Government

Hacking of Government Email Was Traditional Espionage, NSA Official Says (nytimes.com)

The hack of Microsoft's cloud that resulted in the compromise of government emails was an example of a traditional espionage threat, a senior National Security Agency official said. From a report: Speaking at the Aspen Security Forum, Rob Joyce, the director of cybersecurity at the N.S.A., said the United States needed to protect its networks from such espionage, but that adversaries would continue to try to secretly extract information from each other. "It is China doing espionage," Mr. Joyce said. "It is what nation-states do. We have to defend against it, we need to push back against it. But that is something that happens."

The hackers took emails from senior State Department officials including Nicholas Burns, the U.S. ambassador to China. The theft of Mr. Burns's emails was earlier reported by The Wall Street Journal and confirmed by a person familiar with the matter. Daniel J. Kritenbrink, the assistant secretary of state for East Asia, also had his email hacked, a U.S. official said. The emails of Commerce Secretary Gina Raimondo were also obtained in the hack, which was discovered in June by State Department cybersecurity experts scouring user logs for unusual activity. Microsoft later determined that Chinese hackers had obtained access to email accounts a month earlier.

Government

10 Years After Snowden's First Leak, What Have We Learned? (theregister.com)

An anonymous reader quotes a report from The Register: The world got a first glimpse into the US government's far-reaching surveillance of American citizens' communications -- namely, their Verizon telephone calls -- 10 years ago this week when Edward Snowden's initial leaks hit the press. [...] In the decade since then, "reformers have made real progress advancing the bipartisan notion that Americans' liberty and security are not mutually exclusive," [US Senator Ron Wyden (D-OR)] said. "That has delivered tangible results: in 2015 Congress ended bulk collection of Americans' phone records by passing the USA Freedom Act." This bill sought to end the daily snooping into Americans' phone calls by forcing telcos to collect the records and make the Feds apply for the information.

That same month, a federal appeals court unanimously ruled that the NSA's phone-records surveillance program was unlawful. The American Civil Liberties Union (ACLU) and the New York Civil Liberties Union sued to end the secret phone spying program, which had been approved by the Foreign Intelligence Surveillance Court, just days after Snowden disclosed its existence. "Once it was pushed out into open court, and the court was able to hear from two sides and not just one, the court held that the program was illegal," Ben Wizner, director of the ACLU Speech, Privacy and Technology project, told The Register. The Freedom Act also required the federal government to declassify and release "significant" opinions of the Foreign Intelligence Surveillance Court (FISC), and authorized the appointment of independent amici -- friends of the court intended to provide an outside perspective. The FISC was established in 1978 under the FISA -- the legislative instrument that allows warrantless snooping. And prior to the Freedom Act, this top-secret court only heard the government's perspective on things, like why the FBI and NSA should be allowed to scoop up private communications.

"To its credit, the government has engaged in reforms, and there's more transparency now that, on the one hand, has helped build back some trust that was lost, but also has made it easier to shine a light on surveillance misconduct that has happened since then," Jake Laperruque, deputy director of the Center for Democracy and Technology's Security and Surveillance Project, told The Register. Wyden also pointed to the sunsetting of the "deeply flawed surveillance law," Section 215 of the Patriot Act, as another win for privacy and civil liberties. That law expired in March 2020 after Congress did not reauthorize it. "For years, the government relied on Section 215 of the USA Patriot Act to conduct a dragnet surveillance program that collected billions of phone records (Call Detail Records or CDR) documenting who a person called and for how long they called them -- more than enough information for analysts to infer very personal details about a person, including who they have relationships with, and the private nature of those relationships," Electronic Frontier Foundation's Matthew Guariglia, Cindy Cohn and Andrew Crocker said.
James Clapper, the former US Director of National Intelligence, "stated publicly that the Snowden disclosures accelerated by seven years the adoption of commercial encryption," Wizner said. "At the individual level, and at the corporate level, we are more secure."

