[security-news] Bulletin #4 - August 12th, 2002

security-news-admin at resist.ca security-news-admin at resist.ca
Mon Aug 12 10:54:50 PDT 2002


***************************************************************
Security-news <security-news at resist.ca>
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

August 12th, 2002

There is no how-to included in this week's bulletin owing to a lack of
time all around. Submissions of security how-tos are particularly welcome
since they take the most time to put together - they can be sent to
secure at resist.ca for inclusion in this bulletin.

**********************************
Security-news: Issue #4 - Contents
**********************************
* Security tip of the week: Dealing with police at the door
* Updates to security.tao.ca
* News & Analysis: Unleashing the FBI - Cointelpro Redux
* News & Analysis: Unions Sell Out to TIPS, Cozy Up With Government
* News & Analysis: SSL defeated in IE and Konqueror

*****
Security Tip of the Week: Dealing with police at the door
*****
If the police, CSIS or the FBI come to your door *without a warrant
of any kind* you are not legally obligated to talk to them. Do not act
suspiciously or aggressively (these things may give an officer a legal
right to enter your home under grounds of "suspicion"), but do act firmly
and let them know that you are not interested in talking to them. DO NOT
let them into the house. Once you have invited them in it is
difficult to get them to leave - and they may find reasons to come back
with a warrant later on once inside. (more info at
http://security.tao.ca/personal/investigations.shtml)

*****
Updates to http://security.tao.ca
*****
No major updates this week, but we've posted some interesting stories on
the front page. We'd like more content in some of our sections, so if you
feel like writing for the site, please let us know!

*****
News & Analysis: Unleashing the FBI - Cointelpro Redux
August 6th, 2002 (Real Audio)
*****

The FBI's mishandling of leads prior to September 11th and lethargy in
pursuing the anthrax killer have been widely reported. Less coverage has
been given, however, to the bureau's dismissal of other acts of terrorism,
death threats and assaults against US citizens, and the FBI's attempts to
silence its critics. The assault against Barbara Bocek, a case worker for
a Native American tribe in Washington State, and volunteer Guatemala
Country Specialist for Amnesty International is a case in point. In May
this year, Bocek had been bound and gagged in her car. After initially
discrediting Bocek's account, the FBI now suggests that Jennifer Harbury,
the human rights advocate whose work over the last 10 years implicated the
CIA and State Department in the abduction and torture of her Guatemalan
husband, is a possible suspect. 

Radio story in RealAudio format at
http://stream.realimpact.org/rihurl.ram?file=webactive/freespeech/fsrn20020806.ra&start="10:51.3"

Security-news note: CointelPro-like operations have never ceased, although
the program was officially ended when it was exposed by an anonymous
document leak. One of the best sites out there for information about
ongoing counter intelligence operations in the US is at
http://www.derechos.net/paulwolf/cointelpro/cointel.htm

*****
News and Analysis: Unions Sell Out to TIPS, Cozy Up With Government
August 7, 2002
*****

NEW YORK -- A type of neighborhood anti-terror program launched by the Bush
administration will be up and active this month in 10 cities across the
country and some of those recruited could be neighborhood truck drivers,
utility employees and train conductors. 
Those are just some of the jobs taken by Teamsters union members, which
has signed up to help the Justice Department with its Operation TIPS. 

TIPS -- the Terrorism Information and Prevention System -- is one of the
core elements of President Bush's Citizen Corps Program. The national
system for reporting suspicious and potentially terrorist-related activity
is predicated on the assistance of do-good local citizens who would be in
positions to witness unusual or suspicious activity in public
places. Volunteers will hand tips over to the Justice Department via a
toll-free hotline or online. 

The Teamsters union is throwing its support behind Operation TIPS not only
as a means to show its nonpartisan stripes, but to lend an effort to
homeland security, said Teamsters spokesman Rob Black. 

Read the rest of this article at
http://www.infoshop.org/inews/stories.php?story=02/08/07/2509994
also read: On the Subject of Informants
http://www.infoshop.org/inews/stories.php?story=02/07/20/1282119

Security-news note: A number of people complained when this story went up
on infoshop because they felt it made Teamsters unionized workers look
bad, and this TIPS deal is being made by the union executive, not the
workers themselves. While this is true, it is the responsibility of people
inside unions and workplaces to protest the decisions of those who claim
to speak for them. Unions in the US and Canada (and certainly everywhere
else in the world) are ongoing subjects of investigation by state
governments. Union leaders in the global South are routinely murdered 
for their organizing activities (and don't think the CIA hasn't been
involved in some of that!). For a large union like the Teamsters to
cozy up to the state security apparatus is unconscionable and a sell out
to unions everywhere.

*****
News & Analysis: SSL defeated in IE and Konqueror
August 12, 2002 - taken from The Register online
*****

A colossal stuff-up in Microsoft's and KDE's implementation of SSL (Secure
Sockets Layer) certificate handling makes it possible for anyone with a
valid VeriSign SSL site certificate to forge any other VeriSign SSL site
certificate, and abuse hapless Konqueror and Internet Explorer users with
impunity. 

In more detail, we have a certificate chain issue discovered by Mike
Benham of thoughtcrime.org. A chain is formed when an intermediate
certificate is trusted between server and client. Supposedly, the
intermediate is accepted only if it's signed by the certificate authority
as safe for the purpose. If it's merely signed by another certificate's
key, it ought not to be trusted, or at least the user should be
warned. Unfortunately, due to a preposterous security engineering
oversight, IE and Konqueror don't bother to check this, so if a tricky
site owner signs an intermediate cert with another valid cert, users will
be none the wiser. 

To read the rest of this article - go to
http://www.theregister.co.uk/content/4/26620.html

Security-news note: Apparently Mozilla is not vulnerable to this security
weakness - but we're not sure about Netscape. It generally seems a good
idea however to stop using Internet Explorer or Konqueror if you want to
be sure that your connection is being protected by SSL (Secure Sockets
Layer).
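
The missing check described above, as an added example that is not part of
the original bulletin or the Register article. It is a toy model: HMAC stands
in for real public-key signatures, the is_ca field models the X.509
basicConstraints CA flag, and all names and keys are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool        # models the X.509 basicConstraints CA flag
    key: bytes         # toy stand-in for the certificate's key pair
    sig: bytes = b""

    def tbs(self) -> bytes:
        # The fields covered by the issuer's signature.
        return f"{self.subject}|{self.issuer}|{self.is_ca}".encode()

def sign(cert: Cert, issuer: Cert) -> Cert:
    # HMAC stands in for a public-key signature (assumption of this model).
    cert.sig = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert

def signature_ok(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(cert.sig, expected)

def validate(chain, trusted_roots, check_ca_flag=True):
    """chain is leaf first, root last; returns (accepted, reason)."""
    root = chain[-1]
    if trusted_roots.get(root.subject) != root:
        return False, "untrusted root"
    for child, parent in zip(chain, chain[1:]):
        if not signature_ok(child, parent):
            return False, f"bad signature on {child.subject}"
        # The step the affected browsers skipped: only a CA may sign others.
        if check_ca_flag and not parent.is_ca:
            return False, f"{parent.subject} is not a CA"
    return True, "ok"

def constructed_chain():
    # Constructed sample data: a root CA, an ordinary site certificate it
    # issued, and a certificate for a different name signed with the site key.
    root = Cert("Example Root CA", "Example Root CA", True, b"root-key")
    sign(root, root)
    site_a = sign(Cert("www.site-a.example", root.subject, False, b"a-key"), root)
    site_b = sign(Cert("www.site-b.example", site_a.subject, False, b"b-key"), site_a)
    return [site_b, site_a, root], {root.subject: root}

if __name__ == "__main__":
    chain, roots = constructed_chain()
    print("signature-only check:", validate(chain, roots, check_ca_flag=False))
    print("with CA-flag check:  ", validate(chain, roots, check_ca_flag=True))
```

Every signature in the constructed chain verifies, so a validator that only
follows signatures accepts it; the chain is rejected only when each signer
is also required to be a CA.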

***************************************************************
Security-news <security-news at resist.ca>
Good security is no substitute for good sense!
To unsub go to http://resist.ca/mailman/listinfo/security-news
***************************************************************









