[liberationtech] Stephan Faris: The Hackers of Damascus – Businessweek

Yosem Companys companys at stanford.edu
Tue Nov 27 12:37:16 PST 2012


I thought Stephan's piece was way better than many others I've read on the
subject.

As for journalism in general, one pet peeve of mine these days is the
pervasive usage of the term "industrial revolution," which gets attached to
any new idea or tech.

Another oft discussed one on this list is the tendency of some journalists
to treat technology as either inherently liberating or Orwellian-dystopian.


Some even assume our program is in the "liberating" camp almost by default,
despite the fact that our use of "liberationtech" is aspirational: It's
about how to make tech move in an asymptotic way towards liberating, not
that we assume that tech is inherently liberating.  That's why we emphasize
both research and design.

For example, anyone who knows my research and my advisers knows that I'm
all about tech in use and how socio-historical context matters, something
generally ignored by many journalists and engineers, unless they are trained to
think that way.

Since the 1960s, empirical research in the social psychology of technology
has consistently shown, for example, that technologies are only as good as
the values and affordances imprinted in them by their designers and by the
ways in which people use them.  Despite that, you often see journalists and
engineers (e.g., Singularity Institute) write in a tech-deterministic way
as though technologies are disembodied and have an impact on people's lives
that is independent of their design and use.  (Mathematical economists do
the same, but that is beyond the scope of this email.)

Yosem



On Tue, Nov 27, 2012 at 12:02 PM, Jillian C. York <jilliancyork at gmail.com> wrote:

> Yes, agreed of course, Yosem - but I think that this is a particularly
> delicate field at the moment that also suffers from a lack of informed
> scholarship - which means that popular media are relied upon more than they
> might be elsewhere (though I may be overestimating other fields).
>
>
>
> On Tue, Nov 27, 2012 at 11:47 AM, Yosem Companys <companys at stanford.edu> wrote:
>
>> Yeah, though I would add that the points you raise, Jillian, apply to
>> journalism in general.
>>
>> As an outsider, I find that journalists look to tell stories they find
>> interesting via selective anecdotes.  But they would do better in most
>> cases applying a scientific method to telling their stories (e.g., using
>> the comparative approach, playing devil's advocate with their arguments and
>> stating why competing explanations don't hold, questioning common sense
>> causality, and backing up their pieces with scientific research).
>>
>> In the early 20th century, doing all of these things would have been
>> quite an undertaking; in the 21st, all the media tools at our disposal make
>> this a cinch.
>>
>> On Tue, Nov 27, 2012 at 11:37 AM, Jillian C. York <jilliancyork at gmail.com> wrote:
>>
>>> I really appreciate Stephan's comments here, but as an insider/outsider
>>> (that is, someone working on this issue closely but who had absolutely
>>> nothing to do with this particular story), I think that the concerns raised
>>> are nonetheless valid.
>>>
>>> It's clear to me that there was no ill-intent on the part of the author,
>>> but the simplification of networks by media is inherently problematic, in
>>> that stories like this are then picked up by funders, government officials,
>>> etc, looking for quick-and-dirty solutions.  While in this case, I don't
>>> take issue with any of the actors Stephan focused on, I could offer up a
>>> dozen prime examples where such oversimplification was indeed harmful or
>>> counterproductive (James Ball's recent piece on circumvention tools in the
>>> WaPo <http://www.washingtonpost.com/world/national-security/online-tools-to-skirt-internet-censorship-overwhelmed-by-demand/2012/10/21/390457a2-082d-11e2-858a-5311df86ab04_story.html> comes to mind).
>>>
>>> If we are to move to a productive conclusion from this, I think it's the
>>> need to inform journalists on *why* their simplifications can be so
>>> problematic - which begs questions like, "who is this piece intended to
>>> inform?" and "who will it actually inform?"
>>>
>>> Just my two cents,
>>> Jillian
>>>
>>> On Tue, Nov 27, 2012 at 7:55 AM, Andrew Haeg <aohaeg at gmail.com> wrote:
>>>
>>>> I shared this thread's thoughts with the author, Stephan (cc-ed here).
