Originally published at the NAAIJ on May 1st 2015. Check the North American Association of Independent Journalists for the latest updates.

Join the Thunderclap here

Follow us on Twitter @NAAIJ
Like us on Facebook NAAofIJ

The Thunderclap will post a message on your feed along with other supporters on
May 01 at 10:30AM EDT. All credit goes to Organizers: Redditors For Basic Income (/r/BasicIncome) & @2noame. The full text of the Basic Income Thunderclap Campaign follows:

What would you do with a monthly paycheck, separate and in addition to any other paycheck, earned for nothing other than citizenship and sufficient to cover your most basic needs? That’s basic income, and that’s what today should be about.

Popularly known as May Day or Labour Day, May 1st is currently a day to internationally recognize the contributions of the global labor movement
and its many struggles and achievements over the years. However, where unions once
empowered labor and gave us the 40-hour week and the 8-hour day,
globalization and advances in technology have severely eroded the ability of
unions to effect change.

As automation of the workplace continues to the
tune of potentially eliminating half of all current jobs in the next 20 years,
and in addition eroding any sense of financial security or consumer buying power through the growth of part-time jobs, low-paid jobs, freelancing, and zero-hour contracts, unconditional basic income represents the ability to empower labor on
an individual basis. A newly gained ability to say “No” to employers
would have an undeniable effect on employee bargaining power for greater sharing of profits and better
wages, job conditions, hours, benefits, etc.

The achievement of basic
income would be the achievement of a new voluntary contract between employer and
employee, including the empowerment of the employee to become their own
employer by functioning as venture capital for the people. It would mean a new age of greater innovation, productivity, and entrepreneurship,
where all are finally free to pursue the goals they wish to pursue, and all work
could be recognized for its societal value, instead of only paid work
as it stands now. Isn’t it time we started recognizing all the important labor going unpaid?

Basic income is the future of the labor movement, and the policy we must all together now strive for in the 21st century.

There are many ways to support the idea and to help grow the movement for Basic Income. For one, take part in Basic Income Day by supporting this Thunderclap and by changing your profile photos on May 1st. Some more examples:

• Sign a petition
• Join your national advocacy group
• Spread the message on Social Media – Add #Basicincome to your posts and also add the hashtag to your profile photos
• Discuss it – Share Basic Income news with your friends and family and start local meetup groups
• Contact Politicians or the Media – Start to demand it and they will start to listen

Join the growing global movement to create an income floor for everyone.

This is the century of technological emancipation from labor itself. We made it. We’re here. We need only actually embrace it. Unemployment is not something to fear. It is something to welcome.

Without basic income, on the 1st of May we celebrate Human Labour Day.

With basic income, tomorrow we celebrate Machine Labour Day.

Nigel Todman is an Independent Journalist, Technical Consultant, Social Activist, Web Developer and Computer Programmer from Ontario, Canada. Nigel is also the Assistant Webmaster for the NAAIJ. Add him to Facebook and/or Follow him on Twitter E-mail: nigel [at] naaij [dot] org [PGP]

(All links are safe to click, Everything not safe is purposely broken and unclickable)

UPDATE: I’ve ran the code inside a VM now

The original message had a filename of ‘video.html’ and was hosted at AmazonAWS.com – do not click on anything that is that if you receive such a message.

Inside the code there is a leak to a goo.gl shortened URL, This URL was created 10 days ago and at time of writing has 462,570 clicks. The URL redirects to http://facebook.com/profile.php?id= which will bring up the currently logged in users Facebook profile. You can view those statistics here

The virus first determines if you’re on mobile or not, then from there redirects to one of two pages, encrypted of course. I’ve unencrypted them for you here

The video.html sends the victim to tesirmt2 [dot] com/mobil.html on Android/Blackberry or anything that isnt Windows (or isnt able to run and is Windows)

That URL then forcefully sends the victim to the following site: mobile [dot] dollars4ads [dot] com/directclick/?&odata=YWlkPTMxNTQ0JnVpZD0xMzg4

Which in turn sends you into a blackhole of porn site redirects, First using a redirect script at the domain DateForSexyMoments [dot] com which loads what appears to be a landing page url at InstaBang [dot] com with the filename enter.php

This part appears to be solely for revenue generation, no exploit yet.

If on Windows and not blocked, A mockup of the YouTube Facebook page is then displayed.