"And at the corporate level, what the Snowden revelations taught big tech was that even as the government was knocking on the front door, with legal orders to turn over customer data, it was breaking in the backdoor," Wizner added. "Government was hacking those companies, finding the few points in their global networks where data passed unencrypted, and siphoning it off." "If you ask the government -- if you caught them in a room, and they were talking off the record -- they would say the biggest impact for us from the Snowden disclosures is that it made big tech companies less cooperative," he continued. "I regard that as a feature, not a bug."

The real issue that the Snowden leaks revealed is that America's "ordinary system of checks and balances doesn't work very well for secret national security programs," Wizner said. "Ten years have gone by," since the first Snowden disclosures, "and we don't know what other kinds of rights-violating activities have been taking place in secret, and I don't trust our traditional oversight systems, courts and the Congress, to ferret those out," Wizner said. "When you're dealing with secret programs in a democracy, it almost always requires insiders who are willing to risk their livelihoods and their freedom to bring the information to the public."

Security

Russia Says US Hacked Thousands of iPhones in iOS Zero-Click Attacks (bleepingcomputer.com)

Russian cybersecurity firm Kaspersky says some iPhones on its network were hacked using an iOS vulnerability that installed malware via iMessage zero-click exploits. From a report: The delivery of the message exploits a vulnerability that leads to code execution without requiring any user interaction, leading to the download of additional malicious code from the attackers' server. Subsequently, the message and attachment are wiped from the device. At the same time, the payload stays behind, running with root privileges to collect system and user information and execute commands sent by the attackers.

Kaspersky says the campaign started in 2019 and reports the attacks are still ongoing. The cybersecurity firm has named the campaign "Operation Triangulation" and is inviting anyone who knows more about it to share information. [...] In a statement coinciding with Kaspersky's report, Russia's FSB intelligence and security agency claims that Apple deliberately provided the NSA with a backdoor it can use to infect iPhones in the country with spyware. The FSB alleges that it has discovered malware infections on thousands of Apple iPhones belonging to officials within the Russian government and staff from the embassies of Israel, China, and several NATO member nations in Russia. Despite the seriousness of the allegations, the FSB has provided no proof of its claims.

Google

'An Example of a Very Sad Google Account Recovery Failure and Its Effects' (vortex.com)

Time magazine once described Lauren Weinstein as an internet-policy expert and privacy advocate. Also a long-time Slashdot reader, he now brings this cautionary blog post "to share with you an example of what Google account recovery failure means to the people involved..."

In this case it's a 90-year-old woman who "For at least the last decade... was just using the stored password to log in and check her email," according to an email Weinstein received: When her ancient iPad finally died, she tried to add the gmail account to her new replacement iPad. However, she couldn't remember the password in order to log in.... I don't know if you've ever attempted to contact a human being at google tech support, but it's pretty much impossible. They also don't seem to have an exception mechanism for cases like this.

So she had to abandon hopes of viewing the google photos of her (now deceased) beloved pet, her contacts, her email subscriptions, reminders, calendar entries, etc... [I]t's difficult to know what to say to someone like this when she asks "what can we do now" and there are no options... It's tough to explain that your treasured photos can't be retrieved because you're not the sort of user that Google had in mind.

Weinstein adds "this is by no means the worst such case I've seen — not even close, unfortunately." I've been discussing these issues with Google for many years. I've suggested "ombudspeople", account escalation and appeal procedures that ordinary people could understand, and many other concepts. They've all basically hit the brick wall of Google suggesting that at their scale, nothing can be done about such "edge" cases.
Here's Google's page for providing an alternate recovery email address and phone number. Unfortunately, the 90-year-old woman's account "was created so long ago that she didn't need to provide any 'recovery' contacts at that time," according to the email, "or she may have used a landline phone number that's long been cancelled now..."