>>>> And here's what he wrote and asked me to share with the group:
>>>>
>>>> "Interesting discussion. Having given it a little thought, it might be
>>>> worth pointing out on the list that John and the other people I interviewed
>>>> were careful to stress, several times over, that they were part of a larger
>>>> community working in this space. Indeed, in reporting this piece I spoke to
>>>> Syrian revolutionaries, international activists, a variety of hackers,
>>>> people at think tanks and research institutions and so on. Some were
>>>> comfortable to be mentioned. Others spoke to me on the explicit condition
>>>> that they not be. In any case, for the purposes of telling what I hope was
>>>> a compelling story, I finally decided to keep the focus on just one small
>>>> slice of the Syrian cyberwar: a handful of representative figures who I
>>>> thought a) illustrated some aspect of the large battle, b) had a direct
>>>> role in the larger effort to neutralize the DarkComet malware and c) were
>>>> willing to share their experiences under their real names. I don't think
>>>> that decision detracts from the other, broader story of this battle as a
>>>> community project. And it certainly doesn't prevent somebody else from
>>>> telling the same tale from that perspective. Just my thoughts, if you don't
>>>> mind passing them on (along with my email address for anybody who might
>>>> want to continue this discussion directly). -s"
>>>>
>>>> As he says, feel free to respond directly to him with your thoughts.
>>>>
>>>> - Andrew
>>>>
>>>>
>>>> On Mon, Nov 26, 2012 at 6:26 AM, John Scott-Railton <railton at ucla.edu> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> A few thoughts on the article. It uses a thread of one process of
>>>>> dealing with malware and attacks in Syria to tell its story, and highlights
>>>>> a couple of people who collaborate with each other and some of what they
>>>>> have been doing.  It makes for an engaging read.  But for someone who reads
>>>>> it and doesn't know the space this article could be read as suggesting that
>>>>> this group of people is the only game in town.  It isn't.  By far.
>>>>>
>>>>>  The reality is decentralized, diverse and very collaborative.  A
>>>>> community, in other words. And these communities are what make things
>>>>> happen.  There are many networks of Syrians, technologists and folks in the
>>>>> community of activists working on identifying and responding to malware and
>>>>> other electronic attacks against the Syrian opposition. Or those working on
>>>>> analyzing the techniques and tools of surveillance deployed at the network
>>>>> level in SY.  The community process by which Dark Comet was first
>>>>> identified after some false starts and unknown binaries first started
>>>>> floating around the community are a great example. So was the later
>>>>> discussion of Dark Comet and the ethical dimensions of the tool. Props to
>>>>> TCX and their collaborators here, for example. There are many others who've
>>>>> chosen to keep their names out of the media. The work of all of these
>>>>> people contributes to all we know now, and serious progress on a lot of
>>>>> fronts.
>>>>>
>>>>> A final note: I also wanted to acknowledge a particular person whose
>>>>> name was surprisingly missing from the group specifically mentioned in the
>>>>> Bloomberg piece, and who deserves credit for her role: Eva
>>>>> Galperin, International Freedom of Expression Coordinator and prolific
>>>>> blogger at EFF, who will be familiar to many of you as the co-author
>>>>> with Morgan Marquis-Boire on every piece of blogging on SY malware that EFF
>>>>> has posted to date.
>>>>>
>>>>> J
>>>>>
>>>>>
>>>>> On Nov 15, 2012, at 12:02 PM, ilf <ilf at zeromail.org> wrote:
>>>>>
>>>>> http://www.businessweek.com/articles/2012-11-15/the-hackers-of-damascus
>>>>>
>>>>> Taymour Karim didn’t crack under interrogation. His Syrian captors
>>>>> beat him with their fists, with their boots, with sticks, with chains, with
>>>>> the butts of their Kalashnikovs. They hit him so hard they broke two of his
>>>>> teeth and three of his ribs. They threatened to keep torturing him until he
>>>>> died. “I believed I would never see the sun again,” he recalls. But Karim,
>>>>> a 31-year-old doctor who had spent the previous months protesting against
>>>>> the government in Damascus, refused to give up the names of his friends.