I’m just now getting to the Javascript in this page. It is starting to look like this is where the Facebook propagation code is…

In this page there is a reference to the 33Across ‘Traffic and Monetization’ Platform in a JavaScript file called tc.js

Also on this page is a small.js …

I’ve been using FireFox w\ NoScript allowing the sites one by one, No exploit has triggered as of yet. Installing Chrome now.

What I’m trying to do currently is get the Video Controller request to fire, It looks like that is when the payload is dropped.

Of course on Chrome it fires right away.

Poorly worded broken english, Now we’re getting somewhere!

Cancelling the request puts us back to the start. And the background changes red as if to tell us we’ve done something wrong — Facebook does this all the time right?

Time to take the plunge, Installing malware… Now we get Green, Green means good.

It appears as if I’ve found the ‘Malware Campaign Control Center’ full of scripts and logs. Different loaders for different environments. Different campaigns and phishing attacks.

I’m going to contact a few people and hand this off now. I’ll add my passive analysis below.
—
From what I’ve been able to gather from my passive analysis prior to running in VM …

The exploit appears to target the Chrome Web Store, The clicks are entirely from systems using Google’s Chrome Web browser. The following unique string is passed in a webstore URL

“ldjfedjbfpfcjiklocflohdkmbofokoe”

This appears to be the Chrome Developer ‘ItemID’, This is stored in the variable ‘okkkkk’ and is called with the chrome.webstore.install() function.

That ItemID has been removed since it was discovered, A second message almost identical was sent about an hour later, Following the same methods a new ItemID has been discovered. (I’ve just reported it for abuse.)

“ofmhgagdimpdbfbealjicdmedmjmdgol”

Whether the victim is on a mobile device or not, The victim will be on Facebook (The link is sent over the Facebook service), in the body tag the function chromex(); is called which in turn calls chrome.webstore.install(), It appears as if a request to install a ‘Video Controller’ relies on social engineering inside the chromex() function. chromex() is called at every possible opportunity to do so.

Still have yet to find the code that causes it to propagate to other users on Facebook, Been using strictly passive code analysis so far. Might jump inside VM and allow an infection and examine some binaries and what I’m assuming will be an interesting Chrome extension.

If you found this writeup useful, Feel free to tip me some BitCoins at 18j2Env7QokhGG5MccS3LPBKnjsko6u4NQ

Originally published by The Fifth Column News on Mar 18th, 2015 under a Creative Commons Attribution-Share Alike 3.0 License.

Ft. Meade, MD (TFC) – Back in June 2014 I wrote an article; Don’t Ask for your Privacy, Take it back for the Reset the Net campaign.

“The hope of this campaign is to emerge in a post June 5th world with a more secure standard of communications.”

The only reason why mass surveillance works is because most of our communications are being sent in plain text, as easily read as you are reading this very article. Whether this is done willingly by the service provider or maliciously by the Government using devices and exploits without their knowledge, Encryption will keep (some of) your rights in tact, for now.

While I do admit there is a modest barrier to entry into the realm of secure communications, there is a number of ‘Out of the Box’ solutions emerging to attempt to reduce this barrier. I will detail these still in development solutions in the footer, and cover some of the more established solutions that require a small amount of setup next. (With a pictorial guide)

Secure instant messaging: Pidgin (w OTR plugin, Mobile users Get ChatSecure for Android or ChatSecure for iOS.)
Hide your IP (with exceptions!): Tor (Mobile users Get Orbot for Android.)
Encrypted GSM/SMS: TextSecure & RedPhone (Android only, iOS users get Signal 2.0)

On the complaints about Tor, Let me detail a few of the weakness that exist in Tor so that you may be able to understand its strengths. Tor was (initially) developed and funded by the US Government to give itself plausible deniablity for its own illegal and malicious actions against businesses and countries worldwide. If only the US Government used Tor it wouldn’t be very Anonymous, So it has to be a free for all to provide anonymity. That said, The Government doesn’t like supporting malicious actors other than itself. So, Darknet sites (The .onion network) were attacked. The reason this attack worked is for two reasons. One, Using Tor in a browser provides a wide attack vector via the Flash and JavaScript scripting engines. A script in Flash or JavaScript can report back the IP Address in the context of that code, before it passes over Tor. This is because the code is running locally in your browser and not on the server which does not know your IP address. Two, If every Tor node you are using is in fact owned by the US Government, a top-down view of all US Government nodes can in theory reveal your IP as an educated guess, but it is not conclusive.