Government

Government Cybersecurity Agencies Unite to Urge Secure Software Design Practices (cisa.gov)

Several government cybersecurity agencies united to urge secure-by-design and secure-by-default software. Releasing "joint guidance" for software manufacturers were two U.S. security agencies — the FBI and the NSA — joined with the U.S. Cybersecurity and Infrastructure Security Agency and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, Netherlands, and New Zealand. "To create a future where technology and associated products are safe for customers," they wrote in a joint statement, "the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers."

The Washington Post reports: Software manufacturers should put an end to default passwords, write in safer programming languages and establish vulnerability disclosure programs for reporting flaws, a collection of U.S. and international government agencies said in new guidelines Thursday. [The guidelines also urge rigorous code reviews.]

The "principles and approaches" document, which isn't mandatory but lays out the agencies' views on securing software, is the first major step by the Biden administration as part of its push to make software products secure as part of the design process, and to make their default settings secure as well. It's part of a potentially contentious multiyear effort that aims to shift the way software makers secure their products. It was a key feature of the administration's national cybersecurity strategy, which was released last month and emphasized shifting the burden of security from consumers — who have to manage frequent software updates — to the companies that make often insecure products... The administration has also raised the prospect of legislation on secure-by-design and secure-by-default, but officials have said it could be years away....

The [international affairs think tank] Atlantic Council's Cyber Statecraft Initiative has praised the Biden administration's desire to address economic incentives for insecurity. Right now, the costs of cyberattacks fall on users more than they do tech providers, according to many policymakers. "They're on a righteous mission," Trey Herr, director of the Atlantic Council initiative, told me. If today's guidelines are the beginning of the discussion on secure-by-design and secure-by-default, Herr said, "this is a really strong start, and an important one."

"It really takes aim at security features as a profit center," which for some companies has led to a lot of financial growth, Herr said. "I do think that's going to rub people the wrong way and quick, but that's good. That's a good fight."

In the statement CISA's director says consumers also have a role to play in this transition. "As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else."

Among other things, the new guidelines say that manufacturers "are encouraged to make hard tradeoffs and investments, including those that will be 'invisible' to the customers, such as migrating to programming languages that eliminate widespread vulnerabilities."

Role Playing (Games)

Leaked Classified Documents Also Include Roleplaying Game Character Stats (vice.com)

An anonymous reader quotes a report from Motherboard: Over the past month, classified Pentagon documents have circulated on 4chan, Telegram, and various Discord servers. The documents contain daily intelligence briefings, sensitive information about Ukrainian military positions, and a handwritten character sheet for a table-top roleplaying game. No one knows who leaked the Pentagon documents or how. They appeared online as photographs of printed pages, implying someone printed them out and removed them from a secure location, similar to how NSA translator Reality Winner leaked documents. The earliest documents Motherboard has seen are dated February 23, though the New York Times and Bellingcat reported that some are dated as early as January. According to Bellingcat, the earliest known instances of the leaks appearing online can be traced back to a Discord server.

At some point, a Discord user uploaded a zip file of 32 images from the leak onto a Minecraft Discord server. Included in this pack alongside highly sensitive, Top Secret and other classified documents about the Pentagon's strategy and assessment of the war in Ukraine, was a handwritten piece of paper that appeared to be a character sheet for a roleplaying game. It's written on a standard piece of notebook paper, three holes punched out on the side, blue lines crisscrossing the page. The character's name is Doctor "Izmer Trotzky," his character class is "Professor Scientist." They've got a strength of 5, a charisma of 4, and 19 rubles to their name. Doctor Trotzky has 10 points in first aid and occult skills, and 24 in spot hidden. He's carrying a magnifying glass, a fountain pen, a sword cane, and a deringer. [...]