>>>>>
>>>>> It didn’t matter. His computer had already told all. “They knew
>>>>> everything about me,” he says. “The people I talked to, the plans, the
>>>>> dates, the stories of other people, every movement, every word I said
>>>>> through Skype. They even knew the password of my Skype account.” At one
>>>>> point during the interrogation, Karim was presented with a stack of more
>>>>> than 1,000 pages of printouts, data from his Skype chats and files his
>>>>> torturers had downloaded remotely using a malicious computer program to
>>>>> penetrate his hard drive. “My computer was arrested before me,” he says.
>>>>>
>>>>> Much has been written about the rebellion in Syria: the protests, the
>>>>> massacres, the car bombs, the house-to-house fighting. Tens of thousands
>>>>> have been killed since the war began in early 2011. But the struggle for
>>>>> the future of the country has also unfolded in another arena—on a
>>>>> battleground of Facebook (FB) pages and YouTube accounts, of hacks and
>>>>> counterhacks. Just as rival armies vie for air superiority, the two sides
>>>>> of the Syrian civil war have spent much of the last year and a half locked
>>>>> in a struggle to dominate the Internet. Pro-government hackers have
>>>>> penetrated opposition websites and broken into the computers of Reuters
>>>>> (TRI) and Al Jazeera to spread disinformation. On the other side, the
>>>>> hacktivist group Anonymous has infiltrated at least 12 Syrian government
>>>>> websites, including that of the Ministry of Defense, and released millions
>>>>> of stolen e-mails.
>>>>>
>>>>> The Syrian conflict illustrates the extent to which the very tools
>>>>> that rebels in the Middle East have employed to organize and sustain their
>>>>> movements are now being used against them. It provides a glimpse of the
>>>>> future of warfare, in which computer viruses and hacking techniques can be
>>>>> as critical to weakening the enemy as bombs and bullets. Over the past
>>>>> three months, I made contact with and interviewed by phone and e-mail
>>>>> participants on both sides of the Syrian cyberwar. Their stories shed light
>>>>> on a largely hidden aspect of a conflict with no end in sight—and show how
>>>>> the Internet has become a weapon of war.
>>>>>
>>>>> The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the
>>>>> Arab Spring was reaching a crescendo, the government in Damascus suddenly
>>>>> reversed a long-standing ban on websites such as Facebook, Twitter,
>>>>> YouTube, and the Arabic version of Wikipedia. It was an odd move for a
>>>>> regime known for heavy-handed censorship; before the uprising, police
>>>>> regularly arrested bloggers and raided Internet cafes. And it came at an
>>>>> odd time. Less than a month earlier demonstrators in Tunisia, organizing
>>>>> themselves using social networking services, forced their president to flee
>>>>> the country after 23 years in office. Protesters in Egypt used the same
>>>>> tools to stage protests that ultimately led to the end of Hosni Mubarak’s
>>>>> 30-year rule. The outgoing regimes in both countries deployed riot police
>>>>> and thugs and tried desperately to block the websites and accounts
>>>>> affiliated with the revolutionaries. For a time, Egypt turned off the
>>>>> Internet altogether.
>>>>>
>>>>> Syria, however, seemed to be taking the opposite tack. Just as
>>>>> protesters were casting about for the means with which to organize and
>>>>> broadcast their messages, the government appeared to be handing them the
>>>>> keys.
>>>>>
>>>>> Dlshad Othman, a 25-year-old computer technician in Damascus,
>>>>> immediately grew suspicious of the regime’s motives. Young, Kurdish, and
>>>>> recently finished with his mandatory military service, Othman opposed
>>>>> President Bashar al-Assad. Working for an Internet service provider, he
>>>>> knew that Syria—like many other countries, including China, Iran, Saudi
>>>>> Arabia, and Bahrain—controlled its citizens’ access to the Web. The same
>>>>> technology the government used to censor websites allowed it to monitor
>>>>> Internet traffic and intercept communications. Popular services such as
>>>>> Facebook, Skype, Google Maps, and YouTube gave Syria’s revolutionaries
>>>>> capabilities that until a couple of decades ago would have been available
>>>>> only to the world’s most sophisticated militaries. But as long as Damascus
>>>>> controlled the Internet, they’d be using these tools under the eye of the
>>>>> government.
