Government vs Corporations: The Battle of Security and Privacy

After Edward Snowden released information that the NSA was tapping into private companies' servers and taking their information without their knowledge, corporations made promises to customers and buffed up the security on their servers immensely. Higher levels of encryption, no backdoors, and hardened servers make it much harder for hackers to break into your sensitive information, but they also keep the government out.

The United States is currently in, or contemplating, legal battles with large tech companies such as Apple, Google, and Microsoft to compel them to hand over information, break their encryption, or leave the government a way in to look at the data itself. In Microsoft's case, the company refuses to hand over data to the U.S. government without an Irish warrant, because the servers the data is stored on are in Dublin. Companies aren't willing to cooperate with the government on this because of the promises they made to their customers, and because of the huge security breaches it could cause, leaving possible holes for hackers to steal or tamper with data.

The UK is facing a similar issue: MI5 is looking for more power from Parliament to keep up with technological advances, and Andrew Parker, Director General of MI5, recently said in an interview that companies have an ethical responsibility to turn over the information the government wants.

Major corporations remain hesitant to readily hand over information to the government, for fear of backlash from consumers and because the government has not really been truthful with them in the past. This argument is definitely one that comes down to ethics, and we must determine at what point we sacrifice too much privacy for the sake of security. We will have to see what the courts or Congress say on the matter.


– Quinn White

Proxyham and its Disappearance

There are many different technologies that provide anonymous internet access. While private access to the internet is good for many people, it can be critical for journalists and activists. Tor, which uses onion routing, and VPNs, which provide encrypted tunnels for data, are two examples. But all these solutions have weaknesses. With Tor you never know who is running the exit node you use, and there may also be defects in how legitimate exit nodes handle data. VPN providers may keep logs that they must provide to the government under a court order. The issue with all these technologies is that they are fully virtual: there is still a direct network link, however well obfuscated, that leads directly to you.


Photo Courtesy of Ben Caudill and Wired

Benjamin Caudill, the founder of Rhino Security Labs, came up with a solution. It is called Proxyham. He calls it a physical proxy, to be used as a complement to traditional tools such as Tor. Proxyham is a small device based on a Raspberry Pi that contains a traditional 2.4 GHz or 5 GHz Wi-Fi radio, as well as a long-range 900 MHz transmitter. The device can be left near a public hotspot. It then forwards the Wi-Fi connection over 900 MHz, up to 2.5 miles, to the real user. The genius of this solution is that even if a trace does manage to get through whatever other obfuscation methods you use, investigators will only find the IP address and location of the Proxyham. “You can have it all the way across town, and worst case scenario the police go barge into the library across town,” Caudill said. … The internet signal travelling back to the user is at such low frequency, Caudill added, that it’s really hard for anyone to track it down. At that frequency, “the spectrum is crowded with other devices,” such as baby monitors, walkie talkies, and cordless phones. – Wired

Caudill had planned to present at this year’s DefCon next month. But last Friday, the Twitter feed of Rhino Security Labs posted that the presentation was no longer taking place. DefCon has also confirmed that Caudill informed them that he was not going to present. Not only is he not presenting at DefCon, the entire project has been canceled, all prototypes destroyed, and research halted. In a call from Wired, Caudill said he couldn’t say why he canceled the project. He is CEO of his own company, so it wasn’t his employer. There was speculation that the FCC found fault with how the device used the 900 MHz band, but Caudill refuted this claim, stating that the device transmitted at under the 1 watt limit. So far the only explanation that makes any sense is that he is under a gag order by… somebody. When asked if he had a run-in with law enforcement, he replied, “No comment.”

As stated by Wired, “Online anonymity tools certainly aren’t illegal. Tools like VPNs have allowed users to obscure their IP addresses for years. The anonymity software Tor is even funded by the U.S. government. But it’s possible that secretly planting a ProxyHam on someone else’s network might be interpreted as unauthorized access under America’s draconian and vague Computer Fraud and Abuse Act.”

So is the government now cracking down on the development of security technology it can’t crack? Look at what is happening to Apple in relation to iMessage and full-device encryption. They are being punished for using this kind of security. If it were simply a matter of conforming to the Computer Fraud and Abuse Act, why all the secrecy?

This blog was based on two articles, one by Wired, detailing the disappearance of the project:

And another by Motherboard cited in the Wired post with a more detailed explanation of the initial proposal by Rhino Security Labs:

Edit:  Interesting speculation by hackaday:

Let’s Speculate Why The ProxyHam Talk Was Cancelled

It’s July. In a few weeks, the BlackHat security conference will commence in Las Vegas. A week after that, DEFCON will begin. This is the prime time for ‘security experts’ to sell themselves, tip off some tech reporters, exploit the Arab Spring, and make a name for themselves. It happens every single year.

The idea the ProxyHam was cancelled because of a National Security Letter is beyond absurd. This build uses off the shelf components in the manner they were designed. It is a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges, but so will blowing up a mailbox with some firecrackers.

If you believe the FBI and other malevolent government forces are incompetent enough to take action against [Ben Caudill] and the ProxyHam, you need not worry about government surveillance. What you’re seeing is just the annual network security circus and it’s nothing but a show.