But what game is it from? Motherboard reached out to game designer Jacqueline Bryk to find out. Bryk is an award-winning designer of roleplaying games who has worked on Kult: Divinity Lost, Changeling: the Lost, Fading Suns: Pax Alexius, and Vampire: the Masquerade. "I strongly suspect this is Call Of Cthulhu," Bryk said when first looking at the sheet. Call of Cthulhu (COC) is an RPG based on the work of H.P. Lovecraft where players attempt to stave off madness while investigating eldritch horrors. "This is a pretty classic Professor build. The sword cane really clinches it for me. I notice he's currently carrying a derringer and a dagger but took no points in firearms or fighting. I'm not sure which edition this is but it seems like the most he could do with his weapons is throw them."
"After some research, Bryk concluded that the game is a homebrewed combination of COC and the Fallout tabletop game based on the popular video game franchise," adds Motherboard. "My best guess here is Fallout: Cthulhu the Homebrew," Bryk said, giving the home-designed game a name.

Privacy

AllTrails Data Exposes Precise Movements of Former Top Biden Official (vice.com)

An anonymous reader quotes a report from Motherboard: A security researcher appears to have tracked the physical location of a former top Biden administration official through his apparent usage of AllTrails, a popular hiking app with more than 30 million registered users. The AllTrails records appear to show the official visiting sensitive locations such as the White House, and also suggest the specific house where he or his family lives. By default, AllTrails users' activity is public for anyone to view, including completed trails, maps, and activities. But that convenience and focus on providing a social network style experience comes with potential risks around national security or privacy, depending on the particular user. Whether a public figure like a government official or celebrity, or someone at risk of stalking in general such as someone in an abusive relationship, AllTrails' privacy settings may be something users should consider.

"I found interesting results by searching near the Pentagon, NSA, CIA or White House and then looking at the user's other activity," Wojciech, the security researcher, told Motherboard in an email. Wojciech said they used their own open source intelligence platform as part of the investigative process. They said the tool supports Strava and another app called SportsTracker, and will include AllTrails itself soon. Wojciech sent Motherboard a link to what they believed to be the AllTrails profile of the former top Biden official. Motherboard is not naming the official because they did not respond to requests for comment, and their profile is still publicly accessible.

One trip to the White House in December recorded in AllTrails also shows a nearby apartment building he ended his journey at. More trips recorded that month show the official's other movements throughout Washington D.C. Much of the AllTrails activity relates to when this official was part of the administration. Motherboard searched through the official's AllTrails activity and found multiple hikes starting from the same location. Motherboard then queried public records and found this location was a house registered to the official's family, meaning AllTrails had helped identify where the official or his family may have been living. Motherboard also verified that the official does have an account on AllTrails by attempting to sign up to the service with the official's personal email address. This was not possible because the address was already registered to an account.

Wikipedia

Supreme Court Snubs Wikipedia Bid To Challenge NSA Surveillance (reuters.com)

The U.S. Supreme Court has declined to hear a bid by the operator of the popular Wikipedia internet encyclopedia to resurrect its lawsuit against the National Security Agency challenging mass online surveillance. From a report: Turning away the Wikimedia Foundation's appeal, the justices left in place a lower court's dismissal of the lawsuit based on the government's assertion of what is called the state secrets privilege, a legal doctrine that can shut down litigation if disclosure of certain information would damage U.S. national security. Represented by the American Civil Liberties Union, Wikimedia Foundation sued in 2015 challenging the legality of the NSA's "Upstream" surveillance of foreign targets through the "suspicionless" collection and searching of internet traffic on data transmission lines flowing into and out of the United States.

United States

The FBI's Most Controversial Surveillance Tool is Under Threat (arstechnica.com)

An existential fight over the US government's ability to spy on its own citizens is brewing in Congress. And as this fight unfolds, the Federal Bureau of Investigation's biggest foes on Capitol Hill are no longer reformers merely interested in reining in its authority. Many lawmakers, elevated to new heights of power by the recent election, are working to dramatically curtail the methods by which the FBI investigates crime. From a report: New details about the FBI's failures to comply with restrictions on the use of foreign intelligence for domestic crimes have emerged at a perilous time for the US intelligence community. Section 702 of the Foreign Intelligence Surveillance Act (FISA), the so-called crown jewel of US intelligence, grants the government the ability to intercept the electronic communications of overseas targets who are unprotected by the Fourth Amendment. That authority is set to expire at the end of the year. But errors in the FBI's secondary use of the data -- the investigation of crimes on US soil -- are likely to inflame an already fierce debate over whether law enforcement agents can be trusted with such an invasive tool.

