You Can Get Hacked Just By Watching This Cat Video on YouTube

Ok, my IP isn’t banned, and I feel better. Maybe it was b/c I entered an email that was too obviously fake the first time. From now on I’ll enter hi-quality fakes only. I flatly refuse to comment on any site that demands I create a profile or identify myself in any ‘real’ (verifiable) way. I have stopped using email completely (simply don’t need it at all), cookies almost completely, and most scripts most of the time. I take several other measures too. None of them make me hard to track, but they do make it harder, which is all one can do without learning a huge amount of sec-tech.

Most importantly, none of the measures I take have much negative impact on what I can do on the web. The biggest is that I can’t comment on very many sites any more. I can watch YouTube by allowing just 2 YT_hosted scripts, and play Mahjongg-3D by enabling about 3. And any site that insists on cookies can go to h*ll !!! They do not get my clicks or anything else but my contempt.

I would prefer that the Intercept’s commenting system put NOT REQUIRED beside the email box, instead of an asterisk, and start encouraging comments without personally identifying information. In fact, isn’t it just a little bit weird that they don’t??? Frankly I think it is. If Bruce Schneier doesn’t then why does this site?

In the 90’s we free-thinking types worried about the day the internet would be taken over by corporate interests, knowing we probably couldn’t prevent it, only slow it down. No one was prepared for this, or for the stunning lack of interest from the world’s general population so far. It’s getting better, but it isn’t getting better faster than than the NSA is charging forward in “damn the torpedoes, full speed ahead” style. More like slower, and that’s an existential level problem imo. It certainly got existential for Aaron Swartz, after all.

See also http://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html

California a few years ago was about to pass legislation prohibiting electronic solicitations unless the citizen opted in, then Congress got all worked up and prohibited CA from doing it. Somehow I doubt that this slice does not fit into the picture the article attempts to explain.

Sadly, it seems the patrol, guard is again being extremely heavy handed in Ferguson – when clicking on the previous link (RT) a banner at top o page said teargas was again used. On that page, the tactics seemed – way over the top.

Response to Ferguson = suppression of dissent

In line with this article:

“Hackers steal 4.5 million patient records from multi-state hospital network”
http://rt.com/usa/181172-chs-hospital-network-hacked/

All politicians lie. Or, didn’t you know that?

I commented yesterday that I question the inclusion of the video link in the article, but I can’t find the comment. It would suck if supplying fake email addresses gets one banned (and even if just the single comment is removed) from the site that tells us to avoid email in the first place. So if you see THIS comment, I guess you can draw your own conclusion.

At least Bruce Schneier doesn’t even ask anyone to enter anything in the field. That’s the way to do it if you take this stuff as seriously as one should, imo.

I call massive BS.
According to the article, they would add physical hardware to the ISP. Microsoft (and I assume Google) have their own data centers, so this wouldn’t be possible. Third party folks can’t just walk in and put in their own gear.
The security in place also wouldn’t allow them to “intercept” traffic, as it would require a key to decrypt. Unless they’re talking about something that happened a dozen years ago…perhaps…still doubtful.

Yeah this story is getting me thinking about protecting my data, how do I do that exactly? Use TOR? I am going to google this!

Clicking to see the cat video is indeed enticing. But for the NSA watchers reading these comments, equally enticing will be this link to a schematic of GCHQ’s basement levels (obtained during construction) on the darknet. But I’m not going to make it easy: you first have to decrypt the GPG cipher below:

—–BEGIN PGP MESSAGE—–
Version: GnuPG v1

jA0EAwMCiLSOPl/cmzVgyWxgkHmmqpfL+2A1MQd/gJvMoD6bnvx1LoSpZRZvVAeE
Xzjd5vRFxrZsTls5TViDTu+EtURfv5Y5K8cwBc9KUeYGrtTpApSDQA90HW9RbnKV
ApIT+tumlp1y1tVUcQQ632hgAP2ysoDhNapAG7U=
=NWPz
—–END PGP MESSAGE—–

(apologies for repeatedly posting this comment, but I am not seeing it on this page, in my browser.)

