[liberationtech] Stephan Faris: The Hackers of Damascus – Businessweek

Yosem Companys companys at stanford.edu
Tue Nov 27 12:18:41 PST 2012


Very cool.  If you have a distribution list for that, Andrew, please put me
on it.  I'm very interested in this topic, especially since I struggle with
it every day on Twitter.

(For Liberationtech, we're forced to tweet articles sometimes that are not
necessarily at the caliber we would like, simply because the news story --
even when it could have been written better -- is too important not to
disseminate.)

YC

On Tue, Nov 27, 2012 at 12:00 PM, Andrew Haeg <aohaeg at gmail.com> wrote:

> Yosem: I couldn't agree more with you. And, I think along those lines we
> should start thinking of pieces like Stephan's less as the endpoint and
> more a spark for conversation -- a hypothesis, if you will, seeking
> comment, relevant expertise, etc. I invited Stephan to share his response
> for that very reason: so his thinking, and ours, could evolve.
>
> There was once a movement called Precision Journalism <http://www.unc.edu/~pmeyer/book/> that some of us interested in changing how journalism works are dusting off
> and revisiting. It's just what you describe, Yosem -- a method for aligning
> journalistic inquiry and reportage with the scientific method. I hope the
> platform I'm building <http://groundtruth.co> (code named GroundTruth for
> now, but will be renamed soon), will be one tool in the precision
> journalist's toolkit.
>
> - Andrew
>
>
>
>
> On Tue, Nov 27, 2012 at 1:47 PM, Yosem Companys <companys at stanford.edu> wrote:
>
>> Yeah, though I would add that the points you raise, Jillian, apply to
>> journalism in general.
>>
>> As an outsider, I find that journalists look to tell stories they find
>> interesting via selective anecdotes.  But they would do better in most
>> cases applying a scientific method to telling their stories (e.g., using
>> the comparative approach, playing devil's advocate with their arguments and
>> stating why competing explanations don't hold, questioning common sense
>> causality, and backing up their pieces with scientific research).
>>
>> In the early 20th century, doing all of these things would have been
>> quite an undertaking; in the 21st, all the media tools at our disposal make
>> this a cinch.
>>
>> On Tue, Nov 27, 2012 at 11:37 AM, Jillian C. York <jilliancyork at gmail.com> wrote:
>>
>>> I really appreciate Stephan's comments here, but as an insider/outsider
>>> (that is, someone working on this issue closely but who had absolutely
>>> nothing to do with this particular story), I think that the concerns raised
>>> are nonetheless valid.
>>>
>>> It's clear to me that there was no ill-intent on the part of the author,
>>> but the simplification of networks by media is inherently problematic, in
>>> that stories like this are then picked up by funders, government officials,
>>> etc, looking for quick-and-dirty solutions.  While in this case, I don't
>>> take issue with any of the actors Stephan focused on, I could offer up a
>>> dozen prime examples where such oversimplification was indeed harmful or
>>> counterproductive (James Ball's recent piece on circumvention tools <http://www.washingtonpost.com/world/national-security/online-tools-to-skirt-internet-censorship-overwhelmed-by-demand/2012/10/21/390457a2-082d-11e2-858a-5311df86ab04_story.html> in the WaPo comes to mind).
>>>
>>> If we are to move to a productive conclusion from this, I think it's the
>>> need to inform journalists on *why* their simplifications can be so
>>> problematic - which begs questions like, "who is this piece intended to
>>> inform?" and "who will it actually inform?"
>>>
>>> Just my two cents,
>>> Jillian
>>>
>>> On Tue, Nov 27, 2012 at 7:55 AM, Andrew Haeg <aohaeg at gmail.com> wrote:
>>>
>>>> I shared this thread's thoughts with the author, Stephan (cc-ed here).