Central to this tension has been a routine audit by the Department of Justice's (DOJ) national security division and the office of the director of national intelligence (ODNI) -- America's "top spy" -- which unearthed new examples of the FBI failing to comply with rules limiting access to intelligence ostensibly gathered to protect US national security. Such "errors," they said, have occurred on a "large number" of occasions. A report on the audit, only recently declassified, found that in the first half of 2020, FBI personnel unlawfully searched raw FISA data on numerous occasions. In one incident, agents reportedly sought evidence of foreign influence linked to a US lawmaker. In another, an inappropriate search pertained to a local political party. In both cases, these "errors" were attributed to a "misunderstanding" of the law, the report says. At some point between December 2019 and May 2020, FBI personnel conducted searches of FISA data using "only the name of a US congressman," the report says, a query that investigators later found was "noncompliant" with legal procedures.
Further reading: NSA Director Urges Congress To Renew Controversial Intelligence Authority.

Programming

Rust Safety Is Not Superior To C++, Bjarne Stroustrup Says (open-std.org)

guest reader writes: The Open Standards site contains a new paper from Bjarne Stroustrup titled A call to action: Think seriously about "safety"; then do something sensible about it.

Bjarne reacts to an NSA report about Software Memory Safety since the report excludes C and C++ as unsafe. Bjarne does not consider any of the report's choices for "safe" languages as superior to C++ for the range of uses he cares about.

From Bjarne's response: I have worked for decades to make it possible to write better, safer, and more efficient C++. In particular, the work on the C++ Core Guidelines specifically aims at delivering statically guaranteed type-safe and resource-safe C++ for people who need that without disrupting code bases that can manage without such strong guarantees or introducing additional tool chains. For example, the Microsoft Visual Studio analyzer and its memory-safety profile deliver much of the CG support today and any good static analyzer (e.g., Clang tidy, that has some CG support) could be made to completely deliver those guarantees at a fraction of the cost of a change to a variety of novel "safe" languages.
Bjarne also complains that in the NSA's document, "'safe' is limited to memory safety, leaving out on the order of a dozen other ways that a language could (and will) be used to violate some form of safety and security." There is not just one definition of "safety", and we can achieve a variety of kinds of safety through a combination of programming styles, support libraries, and enforcement through static analysis.... I envision compiler options and code annotations for requesting rules to be enforced. The most obvious would be to request guaranteed full type-and-resource safety.
Bjarne notes that if you work in application domains which prioritize performance over type safety, you could "apply the safety guarantees only where required and use your favorite tuning techniques where needed." Partial adoption of some of the rules (e.g., rules for range checking and initialization) is likely to be important. Gradual adoption of safety rules and adoption of differing safety rules will be important. If for no other reason than the billions of lines of C++ code will not magically disappear, and even "safe" code (in any language) will have to call traditional C or C++ code or be called by traditional code that does not offer specific safety guarantees.

Ignoring the safety issues would hurt large sections of the C++ community and undermine much of the other work we are doing to improve C++.

The article also contains the following references for consideration:
- Design Alternatives for Type-and-Resource Safe C++.
- Type-and-resource safety in modern C++.
- A brief introduction to C++'s model for type- and resource-safety.
- C++ Core Guidelines, safety profiles.

United States

NSA Director Urges Congress To Renew Controversial Intelligence Authority (cyberscoop.com)

NSA Director and head of U.S. Cyber Command Gen. Paul Nakasone said in remarks on Thursday that intelligence authorities up for renewal later this year have played a key role in protecting the United States against cyberattacks. From a report: Nakasone's remarks at a virtual meeting of the Privacy and Civil Liberties Oversight Board offered a preview of what is expected to be an intense political fight later this year to renew Section 702 of the Foreign Intelligence Surveillance Act -- a law that provides U.S. intelligence agencies wide-ranging authorities to conduct surveillance of foreign persons located abroad and which civil liberties advocates argue is in desperate need of greater transparency.

