Month: January 2015

Translation of letter given by (now arrested) armed gunman to personnel at building of Dutch national news (NOS) broadcasting building

UPDATE 2015-06-19: the Dutch Public Prosecution Service demands 4yr prison sentence for hostage taker at Netherlands Broadcasting Authority (=NOS).

UPDATE 2015-01-29 23:56 UTC+1: turns out the attacker used a fake weapon. Suspect not known to police.

UPDATE 2015-01-29 23:14 UTC+1: BBC story: Gunman arrested at Dutch news broadcaster NOS.

UPDATE 2015-01-29 22:30 UTC+1: it is suggested the attacker is 19-year-old Tarik Z. from the town of Pijnacker; freshman student of chemistry at TU Delft; not listed among known jihadists; NOS anchor is quoted as saying: “confused loner, student who lost parents [EDIT: last week], not a terror-motive”.

UPDATE 2015-01-29 22:05 UTC+1: Attacker seems to suggest affiliation with a hacker collective, claims they were hired by intelligence services. Claims they have seen things that they want to bring to light. It is unclear whether there’s any truth to his claims. The building is now cleared.

A little before 20:00 UTC+1, when the eight o’clock national TV news starts, an armed gunman [EDIT: allegedly Tarik Z. from the Dutch town Pijnacker] entered the building of Dutch broadcasting organization NOS, located at the Media Park in Hilversum, and demanded air time. He has been arrested, and nobody got hurt. Nothing was broadcast live, but the arrest was recorded by rolling cameras. A photo appeared on Twitter showing a letter the man handed to NOS reporter Martijn Bink. Here is a translation of that text (the second paragraph seems to be text that the gunman wanted the presenter to read live on television):

When you read this, do not panic. Do not scream and do not warn your colleagues. Act as if nothing is happening. I am heavily armed. If you cooperate, nothing will happen to you. Be aware that I am not acting alone. There are five other and 98 hackers who are ready to carry out a cyber attack. Moreover, eight heavy explosives have been placed in this country that contain radioactive material. If you do not bring me to studio 8 to take over the live broadcast, we are necessitated to act. You do not want to be responsible for that, right? So bring me to studio 8 now, the NOS studio.

We have been taken hostage by heavily armed men [added in handwriting: in studio 8, Media Park Hilversum]. More of them are present in the rest of the country and they have 98 hackers ready to carry out a cyber attack. Also, eight heavy explosives have been placed throughout the country, that contain radioactive material. They want to carry out a live broadcast to tell their story. From the outside it is monitored whether the broadcast can be viewed throughout the Netherlands. Their demands are therefore, among others, 1. This building will not be assaulted. 2. The live broadcast will not be delayed, not interrupted for one second, and not edited. 3. To be clear, no information and no subtitles will be added to the live broadcast. If these demands are met, we will be released. I will repeat this. [repeat]

It is currently [Jan 29th 22:49 CET] unclear to what extent the statements are true or false, and even whether the gun was real or not.

A video fragment is available of the attack, and the gunman, after reportedly having self-identified as belonging to a hacker collective, is saying:

[…inaudible…] will be said, that are very great world affairs. We were, say, hired by intelligence services, and there we saw things that cast doubt on current society. We will now bring those things to light.

Allegedly, NOS personnel was forbidden, via an internal email, to tweet about the affair, or bring information out in any way.

Here is a copy of the video still of the gunman published at http://www.nu.nl/binnenland/3982448/gewapende-man-zendtijd-eist-opgepakt-in-nos-pand.html :

[Image: video still of the gunman]

Here is a copy of the photo of the letter shown on Twitter (original source: https://twitter.com/IbHaarsma/status/560883916736065536 ; edited to be more readable and republished at https://twitter.com/FloortjeHVNL/status/560889377153642497/photo/1):

[Image: photo of the letter]

EOF

Rooting a Moto E XT1021 phone from an OS X 10.9 system to install SnoopSnitch

UPDATE 2015-01-31: AIMSICD is an alternative to SnoopSnitch that does not require a Qualcomm MSM8210 chipset.

Jacob Appelbaum (@ioerror) wrote instructions for modifying a Motorola Moto E phone to install SnoopSnitch and, notably, removing the internal microphone and other sensors to prevent the phone from being used as a remote bug (e.g. the mic being eavesdropped whilst you’re not calling). For fun, I bought the exact model Jacob mentions, a Moto E XT1021, at a Dutch Media Markt store for EUR 103. Modification of the hardware is very simple and demonstrated clearly on Jacob’s page through a series of photos. You need a regular phone Torx screwdriver (a dozen or so screws need to be removed) and something sharp to pry off both microphones; I used a potato knife (to state the obvious: removing the mic will not hide your call metadata or contents of your phone calls). I left the other sensors untouched for now. The software modification is slightly more involved. Perhaps of use to some, here are the steps it took to root the phone from an OS X 10.9 system, and to install SnoopSnitch (if you find errors or omissions, please contact me and I will correct them). Your mileage may vary.

  1. Get the Android SDK and Motorola’s Moto E drivers for OS X:
  2. Enable USB debugging:
    • Turn on the phone. Go to the “Settings” screen, then to “About phone”. Touch “Build number” entry 7 times to get the “Developer options” menu item to appear under “Settings”. Go there and enable “USB debugging”. On connecting to a computer, a dialog will pop up asking whether to permit USB debugging from that computer: press “OK”.
  3. Unlock the bootloader:
    • Go to https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a , sign in, press “Next”.
    • Boot the phone into fastboot mode by pressing and holding power + volume down for a few seconds, then release. The phone should boot and show the following screen (note: at the top it lists the CPU as a Qualcomm MSM8210):
      [Image: Moto E XT1021 fastboot screen]
    • Connect the phone to the computer using the USB cable. The message “USB connected” will appear on the phone.
    • On the computer, run the following commands:
      $ cd $HOME/Library/Android/sdk/platform-tools/
      $ ./fastboot oem get_unlock_data
      ...
      (bootloader) [............ part1 ..........]
      (bootloader) [............ part2 ..........]
      (bootloader) [............ part3 ..........]
      (bootloader) [............ part4 ..........]
      (bootloader) [... part5 ...]
      OKAY [  0.257s]
      finished. total time: 0.257s
      $
    • Append the five parts into one string, and enter it in the input field “Can my device be unlocked?” on the Motorola website, then press “Agree”. You should receive an email containing an unlock code.
    • Run:
      $ ./fastboot oem unlock [.....unlock code....]
      ...
      (bootloader) Unlock code = [.....unlock code....]
      (bootloader) Unlock completed! Wait to reboot
      $
  4. Root the phone:
    • Download SuperSU (credits to @ChainfireXDA) and the CWM recovery image (credits to members of the XDA-Developers Moto-E forums), for instance these DDL mirrors:
      $ wget -O UPDATE-SuperSU-v2.45.zip https://cyberwar.nl/d/20150124_MotoE_UPDATE-SuperSU-v2.45_MIRROR.zip
      [...]
      $ wget -O cwm6.0.4.9_recovery.img https://cyberwar.nl/d/20150124_MotoE_cwm6.0.4.9_recovery_MIRROR.img
      [...]
      $
    • Connect the phone via USB, then put SuperSU on it as follows (don’t forget the trailing “/” in “/sdcard/” or it fails to copy):
      $ ./adb push UPDATE-SuperSU-v2.45.zip /sdcard/ 
      4043 KB/s (4016989 bytes in 0.970s)
      $
    • Disconnect the phone, put it in fastboot mode by pressing and holding power + volume down.
    • Flash the CWM recovery image as follows (note: after running this command, an error message appears on the phone that can be ignored: “Mismatched partition size (recovery)”):
      $ ./fastboot flash recovery cwm6.0.4.9_recovery.img
      target reported max download size of 299892736 bytes
      sending 'recovery' (8146 KB)...
      OKAY [  0.430s]
      writing 'recovery'...
      OKAY [  1.123s]
      finished. total time: 1.553
      $
    • Press volume down, then volume up. The unlocking is now triggered. Wait a few seconds until the “CWM-based Recovery” menu appears. This looks as follows:
      [Image: CWM-based Recovery menu on the Moto E XT1021]
    • Press volume down to select “install zip”; then press power.
    • “choose zip from /sdcard” is already selected; press power.
    • Press volume down to select “0/”, press power, press volume down several times to select “UPDATE-SuperSU-v2.45.zip”, then press power.
    • Press volume down to select “Yes – Install UPDATE-SuperSU-v2.45.zip”, press power.
    • Select “+++++Go Back+++++”, press power.
    • “reboot system now” is selected; press power. When asked “Root access possibly lost. Fix?”, select “No” (default). Press power.
  5. Install SnoopSnitch:
    • Under “Settings”, “Security”, enable “Unknown sources”, and disable “Verify apps” (else the phone will keep asking “Allow Google to regularly check device activity for security problems, and prevent or warn about potential harm?”)
    • Connect your phone to the internet (e.g. via WiFi), then open https://f-droid.org/, click “Download”.
    • Pull down the screen from the top, wait until the FDroid.apk download is complete. Scroll down, press “Install”. When done, click “Open”.
    • Press the magnifying glass, search for “SnoopSnitch”. Press “(+)” to install it. Grant it all the privileges it requests.
  6. DONE.
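
Step 3 asks you to append the five "(bootloader)" parts by hand. The following is an added example (not part of the original post and not Motorola tooling) that joins them in the shell and rejects output with the wrong number of parts. The function names, the default of five parts and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: join the "(bootloader)" lines printed by
# `fastboot oem get_unlock_data` into the single string the unlock form expects.
#
# Real use (fastboot prints these lines on stderr, hence 2>&1):
#   ./fastboot oem get_unlock_data 2>&1 | join_unlock_data

# join_unlock_data [EXPECTED_PARTS]
# Reads fastboot output on stdin and prints the joined unlock data on stdout.
# Returns 1 when the number of "(bootloader)" lines differs from EXPECTED_PARTS
# (default 5, the count shown in the walkthrough), e.g. after a truncated paste.
join_unlock_data() {
    expected=${1:-5}
    awk -v expected="$expected" '
        /^\(bootloader\)/ {
            sub(/^\(bootloader\)[ \t]*/, "")   # drop the line prefix
            gsub(/[ \t\r]/, "")                # drop spaces and stray CRs
            if ($0 != "") { joined = joined $0; parts++ }
        }
        END {
            if (parts + 0 != expected + 0) {
                printf "expected %d parts, found %d\n", expected, parts > "/dev/stderr"
                exit 1
            }
            print joined
        }'
}

# Constructed sample output in the layout shown in step 3; the values are
# made up and are not real unlock data.
sample_fastboot_output() {
    cat <<'EOF'
...
(bootloader) 1111AAAA
(bootloader) 2222BBBB
(bootloader) 3333CCCC
(bootloader) 4444DDDD
(bootloader) 5555
OKAY [  0.257s]
finished. total time: 0.257s
EOF
}

# Offline demonstration on the constructed sample.
sample_fastboot_output | join_unlock_data
```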

EOF

EU Counter-Terrorism Coordinator seeks mandatory disclosure of encryption keys by EU internet companies & telcos

UPDATE 2015-07-01: Ars Technica reports: “The UK’s prime minister, David Cameron, has re-iterated that the UK government does not intend to “leave a safe space—a new means of communication—for terrorists to communicate with each other.” This confirms remarks he made earlier this year about encryption, when he said: “The question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.””

UPDATE 2015-01-30: the joint statement (.pdf) that followed the meeting does not contain any indication that mandatory disclosure of encryption keys was in fact discussed during the Jan 29/30 meeting. (Which does not imply it was not discussed.)

The EU Counter-Terrorism Coordinator (CTC) wrote input (.pdf, Jan 17) for preparation of the informal meeting of Justice and Home Affairs Ministers in Riga, Latvia on January 29th. On page 10 (of 14) the document addresses access to communication, and explicitly suggests discussing rules to oblige internet companies and telcos operating in the EU to disclose encryption keys:

f) Encryption/interception

Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralized encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible. The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys).

This of course is not unlike the UK Prime Minister reportedly (Jan 13, BBC) stating that there should be no “means of communication” that “we cannot read”; and a few days later, Barack Obama reportedly (Jan 16, WSJ) making statements of similar nature.

It is not clear why the EU CTC’s document mentions “often de-centralized” in the first sentence in the above quote, as “de-centralized encryption” in its usual meaning is not a problem that one would typically address by obliging internet companies and telcos to disclose keys.

We’ll learn more after January 29th.


EOF

MH17: Dutch Review Committee on Intel & Security Services to investigate role of AIVD and MIVD in decision-making around flight route safety

UPDATE 2015-01-06: news item by AP (preceding and unrelated to this blogpost).

On January 6th 2015, the Dutch Review Committee on the Intelligence & Security Services (CTIVD) announced (in Dutch) that it will carry out an investigation into the role of the Dutch intelligence & security services AIVD (general) and MIVD (military) in decision-making concerning flight route safety. This follows the MH17 disaster of July 2014. The remainder of this post consists of an unofficial translation of the CTIVD’s announcement.

Announcement of investigation into role of AIVD and MIVD in decision-making concerning flight route safety

In a letter of November 21st 2014, the Minister of the Interior and the Minister of Defense have requested the Dutch Review Committee on the Intelligence & Security Services (CTIVD) to investigate the role of the intelligence & security services AIVD and the MIVD in the decision-making concerning safety of flight routes. The Dutch Safety Board has requested the Ministers to commission the CTIVD to start an investigation.

The letter states that following the crash of flight MH17 of Malaysia Airlines of July 17th 2014, the Dutch Safety Board is investigating, among others, the decision-making concerning the establishment of flight routes. During this investigation, three research questions emerged concerning the AIVD and MIVD.

These research questions are:

  • What is the formal structure between the AIVD and MIVD and the parties relevant to aviation safety, such as airlines, air traffic control and the Ministries concerning information sharing on threats to safety?
  • What are the specific activities carried out by the AIVD and MIVD in exchanging information with parties relevant to aviation?
  • What information did the AIVD and MIVD have about the safety situation in Eastern Ukraine prior to the crash of the MH17, and to what extent did they share the information with parties relevant to aviation safety? What were the considerations to share, or not to share?

The CTIVD decided it will meet the request of the Ministers. Different than usual according to the Dutch Intelligence & Security Act of 2002 (Wiv2002), the CTIVD will report its findings directly to the Dutch Safety Board. This has been requested by the Ministers. In accordance with the CTIVD’s method of investigation, the CTIVD strives to deliver its report during the spring of 2015. The Dutch Safety Board will publish its own findings together with the CTIVD’s findings.

This announcement accompanies a letter (.pdf, in Dutch) sent by the CTIVD to Parliament, and the letter (.pdf, in Dutch) sent by the Ministers to the CTIVD. Neither document contains information beyond what is presented in the above translation.

EOF

Dutch Review Committee on the Intelligence and Security Services (CTIVD) involves group of academics in oversight process

On December 23rd 2014, the Dutch Review Committee on the Intelligence and Security Services (CTIVD) sent a letter (.pdf, in Dutch) to prime minister Mark Rutte, announcing a knowledge network of academics that agreed to be consulted by the CTIVD. Several of the members of this network have been asked to be available to provide feedback on the contents, coherence and relevance of (draft) oversight investigation plans, reports, and advices; their names will be disclosed following the outcomes of the security screenings. The remainder of this post consists of an unofficial translation of the CTIVD’s letter.

Subject: Knowledge network and feedback group concerning the CTIVD

Article 76 of the Dutch Intelligence & Security Act of 2002 (Wiv2002) provides the Dutch Review Committee on the Intelligence and Security Services (CTIVD) the power to commission experts to perform certain tasks, if such is necessary for its proper functioning. The CTIVD hereby informs you about the way in which it uses this authority as of December 1st 2014. The CTIVD aims to carry out independent investigations into the lawfulness of the activities carried out by the AIVD and MIVD, to provide insight into properly balancing national security and privacy. To ensure robust and future-proof oversight, it is necessary to closely monitor the relevant technological, legal and societal developments. The CTIVD has established a knowledge network consisting of several experts to support that. The knowledge network must advise and inform the CTIVD on said developments. The experts participate in a personal capacity. The knowledge network meets at least three times a year, for instance around the establishment of annual plans and evaluation, or on the occasion of relevant events. The CTIVD can thus use the input provided by the knowledge network for prioritizing, deciding, and focusing investigations. The knowledge network currently consists of seven experts, namely:

  • Nico van Eijk (professor of information law, specialized in telecommunications law, University of Amsterdam)
  • Bob de Graaff (professor of intelligence & security studies, Utrecht University, and professor of intelligence and security, Netherlands Defense Academy (NLDA))
  • Constant Hijzen (teacher of national security, Leiden University)
  • Mireille Hildebrandt (professor of IT and rule of law, Radboud University)
  • Bart Jacobs (professor of software security & correctness, Radboud University)
  • Rick Lawson (professor of European law, and dean of faculty of law, Leiden University)
  • Erwin Muller (professor of security & law, and vice-chair of the Dutch Safety Board, Leiden University)

The CTIVD asked several of the experts to also be available to advise, at an early stage, on the contents, coherence and relevance of (draft) oversight investigation plans, reports, and advices. The CTIVD will involve individual members to provide feedback, per investigation, depending on their field of expertise. By involving experts at an early stage of investigations, their input has a direct effect on the setup of investigations and oversight reports. This means that the experts may be exposed to state secrets. Although drafts of secret appendices to oversight reports will not be presented to the experts, and the experts will not be involved in case investigations or hearings of persons, the experts may access documents that have not (yet) been declassified by the relevant Minister. Security screenings at the A level [=highest level for non-officials] will be carried out in consultation with the AIVD. The names of the persons involved in providing feedback will be announced following the outcome of the screenings. Not until then will the experts be involved in investigations.

The honorarium for the experts is in accordance with the Decision fees advisory boards and committees.

This is an excellent development.

EOF