Using Tor outside of a browser and not on the Darknet/.onion network will defeat this attack. Me personally, when I use Tor. I exclude all nodes that reside in a FVEY (Five Eyes) Member country. That is US, CA, AU, UK and NZ. I use an open source project called AdvTor to do this.

Pidgin is a messaging client that supports numerous protocols. The one I will focus on is XMPP, previously known as Jabber. The XMPP server I use is creep.im, You can add me using [email protected]. Here is a list of many XMPP servers.

There is no reason Pidgin shouldn’t be the MSN or ICQ of this decade. Most people have resigned to using Facebook for their messaging needs, But this is a horribly insecure centralized target for … pretty much everyone. XMPP allows you to use any number of servers in any number of countries to route your conversations thru, all with full encryption.

Here is a quick pictorial on how to get started with Pidgin (w OTR plugin

Click Add…

Fill out the form as shown below, using your own username and password.

I am using Tor in this example. Simply Install Tor and run it, The defaults will work. If you don’t want to do this, select ‘No Proxy’. The main benefit here with Tor (or any proxy) is maintaining your location security from whomever you selected to handle your chat (creep.im in the example).

If all goes well you will get this screen. This is your actual registration so remember your password.

Confirmation that all is well.

Add your first buddy. Feel free to add myself, [email protected] or the demo account I just made [email protected]

When someone adds you, This is what it will look like.

The OTR plugin gives further security by providing even more encryption and buddy authentication via secret phrases and questions. But even just using Pidgin over say regular Facebook is a huge improvement.

With the OTR plugin installed, Go to Tools -> Plugins in Pidgin, Select ‘Off the Record Messaging and hit ‘Configure Plugin’ – Now press ‘Generate’

If all goes well.

Now you will notice a new menu when chatting with Buddies and some new notices

There are a variety of methods of ‘authenticating’ a buddy. The simplest is ‘Manual Fingerprint Verification’ – For your first time encountering people, this is good. It will ensure that your communicating with the same person on the same machine you originally added.

Alternatively there is a secret question and answer. This is good for people you know well. If you know them well enough you won’t even need to tell them the answer

And thats all there is to getting started with Pidgin.

Want to use XMPP on your phone? Get ChatSecure for Android. iOS users get Signal 2.0

A project that is currently in development I’ve been keeping an eye on is uTox. It allows for sharing of your desktop, a webcam, pictures, or just regular chat. All securely with encryption by design. Even better is that it is ‘zero configuration’ – You open it and you start chatting. No account or signup or registration.

From their Github

“With the rise of governmental monitoring programs, Tox, a FOSS initiative, aims to be an easy to use, all-in-one communication platform that ensures their users full privacy and secure message delivery.

..

The goal of this project is to create a configuration-free P2P Skype replacement. “Configuration-free” means that the user will simply have to open the program and will be capable of adding people and communicating with them without having to set up an account. There are many so-called Skype replacements, but all of them are either hard to configure for the normal user or suffer from being way too centralized.”

Windows uTox Updater (installs uTox if it isn’t already)

You will end up with a ridiculously long ‘Tox ID’ – For example, mine is 1E64DB1DFAEA2DBDE2204826CE649DA8A6BEC90C93BA16B7F557228B48FF234A1CD1876F268C. You can make this more human readable at www.ToxMe.se My human readable Tox ID is [email protected]

Another project worth watching is BitTorrent Inc’s Bleep which is basically the same thing as uTox. Currently Bleep ‘looks’ better, but Tox has many more functions at the moment. Add me on Bleep with this slightly less ridiculously long string: 32969203ae7c11f935ea0b3b561656eed0d891d57da9ecf7641e91a50769cc69

Governments will eventually break these encryptions or make them ‘illegal’ and brand everyone using them a thought criminal and/or terrorist. But until that happens, Any one of these tools are effective ways to thwart mass surveillance and take back at least a little bit of your privacy. For now.

Check out my other article on mass surveillance. As well as some great talks from NSA Whistleblower Edward Snowden

Nigel Todman is an Independent Journalist, Technical Consultant, Social Activist, Web Developer and Computer Programmer from Ontario, Canada. Add him to Facebook and/or Follow him on Twitter E-mail: veritas [at] vts-tech [dot] org [PGP]

Download [PNG/PDF]

Verify the authenticity of this certificate at https://verify.edx.org/cert/e1fc04413dc14c04ae58c388094aa7e5