Section 702 will expire at the end of the year unless Congress acts, and on Thursday Nakasone made the case that "the authority plays an outsized role in protecting our nation." He said, "we have saved lives because of 702," adding that the law has been used to counter ransomware threats, including those against critical infrastructure and a foreign operation trying to steal sensitive U.S. military information. The political fight over reauthorization has yet to heat up, but as the newly elected Republican majority seeks to investigate federal government probes of former President Donald Trump and his associates, the renewal of Section 702 could emerge as a central flashpoint between the GOP and national-security agencies.

Bug

Patched Windows Bug Was Actually a Dangerous Wormable Code-Execution Vulnerability (arstechnica.com)

Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability." Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue....

One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti.

There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether."

Thanks to Slashdot reader joshuark for sharing the article.

Security

NSA Says Chinese Hackers Are Exploiting a Zero-Day Bug in Popular Networking Gear (techcrunch.com)

The U.S. National Security Agency is warning that Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to targeted networks. From a report: The flaw, tracked as CVE-2022-27518, affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool, both of which are popular in enterprise networks. The critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices -- no passwords needed. Citrix also says the flaw is being actively exploited by threat actors. "We are aware of a small number of targeted attacks in the wild using this vulnerability," Peter Lefkowitz, chief security and trust officer at Citrix, said in a blog post. "Limited exploits of this vulnerability have been reported." Citrix hasn't specified which industries the targeted organizations are in or how many have been compromised.

Government

Swiss Data Protection Commissioner Orders Government To Publicly Release Surveillance Tech Export Licenses (techdirt.com)

An anonymous reader quotes a report from Techdirt: "In an enormous breakthrough for those seeking transparency and accountability to the shadowy surveillance industry, the Swiss Government has been forced to publish the list of export licenses for surveillance technologies and other equipment, including details of their cost and destination," [reports The Unwanted Witness.] "The decision by the Federal Information and Data Protection Commissioner comes on the heels of consistent pressure from Privacy International, Swiss journalists, and several Members of Parliament on policymakers, government officials, and companies in Switzerland over the past year and a half. The commissioner's decision was the result of a FOI challenge filed against the State Secretariat for Economic Affairs (SECO) for its refusal to reveal information regarding the destination of the pending exports for surveillance technologies."

The beneficiary of this release by SECO is, of course, everyone who's interested in government accountability and transparency, especially when it involves an area of government work that tends to be shrouded in often impenetrable secrecy. The most direct beneficiary -- Swiss news agency Tagblatt -- has plenty to say about the release of this information, including how much SECO simply did not want to reveal the countries Swiss surveillance tech providers sell to. (The following was translated by Google Translate, so apologies for the clunky English.) The Seco does not act entirely voluntarily: Our newspaper only received the list after it requested access to the administration in 2013 based on the principle of transparency. At the end of 2014, the federal data protection officer recommended granting access, although Seco wanted to refuse this. [The Data Protection Commissioner] picks [Seco's] arguments to pieces. It didn't even provide a minimal justification. But that's not all: Seco was unable to prove why the announcement of the recipients was affecting Switzerland's foreign policy relations.