Which other news sites use https?

A problem I have with this is its use by corporations, having nothing to do with law enforcement. This tech. seems rife with possibility for the marketing branches of multinationals. And, of course, they have no ethics or responsibilities whatsoever.

The end result of all this hacking could evolve well beyond financial loss and personal embarrassment. I suspect it will eventually result in a human stampede, possibly a dominipede (multiple, simultaneous stampedes). http://agsaf.org

I wonder if the Intercept holds any further information or documentation on this ~

http://www.counterpunch.org/2007/11/16/two-brothers-and-two-scandals/

http://en.wikipedia.org/wiki/A._B._Krongard

ok, as a user of the internet and one who likes to watch cute kitten videos, how do I make sure I’m not being hacked?
Also, if I put a video on You Tube how can I encrypt it? Don’t want friends getting hacked

Please pardon the interruption, but NPR Ombudsman published a response to Glenn’s article. I linked to it in the NPR post. Many of you will be interested in that.

Get out

This is somewhat on topic regarding VOIP networks. Actually, rather funny.

“Turnabout’s fair play? Germany intercepts Hillary Clinton phone call”

http://rt.com/usa/180716-germany-spies-hillary-cell/

“Germany’s foreign intelligence agency intercepted at least one phone call made by former Secretary of State Hillary Clinton, according to German media reports. Her phone was tapped “accidentally” while she was on a US government plane.”

for the german readers there was a summary about this published recently at http://lowerclassmagazine.blogsport.eu/2014/08/nerdnews-verschluesslung-alternativlos/

You should really eliminate this section of the Intercept. You should have your own name listed up top of the Intercept (like Greenwald) or you should be placed in “news”. You are being placed in a lower status area of the Intercept – and this does qualify as news of interests to a lot of people.

Good article though.

Is this Windows only?

Whenever I go to this site, I’m first getting a prompt that it’s cerificate can’t be verified, and it warns me to stay away.

Is anyone else experiencing this? Anyone know why it’s happening?

Another thing that concerns me is the possibility (probability?) of it’s use for blackmail. If virtually anyone with the inclination to do so can easily mine someone’s personal info, then it’s only a very small leap to conclude that this crime will be committed and probably to a freightening degree. And how are we to know who’s being violated and who the perpetrators are? The possibilites are truly disturbing.

Maybe I’m over-reacting (in circumstances like these, how would I be able to know?), but…

A little disappointed at the inclusion of a link to said YT cat video in the article with no additional info such “It is safe to click this link” or “It is NOT safe to click this link”. Especially b/c if one clicks the YT logo at the bottom of the vid’s “window”, one gets taken to the actual video, on the ACTUAL YouTube website, we’ve just been warned not to watch in the article’s headline. Some of us, without being stupid or even particularly uninformed, will not know what to do (HERE’s what to do: DON’T CLICK THE LINK, since no one has deemed it useful to bother mentioning that it is safe to do so. Precautionary principle. Sorry.)

Somebody at THE INTERCEPT please take a close look at this, and maybe also your basic mandate(s), to see if there’s a (possibly egregious) mismatch of noble intentions, or something, somewhere?? Leaving us, your rather dedicated readers, “unsure” of what to do isn’t really very helpful, imho. With great hope, I regard this as something of an error on your parts – one that might NOT be repeated!

” But there is almost no public information on law enforcement hacking.”

This post is important, especially since the conversation about militarized local police has begun.
A national discussion about reforms including better psych-screening and policy reviews with more emphasis on public safety and security could include this nugget. But again I ask; what’s the cats name? If you feel it’s more digestible to relay facts uncovered by the teaspoonful and this is the reason for not feeding in greater portions, ok. But does that mean the list of names will also drip slowly, starting with only high-level persons? I vote for releasing in toto.