>>>>>
>>>>> Shortly after the Syrian revolution began in March 2011, Othman’s
>>>>> political views cost him his job. He decided to dedicate himself full time
>>>>> to the opposition, joining the Syrian Center for Media and Freedom of
>>>>> Expression in Damascus to document violence against journalists in the
>>>>> country. He also began teaching his fellow activists ways to stay safe
>>>>> online. Othman instructed them how to encrypt e-mails and encouraged them
>>>>> to use tools like Tor software, which enables anonymous Web browsing by
>>>>> rerouting traffic through a series of distant servers. When Tor turned out
>>>>> to be too slow to live-stream protests or scenes of government attacks
>>>>> against civilians, Othman began purchasing accounts on virtual private
>>>>> networks (VPNs) and sharing them with his friends and contacts. A VPN is
>>>>> basically a tunnel inside the public Internet that allows users to
>>>>> communicate in a secure fashion. For a monthly fee, you can buy access to
>>>>> servers that create encrypted paths between computers; the VPN also
>>>>> disguises the identities and locations of your machine and others on the
>>>>> network. Spies can’t read e-mails sent via VPN, and they have a hard time
>>>>> figuring out where they came from.
>>>>>
>>>>> Othman’s efforts worked at first, but very quickly Damascus blocked
>>>>> off-the-shelf VPNs and upgraded its Internet filters in ways that made the
>>>>> VPNs inoperative. By the summer of 2011, Othman had become frustrated with
>>>>> the Western VPN providers, which he felt were too slow to adapt to the
>>>>> government’s crackdowns. He bought space on outside servers, set up VPNs of
>>>>> his own, and began actively managing them to make sure safe connections
>>>>> remained available.
>>>>>
>>>>> Othman was still training and equipping activists in October 2011 when
>>>>> he made a nearly fatal mistake. He gave an on-camera interview to a British
>>>>> journalist who was later arrested with the footage on his laptop. Warned by
>>>>> a friend through a Facebook message, Othman turned off his phone, removed
>>>>> its SIM card—a precaution to avoid being tracked—and hid in a friend’s
>>>>> Damascus apartment. He never went home. A month and a half later, at the
>>>>> urging of activists who worried his arrest would compromise their entire
>>>>> network, he escaped across the border to Lebanon. “I had been a source of
>>>>> safety for my friends,” he says. “I didn’t want to become a source of
>>>>> danger.”
>>>>>
>>>>> The struggle for Syria has transcended borders. In early 2011, from
>>>>> his office at the University of California at Los Angeles, John
>>>>> Scott-Railton, a 29-year-old graduate student in Urban Planning, joined the
>>>>> revolutions in North Africa and the Middle East. Scott-Railton, working on
>>>>> a dissertation on how poor communities in Senegal were adapting to climate
>>>>> change, had spent time in Egypt and had close friends there. When
>>>>> revolutionaries in Cairo occupied Tahrir Square, he set his studies aside.
>>>>> Working through his contacts in the country, he helped Egyptians evade
>>>>> Internet censors and get their message out to the world by calling
>>>>> protesters on the phone, interviewing them, and publishing their views on
>>>>> Twitter. Later, when the Arab Spring spread to Libya, he did the same, this
>>>>> time working with Libyans in the diaspora to broaden his reach.
>>>>>
>>>>> In Syria, Scott-Railton recognized that the task would be different.
>>>>> Once Assad’s government lifted restrictions on the Internet, activists were
>>>>> having little trouble getting their voices heard; graphic videos alleging
>>>>> government atrocities were lighting up Facebook and YouTube. The challenge
>>>>> would be keeping them safe. “If we’re going to talk about how important the
>>>>> Internet has been in the Arab Spring, we need to think about how it also
>>>>> brings a whole new set of vulnerabilities,” says Scott-Railton. “Otherwise,
>>>>> we’re going to be much too optimistic about what can be done.”