The technology these countries acquired from Swiss tech purveyors is IMSI catchers -- cell tower spoofers capable of forcing all phones in the area to connect to them so investigators can locate sought devices or (if enabled) intercept communications. Twenty-one export licenses were issued in 2014, with the list encompassing a long list of human rights abusers. [...] The approved list for full licenses doesn't exactly suggest a whole lot of discretion from Swiss IMSI manufacturers. Nor does it say much about SECO, which allowed these sales (and demonstrations) to happen. The list of denied license applications (which includes Russia, Yemen, and Turkmenistan) suggests some restraint by SECO. But the fact that Swiss spy tech makers requested the licenses shows they are just as willing to sell to terrible governments as other surveillance tech purveyors who've made international headlines repeatedly. (Yes, we're talking about Israel's NSO Group. And, to a lesser extent, Italy's Hacking Team.)
"And it's not just IMSI catchers," says Techdirt's Tim Cushing. "Plenty of human rights violators were on the list of potential customers for internet surveillance tech sold by Swiss companies. That those violators were unable to access this tech is largely due to the Snowden leaks, which forced a lot of countries to look more closely at their own spying efforts and surveillance contractors."

"That's a pretty nasty group of customers to want to sell to. And that the companies appear to have been deterred by a series of leaks suggests they were more motivated by potential backlash from the Snowden revelations, rather than any sense of responsibility or propriety."

In closing, Cushing writes: "You don't have to sell to the worst governments in the world. But, like far too many other surveillance tech purveyors, Swiss companies seemed more than willing to sell powerful spy tech to governments they knew with certainty would abuse it."
News

Edward Snowden Receives Russian Passport (apnews.com) 111

Beerismydad shares a report from the Associated Press: Former U.S. intelligence contractor Edward Snowden, who fled prosecution after revealing highly classified surveillance programs, has received a Russian passport and taken the citizenship oath, Russian news agencies quoted his lawyer as saying Friday. Lawyer Anatoly Kucherena was reported as saying that Snowden got the passport and took the oath on Thursday, about three months after Russian President Vladimir Putin granted him citizenship.

The reports did not specify whether Snowden has renounced his U.S. citizenship. The United States revoked his passport in 2013, leading to Snowden being stranded in a Moscow airport for weeks after arriving from Hong Kong, aiming to reach Ecuador. Russia eventually granted him permanent residency. He married American Lindsay Mills in 2017 and the couple has two children.
Further reading: Should the U.S. Pardon Edward Snowden?
Programming

NSA Urges Organizations To Shift To Memory Safe Programming Languages (nsa.gov) 196

In a press release published earlier today, the National Security Agency (NSA) says it will be making a strategic shift to memory safe programming languages. The agency is advising organizations to explore such changes themselves by utilizing languages such as C#, Go, Java, Ruby, or Swift. From the report: The "Software Memory Safety" Cybersecurity Information Sheet (PDF) highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts. "Memory management issues have been exploited for decades and are still entirely too common today," said Neal Ziring, Cybersecurity Technical Director. "We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors."

Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program's performance over time, and program crashes. NSA recommends that organizations use memory safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations.
The full report is available here (PDF).
Crime

NSA Employee Leaked Classified Cyber Intel, Charged With Espionage (nextgov.com) 69

A former National Security Agency employee was arrested on Wednesday for spying on the U.S. government on behalf of a foreign government. Nextgov reports: Jareh Sebastian Dalke, 30, was arrested in Denver, Colorado after allegedly committing three separate violations of the Espionage Act. Law enforcement alleges that the violations were committed between August and September of 2022, after he worked as an information systems security designer at the agency earlier that summer. Dalke allegedly used an encrypted email account to leak sensitive and classified documents he obtained while working at the NSA to an individual who claimed to have worked for a foreign government.

The individual who received the documents was later revealed to be an undercover FBI agent. Dalke was arrested in September upon arriving at the location where he and the undercover agent agreed to exchange documentation for $85,000 in compensation. "Dalke told that individual that he had taken highly sensitive information relating to foreign targeting of U.S. systems, and information on U.S. cyber operations, among other topics," the press release from the Department of Justice reads. "To prove he had access to sensitive information, Dalke transmitted excerpts of three classified documents to the undercover FBI agent. Each excerpt contained classification markings."
"Should Dalke be found guilty, his sentence could include the death penalty or any term of years up to life imprisonment," notes the report.
News