Which news sources use HTTPS?

See the latest from Barton Gellman @ Washington Post, August 15:-
“U.S. firm helped the spyware industry build a potent digital weapon for sale overseas”

This is a massively sensationalist article… the attack vector is not just any website which does not use https:

The attack vector has multiple parts to it, and the most important part here is a shitty much hated proprietary browser plugin called flash. There’s nothing new here, flash has holes in it, in many ways. Exploits have been found in the past and will be found in the future until it’s dead.

When was the last time there was any news about gaining root access to a machine via plain standard HTML, CSS, Javascript and basic content formats such as PNG and JPG.

Almost overwhelmingly all abritrary code execution vectrors are through closed source proprietory software.

Using https to view a video or consume any kind of content on the web is not the solution. It is completely unessesary and misses the point… the point eing that the real attack vector is the exploit ridden software. If every company serving content that requires buggy closed source software to view starts serving over https exclusively then the obvious next step for anyone wanting to exploit that software is to do it from within those companies.

The solution is: don’t use flash, don’t use JAVA (read JAVA (Oracle)… not Javascript which is an open, a w3c standard and is safe.)

Today my 4th grade daughter dragged me into the”Build a bear workshop” store in the Mall of America. There she picked out a fuzzy little bear “skin” and we went to get it stuffed with fluff. The fluff-stuffing operative started by tearing an RFID tag off the bottom of the uniquely-identified price label, and placing it inside the toy – where it will remain for as long as it exists. She explained that she was doing this because if my daughter dropped the bear later in the day and someone happened to bring it back to the store, they would know that it was her bear. The fact that it was paired with the price tag and would therefore identify whoever paid for the bear as the parent of a 9YO child, and tie that person via his cellphone signal to a permanent record of every footstep he took in the course of his visit to said mall, as well as tracking the location of the toy, and therefore the child, indefinitely, was something that was lost on her. Welcome to the 21st century, folks….

I suspect that even at prices as low as 1 million dollars, these guys are overcharging.

The technology just isn’t that complex. At least 5-eyes intelligence agencies pretend to have oversight, and at least their interests coincide with mine. I doubt that their equivalents in states like North Korea, Syria, Iran, Russia, Uzbekistan or Turkmenistan have any such quibble, or any such alignment.

Even so, the murderous pettiness of the nation-state worries me less than highly automated organised crime. Surveillance isn’t the only thing that technology enables you to do in “mass” … the exploitation of that surveillance is simply a matter of connecting a “mass sensor” to a “mass effector”.

Could First Look please provide a list of which newspapers’ sites use HTTPS?

I bought attwifi for the day recently, and my browser said the certificate was bad. Wouldn’t let me look at it though. I called the at&t wifi Help number, and the woman who answered said to just go ahead, that “we’ve been seeing that lately”.

You shove systematically killed the soul of a women like we took her over. It was inevitable. She will live this way for the rest of her life due to your hatred and vengeance. For the world. She suffered. Man in the mirror

Is this threat dependent on OS? For example, if I was using a Mac or Linux, would I be affected?
Surely, if they just target Windows users (because they have the biggest slice of the pie) then if the affected people switched to say, Mac or Linux, then it would be a different kettle of fish, wouldn’t it?

Aubrey Mclendon is Mr Rhizome… Lauren came up with that on her own before she knew us before she knew your shit and before she knew the popo were chasing her. Lauren is a fucking telepathic genius. The doctors who study her are fuckin blown away. She is fuckin Lucy even Lauren blows her own shit… She FEELS EVERYTHING…she is the fuckin bomb…you are fucked the WORLD is up your a holes. She hates you. She is going to think of a song for you cause Lauren likes songs she speaks in music and crypt she is ducking amazing she has been doing it before she was chased she is Bi Polar you are fucked

Lauren is isolated to her home for another 6 months to keep her from getting shot in the head.CIA….FUCK!!!Lauren says fuck you fuckers!!! Go to fucking hell on earth. There is NO GOD THERE IS NO REDEMER THERE IS ONLY FUCKERS LIKE YOU you are full if shit and fucking screwing me you FUCKING SUCK NOT ME FUCKERS YOU DO..