>>>>>
>>>>> The first documented attack in the Syrian cyberwar took place in early
>>>>> May 2011, some two months after the start of the uprising. It was a clumsy
>>>>> one. Users who tried to access Facebook in Syria were presented with a fake
>>>>> security certificate that triggered a warning on most browsers. People who
>>>>> ignored it and logged in would be giving up their user name and password,
>>>>> and with them, their private messages and contacts.
>>>>>
>>>>> In response, Scott-Railton began nurturing contacts in the Syrian
>>>>> opposition, people like Othman with wide networks of their own. “It wasn’t
>>>>> that different from the strategy I had worked out in Libya: Figure out who
>>>>> was trustworthy and then slowly build up,” he says. In the meantime, he
>>>>> contacted security teams at major American technology companies whom he
>>>>> could alert when an attack was detected. Scott-Railton declined to name
>>>>> specific companies but confirmed he was in touch with security experts at
>>>>> some of the biggest brand names. In the past year and a half,
>>>>> pro-government hackers have successfully targeted Facebook pages, YouTube
>>>>> accounts, and logins on Hotmail, Yahoo! (YHOO), Gmail, and Skype.
>>>>>
>>>>> Scott-Railton’s involvement in the Syrian cyberwar wasn’t high-tech.
>>>>> Over several months, he set himself up as a bridge between two worlds,
>>>>> passing reports of hacking on to various companies who could investigate
>>>>> attacks on their users, take down bogus websites, and configure browsers to
>>>>> flag suspect sites as potential threats.
>>>>>
>>>>> For Syrians, the system provided a quick, sure way to limit damage as
>>>>> attempts to break into accounts affiliated with the opposition became more
>>>>> sophisticated. For tech companies, it was an opportunity to address
>>>>> violations as they happened—though those violations have also exposed the
>>>>> vulnerabilities of some of the world’s most popular social networking
>>>>> services.
>>>>>
>>>>> Facebook, which in 2011 responded to hacking attempts in Tunisia by
>>>>> routing communications through an encrypted server and asking users to
>>>>> identify friends when logging in, wouldn’t comment on what, if anything,
>>>>> the company is doing in Syria. Contacted by Bloomberg Businessweek, a
>>>>> spokesperson provided a statement saying: “Security is a top priority for
>>>>> Facebook and we devote significant resources to helping people protect
>>>>> their accounts and information, wherever they live and whatever the
>>>>> circumstances. … We will respond quickly to reports—whether from formal or
>>>>> informal channels—about worrying and problematic security threats from
>>>>> groups, organizations and, on occasion, from governments.”
>>>>>
>>>>> As the war intensified, the cyberattacks waged by pro-government
>>>>> Syrian hackers became more ambitious. In the weeks before his arrest in
>>>>> December 2011, Karim, the young doctor, had begun to suspect his hard drive
>>>>> had been compromised. His Internet bill—which in Syria varies according to
>>>>> the traffic being used—had more than quadrupled, though he still isn’t sure
>>>>> exactly how his computer was infected. He suspects the malware may have
>>>>> been transmitted by a woman using the name Abeer who contacted him on Skype
>>>>> last autumn and sent him photos of herself. Another possibility is a man
>>>>> who sent Karim an Excel spreadsheet and said he could provide monetary
>>>>> support for the revolution.