>>>> And here's what he wrote and asked me to share with the group:
>>>>
>>>> "Interesting discussion. Having given it a little thought, it might be
>>>> worth pointing out on the list that John and the other people I interviewed
>>>> were careful to stress, several times over, that they were part of a larger
>>>> community working in this space. Indeed, in reporting this piece I spoke to
>>>> Syrian revolutionaries, international activists, a variety of hackers,
>>>> people at think tanks and research institutions and so on. Some were
>>>> comfortable to be mentioned. Others spoke to me on the explicit condition
>>>> that they not be. In any case, for the purposes of telling what I hope was
>>>> a compelling story, I finally decided to keep the focus on just one small
>>>> slice of the Syrian cyberwar: a handful of representative figures who I
>>>> thought a) illustrated some aspect of the large battle, b) had a direct
>>>> role in the larger effort to neutralize the DarkComet malware and c) were
>>>> willing to share their experiences under their real names. I don't think
>>>> that decision detracts from the other, broader story of this battle as a
>>>> community project. And it certainly doesn't prevent somebody else from
>>>> telling the same tale from that perspective. Just my thoughts, if you don't
>>>> mind passing them on (along with my email address for anybody who might
>>>> want to continue this discussion directly). -s"
>>>>
>>>> As he says, feel free to respond directly to him with your thoughts.
>>>>
>>>> - Andrew
>>>>
>>>>
>>>> On Mon, Nov 26, 2012 at 6:26 AM, John Scott-Railton <railton at ucla.edu> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> A few thoughts on the article. It uses a thread of one process of
>>>>> dealing with malware and attacks in Syria to tell its story, and highlights
>>>>> a couple of people who collaborate with each other and some of what they
>>>>> have been doing.  It makes for an engaging read.  But for someone who reads
>>>>> it and doesn't know the space this article could be read as suggesting that
>>>>> this group of people is the only game in town.  It isn't.  By far.
>>>>>
>>>>>  The reality is decentralized, diverse and very collaborative.  A
>>>>> community, in other words. And these communities are what make things
>>>>> happen.  There are many networks of Syrians, technologists and folks in the
>>>>> community of activists working on identifying and responding to malware and
>>>>> other electronic attacks against the Syrian opposition. Or those working on
>>>>> analyzing the techniques and tools of surveillance deployed at the network
>>>>> level in SY.  The community process by which Dark Comet was first
>>>>> identified after some false starts and unknown binaries first started
>>>>> floating around the community is a great example. So was the later
>>>>> discussion of Dark Comet and the ethical dimensions of the tool. Props to
>>>>> TCX and their collaborators here, for example. There are many others who've
>>>>> chosen to keep their names out of the media. The work of all of these
>>>>> people contributes to all we know now, and serious progress on a lot of
>>>>> fronts.
>>>>>
>>>>> A final note: I also wanted to acknowledge a particular person whose
>>>>> name was surprisingly missing from the group specifically mentioned in the
>>>>> Bloomberg piece, and who deserves credit for her role:  Eva
>>>>> Galperin, International Freedom of Expression Coordinator and prolific
>>>>> blogger at EFF who will be familiar to many of you as the co-author
>>>>> with Morgan Marquis-Boire on every piece of blogging on SY malware that EFF
>>>>> has posted to date.
>>>>>
>>>>> J
>>>>>
>>>>>
>>>>> On Nov 15, 2012, at 12:02 PM, ilf <ilf at zeromail.org> wrote:
>>>>>
>>>>> http://www.businessweek.com/articles/2012-11-15/the-hackers-of-damascus
>>>>>
>>>>> Taymour Karim didn’t crack under interrogation. His Syrian captors
>>>>> beat him with their fists, with their boots, with sticks, with chains, with
>>>>> the butts of their Kalashnikovs. They hit him so hard they broke two of his
>>>>> teeth and three of his ribs. They threatened to keep torturing him until he
>>>>> died. “I believed I would never see the sun again,” he recalls. But Karim,
>>>>> a 31-year-old doctor who had spent the previous months protesting against
>>>>> the government in Damascus, refused to give up the names of his friends.