The ProxyHam is this year’s BlackHat and DEFCON pre-game. A marginally interesting security exploit is served up to the tech media and devoured. This becomes a bullet point on the researcher’s CV, and if the cards land right, they’re able to charge more per hour. There is an incentive for researchers to have the most newsworthy talk at DEFCON, which means some speakers aren’t playing the security game, they’re playing the PR game.

In all likelihood, [Ben Caudill] only figured out a way to guarantee he is the most talked-about researcher at DEFCON. All you need to do is cancel the talk and allow tech journos to speculate about National Security Letters and objections to the publication of ProxyHam from the highest echelons of government.

If you think about it, it’s actually somewhat impressive. [Ben Caudill] used some routers and a Raspberry Pi to hack the media. If that doesn’t deserve respect, nothing does.

UK’s attacked with “malvertising”

A dating website that helps people find the perfect “match” has recently been attacked with so-called “malvertising.” Only the United Kingdom version of the site has been hit so far. Jérôme Segura, senior security researcher at Malwarebytes, notified the site’s advertising provider about the malware. He told them that their ad channel was being used to host a crimeware toolkit called the Angler Exploit Kit (AEK). AEK compromises a person’s PC by finding unpatched flaws on it. The Angler Exploit Kit is also known to be linked with the Bedep ad-fraud Trojan as well as CryptoWall ransomware. The same malvertising attacked another site, Plenty of Fish, which is owned by the same company. The malvertising works by disguising itself as a regular ad on the site; when a user clicks the ad, it installs malware onto the user’s PC or mobile device.

After being alerted to these attacks, the site’s UK arm suspended all advertisements on its site and app until the issue is resolved. A spokeswoman for the company said, “We advise all users to protect themselves from this type of cyber-threat by updating their anti-virus/anti-malware software.” The attack cost the attackers very little, because the CPM, or cost per thousand impressions, was only 36 cents. What this means is that for every 1,000 computers or other devices shown the ad, the malicious ad cost only 36 cents.

Many companies are now trying to find and report ransomware like the one that hit the site. Ransomware can be distributed in many forms, such as phishing emails, exploit kits, spam, and malvertising. Ransomware can lock up an infected computer, steal a user’s personal information, and demand a ransom to get that information back, hence the name. The site has yet to fix this issue and is continuing to try to do so.


Author: Matthew J. Schwartz

By: Niccolo Dechicchio

Are baby monitors the new targets for hackers?

Rapid7 released reports at the beginning of this month describing newly found vulnerabilities in baby monitors. These faulty monitors, from several different manufacturers, were found to suffer from predictable information leaks, backdoor credentials, and privilege escalation flaws. Hackers have the ability to tap into these baby monitors since few security measures are taken to protect the content stored on or tied to them.

According to this article by Richard Adhikari, “Backdoor credentials — the vulnerability most frequently found — showed up in five products from different manufacturers.” This finding tells me that manufacturers do not have proper controls on how information on these monitors is protected and encrypted.

So what’s the big deal if hackers have access to the baby monitors in your house? It’s not like a great deal of financial or personal information is tied to them, right? No, it’s not like they are accessing that type of information, but what can be leaked by hacking into these monitors includes video and audio from the device, either from a live stream or from previously recorded clips, according to Mark Stanislav, senior security consultant for global services at Rapid7. No parent aware of the capabilities these cyber intruders have would allow a device in their home through which a stranger could watch their child.

“In the race to market and bring products to consumers, inattention to security is likely to be an issue,” said Craig Spiezle, executive director of the Online Trust Alliance. It is morally wrong for companies to make getting their product to market more important than the security of the device. Manufacturers “need to look at the risk and vulnerability and areas for abuse…. they need to design in the ability to patch or remediate once the product leaves their factory,” Spiezle added. The problem only gets worse if you consider other uses of these defective products in the business sphere: compromised devices could be used to spy on people in their offices.


Author: Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it’s all leading.

By: Lisa Hornak

Stingray Use In Baltimore

Stingrays are devices that act like a cell tower and are used to intercept phone and text signals. They cost about $400,000 and are useful in helping to solve serious crimes. This article focuses on the use of stingrays in Baltimore. Previously, the FBI forced users of this device to sign a non-disclosure agreement, meaning that if police officers used it, they could not talk about its use. However, the FBI has recently stated that the police can talk about its use; this is a big deal because now all the cases in which stingrays were used are being published. Additionally, it has now come to light that stingrays are being used in petty crime cases such as theft. While stingrays help facilitate the process of catching someone who has committed such a crime, they also interfere with innocent bystanders’ phones. Some believe that in doing so, they violate those people's rights. The devices do not discriminate when it comes to collecting information, so innocent people are concerned for their own. Some senators are also targeting stingrays by trying to pass a bill that would require warrants before their use. So far, stingrays have been used in over 4,300 cases in Baltimore alone. What does that mean for the rest of the country?

The problem that most people are concerned with is that the stingrays collect information on people who are innocent as well as guilty. This means that everyone who is connected to the stingray will potentially have their information read or used by the police. This is a huge security problem because there are currently no defenses for us against it, nor are there laws to protect citizens. In my opinion, the policies behind the use of stingrays need reform because right now, people who are directly involved are in danger of having their valuable information exposed.

Thomas, Coburn