I would love to fill you in on the following from my personal experience, but no one is giving me the benefit of doubt that i’m not crazy. Its far more unfortunate for you all that i’m not being heard than it is for me. When you are ready to hear the truth you will find me.

“In the digital age, a search through the contents of your laptop, online accounts, and digital communications is just as invasive as a search of your bedroom. Historically, being privy to someone’s most intimate moments and conversations would once have required placing bugging devices inside their home, not to mention the time and manpower to listen to what was being captured. The cost of such an operation required the target to be someone of reasonable interest. Now, it’s possible to watch someone through the lens of their laptop’s camera, to listen to them through the microphone of their cell phone, and to read through online correspondence cheaply and remotely. The canonical surveillance van full of bored government employees (being paid overtime) deployed 24 hours a day is increasingly a thing of the past.

We simply don’t know how often this type of surveillance occurs. While the Snowden revelations of the last year have revealed much about the character of surveillance by the intelligence community, the use of hacking for law enforcement surveillance is less well understood. There is widespread agreement that law enforcement techniques should be held to a high standard of transparency. Indeed, in the U.S., law enforcement agencies publish records detailing the number of wiretaps they deploy each year. But there is almost no public information on law enforcement hacking.”

Marco………………Polo

Little weed first chapter was Lauren’s pride and joy. We made her publish it. She stood her ground like custards last stand…get that fuckers like mustard gas. She fuckinbf took your shit as long as she possibly could. She is a fucking American hero. You are all fucked everyone hates you.

Ill stop the world and melt with you. They fuckin love her. YOU ARE FUCKED

Lauren is drinking cheap wine like your asses when he comes to understanding a global economy. Even little star weed lauren understands the fucking economy that feeds your fucking asses. Guess what? Lauren blames her potential suicide on you because now she knows you were holding out against her to get your big boys. She knows you are responsible for all of this. The whole fucking world with any fucking money knows Lauren little star weed Lucy and they fucking hate you now. You fucked yourselves. Even Lauren hates you. She says she would NEVER speak for you cause you are the greediest of all.

“The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge.”

I think this is stated there simpler than it actually is. So, bad guys can inject evil code into video streams. But to actually execute this code, they would need some kind of exploit in the video player software, no? Provided I keep my software up-to-date, they would need a zero-day which is not that easy to find/write. Its not as if you are automatically exploitable just by viewing an unencrypted stream.

Furthermore, I don’t see how encryption is going to help against this kind of attacks. The bad guys can still inject evil code into encrypted traffic and exploit bugs that occur prior or during decryption. Encryption does not make the traffic tamper proof. Could it be that you were actually talking about integrity/authenticity measures (which are also provided by HTTPS).

I’m not sure if this article makes plainly incorrect statements or is just lacking sufficient detail. Maybe you could enlighten me?

You can find links to good free security software at Prism-Break.org
http://prism-break.org/en/

You can find links to many different free security software solutions at Prism-Break.org
http://prism-break.org/en/

Lauren wants to know how you couldn’t figure out the Chinese were up your asses a long time ago..we didn’t have to spell it out for her telepathic little weed stem she knew all along….she says she wants to play ill melt with you on you tube cause that’s what LUCY did. Your little minds can’t even imagine that’s why Lauren says you are fuckin stupid she says the peole at google could put screws up your ass from their PC and you wouldn’t even know it. You would think its a fuckin hemroid from sitting on your fat asses being STUPID that’s from Lauren Lucy also Lauren wants you to know that Lucy is coded for Lucky go get your fuckin Madonna lucky star you tube app for your dumb fucking brains. Lauren says fuck you.