>>>>>
>>>>> It didn’t matter. His computer had already told all. “They knew
>>>>> everything about me,” he says. “The people I talked to, the plans, the
>>>>> dates, the stories of other people, every movement, every word I said
>>>>> through Skype. They even knew the password of my Skype account.” At one
>>>>> point during the interrogation, Karim was presented with a stack of more
>>>>> than 1,000 pages of printouts, data from his Skype chats and files his
>>>>> torturers had downloaded remotely using a malicious computer program to
>>>>> penetrate his hard drive. “My computer was arrested before me,” he says.
>>>>>
>>>>> Much has been written about the rebellion in Syria: the protests, the
>>>>> massacres, the car bombs, the house-to-house fighting. Tens of thousands
>>>>> have been killed since the war began in early 2011. But the struggle for
>>>>> the future of the country has also unfolded in another arena—on a
>>>>> battleground of Facebook (FB) pages and YouTube accounts, of hacks and
>>>>> counterhacks. Just as rival armies vie for air superiority, the two sides
>>>>> of the Syrian civil war have spent much of the last year and a half locked
>>>>> in a struggle to dominate the Internet. Pro-government hackers have
>>>>> penetrated opposition websites and broken into the computers of Reuters
>>>>> (TRI) and Al Jazeera to spread disinformation. On the other side, the
>>>>> hacktivist group Anonymous has infiltrated at least 12 Syrian government
>>>>> websites, including that of the Ministry of Defense, and released millions
>>>>> of stolen e-mails.
>>>>>
>>>>> The Syrian conflict illustrates the extent to which the very tools
>>>>> that rebels in the Middle East have employed to organize and sustain their
>>>>> movements are now being used against them. It provides a glimpse of the
>>>>> future of warfare, in which computer viruses and hacking techniques can be
>>>>> as critical to weakening the enemy as bombs and bullets. Over the past
>>>>> three months, I made contact with and interviewed by phone and e-mail
>>>>> participants on both sides of the Syrian cyberwar. Their stories shed light
>>>>> on a largely hidden aspect of a conflict with no end in sight—and show how
>>>>> the Internet has become a weapon of war.
>>>>>
>>>>> The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the
>>>>> Arab Spring was reaching a crescendo, the government in Damascus suddenly
>>>>> reversed a long-standing ban on websites such as Facebook, Twitter,
>>>>> YouTube, and the Arabic version of Wikipedia. It was an odd move for a
>>>>> regime known for heavy-handed censorship; before the uprising, police
>>>>> regularly arrested bloggers and raided Internet cafes. And it came at an
>>>>> odd time. Less than a month earlier demonstrators in Tunisia, organizing
>>>>> themselves using social networking services, forced their president to flee
>>>>> the country after 23 years in office. Protesters in Egypt used the same
>>>>> tools to stage protests that ultimately led to the end of Hosni Mubarak’s
>>>>> 30-year rule. The outgoing regimes in both countries deployed riot police
>>>>> and thugs and tried desperately to block the websites and accounts
>>>>> affiliated with the revolutionaries. For a time, Egypt turned off the
>>>>> Internet altogether.
>>>>>
>>>>> Syria, however, seemed to be taking the opposite tack. Just as
>>>>> protesters were casting about for the means with which to organize and
>>>>> broadcast their messages, the government appeared to be handing them the
>>>>> keys.
>>>>>
>>>>> Dlshad Othman, a 25-year-old computer technician in Damascus,
>>>>> immediately grew suspicious of the regime’s motives. Young, Kurdish, and
>>>>> recently finished with his mandatory military service, Othman opposed
>>>>> President Bashar al-Assad. Working for an Internet service provider, he
>>>>> knew that Syria—like many other countries, including China, Iran, Saudi
>>>>> Arabia, and Bahrain—controlled its citizens’ access to the Web. The same
>>>>> technology the government used to censor websites allowed it to monitor
>>>>> Internet traffic and intercept communications. Popular services such as
>>>>> Facebook, Skype, Google Maps, and YouTube gave Syria’s revolutionaries
>>>>> capabilities that until a couple of decades ago would have been available
>>>>> only to the world’s most sophisticated militaries. But as long as Damascus
>>>>> controlled the Internet, they’d be using these tools under the eye of the
>>>>> government.
