mirrors."
"It could mean, amazingly, that the government uses information they have got from snooping on you, against you, in a case you have brought," Logan said. "This clearly violates an age-old principle of English law set down in the 16th century—that the correspondence between a person and their lawyer is confidential."
In the U.S., the NSA has also been caught spying on lawyers. Earlier this year, the agency was forced to reassure attorneys that it "will continue to afford appropriate protection to privileged attorney-client communications acquired during its lawful foreign intelligence mission in accordance with privacy procedures required by Congress, approved by the Attorney General, and, as appropriate, reviewed by the Foreign Intelligence Surveillance Court."
In the U.K., the oversight of intelligence agencies is undoubtedly far more lax.
According to the documents released Thursday, in at least one case legally privileged material that was covertly intercepted by a British agency may have been used to the government's advantage in legal cases. One passage notes that security service MI5 identified an instance in which there was potential for "tainting" a legal case after secretly intercepted privileged material apparently ended up in the hands of its lawyers.
The policies state that the targeting of lawyers "must give careful consideration to necessity and proportionality," but the GCHQ policy document adds that each individual analyst working at the agency is "responsible for the legality" of their targeting, suggesting that a large degree of personal judgement is involved in the process. Notably, there is no judicial oversight of eavesdropping conducted by GCHQ or other British security agencies; their surveillance operations are signed off by a senior politician in government, usually the Foreign or Home Secretary.
The categories that allow the agencies to spy on lawyers or others working with "confidential" material, such as journalists, are extremely broad. One policy document from GCHQ notes:
If you wish to target the communications of a lawyer or other legal professional or other communications that are likely to result in the interception of confidential information you must:
Have reasonable grounds to believe that they are participating in or planning activity that is against the interests of national security, the economic well-being of the UK or which in itself constitutes a serious crime.
In practice, this could mean that any lawyer or an investigative journalist working on a case or story involving state secrets could be targeted on the basis that they are perceived to be working against the vaguely defined national security interests of the government. Any journalists or lawyers working on the Snowden leaks, for instance, are a prime example of potential targets under this rationale. The U.K. government has already accused anyone working to publish stories based on the Snowden documents of being engaged in terrorism—and could feasibly use this as justification to spy on their correspondence.
GCHQ declined to comment for this post, referring a request from The Intercept to the government's Home Office. A Home Office spokesperson said: "We do not comment on ongoing legal proceedings."

Meho Krljic

Can we be identified as a "unique" internet user through the collection of metadata? Actually, yes; this site helps you see your browser's "fingerprint" and answers a simple question: can someone track me:


https://amiunique.org/

Ghoul

https://ljudska_splacina.com/


Meho Krljic

After Cameron's statement that the authorities should have insight into citizens' encrypted communications and that providers and email companies should make that possible for them, Obama has joined the sentiment:



Obama Sides with Cameron in Encryption Fight       

Quote
President Barack Obama said Friday that police and spies should not be locked out of encrypted smartphones and messaging apps, taking his first public stance in a simmering battle over private communications in the digital age.
Apple, Google and Facebook have introduced encrypted products in the past half year that the companies say they could not unscramble, even if faced with a search warrant. That's prompted vocal complaints from spy chiefs, the Federal Bureau of Investigation and, this week, British Prime Minister David Cameron.
Obama's comments came after two days of meetings with Cameron, and with the prime minister at his side.
"If we find evidence of a terrorist plot... and despite having a phone number, despite having a social media address or email address, we can't penetrate that, that's a problem," Obama said. He said he believes Silicon Valley companies also want to solve the problem. "They're patriots."
In the U.S., governments have long been able to access the contents of electronic communication, including phone calls, consumer email and social media, typically with warrants, through wiretaps and from technology companies themselves.
But the law that governs these practices is dated and doesn't mandate tech firms incorporate such features into modern apps. In the post-Edward Snowden era, many technology firms have turned encryption and "zero-knowledge" into marketing buzzwords.
The president on Friday argued there must be a technical way to keep information private, but ensure that police and spies can listen in when a court approves. The Clinton administration fought and lost a similar battle during the 1990s when it pushed for a "clipper chip" that would allow only the government to decrypt scrambled messages.
That's a notable shift for the president. "He sounded more like Jim Comey than anything else the White House has said in the past couple of months," said Stewart Baker, former general counsel at the National Security Agency, referring to the FBI director, who has criticized the tech companies' new encryption policies.
Security experts have long argued such systems would hobble many anti-hacking tools, leaving computers exposed. For instance, if an encryption algorithm has a master key, it is inherently weaker because it's possible for an outsider to steal that master key and crack the code.
Obama must now choose between competing priorities: the security of private information, or the ability of law enforcement to gather intelligence, said Christopher Soghoian, principal technologist at the American Civil Liberties Union.
Earlier in his remarks Friday, the president talked about new efforts by Britain and the U.S. to fight hackers attacking private sector companies.
"How in the same speech can you talk about taking steps to improve cybersecurity and complain about encryption," Soghoian said.
Baker, the former NSA lawyer, called that argument a "red herring."
"We expect companies to be able to help with this," he said. "That doesn't mean that you always have to write bad cryptography."


And a judge in Spain cites the use of encryption as a possible indicator that you are involved in terrorism.

дејан

Range-R radar allows police to 'see' through walls and inside homes


Law enforcement agencies have been secretly equipping their officers with special Range-R radar devices that allow them to peer through the walls to detect movement on the other side, expanding the extent of government surveillance.

Quote
"The idea that the government can send signals through the wall of your house to figure out what's inside is problematic. Technologies that allow the police to look inside of a home are among the intrusive tools that police have."

"The Marshals Service routinely pursues and arrests violent offenders based on pre-established probable cause in arrest warrants for serious crimes."
...barcode never lies
FLA

дејан

gathered in one place, some of the best 'internet security' apps for your Android (iOS?)

TextSecure (Android)
RedPhone / Signal (Android / iOS)
Orbot + Orweb (Android)
ChatSecure (Android / iOS)
Prey (all platforms)


via factolabs
...barcode never lies
FLA


Meho Krljic

The Great SIM Heist

How Spies Stole the Keys to the Encryption Castle

https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

Quote


AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is "Security to be Free."

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider's network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

As part of the covert operations against Gemalto, spies from GCHQ — with support from the NSA — mined the private communications of unwitting engineers and other company employees in multiple countries.

Gemalto was totally oblivious to the penetration of its systems — and the spying on its employees. "I'm disturbed, quite concerned that this has happened," Paul Beverly, a Gemalto executive vice president, told The Intercept. "The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again, and also to make sure that there's no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers." He added that "the most important thing for us now is to understand the degree" of the breach.

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. "Once you have the keys, decrypting traffic is trivial," says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. "The news of this key theft will send a shock wave through the security community."
Beverly said that after being contacted by The Intercept, Gemalto's internal security team began on Wednesday to investigate how their system was penetrated and could find no trace of the hacks. When asked if the NSA or GCHQ had ever requested access to Gemalto-manufactured encryption keys, Beverly said, "I am totally unaware. To the best of my knowledge, no."

According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto's internal networks, planting malware on several computers, giving GCHQ secret access. We "believe we have their entire network," the slide's author boasted about the operation against Gemalto.

Additionally, the spy agency targeted unnamed cellular companies' core networks, giving it access to "sales staff machines for customer information and network engineers machines for network maps." GCHQ also claimed the ability to manipulate the billing servers of cell companies to "suppress" charges in an effort to conceal the spy agency's secret actions against an individual's phone. Most significantly, GCHQ also penetrated "authentication servers," allowing it to decrypt data and voice communications between a targeted individual's phone and his or her telecom provider's network. A note accompanying the slide asserted that the spy agency was "very happy with the data so far and [was] working through the vast quantity of product."

The Mobile Handset Exploitation Team (MHET), whose existence has never before been disclosed, was formed in April 2010 to target vulnerabilities in cellphones. One of its main missions was to covertly penetrate computer networks of corporations that manufacture SIM cards, as well as those of wireless network providers. The team included operatives from both GCHQ and the NSA.

While the FBI and other U.S. agencies can obtain court orders compelling U.S.-based telecom companies to allow them to wiretap or intercept the communications of their customers, on the international front this type of data collection is much more challenging. Unless a foreign telecom or foreign government grants access to their citizens' data to a U.S. intelligence agency, the NSA or CIA would have to hack into the network or specifically target the user's device for a more risky "active" form of surveillance that could be detected by sophisticated targets. Moreover, foreign intelligence agencies would not allow U.S. or U.K. spy agencies access to the mobile communications of their heads of state or other government officials.

"It's unbelievable. Unbelievable," said Gerard Schouw, a member of the Dutch Parliament, when told of the spy agencies' actions. Schouw, the intelligence spokesperson for D66, the largest opposition party in the Netherlands, told The Intercept, "We don't want to have the secret services from other countries doing things like this." Schouw added that he and other lawmakers will ask the Dutch government to provide an official explanation and to clarify whether the country's intelligence services were aware of the targeting of Gemalto, whose official headquarters is in Amsterdam.

Last November, the Dutch government proposed an amendment to its constitution to include explicit protection for the privacy of digital communications, including those made on mobile devices. "We have, in the Netherlands, a law on the [activities] of secret services. And hacking is not allowed," Schouw said. Under Dutch law, the interior minister would have to sign off on such operations by foreign governments' intelligence agencies. "I don't believe that he has given his permission for these kind of actions."

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. "Gaining access to a database of keys is pretty much game over for cellular encryption," says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is "bad news for phone security. Really bad news."

AS CONSUMERS BEGAN to adopt cellular phones en masse in the mid-1990s, there were no effective privacy protections in place. Anyone could buy a cheap device from RadioShack capable of intercepting calls placed on mobile phones. The shift from analog to digital networks introduced basic encryption technology, though it was still crackable by tech savvy computer science graduate students, as well as the FBI and other law enforcement agencies, using readily available equipment.

Today, second-generation (2G) phone technology, which relies on a deeply flawed encryption system, remains the dominant platform globally, though U.S. and European cellphone companies now use 3G, 4G and LTE technology in urban areas. These include more secure, though not invincible, methods of encryption, and wireless carriers throughout the world are upgrading their networks to use these newer technologies.

It is in the context of such growing technical challenges to data collection that intelligence agencies, such as the NSA, have become interested in acquiring cellular encryption keys. "With old-fashioned [2G], there are other ways to work around cellphone security without those keys," says Green, the Johns Hopkins cryptographer. "With newer 3G, 4G and LTE protocols, however, the algorithms aren't as vulnerable, so getting those keys would be essential."

The privacy of all mobile communications — voice calls, text messages and Internet access — depends on an encrypted connection between the cellphone and the wireless carrier's network, using keys stored on the SIM, a tiny chip smaller than a postage stamp, which is inserted into the phone. All mobile communications on the phone depend on the SIM, which stores and guards the encryption keys created by companies like Gemalto. SIM cards can be used to store contacts, text messages, and other important data, like one's phone number. In some countries, SIM cards are used to transfer money. As The Intercept reported last year, having the wrong SIM card can make you the target of a drone strike.

SIM cards were not invented to protect individual communications — they were designed to do something much simpler: ensure proper billing and prevent fraud, which was pervasive in the early days of cellphones. Soghoian compares the use of encryption keys on SIM cards to the way Social Security numbers are used today. "Social security numbers were designed in the 1930s to track your contributions to your government pension," he says. "Today they are used as a quasi national identity number, which was never their intended purpose."

Because the SIM card wasn't created with call confidentiality in mind, the manufacturers and wireless carriers don't make a great effort to secure their supply chain. As a result, the SIM card is an extremely vulnerable component of a mobile phone. "I doubt anyone is treating those things very carefully," says Green. "Cell companies probably don't treat them as essential security tokens. They probably just care that nobody is defrauding their networks." The ACLU's Soghoian adds, "These keys are so valuable that it makes sense for intel agencies to go after them."

As a general rule, phone companies do not manufacture SIM cards, nor program them with secret encryption keys. It is cheaper and more efficient for them to outsource this sensitive step in the SIM card production process. They purchase them in bulk with the keys pre-loaded by other corporations. Gemalto is the largest of these SIM "personalization" companies.

After a SIM card is manufactured, the encryption key, known as a "Ki," is burned directly onto the chip. A copy of the key is also given to the cellular provider, allowing its network to recognize an individual's phone. In order for the phone to be able to connect to the wireless carrier's network, the phone — with the help of the SIM — authenticates itself using the Ki that has been programmed onto the SIM. The phone conducts a secret "handshake" that validates that the Ki on the SIM matches the Ki held by the mobile company. Once that happens, the communications between the phone and the network are encrypted. Even if GCHQ or the NSA were to intercept the phone signals as they are transmitted through the air, the intercepted data would be a garbled mess. Decrypting it can be challenging and time-consuming. Stealing the keys, on the other hand, is beautifully simple, from the intelligence agencies' point of view, as the pipeline for producing and distributing SIM cards was never designed to thwart mass surveillance efforts.

One of the creators of the encryption protocol that is widely used today for securing emails, Adi Shamir, famously asserted: "Cryptography is typically bypassed, not penetrated." In other words, it is much easier (and sneakier) to open a locked door when you have the key than it is to break down the door using brute force. While the NSA and GCHQ have substantial resources dedicated to breaking encryption, it is not the only way — and certainly not always the most efficient — to get at the data they want. "NSA has more mathematicians on its payroll than any other entity in the U.S.," says the ACLU's Soghoian. "But the NSA's hackers are way busier than its mathematicians."

GCHQ and the NSA could have taken any number of routes to steal SIM encryption keys and other data. They could have physically broken into a manufacturing plant. They could have broken into a wireless carrier's office. They could have bribed, blackmailed or coerced an employee of the manufacturer or cellphone provider. But all of that comes with substantial risk of exposure. In the case of Gemalto, hackers working for GCHQ remotely penetrated the company's computer network in order to steal the keys in bulk as they were en route to the wireless network providers.

SIM card "personalization" companies like Gemalto ship hundreds of thousands of SIM cards at a time to mobile phone operators across the world. International shipping records obtained by The Intercept show that in 2011, Gemalto shipped 450,000 smart cards from its plant in Mexico to Germany's Deutsche Telekom in just one shipment.

In order for the cards to work and for the phones' communications to be secure, Gemalto also needs to provide the mobile company with a file containing the encryption keys for each of the new SIM cards. These master key files could be shipped via FedEx, DHL, UPS or another snail mail provider. More commonly, they could be sent via email or through File Transfer Protocol, FTP, a method of sending files over the Internet.

The moment the master key set is generated by Gemalto or another personalization company, but before it is sent to the wireless carrier, is the most vulnerable moment for interception. "The value of getting them at the point of manufacture is you can presumably get a lot of keys in one go, since SIM chips get made in big batches," says Green, the cryptographer. "SIM cards get made for lots of different carriers in one facility." In Gemalto's case, GCHQ hit the jackpot, as the company manufactures SIMs for hundreds of wireless network providers, including all of the leading U.S. — and many of the largest European — companies.

But obtaining the encryption keys while Gemalto still held them required finding a way into the company's internal systems.

TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys. They did this by utilizing the NSA's X-KEYSCORE program, which allowed them access to private emails hosted by the SIM card and mobile companies' servers, as well as those of major tech corporations, including Yahoo and Google.

In effect, GCHQ clandestinely cyberstalked Gemalto employees, scouring their emails in an effort to find people who may have had access to the company's core networks and Ki-generating systems. The intelligence agency's goal was to find information that would aid in breaching Gemalto's systems, making it possible to steal large quantities of encryption keys. The agency hoped to intercept the files containing the keys as they were transmitted between Gemalto and its wireless network provider customers.

GCHQ operatives identified key individuals and their positions within Gemalto and then dug into their emails. In one instance, GCHQ zeroed in on a Gemalto employee in Thailand who they observed sending PGP-encrypted files, noting that if GCHQ wanted to expand its Gemalto operations, "he would certainly be a good place to start." They did not claim to have decrypted the employee's communications, but noted that the use of PGP could mean the contents were potentially valuable.

The cyberstalking was not limited to Gemalto. GCHQ operatives wrote a script that allowed the agency to mine the private communications of employees of major telecommunications and SIM "personalization" companies for technical terms used in the assigning of secret keys to mobile phone customers. Employees for the SIM card manufacturers and wireless network providers were labeled as "known individuals and operators targeted" in a top-secret GCHQ document.

According to that April 2010 document, "PCS Harvesting at Scale," hackers working for GCHQ focused on "harvesting" massive amounts of individual encryption keys "in transit between mobile network operators and SIM card personalisation centres" like Gemalto. The spies "developed a methodology for intercepting these keys as they are transferred between various network operators and SIM card providers." By that time, GCHQ had developed "an automated technique with the aim of increasing the volume of keys that can be harvested."

The PCS Harvesting document acknowledged that, in searching for information on encryption keys, GCHQ operatives would undoubtedly vacuum up "a large number of unrelated items" from the private communications of targeted employees. "[H]owever an analyst with good knowledge of the operators involved can perform this trawl regularly and spot the transfer of large batches of [keys]."

The document noted that many SIM card manufacturers transferred the encryption keys to wireless network providers "by email or FTP with simple encryption methods that can be broken ... or occasionally with no encryption at all." To get bulk access to encryption keys, all the NSA or GCHQ needed to do was intercept emails or file transfers as they were sent over the Internet — something both agencies already do millions of times per day. A footnote in the 2010 document observed that the use of "strong encryption products ... is becoming increasingly common" in transferring the keys.

In its key harvesting "trial" operations in the first quarter of 2010, GCHQ successfully intercepted keys used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan. But, the agency noted, its automated key harvesting system failed to produce results against Pakistani networks, denoted as "priority targets" in the document, despite the fact that GCHQ had a store of Kis from two providers in the country, Mobilink and Telenor. "[I]t is possible that these networks now use more secure methods to transfer Kis," the document concluded.

From December 2009 through March 2010, a month before the Mobile Handset Exploitation Team was formed, GCHQ conducted a number of trials aimed at extracting encryption keys and other personalized data for individual phones. In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries. In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they'd compiled 300,000. "Somali providers are not on GCHQ's list of interest," the document noted. "[H]owever, this was usefully shared with NSA."

The GCHQ documents only contain statistics for three months of encryption key theft in 2010. During this period, millions of keys were harvested. The documents stated explicitly that GCHQ had already created a constantly evolving automated process for bulk harvesting of keys. They describe active operations targeting Gemalto's personalization centers across the globe, as well as other major SIM card manufacturers and the private communications of their employees.

A top-secret NSA document asserted that, as of 2009, the U.S. spy agency already had the capacity to process between 12 and 22 million keys per second for later use against surveillance targets. In the future, the agency predicted, it would be capable of processing more than 50 million per second. The document did not state how many keys were actually processed, just that the NSA had the technology to perform such swift, bulk operations. It is impossible to know how many keys have been stolen by the NSA and GCHQ to date, but, even using conservative math, the numbers are likely staggering.

GCHQ assigned "scores" to more than 150 individual email addresses based on how often the users mentioned certain technical terms, and then intensified the mining of those individuals' accounts based on priority. The highest-scoring email address was that of an employee of Chinese tech giant Huawei, which the U.S. has repeatedly accused of collaborating with Chinese intelligence. In all, GCHQ harvested the emails of employees of hardware companies that manufacture phones, such as Ericsson and Nokia; operators of mobile networks, such as MTN Irancell and Belgacom; SIM card providers, such as Bluefish and Gemalto; and employees of targeted companies who used email providers, such as Yahoo and Google. During the three-month trial, the largest number of email addresses harvested were those belonging to Huawei employees, followed by MTN Irancell. The third largest class of emails harvested in the trial were private Gmail accounts, presumably belonging to employees at targeted companies.

The GCHQ program targeting Gemalto was called DAPINO GAMMA. In 2011, GCHQ launched operation HIGHLAND FLING to mine the email accounts of Gemalto employees in France and Poland. A top-secret document on the operation stated that one of the aims was "getting into French HQ" of Gemalto "to get in to core data repositories." France, home to one of Gemalto's global headquarters, is the nerve center of the company's worldwide operations. Another goal was to intercept private communications of employees in Poland that "could lead to penetration into one or more personalisation centers" — the factories where the encryption keys are burned onto SIM cards.

As part of these operations, GCHQ operatives acquired the usernames and passwords for Facebook accounts of Gemalto targets. An internal top-secret GCHQ wiki on the program from May 2011 indicated that GCHQ was in the process of "targeting" more than a dozen Gemalto facilities across the globe, including in Germany, Mexico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore.

The document also stated that GCHQ was preparing similar key theft operations against one of Gemalto's competitors, Germany-based SIM card giant Giesecke and Devrient.

On January 17, 2014, President Barack Obama gave a major address on the NSA spying scandal. "The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don't threaten our national security and that we take their privacy concerns into account in our policies and procedures," he said.

The monitoring of the lawful communications of employees of major international corporations shows that such statements by Obama, other U.S. officials and British leaders — that they only intercept and monitor the communications of known or suspected criminals or terrorists — were untrue. "The NSA and GCHQ view the private communications of people who work for these companies as fair game," says the ACLU's Soghoian. "These people were specifically hunted and targeted by intelligence agencies, not because they did anything wrong, but because they could be used as a means to an end."

THERE ARE TWO basic types of electronic or digital surveillance: passive and active. All intelligence agencies engage in extensive passive surveillance, which means they collect bulk data by intercepting communications sent over fiber-optic cables, radio waves or wireless devices.

Intelligence agencies place high-power antennas, known as "spy nests," on the top of their countries' embassies and consulates, which are capable of vacuuming up data sent to or from mobile phones in the surrounding area. The joint NSA/CIA Special Collection Service is the lead entity that installs and mans these nests for the United States. An embassy situated near a parliament or government agency could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials. The U.S. embassy in Berlin, for instance, is located a stone's throw from the Bundestag. But if the wireless carriers are using stronger encryption, which is built into modern 3G, 4G and LTE networks, then intercepted calls and other data would be more difficult to crack, particularly in bulk. If the intelligence agency wants to actually listen to or read what is being transmitted, they would need to decrypt the encrypted data.

Active surveillance is another option. This would require government agencies to "jam" a 3G or 4G network, forcing nearby phones onto 2G. Once forced down to the less secure 2G technology, the phone can be tricked into connecting to a fake cell tower operated by an intelligence agency. This method of surveillance, though effective, is risky, as it leaves a digital trace that counter-surveillance experts from foreign governments could detect.

Stealing the Kis solves all of these problems. This way, intelligence agencies can safely engage in passive, bulk surveillance without having to decrypt data and without leaving any trace whatsoever.

"Key theft enables the bulk, low-risk surveillance of encrypted communications," the ACLU's Soghoian says. "Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It's like a time machine, enabling the surveillance of communications that occurred before someone was even a target."

Neither the NSA nor GCHQ would comment specifically on the key theft operations. In the past, they have argued more broadly that breaking encryption is a necessary part of tracking terrorists and other criminals. "It is longstanding policy that we do not comment on intelligence matters," a GCHQ official stated in an email, adding that the agency's work is conducted within a "strict legal and policy framework" that ensures its activities are "authorized, necessary and proportionate," with proper oversight, which is the standard response the agency has provided for previous stories published by The Intercept. The agency also said, "[T]he UK's interception regime is entirely compatible with the European Convention on Human Rights." The NSA declined to offer any comment.

It is unlikely that GCHQ's pronouncement about the legality of its operations will be universally embraced in Europe. "It is governments massively engaging in illegal activities," says Sophie in't Veld, a Dutch member of the European Parliament. "If you are not a government and you are a student doing this, you will end up in jail for 30 years." Veld, who chaired the European Parliament's recent inquiry into mass surveillance exposed by Snowden, told The Intercept: "The secret services are just behaving like cowboys. Governments are behaving like cowboys and nobody is holding them to account."

The Intercept's Laura Poitras has previously reported that in 2013 Australia's signals intelligence agency, a close partner of the NSA, stole some 1.8 million encryption keys from an Indonesian wireless carrier.

A few years ago, the FBI reportedly dismantled several transmitters set up by foreign intelligence agencies around the Washington, D.C. area, which could be used to intercept cellphone communications. Russia, China, Israel and other nations use similar technology as the NSA across the world. If those governments had the encryption keys for major U.S. cellphone companies' customers, such as those manufactured by Gemalto, mass snooping would be simple. "It would mean that with a few antennas placed around Washington, D.C., the Chinese or Russian governments could sweep up and decrypt the communications of members of Congress, U.S. agency heads, reporters, lobbyists and everyone else involved in the policymaking process and decrypt their telephone conversations," says Soghoian.

"Put a device in front of the U.N., record every bit you see going over the air. Steal some keys, you have all those conversations," says Green, the Johns Hopkins cryptographer. And it's not just spy agencies that would benefit from stealing encryption keys. "I can only imagine how much money you could make if you had access to the calls made around Wall Street," he adds.

THE BREACH OF Gemalto's computer network by GCHQ has far-reaching global implications. The company, which brought in $2.7 billion in revenue in 2013, is a global leader in digital security, producing banking cards, mobile payment systems, two-factor authentication devices used for online security, hardware tokens used for securing buildings and offices, electronic passports and identification cards. It provides chips to Vodafone in Europe and France's Orange, as well as EE, a joint venture in the U.K. between France Telecom and Deutsche Telekom. Royal KPN, the largest Dutch wireless network provider, also uses Gemalto technology.

In Asia, Gemalto's chips are used by China Unicom, Japan's NTT and Taiwan's Chungwa Telecom, as well as scores of wireless network providers throughout Africa and the Middle East. The company's security technology is used by more than 3,000 financial institutions and 80 government organizations. Among its clients are Visa, Mastercard, American Express, JP Morgan Chase and Barclays. It also provides chips for use in luxury cars, including those made by Audi and BMW.

In 2012, Gemalto won a sizable contract, worth $175 million, from the U.S. government to produce the covers for electronic U.S. passports, which contain chips and antennas that can be used to better authenticate travelers. As part of its contract, Gemalto provides the personalization and software for the microchips implanted in the passports. The U.S. represents Gemalto's single largest market, accounting for some 15 percent of its total business. This raises the question of whether GCHQ, which was able to bypass encryption on mobile networks, has the ability to access private data protected by other Gemalto products created for banks and governments.

As smart phones become smarter, they are increasingly replacing credit cards and cash as a means of paying for goods and services. When Verizon, AT&T and T-Mobile formed an alliance in 2010 to jointly build an electronic pay system to challenge Google Wallet and Apple Pay, they purchased Gemalto's technology for their program, known as Softcard. (Until July 2014, it previously went by the unfortunate name of "ISIS Mobile Wallet.") Whether data relating to that, and other Gemalto security products, has been compromised by GCHQ and the NSA is unclear. Both intelligence agencies declined to answer any specific questions for this story.

PRIVACY ADVOCATES and security experts say it would take billions of dollars, significant political pressure, and several years to fix the fundamental security flaws in the current mobile phone system that NSA, GCHQ and other intelligence agencies regularly exploit.

A current gaping hole in the protection of mobile communications is that cellphones and wireless network providers do not support the use of Perfect Forward Secrecy (PFS), a form of encryption designed to limit the damage caused by theft or disclosure of encryption keys. PFS, which is now built into modern web browsers and used by sites like Google and Twitter, works by generating unique encryption keys for each communication or message, which are then discarded. Rather than using the same encryption key to protect years' worth of data, as the permanent Kis on SIM cards can, a new key might be generated each minute, hour or day, and then promptly destroyed. Because cellphone communications do not utilize PFS, if an intelligence agency has been "passively" intercepting someone's communications for a year and later acquires the permanent encryption key, it can go back and decrypt all of those communications. If mobile phone networks were using PFS, that would not be possible — even if the permanent keys were later stolen.

The only effective way for individuals to protect themselves from Ki theft-enabled surveillance is to use secure communications software, rather than relying on SIM card-based security. Secure software includes email and other apps that use Transport Layer Security (TLS), the mechanism underlying the secure HTTPS web protocol. The email clients included with Android phones and iPhones support TLS, as do large email providers like Yahoo and Google.

Apps like TextSecure and Silent Text are secure alternatives to SMS messages, while Signal, RedPhone and Silent Phone encrypt voice calls. Governments still may be able to intercept communications, but reading or listening to them would require hacking a specific handset, obtaining internal data from an email provider, or installing a bug in a room to record the conversations.

"We need to stop assuming that the phone companies will provide us with a secure method of making calls or exchanging text messages," says Soghoian.
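The difference the quoted article draws between a permanent Ki and Perfect Forward Secrecy, as an added illustration that is not part of the article or of any carrier's or vendor's code. The key derivation, the toy stream cipher, the Diffie-Hellman group and all function names are assumptions constructed for this example and are simplified models, not the real cellular algorithms.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption of this example,
# not a vetted production group and not what any mobile network uses).
P = 2**255 - 19
G = 2


def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """Derive a 32-byte key with HMAC-SHA256."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def static_session(ki: bytes, plaintext: bytes) -> dict:
    """Model of a permanent key: the session key depends only on the
    long-term key and a challenge that travels in the clear."""
    challenge = secrets.token_bytes(16)
    session_key = kdf(ki, b"session", challenge)
    return {"challenge": challenge,
            "ciphertext": xor_stream(session_key, plaintext)}


def forward_secret_session(ki: bytes, plaintext: bytes) -> dict:
    """Model of forward secrecy: the session key comes from ephemeral
    Diffie-Hellman secrets; the long-term key only authenticates."""
    a = secrets.randbelow(P - 3) + 2      # phone's ephemeral secret
    b = secrets.randbelow(P - 3) + 2      # network's ephemeral secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    transcript = pub_a.to_bytes(32, "big") + pub_b.to_bytes(32, "big")
    tag = kdf(ki, b"auth", transcript)    # proves both ends hold the same ki
    shared = pow(pub_b, a, P)             # equals pow(pub_a, b, P)
    session_key = kdf(shared.to_bytes(32, "big"), b"session", transcript)
    # a, b and session_key are discarded when this function returns.
    return {"pub_a": pub_a, "pub_b": pub_b, "tag": tag,
            "ciphertext": xor_stream(session_key, plaintext)}


def decrypt_static_recording(ki: bytes, record: dict) -> bytes:
    """What an old recording yields once the long-term key is disclosed."""
    session_key = kdf(ki, b"session", record["challenge"])
    return xor_stream(session_key, record["ciphertext"])


def decrypt_fs_recording(ki: bytes, record: dict):
    """Same situation against the forward-secret session. The long-term key
    checks the authentication tag, but a key derived from it and the recorded
    public values is not the session key."""
    transcript = (record["pub_a"].to_bytes(32, "big")
                  + record["pub_b"].to_bytes(32, "big"))
    tag_ok = hmac.compare_digest(kdf(ki, b"auth", transcript), record["tag"])
    guess = kdf(ki, b"session", transcript)
    return tag_ok, xor_stream(guess, record["ciphertext"])


if __name__ == "__main__":
    ki = bytes(range(16))                               # constructed sample key
    msg = b"constructed sample message: meet at 10:00"  # constructed sample data
    print(decrypt_static_recording(ki, static_session(ki, msg)))
    print(decrypt_fs_recording(ki, forward_secret_session(ki, msg)))
```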

Meho Krljic

For those of us who hand our fingerprints over to the state's armed forces as soon as we come of age, all of this is normal, but for some parts of the world it is quite a shock how Pakistan has decided, for the sake of preventing terrorism, to collect the fingerprints of a large part of its population. Namely, without giving your fingerprints, there is no more using a mobile phone:


Pakistanis face a deadline: Surrender fingerprints or give up cellphone



Quote
ISLAMABAD, Pakistan — Cellphones didn't just arrive in Pakistan. But someone could be fooled into thinking otherwise, considering the tens of millions of Pakistanis pouring into mobile phone stores these days.
In one of the world's largest — and fastest — efforts to collect biometric information, Pakistan has ordered cellphone users to verify their identities through fingerprints for a national database being compiled to curb terrorism. If they don't, their service will be shut off, an unthinkable option for many after a dozen years of explosive growth in cellphone usage here.
Prompted by concerns about a proliferation of illegal and untraceable SIM cards, the directive is the most visible step so far in Pakistan's efforts to restore law and order after Taliban militants killed 150 students and teachers at a school in December. Officials said the six terrorists who stormed the school in Peshawar were using cellphones registered to one woman who had no obvious connection to the attackers.
But the effort to match one person to each cellphone number involves a jaw-dropping amount of work. At the start of this year, there were 103 million SIM cards in Pakistan — roughly the number of the adult population — that officials were not sure were valid or properly registered. And mobile companies have until April 15 to verify the owners of all of the cards, which are tiny chips in cellphones that carry a subscriber's personal security and identity information.




In the past six weeks, 53 million SIMs belonging to 38 million residents have been verified through biometric screening, officials said.
"Once the verification of each and every SIM is done, coupled with blocking unverified SIMs, the terrorists will no longer have this tool," said a senior Interior Ministry official, who was not authorized to speak publicly about the government's security policy. "The government knows that it's an arduous job, both for the cellular companies and their customers, but this has to be done as a national duty."


As Pakistan's decade-long struggle against Islamist extremism has stretched on, residents have grown accustomed to hassles such as long security lines and police checkpoints. Now they must add the inconvenience of rushing into a retail store to keep their phones on.
"I spend all day working and sometimes have to work till late in the night. . . . I cannot afford to stand in line for hours to have my SIM verified," said Abid Ali Shah, 50, a taxi driver who was waiting to be fingerprinted at a cellphone store. "But if I don't do it, my phone is my only source of communication that I have to remain in touch with my family."
Though Pakistan's first cellphone company launched in 1991, there was only sparse usage until the turn of the 21st century. Since then, the number of cellphone subscribers has grown from about 5 million in 2003 to about 136 million today, according to the Pakistan Telecommunications Authority.
The mobile phone subscription rate now stands at about 73 percent, roughly equal to the rate in neighboring India, according to the World Bank. It's even common for Pakistanis in remote or mountainous areas, where electricity can be sporadic and few have access to vehicles, to own a cellphone.
With 50 million more SIM cards left to be verified, phone companies are dispatching outreach teams deep into the countryside and mountains to notify customers of the policy.
"It's a massive, nationwide exercise with a tight deadline, but hopefully we will be able to verify our customers by the April deadline," said Omar Manzur, an executive at Mobilink, which has 38 million customers in Pakistan. "We have sent out 700 mobile vans all across Pakistan to reach out to these far-flung areas, the villages and small towns."
One region that appears largely unaffected by the plan is the immediate area around the Pakistan-Afghanistan border, where many Islamist militants have historically sought refuge. Pakistani cellphone networks generally do not provide service to those areas, and residents try to get coverage from Afghan networks, officials said.


Cellphone owners' fingerprints are being matched with those on file in a national database the government began creating in 2005. Those whose prints are not in the database must first submit them to the National Database & Registration Authority. Some residents, including several million Afghan refugees not eligible for citizenship, also have to obtain a court affidavit attesting they will properly use their cellphones.
Over the years, several countries, including South Africa and India, have implemented broad systems for obtaining and storing residents' biometric information. But analysts and communications experts say they can't recall a country trying to gather biometrics as rapidly as Pakistan is doing.
"In a country like this, where the infrastructure is not available in many areas, this looks unprecedented," said Wahaj us Siraj, the chief executive officer of Nayatel, a major Pakistani Internet supplier.
Once the nationwide verification process is complete, police and intelligence officials will have a much easier time tracing the origins of crimes or terrorist attacks, said Ammar Jaffri, the former deputy director of Pakistan's Federal Investigation Agency.
Jaffri noted that cellphones have often been used to detonate explosive devices in Pakistan. Authorities are also struggling to curb extortion carried out by criminals, often affiliated with banned militant groups, who make threatening phone calls demanding money.
Jaffri said Pakistanis should just accept that a SIM card "becomes part of you" and that any privacy concerns do not override government regulation of airwaves.
"We have new technology now, and we shouldn't be afraid of these things, we should face it," said Jaffri, president of the Pakistan Information Security Association. "Watching people when they move, it's natural: Every country does it."
As they show up at cellphone stores, some Pakistanis are learning firsthand just how lax Pakistan had been in tracking SIM cards.
At a Mobilink office in Islamabad, Muhammad Safdar, 30, was told that six different SIM cards were attached to his name.



"I think some of my friends had my ID card number," Safdar said. "Earlier it was very easy to simply redeem that number and get a SIM issued in that name."
Ghulam Rasool, a 24-year-old Afghan citizen living here, waited in line only to learn that the SIM card he had bought at a fruit market four years ago was now illegal. 
"Before, no one asked, but now they are, and it has to be in my name," said Rasool, who emerged from the Mobilink office with a new phone number. "Everyone has my old number, and now I have to contact hundreds of people" in both Pakistan and Afghanistan.
Still, many Pakistanis are taking the process in stride, saying they are willing to do whatever it takes to reduce terrorism. They are skeptical, however, that this will be the answer to ending a war that has killed more than 50,000 Pakistani residents and soldiers over the past 13 years.
"If this can bring peace, it's okay," said Khan Gul, his thumb still stained with blue ink. "But I am wondering how a mobile phone verification can bring peace."