>>>>>
>>>>> In prison, Karim’s captors mentioned both people. His interrogators
>>>>> knew about his high Internet bills, as well: “The policeman told me, ‘Do
>>>>> you remember when you were talking to your friend and you told him you had
>>>>> something wrong and paid a lot of money? At that time we were taking
>>>>> information from your laptop.’ ”
>>>>>
>>>>> Before the Syrian revolution, Karim had never participated in
>>>>> politics. “I would just go to work and then go home,” he says. But the Arab
>>>>> Spring awakened something inside him, and when demonstrators gathered for a
>>>>> second week of major demonstrations, Karim joined them. The first protest
>>>>> he attended was also the first in which the regime deployed the army to
>>>>> crush dissent, killing dozens of demonstrators across the country. Shortly
>>>>> afterward, Karim signed up to man field hospitals, caring for wounded
>>>>> activists. The worst injuries were from snipers, he recalls. “Sometimes
>>>>> people would be shot in the back, and they’d be paralyzed. Sometimes we
>>>>> found bullets in the face, and all the bones in the face were broken. When
>>>>> we found people shot in the abdomen, sometimes we couldn’t do anything
>>>>> because we didn’t have the proper equipment.”
>>>>>
>>>>> When it came to the Internet, Karim was typical of many of his fellow
>>>>> activists: enthusiastic, naive, and all too often complacent where security
>>>>> was concerned. “Sometimes we’d say to each other, ‘If there was no
>>>>> Internet, there would be no revolution,’ ” he says.
>>>>>
>>>>> Just 18 percent of Syrians use the Internet, and government
>>>>> restrictions along with sanctions by the U.S. and Europe have limited
>>>>> Syrians’ access to updated software and antivirus programs. Karim
>>>>> occasionally used the Tor application recommended by Othman but found the
>>>>> connection too slow for video. A friend in Qatar sent him a link to a
>>>>> secure VPN, but he wasn’t able to download the necessary software.
>>>>>
>>>>> On Dec. 25, 2011, Karim met with a group of doctors to put the final
>>>>> touches on a plan to better coordinate the opposition’s field hospitals.
>>>>> The next day he spoke with a friend on Skype and agreed to meet him to film
>>>>> a Christmas video he hoped would be a show of unity between faiths. When he
>>>>> left his safe house, the police were waiting for him. They knew where they
>>>>> would find him and where he was going. “Skype was the best way for us, for
>>>>> communication,” he says. “We heard that Skype was very safe and that nobody
>>>>> can hack it, and there is no virus for Skype. But unfortunately, I was the
>>>>> first victim of it.”
>>>>>
>>>>> In a statement to Bloomberg Businessweek, a spokesperson for Skype,
>>>>> which is owned by Microsoft (MSFT), said, “Much like other Internet
>>>>> communication tools with a very large user base—be it e-mail, IM, or
>>>>> Voip—Skype has been used by persons with malicious intent to trick or
>>>>> manipulate people into following nefarious links. … This is an ongoing,
>>>>> industrywide issue faced by all peer-to-peer software companies. Skype is
>>>>> committed to the safety and security of its users, and we are taking steps
>>>>> to help protect them.”
>>>>>
>>>>> Karim spent 71 days in Syrian detention before being released on bail
>>>>> pending a military trial. After his release he fled the country, sneaking
>>>>> from village to village until he arrived in Jordan. There he discovered
>>>>> that many other activists had been contacted by the woman named Abeer. A
>>>>> few weeks after his release, he received a message from her on Facebook
>>>>> offering to send him more pictures. He refused.
>>>>>
>>>>> In January 2012, less than a month after Karim’s arrest, Othman—by
>>>>> then in Lebanon—came across a laptop belonging to an international aid
>>>>> worker. The worker believed the laptop had been compromised. After making a
>>>>> preliminary analysis, Othman sent an image of the entire hard drive to
>>>>> Scott-Railton. Among the people Scott-Railton reached out to was a
>>>>> dreadlocked New Zealander named Morgan Marquis-Boire, a security engineer
>>>>> at Google (GOOG) in California. In his spare time, Marquis-Boire had begun
>>>>> investigating cyberattacks on opposition figures in the Middle East after
>>>>> being approached by activists who saw him speak at a conference. “I’m a
>>>>> firm believer in the facilitation of freedom of expression on the
>>>>> Internet,” he says. “The censorship that occurs when people are afraid to
>>>>> speak is actually the most powerful type of censorship that’s available.”
>>>>>
>>>>> Marquis-Boire, 33, wasn’t the first person to analyze the infected
>>>>> hard drive, but his examination was deep and thorough. The laptop, he
>>>>> determined, had been successfully hacked three times in rapid succession.