>>>>>
>>>>> Shortly after the Syrian revolution began in March 2011, Othman’s
>>>>> political views cost him his job. He decided to dedicate himself full time
>>>>> to the opposition, joining the Syrian Center for Media and Freedom of
>>>>> Expression in Damascus to document violence against journalists in the
>>>>> country. He also began teaching his fellow activists ways to stay safe
>>>>> online. Othman instructed them how to encrypt e-mails and encouraged them
>>>>> to use tools like Tor software, which enables anonymous Web browsing by
>>>>> rerouting traffic through a series of distant servers. When Tor turned out
>>>>> to be too slow to live-stream protests or scenes of government attacks
>>>>> against civilians, Othman began purchasing accounts on virtual private
>>>>> networks (VPNs) and sharing them with his friends and contacts. A VPN is
>>>>> basically a tunnel inside the public Internet that allows users to
>>>>> communicate in a secure fashion. For a monthly fee, you can buy access to
>>>>> servers that create encrypted paths between computers; the VPN also
>>>>> disguises the identities and locations of your machine and others on the
>>>>> network. Spies can’t read e-mails sent via VPN, and they have a hard time
>>>>> figuring out where they came from.
>>>>>
>>>>> Othman’s efforts worked at first, but very quickly Damascus blocked
>>>>> off-the-shelf VPNs and upgraded its Internet filters in ways that made the
>>>>> VPNs inoperative. By the summer of 2011, Othman had become frustrated with
>>>>> the Western VPN providers, which he felt were too slow to adapt to the
>>>>> government’s crackdowns. He bought space on outside servers, set up VPNs of
>>>>> his own, and began actively managing them to make sure safe connections
>>>>> remained available.
>>>>>
>>>>> Othman was still training and equipping activists in October 2011 when
>>>>> he made a nearly fatal mistake. He gave an on-camera interview to a British
>>>>> journalist who was later arrested with the footage on his laptop. Warned by
>>>>> a friend through a Facebook message, Othman turned off his phone, removed
>>>>> its SIM card—a precaution to avoid being tracked—and hid in a friend’s
>>>>> Damascus apartment. He never went home. A month and a half later, at the
>>>>> urging of activists who worried his arrest would compromise their entire
>>>>> network, he escaped across the border to Lebanon. “I had been a source of
>>>>> safety for my friends,” he says. “I didn’t want to become a source of
>>>>> danger.”
>>>>>
>>>>> The struggle for Syria has transcended borders. In early 2011, from
>>>>> his office at the University of California at Los Angeles, John
>>>>> Scott-Railton, a 29-year-old graduate student in Urban Planning, joined the
>>>>> revolutions in North Africa and the Middle East. Scott-Railton, working on
>>>>> a dissertation on how poor communities in Senegal were adapting to climate
>>>>> change, had spent time in Egypt and had close friends there. When
>>>>> revolutionaries in Cairo occupied Tahrir Square, he set his studies aside.
>>>>> Working through his contacts in the country, he helped Egyptians evade
>>>>> Internet censors and get their message out to the world by calling
>>>>> protesters on the phone, interviewing them, and publishing their views on
>>>>> Twitter. Later, when the Arab Spring spread to Libya, he did the same, this
>>>>> time working with Libyans in the diaspora to broaden his reach.
>>>>>
>>>>> In Syria, Scott-Railton recognized that the task would be different.
>>>>> Once Assad’s government lifted restrictions on the Internet, activists were
>>>>> having little trouble getting their voices heard; graphic videos alleging
>>>>> government atrocities were lighting up Facebook and YouTube. The challenge
>>>>> would be keeping them safe. “If we’re going to talk about how important the
>>>>> Internet has been in the Arab Spring, we need to think about how it also
>>>>> brings a whole new set of vulnerabilities,” says Scott-Railton. “Otherwise,
>>>>> we’re going to be much too optimistic about what can be done.”