Putin Grants Russian Citizenship To Whistleblower Snowden (reuters.com) 202

New submitter nunya_bizns writes: President Vladimir Putin on Monday granted Russian citizenship to former U.S. intelligence contractor Edward Snowden, nine years after he exposed the scale of secret surveillance operations by the National Security Agency (NSA). Snowden, 39, fled the United States and was given asylum in Russia after leaking secret files in 2013 that revealed vast domestic and international surveillance operations carried out by the NSA, where he worked. U.S. authorities have for years wanted him returned to the United States to face a criminal trial on espionage charges.
Government

China Claims NSA Infiltrated Country's Telecommunications Networks (cnbc.com) 66

A U.S. intelligence agency gained access to China's telecommunications network after hacking a university, Chinese state media claimed Thursday. CNBC reports: The U.S. National Security Agency used phishing -- a hacking technique where a malicious link is included in an email -- to gain access to the government-funded Northwestern Polytechnical University, the Global Times alleged, citing an unnamed source. American hackers stole "core technology data including key network equipment configuration, network management data, and core operational data," and other files, according to the Global Times. As part of the NSA's hack, the agency infiltrated Chinese telecommunications operators so that the U.S. could "control the country's infrastructure," the Global Times alleged. The Global Times, citing its unnamed source, reported that more details about the attack on Northwestern Polytechnical University will be released soon. China first disclosed the alleged attack on the Northwestern Polytechnical University earlier this month. "The agency also accused the U.S. of engaging in 'tens of thousands' of cyberattacks on Chinese targets," adds CNBC.
Television

Civil Rights Groups Are Calling On Amazon To Cancel 'Ring Nation' Reality Show (vice.com) 138

An anonymous reader quotes a report from Motherboard: On Tuesday, 40 civil rights groups published an open letter calling on MGM Television executives to cancel the studio's upcoming reality show Ring Nation, which will feature former NSA employee and comedian Wanda Sykes presenting humorous surveillance footage captured from Ring doorbell cameras. The groups say the studio is "normalizing and promoting Amazon Ring's dangerous network of surveillance cameras," which, along with the Neighbors app, "violate basic privacy rights, fuel surveillance-based policing that disproportionately targets people of color and threatens abortion seekers, and enables vigilantes to surveil their neighbors and racially profile bystanders."

There's just one potential problem with the well-intentioned campaign: Amazon owns Ring, producer Big Fish Entertainment, and distributor MGM, and it also owns the Prime Video streaming service should it need somewhere to air it. It also has specific partnerships with thousands of police departments around the country should they happen to prove useful. This tower of vertical integration means that Ring Nation is a show designed from the ground up to leverage Amazon's vast monopoly to push its own product on Americans, and it also means that it will probably (but not definitely) be impossible to kill. There's very little chance that MGM executives will push back on the project when it's probably exactly the type of thing Amazon imagined being able to do when it spent $8.5 billion on a merger with MGM this year.
"Ring Nation is not a comedy but rather a propaganda strategy to normalize and further digitize racial profiling in our communities. Truthfully the cognitive dissonance about the dangers of these tools is a real concern. It's striking to see a host who has been such a vocal supporter of racial justice protesters defend the very tech that was used to surveil activists during the uprisings in 2020," said Myaisha Hayes, campaign strategy director at Cancel Ring Nation co-organizer Media Justice, in a statement.

"The Ring Nation reality-TV series is anything but funny. It weaponizes the joy of our daily lives in an attempt to manufacture a PR miracle for scandal-ridden Amazon," Evan Greer, director of co-organizer Fight for the Future, said in a statement. "By normalizing surveillance, it will teach our children to relinquish their privacy in exchange for a quick laugh. In the coming weeks, Fight for the Future, Media Justice, and our org partners will be mobilizing our supporters and forming a loud and fearless coalition of civil rights groups to cancel Ring Nation," Greer said.

The show is set to launch on Sept. 26, though it hasn't been announced which networks will carry it.