>>>>> The first piece of malware had arrived on Dec. 26, 2011, during the early
>>>>> hours of Karim’s detention. It had been sent to the computer’s owner
>>>>> through Karim’s Skype account, embedded in the proposal for the
>>>>> coordination of field hospitals he had finalized the night before his
>>>>> arrest.
>>>>>
>>>>> The malware, DarkComet, was a remote access “trojan.” It allowed its
>>>>> sender to take screenshots of the victim’s computer, monitor her through
>>>>> the video camera, and log what she typed. Every digital move the laptop’s
>>>>> owner made was being recorded—and the reports were being routed back to an
>>>>> IP address in Damascus.
>>>>>
>>>>> The network Scott-Railton had set up was faced with a new challenge.
>>>>> The people behind the attacks were no longer casting a wide net and waiting
>>>>> to see who they caught. They were specifically targeting revolutionaries
>>>>> such as Karim and his contacts. Security experts at major tech companies
>>>>> can restore access to hacked accounts or issue takedown orders when hackers
>>>>> set up fake versions of their websites. But there’s little they can do for
>>>>> a user whose computer has been captured by hackers.
>>>>>
>>>>> Scott-Railton and his collaborators began to study their opponent.
>>>>> Syrians like Othman with close contacts to the opposition began gathering
>>>>> suspicious files that might contain malware and funneling them to
>>>>> Scott-Railton. He passed them on to Marquis-Boire, who published his
>>>>> findings in blog posts for the Electronic Frontier Foundation, an advocacy
>>>>> organization based in San Francisco that promotes civil liberties on the
>>>>> Internet. A pattern soon emerged. The attacks used code widely available
>>>>> online. In the case of the DarkComet trojan that had been sent from Karim’s
>>>>> computer, the malware had been developed by a French hacker in his twenties
>>>>> named Jean-Pierre Lesueur who offered it as a free download on his website.
>>>>>
>>>>> What made the hacks so effective was their deviousness. Malware was
>>>>> discovered in a fake plan to help protesters besieged in the city of
>>>>> Aleppo; in a purported proposal for the formation of a post-revolution
>>>>> government; and on Web pages that claimed to show women being raped by
>>>>> Syrian soldiers.
>>>>>
>>>>> Whenever possible, the people behind the attacks would use a
>>>>> compromised account to spread the malware further. In April 2012, the
>>>>> Facebook account of Burhan Ghalioun, then the head of the Syrian
>>>>> opposition, was taken over and used to encourage his more than 6,000
>>>>> followers to install a trojan mocked up to look like a security patch for
>>>>> Facebook.
>>>>>
>>>>> Scott-Railton’s network allowed antivirus companies to update their
>>>>> software so it would recognize the malware and warn Syrian activists. Once
>>>>> Marquis-Boire identified DarkComet, a group of hackers who went by the name
>>>>> Telecomix began putting pressure on its creator, Lesueur, to take it down.
>>>>> In February 2012, less than a month after the trojan had been discovered,
>>>>> he released a patch that would remove his program from an infected
>>>>> computer. “i was totally shocked to see that the syrian gouv used my tool
>>>>> to spy other people,” he wrote in a typo-laden post on his personal blog.
>>>>> “Since now 4 years i code DarkComet for people that are interested about
>>>>> security, people that wan’t to get an eye on what their childs doing on the
>>>>> internet, for getting an eye to notified employees, to administrate their
>>>>> own machines, for pen testing but NOT AS A WAR WEAPON.”
>>>>>
>>>>> In July, Lesueur took the program down altogether. The weapon that had
>>>>> been launched from Karim’s computer—and very likely the one that landed him
>>>>> in jail—had been disarmed.
>>>>>
>>>>> The cyberwar in Syria rages on. Othman and others like him spend hours
>>>>> fending off attacks on their VPNs. He says he knows of at least two
>>>>> activists who were detained and killed after their computers were
>>>>> undermined. Scott-Railton continues to relay reports of compromised
>>>>> accounts and fake Web pages to contacts in the tech industry. “Every day, I
>>>>> get contacted by Syrians with security concerns,” he says. Marquis-Boire is
>>>>> doing his best to trace the attacks back to their source.