>>>>>
>>>>> The first documented attack in the Syrian cyberwar took place in early
>>>>> May 2011, some two months after the start of the uprising. It was a clumsy
>>>>> one. Users who tried to access Facebook in Syria were presented with a fake
>>>>> security certificate that triggered a warning on most browsers. People who
>>>>> ignored it and logged in would be giving up their user name and password,
>>>>> and with them, their private messages and contacts.
>>>>>
>>>>> In response, Scott-Railton began nurturing contacts in the Syrian
>>>>> opposition, people like Othman with wide networks of their own. “It wasn’t
>>>>> that different from the strategy I had worked out in Libya: Figure out who
>>>>> was trustworthy and then slowly build up,” he says. In the meantime, he
>>>>> contacted security teams at major American technology companies whom he
>>>>> could alert when an attack was detected. Scott-Railton declined to name
>>>>> specific companies but confirmed he was in touch with security experts at
>>>>> some of the biggest brand names. In the past year and a half,
>>>>> pro-government hackers have successfully targeted Facebook pages, YouTube
>>>>> accounts, and logins on Hotmail, Yahoo! (YHOO), Gmail, and Skype.
>>>>>
>>>>> Scott-Railton’s involvement in the Syrian cyberwar wasn’t high-tech.
>>>>> Over several months, he set himself up as a bridge between two worlds,
>>>>> passing reports of hacking on to various companies who could investigate
>>>>> attacks on their users, take down bogus websites, and configure browsers to
>>>>> flag suspect sites as potential threats.
>>>>>
>>>>> For Syrians, the system provided a quick, sure way to limit damage as
>>>>> attempts to break into accounts affiliated with the opposition became more
>>>>> sophisticated. For tech companies, it was an opportunity to address
>>>>> violations as they happened—though those violations have also exposed the
>>>>> vulnerabilities of some of the world’s most popular social networking
>>>>> services.
>>>>>
>>>>> Facebook, which in 2011 responded to hacking attempts in Tunisia by
>>>>> routing communications through an encrypted server and asking users to
>>>>> identify friends when logging in, wouldn’t comment on what, if anything,
>>>>> the company is doing in Syria. Contacted by Bloomberg Businessweek, a
>>>>> spokesperson provided a statement saying: “Security is a top priority for
>>>>> Facebook and we devote significant resources to helping people protect
>>>>> their accounts and information, wherever they live and whatever the
>>>>> circumstances. … We will respond quickly to reports—whether from formal or
>>>>> informal channels—about worrying and problematic security threats from
>>>>> groups, organizations and, on occasion, from governments.”
>>>>>
>>>>> As the war intensified, the cyberattacks waged by pro-government
>>>>> Syrian hackers became more ambitious. In the weeks before his arrest in
>>>>> December 2011, Karim, the young doctor, had begun to suspect his hard drive
>>>>> had been compromised. His Internet bill—which in Syria varies according to
>>>>> the traffic being used—had more than quadrupled, though he still isn’t sure
>>>>> exactly how his computer was infected. He suspects the malware may have
>>>>> been transmitted by a woman using the name Abeer who contacted him on Skype
>>>>> last autumn and sent him photos of herself. Another possibility is a man
>>>>> who sent Karim an Excel spreadsheet and said he could provide monetary
>>>>> support for the revolution.
>>>>>
>>>>> In prison, Karim’s captors mentioned both people. His interrogators
>>>>> knew about his high Internet bills, as well: “The policeman told me, ‘Do
>>>>> you remember when you were talking to your friend and you told him you had
>>>>> something wrong and paid a lot of money? At that time we were taking
>>>>> information from your laptop.’ ”
>>>>>
>>>>> Before the Syrian revolution, Karim had never participated in
>>>>> politics. “I would just go to work and then go home,” he says. But the Arab
>>>>> Spring awakened something inside him, and when demonstrators gathered for a
>>>>> second week of major demonstrations, Karim joined them. The first protest
>>>>> he attended was also the first in which the regime deployed the army to
>>>>> crush dissent, killing dozens of demonstrators across the country. Shortly
>>>>> afterward, Karim signed up to man field hospitals, caring for wounded
>>>>> activists. The worst injuries were from snipers, he recalls. “Sometimes
>>>>> people would be shot in the back, and they’d be paralyzed. Sometimes we
>>>>> found bullets in the face, and all the bones in the face were broken. When
>>>>> we found people shot in the abdomen, sometimes we couldn’t do anything
>>>>> because we didn’t have the proper equipment.”