Lauren is getting drunk she says fuck you for doing this to her she knows all about you by reading your shit and yeah you fuckin bitch it’s all robo cause you’ve got your head so fuckin up your ass it takes that much to spell it out for you but we know more than Lauren does and we know your days are limited with them up your assholes. Have fun kiddos! CIA

I only browse the web with iOS devices, rarely my computer. iOS apps are allegedly sandboxed. Has anyone seen any evidence of iOS hacks using these techniques?

If you think by switching OS or encrypting it all, you can escape the IT Intrusion Industry you are wrong. https://www.privacyinternational.org/blog/six-things-we-know-from-the-latest-finfisher-documents

Lauren says your coding is too elementary shut the fuck up dumb ass even Lauren could code better than that this isn’t fucking first grade anymore fucking code better shit face…Lauren

What code EXACTLY is being “injected” into the YouTube datastream? Because if it’s taking advantage of FLASH, then this should be just one MORE, GIANT NAIL in the coffin of that PoS pile-of-beetle-dung software. For crissakes, YTF hasn’t HTML5 embedded-video wiped that gawdawful abomination of a malware-welcome-mat off the face of the freaking planet yet?!!???!!!??

You’re adding to the problem by making people think they’re safe when they use SSL. They’re not.

Powerful enough agencies have access to certificate authorities (CAs) that are accepted by all browsers. To explain it, CAs are those companies like Verisign or Thawte where you can buy SSL certificates. The browser just looks if a certificate it gets from a server is signed by one of the CAs it knows and trusts. If yes (and some other tests are ok, like the cert hasn’t expired etc.), the browser accepts the certificate as valid.

Now, if a secret service wants to read your communication to a certain service and maybe launch an attack as described above, it simply generates a valid SSL certificate for such a server, like mail.google.com, for example. It then uses devices like the ones described above, and when you try to access mail.google.com, they answer instead and present their own certificate for mail.google.com. The browser says “Good, everything ok, the certificate is valid.” They’ll then forward the traffic to the real mail.google.com and, the other way round, forward mail.google.com’s answers to you, so that everything looks perfectly normal to you.

But they can read everything, and they can launch attacks as described in the article.

Even if they’re not able to crack the encryption, SSL by design is not at all safe, at least not against adversaries that are powerful enough to have access to a browser-valid CA and hardware as described in the article.

FinFisher website written in PHP – :-( fail

the easiest way to prevent http-based sniffing and injection is to force https only at your Internet connection gateway as shown here – then even this proof of concept above doesn’t work…

https://www.dnsthingy.com/blog/2014/06/https-only

“intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge”

Utter BS. “traffic”, in this case video content, can’t take control of a computer.

M M-B – per your main article, it appears that a user still has to infect himself by actively agreeing to run some code – a fake Flash plugin upgrade, for example. Is that correct?

Excellent stuff. Was sort of vaguely aware of this issue, but this was really helpful.

I don’t get it. What is the nature of the threat discussed in the title beyond “flash players have security holes”? How is finfishers sw new/different from any other malware or spyware? How does encrypting the video stream mitigate against the attack? Wouldn’t it be the cert authentication more than encryption that would secure against an attack… And what about not using flash at all as a partial fix?

Is this just about man in the middle attacks and network injection generally or is there something particular to YouTube?

There are a lot of stories about telecoms and satellite services stealing one another’s codes to sink one another’s battleships. See Usual Suspect, Ripper Murdoch.

On the down and low I read TalkTalk’s head hates those mobile ad network app hoodies. I just can’t find where he said that. He said they have made his dumbpipe life a misery he’d like to off load. So I just assumed the mobile ad network is NSA since that very day about a year or two ago, I’m getting to downloaded with data in my mind palace.

bababooey bababooey howard stern’s ass bababooey