Newsletter from Kushal

Containing random links to read about privacy, security, programming and FOSS in general. Sometimes about life.

This week a small Indian company made a name for themselves when Citizen Lab reported how they hacked a large number of people as “hackers for hire”. The company, nicknamed “Dark Basin”, is BellTroX InfoTech Services, based out of Delhi. They attacked people from many different backgrounds: journalists, NGOs, EU parliament members. You should also read the excellent story from Reuters on the same topic.

Must read

Many of the younger readers have never read the Hacker Manifesto, published in Phrack back in 1986.

Book for the week

I discovered Practical Typography and enjoyed reading it a lot. The book is filled with practical tips and details that we don't think much about on a typical day. But I feel this is something everyone should read at least once.

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

Two weeks ago I did a full-week Advanced Programming training under David Beazley. I had wanted to do a full training under him for over a decade, and I finally managed to do so. In this training we talked about different programming ideas and used Python to solve a few problems. But it was not about using Python; it was more about how to think about a problem. The course had a lot to digest.

During the training I remembered a question from a non-computer-science person: they wanted to read or watch something to know and understand the basic terms of Computer Science. This is an almost 8-hour-long, 41-video course on that topic from Carrie Anne Philbin. It covers the history and many important details.

This week we also had the Tor Browser 9.5 release, which includes many user-focused features. I wrote about a few of them in my blog.

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

Facebook buying Giphy is one of the biggest stories of this week. This purchase gives Facebook a view into many forums, internal chat rooms and Slack channels, which was not possible for them before. People who care about their privacy now have to think twice before using any GIFs from Giphy. Signal also allows GIFs in its messaging system, but made sure that this does not break people's privacy. Many users asked about this on Twitter this week, and Signal was ready :)

In other big news, Santa Cruz police in the US used surveillance devices from the military on students. This story should remind you that these things don't only happen in Hollywood spy movies. The problem is real, and all of our privacy is at risk.

Meanwhile, NSO changed their product's name and tried to sell it to local US police departments. Another amazing story from Joseph Cox.

Before you close the email (or the tab in the browser), I want you to read this excellent story on Marcus Hutchins by Andy Greenberg. I found the story very detailed, with many previously unknown facts about Marcus, and super personal at the same time.

Sandworm is one of the best books I read in 2019 (from the same author). If you have not read it yet, please get a copy and read it through. You will not only enjoy the book but also learn many new facts.

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

Last week there were many different big news items, from significant-size data breaches to Zoom buying https://keybase.io. Though a few friends are not happy about this acquisition, most people just want to wait and see how this goes. There is a big chance that the Keybase team will stay on and make Zoom better.

In my last newsletter, I pointed out an attack in the wild using SaltStack. After I sent out the newsletter, there were other instances of the attack using the same vulnerability. Here is a detailed blog post on the Akamai site about the same.

Video for the week

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

This week I want to point you to this video about the COBOL programming language by Professor Mar Hicks. It is 13 minutes long, which means you can learn a bit of history very quickly.

There is also an interview with Ali Gharavi published a few weeks ago. In it he talks about his arrest, detention, and the court case.

Video for the week

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

In the last few weeks, video conferencing became the primary way to stay in touch. Zoom saw a rise in daily users from 10 million per day to 300 million per day. The company preferred to focus on usability rather than security. But this is also a time when security researchers worldwide are sitting at home under lockdown. Becoming the most visible product in the market at this hour has a downside :) People found all sorts of issues in Zoom.

If you are still trying to understand the difference between various video conferencing tools, my friend and colleague Martin Shelton wrote this detailed article listing many of the major tools.

Video for the week

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

Last weekend I was at NULLCON in Goa. It is one of India's largest security conferences. This year, Micah Lee was the keynote speaker, and he spoke about all the alleged whistleblowers who were prosecuted during the Trump era.

Since last year, the NULLCON organizers have also focused on a special track for media and activists. Micah also gave the opening talk in that track, and after that we had a panel (co-hosted with Hasgeek, organized by Zainab and Anwesha) on the “Anatomy of Internet Shutdowns”. The four panelists were Arjun Venkatraman, Prateek Waghre, Raman Jit Singh Chima and Shehla Rashid Shora. They spoke about the situation in India (which has the world's highest number of shutdowns) and the issues people face during the shutdowns.

After the panel, Saikat Datta talked about “Surveillance and journalism”, with many practical examples. For the rest of the day, I ran my “Digital Security workshop” for the journalists. We went through the basics and also answered the specific questions people had.

I want to especially thank Antriksh, Prateek and the rest of the organizers of NULLCON for providing this safe space for journalists and activists to meet and discuss issues.

If you read the Caravan story about one of the activists from the Bhima Koregaon case, you will see the kind of environment (both legal and digital-security-wise) our activists go through. There is a clear presence of malware, and the police decided to skip it altogether.

This also brings our attention to the fights for privacy and online freedom, especially by the Internet Freedom Foundation. We never had a similar organization in India working on digital rights in the Internet era. To keep the fight on, the organization needs more regular donor members. To all of my Indian readers: if you can, please support the organization by becoming a donor member. The team there is doing an amazing job and needs our support in every way possible.

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

I am writing this letter after more than a month. There are too many things I want to write about, but I am going to keep this one very short and focused on attacks on mobile phones. Since last night, the biggest news on the Internet is about the crown prince of Saudi Arabia sending malware to the richest person in the world, Jeff Bezos.

The story is on almost every news site. The incident involved some kind of 0-day attack via WhatsApp, and this is not the first time. Citizen Lab has recorded more than 100 new abuse cases.

Videos for the week

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

As the news of two malicious Python packages on PyPI spread across the Internet, I started revisiting all the hours our team at Freedom of the Press Foundation spent thinking about exactly this kind of attack and the ways to mitigate it. In this particular case, the attackers used typosquatting: they registered project names similar to existing packages and shipped malware-ridden code under them.

I gave a talk, Building reproducible Python applications for secured environments, at PyCon US this year on the mitigation processes we follow. In simple words, we verify every source code update by reading the changes manually (with human eyes plus tools), and then build the wheel files ourselves and store them on our own index. Everything also gets verified via GPG signatures and known sha256sums.

We also publish the verification results on a wiki page and mail them to the diff-review mailing list. Feel free to join there, and let others know too.
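Two of the checks described above, the "known sha256sums" step and a guard against typosquatted names, as an added example. This is not Freedom of the Press Foundation's own tooling, and every package name, the "wheel" bytes and the pin table below are constructed for the demo; the allowlist and edit-distance threshold are assumptions of this example, not a policy the newsletter states.

```python
"""
Defender-side checks for a private package index workflow (added example).

1. verify_artifact(): a downloaded file is accepted only if its sha256 matches
   the digest pinned when the release was reviewed. The compare is constant-time
   and an unpinned filename is always rejected.
2. classify_requirement(): a requested package name is compared against the
   allowlist of reviewed names after PEP 503 normalisation. A name within a small
   edit distance of a trusted name, but not equal to it, is reported as a
   typosquat candidate; anything else not on the list is "unknown".
"""
import hashlib
import hmac
import re

# PEP 503: runs of '-', '_' and '.' are equivalent and names are case-insensitive.
PEP503_SEP = re.compile(r"[-_.]+")


def normalize_name(name: str) -> str:
    """Normalise a project name so 'Python_DateUtil' == 'python-dateutil'."""
    return PEP503_SEP.sub("-", name).lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifact(pins: dict, filename: str, data: bytes) -> str:
    """Record the digest of a reviewed artifact (the 'known sha256sums' table)."""
    digest = sha256_hex(data)
    pins[filename] = digest
    return digest


def verify_artifact(pins: dict, filename: str, data: bytes) -> bool:
    """Accept the downloaded bytes only if a pin exists for this file and matches."""
    expected = pins.get(filename)
    if expected is None:
        return False  # never install something nobody reviewed
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(expected, sha256_hex(data))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_requirement(requested: str, trusted: set, max_distance: int = 2) -> str:
    """Return 'trusted', 'typosquat:<closest trusted name>' or 'unknown'."""
    req = normalize_name(requested)
    trusted_norm = {normalize_name(t) for t in trusted}
    if req in trusted_norm:
        return "trusted"
    near = sorted(t for t in trusted_norm if edit_distance(req, t) <= max_distance)
    if near:
        return "typosquat:" + near[0]
    return "unknown"


if __name__ == "__main__":
    # Constructed demo data: a reviewed allowlist and a requirements list to vet.
    TRUSTED = {"requests", "urllib3", "Django", "python-dateutil"}
    for name in ["requests", "reqeusts", "urlib3", "python_dateutil", "cryptography"]:
        print(f"{name:18s} -> {classify_requirement(name, TRUSTED)}")

    pins = {}
    wheel = b"constructed wheel bytes, reviewed and built locally\n"
    pin_artifact(pins, "example_pkg-1.0-py3-none-any.whl", wheel)
    print("genuine  :", verify_artifact(pins, "example_pkg-1.0-py3-none-any.whl", wheel))
    print("tampered :", verify_artifact(pins, "example_pkg-1.0-py3-none-any.whl", wheel + b"x"))
```

In practice the pin table is the same idea as a `requirements.txt` with `--hash=sha256:...` entries installed under `pip install --require-hashes`; the function here just makes the decision explicit. The edit-distance threshold is a trade-off: 2 catches swapped or dropped letters, but on very short names it will also flag unrelated packages, so a real index would review "typosquat" results rather than block them silently.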

Video for the week

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.

Kushal

Sharing files securely with others over the network is always a big task. Which tool to use? Should I email them, use SCP, or copy them over to some secret server? OnionShare is a solution that fits most use cases and threat models. The tool works on Linux/Windows/macOS. You select the files, and it gives you an .onion URL from which your friend can download them; you can even mark the share for a single download only.

Infosec folks have been talking for a long time about not using random USB ports to charge your phone. You must have seen those ports in airport lounges or cafes. Now US government agencies have finally released advisories to let people know that this is risky: a USB connection carries data lines as well as power, so the port on the other end can talk to your phone. Do not use any random cable or port to charge your phone. SyncStop is a small USB device that can help if you have to use ports in different places.

Videos for the week

The Intercept is running a series on the Iran Cables leaks.

You can find me in the fediverse https://toots.dgplug.org/@kushal. Feel free to ask me any questions or start a discussion over there.

Kushal