>>>>>
>>>>> When it came to the Internet, Karim was typical of many of his fellow
>>>>> activists: enthusiastic, naive, and all too often complacent where security
>>>>> was concerned. “Sometimes we’d say to each other, ‘If there was no
>>>>> Internet, there would be no revolution,’ ” he says.
>>>>>
>>>>> Just 18 percent of Syrians use the Internet, and government
>>>>> restrictions along with sanctions by the U.S. and Europe have limited
>>>>> Syrians’ access to updated software and antivirus programs. Karim
>>>>> occasionally used the Tor application recommended by Othman but found the
>>>>> connection too slow for video. A friend in Qatar sent him a link to a
>>>>> secure VPN, but he wasn’t able to download the necessary software.
>>>>>
>>>>> On Dec. 25, 2011, Karim met with a group of doctors to put the final
>>>>> touches on a plan to better coordinate the opposition’s field hospitals.
>>>>> The next day he spoke with a friend on Skype and agreed to meet him to film
>>>>> a Christmas video he hoped would be a show of unity between faiths. When he
>>>>> left his safe house, the police were waiting for him. They knew where they
>>>>> would find him and where he was going. “Skype was the best way for us, for
>>>>> communication,” he says. “We heard that Skype was very safe and that nobody
>>>>> can hack it, and there is no virus for Skype. But unfortunately, I was the
>>>>> first victim of it.”
>>>>>
>>>>> In a statement to Bloomberg Businessweek, a spokesperson for Skype,
>>>>> which is owned by Microsoft (MSFT), said, “Much like other Internet
>>>>> communication tools with a very large user base—be it e-mail, IM, or
>>>>> VoIP—Skype has been used by persons with malicious intent to trick or
>>>>> manipulate people into following nefarious links. … This is an ongoing,
>>>>> industrywide issue faced by all peer-to-peer software companies. Skype is
>>>>> committed to the safety and security of its users, and we are taking steps
>>>>> to help protect them.”
>>>>>
>>>>> Karim spent 71 days in Syrian detention before being released on bail
>>>>> pending a military trial. After his release he fled the country, sneaking
>>>>> from village to village until he arrived in Jordan. There he discovered
>>>>> that many other activists had been contacted by the woman named Abeer. A
>>>>> few weeks after his release, he received a message from her on Facebook
>>>>> offering to send him more pictures. He refused.
>>>>>
>>>>> In January 2012, less than a month after Karim’s arrest, Othman—by
>>>>> then in Lebanon—came across a laptop belonging to an international aid
>>>>> worker. The worker believed the laptop had been compromised. After making a
>>>>> preliminary analysis, Othman sent an image of the entire hard drive to
>>>>> Scott-Railton. Among the people Scott-Railton reached out to was a
>>>>> dreadlocked New Zealander named Morgan Marquis-Boire, a security engineer
>>>>> at Google (GOOG) in California. In his spare time, Marquis-Boire had begun
>>>>> investigating cyberattacks on opposition figures in the Middle East after
>>>>> being approached by activists who saw him speak at a conference. “I’m a
>>>>> firm believer in the facilitation of freedom of expression on the
>>>>> Internet,” he says. “The censorship that occurs when people are afraid to
>>>>> speak is actually the most powerful type of censorship that’s available.”
>>>>>
>>>>> Marquis-Boire, 33, wasn’t the first person to analyze the infected
>>>>> hard drive, but his examination was deep and thorough. The laptop, he
>>>>> determined, had been successfully hacked three times in rapid succession.