>>>>>
>>>>> Since Karim’s release from detention and his escape from Syria earlier
>>>>> this year, he has lived in Jordan. When he recently ran a scan on his new
>>>>> computer, he found he had been infected once again. “I receive thousands of
>>>>> e-mails, videos, and requests and images from activists and friends,” he
>>>>> says. “And there are a lot of people who I don’t know who they are.” In
>>>>> July the Syrian Electronic Army, a pro-government group, released what it
>>>>> said were 11,000 user names and passwords of “NATO supporters,” meaning
>>>>> members of the Syrian opposition.
>>>>>
>>>>> In October, I attempted to contact the Syrians involved in the
>>>>> government’s cyberwar. Before doing so, I changed most of my passwords. I
>>>>> set up two-step verification on my Gmail account, an extra layer of
>>>>> security that makes it harder for hackers to take over an account remotely.
>>>>> I installed the Tor Browser Bundle and updated the WordPress software on my
>>>>> website. And then I dropped a line on Twitter to @Th3Pr0_SEA, an account
>>>>> that describes itself as belonging to the leader of the Special Operations
>>>>> Department of the Syrian Electronic Army, the most visible virtual actor on
>>>>> the government side. @Th3Pr0_SEA wrote back soon after, and we agreed to
>>>>> meet on Google Chat. Minutes later, somebody tried to reset the password of
>>>>> my Yahoo Mail account.
>>>>>
>>>>> @Th3Pr0_SEA wouldn’t tell me much about himself. Two members of his
>>>>> organization had been kidnapped and murdered by members of the opposition,
>>>>> he said, after posting under their real names on Facebook. He told me he
>>>>> had been a student when the uprising began. When I asked his religion, he
>>>>> answered, “i’m Syrian :)”
>>>>>
>>>>> Researchers have described the Syrian Electronic Army as a
>>>>> paramilitary-style group working in coordination with the country’s secret
>>>>> services and linked to the Syrian Computer Society, a government
>>>>> organization once headed by Assad himself before he became president. In
>>>>> our chat, @Th3Pr0_SEA denied the connection, repeating the group’s claims
>>>>> that it’s not an official entity and that its membership is unpaid,
>>>>> motivated only by patriotism. When I asked why the group’s website was
>>>>> hosted on servers owned by the Syrian Computer Society, he answered that
>>>>> his group paid for the service. “If we host our website outside of Syria
>>>>> servers, it will get deleted and probably hacked,” he wrote.
>>>>>
>>>>> Before I finished my interview with @Th3Pr0_SEA, I asked him whether
>>>>> he had been the one who tried to reset my Yahoo password. He denied it. “i
>>>>> think someone saw you,” he said, “when you talked me on twitter.” He also
>>>>> told me, “there is a big surprise from Special Operations Department coming
>>>>> soon, but i can’t tell you anything about it.”
>>>>>
>>>>> --
>>>>> ilf
>>>>>
>>>>> Over 80 million Germans don't use a console. Don't click
>>>>> away!
>>>>>  -- An initiative of the Federal Office for Keyboard Use
>>>>> --
>>>>> Unsubscribe, change to digest, or change password at:
>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>>
>>>>>
>>>>> John Scott-Railton
>>>>> www.johnscottrailton.com
>>>>>
>>>>> PGP key ID: 0x3e0ccb80778fe8d7
>>>>> Fingerprint: FDBE BE29 A157 9881 34C7  8FA6 3E0C CB80 778F E8D7
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> US: +1-857-891-4244 | NL: +31-657086088
>>> site: jilliancyork.com <http://jilliancyork.com/> | twitter: @jilliancyork
>>>
>>> "We must not be afraid of dreaming the seemingly impossible if we want
>>> the seemingly impossible to become a reality" - Vaclav Havel
>>>
>>>
>>>
>>
>>
>>
>
>
>
>