>>>>> The first piece of malware had arrived on Dec. 26, 2011, during the early
>>>>> hours of Karim’s detention. It had been sent to the computer’s owner
>>>>> through Karim’s Skype account, embedded in the proposal for the
>>>>> coordination of field hospitals he had finalized the night before his
>>>>> arrest.
>>>>>
>>>>> The malware, DarkComet, was a remote access “trojan.” It allowed its
>>>>> sender to take screenshots of the victim’s computer, monitor her through
>>>>> the video camera, and log what she typed. Every digital move the laptop’s
>>>>> owner made was being recorded—and the reports were being routed back to an
>>>>> IP address in Damascus.
>>>>>
>>>>> The network Scott-Railton had set up was faced with a new challenge.
>>>>> The people behind the attacks were no longer casting a wide net and waiting
>>>>> to see who they caught. They were specifically targeting revolutionaries
>>>>> such as Karim and his contacts. Security experts at major tech companies
>>>>> can restore access to hacked accounts or issue takedown orders when hackers
>>>>> set up fake versions of their websites. But there’s little they can do for
>>>>> a user whose computer has been captured by hackers.
>>>>>
>>>>> Scott-Railton and his collaborators began to study their opponent.
>>>>> Syrians like Othman with close contacts to the opposition began gathering
>>>>> suspicious files that might contain malware and funneling them to
>>>>> Scott-Railton. He passed them on to Marquis-Boire, who published his
>>>>> findings in blog posts for the Electronic Frontier Foundation, an advocacy
>>>>> organization based in San Francisco that promotes civil liberties on the
>>>>> Internet. A pattern soon emerged. The attacks used code widely available
>>>>> online. In the case of the DarkComet trojan that had been sent from Karim’s
>>>>> computer, the malware had been developed by a French hacker in his twenties
>>>>> named Jean-Pierre Lesueur who offered it as a free download on his website.
>>>>>
>>>>> What made the hacks so effective was their deviousness. Malware was
>>>>> discovered in a fake plan to help protesters besieged in the city of
>>>>> Aleppo; in a purported proposal for the formation of a post-revolution
>>>>> government; and on Web pages that claimed to show women being raped by
>>>>> Syrian soldiers.
>>>>>
>>>>> Whenever possible, the people behind the attacks would use a
>>>>> compromised account to spread the malware further. In April 2012, the
>>>>> Facebook account of Burhan Ghalioun, then the head of the Syrian
>>>>> opposition, was taken over and used to encourage his more than 6,000
>>>>> followers to install a trojan mocked up to look like a security patch for
>>>>> Facebook.
>>>>>
>>>>> Scott-Railton’s network allowed antivirus companies to update their
>>>>> software so it would recognize the malware and warn Syrian activists. Once
>>>>> Marquis-Boire identified DarkComet, a group of hackers who went by the name
>>>>> Telecomix began putting pressure on its creator, Lesueur, to take it down.
>>>>> In February 2012, less than a month after the trojan had been discovered,
>>>>> he released a patch that would remove his program from an infected
>>>>> computer. “i was totally shocked to see that the syrian gouv used my tool
>>>>> to spy other people,” he wrote in a typo-laden post on his personal blog.
>>>>> “Since now 4 years i code DarkComet for people that are interested about
>>>>> security, people that wan’t to get an eye on what their childs doing on the
>>>>> internet, for getting an eye to notified employees, to administrate their
>>>>> own machines, for pen testing but NOT AS A WAR WEAPON.”
>>>>>
>>>>> In July, Lesueur took the program down altogether. The weapon that had
>>>>> been launched from Karim’s computer—and very likely the one that landed him
>>>>> in jail—had been disarmed.
>>>>>
>>>>> The cyberwar in Syria rages on. Othman and others like him spend hours
>>>>> fending off attacks on their VPNs. He says he knows of at least two
>>>>> activists who were detained and killed after their computers were
>>>>> undermined. Scott-Railton continues to relay reports of compromised
>>>>> accounts and fake Web pages to contacts in the tech industry. “Every day, I
>>>>> get contacted by Syrians with security concerns,” he says. Marquis-Boire is
>>>>> doing his best to trace the attacks back to their source.
>>>>>
>>>>> Since Karim’s release from detention and his escape from Syria earlier
>>>>> this year, he has lived in Jordan. When he recently ran a scan on his new
>>>>> computer, he found he had been infected once again. “I receive thousands of
>>>>> e-mails, videos, and requests and images from activists and friends,” he
>>>>> says. “And there are a lot of people who I don’t know who they are.” In
>>>>> July the Syrian Electronic Army, a pro-government group, released what it
>>>>> said were 11,000 user names and passwords of “NATO supporters,” meaning
>>>>> members of the Syrian opposition.
>>>>>
>>>>> In October, I attempted to contact the Syrians involved in the
>>>>> government’s cyberwar. Before doing so, I changed most of my passwords. I
>>>>> set up two-step verification on my Gmail account, an extra layer of
>>>>> security that makes it harder for hackers to take over an account remotely.
>>>>> I installed the Tor Browser Bundle and updated the WordPress software on my
>>>>> website. And then I dropped a line on Twitter to @Th3Pr0_SEA, an account
>>>>> that describes itself as belonging to the leader of the Special Operations
>>>>> Department of the Syrian Electronic Army, the most visible virtual actor on
>>>>> the government side. @Th3Pr0_SEA wrote back soon after, and we agreed to
>>>>> meet on Google Chat. Minutes later, somebody tried to reset the password of
>>>>> my Yahoo Mail account.
>>>>>
>>>>> @Th3Pr0_SEA wouldn’t tell me much about himself. Two members of his
>>>>> organization had been kidnapped and murdered by members of the opposition,
>>>>> he said, after posting under their real names on Facebook. He told me he
>>>>> had been a student when the uprising began. When I asked his religion, he
>>>>> answered, “i’m Syrian :)”
>>>>>
>>>>> Researchers have described the Syrian Electronic Army as a
>>>>> paramilitary-style group working in coordination with the country’s secret
>>>>> services and linked to the Syrian Computer Society, a government
>>>>> organization once headed by Assad himself before he became president. In
>>>>> our chat, @Th3Pr0_SEA denied the connection, repeating the group’s claims
>>>>> that it’s not an official entity and that its membership is unpaid,
>>>>> motivated only by patriotism. When I asked why the group’s website was
>>>>> hosted on servers owned by the Syrian Computer Society, he answered that
>>>>> his group paid for the service. “If we host our website outside of Syria
>>>>> servers, it will get deleted and probably hacked,” he wrote.
>>>>>
>>>>> Before I finished my interview with @Th3Pr0_SEA, I asked him whether
>>>>> he had been the one who tried to reset my Yahoo password. He denied it. “i
>>>>> think someone saw you,” he said, “when you talked me on twitter.” He also
>>>>> told me, “there is a big surprise from Special Operations Department coming
>>>>> soon, but i can’t tell you anything about it.”
>>>>>
>>>>> --
>>>>> ilf
>>>>>
>>>>> Over 80 million Germans don't use a console. Don't click away!
>>>>>  -- An initiative of the Federal Office for Keyboard Use
>>>>> --
>>>>> Unsubscribe, change to digest, or change password at:
>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>>
>>>>>
>>>>> John Scott-Railton
>>>>> www.johnscottrailton.com
>>>>>
>>>>> PGP key ID: 0x3e0ccb80778fe8d7
>>>>> Fingerprint: FDBE BE29 A157 9881 34C7  8FA6 3E0C CB80 778F E8D7
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> US: +1-857-891-4244 | NL: +31-657086088
>>> site:  jilliancyork.com <http://jilliancyork.com/>* | *
>>> twitter: @jilliancyork* *
>>>
>>> "We must not be afraid of dreaming the seemingly impossible if we want
>>> the seemingly impossible to become a reality" - *Vaclav Havel*
>>>
>>>
>>>
>>
>>
>>
>
>
>