William Friedman’s personal copy of Herbert O. Yardley’s famous The American Black Chamber
Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by Bruce Schneier, 1996
Code, by Lawrence Lessig
OSS: Simple Sabotage Field Manual, 1944
Tracking Users across the Web via TLS Session Resumption, 2018
Facebook’s Advertising Platform: New Attack Vectors and the Need for Interventions, 2018
SID Today: Efforts Against Virtual Private Networks Bear Fruit, 2006
NSA: Tracking Targets on Online Social Networks, September, 2009
NSA?: Network Shaping, January, 2007
The Cherry Blossom system provides a means of monitoring the internet activity of and performing software exploits on targets of interest. In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points (APs), to achieve these goals.
Hacking Mobile Phones Using 2D Printed Fingerprints, February, 2016
badWPAD: Slides about Exploit using WPAD files
Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition, 2016
Reconsidering Physical Key Secrecy: Teleduplication via Optical Decoding, 2008 (keys for mechanical locks)
NSA?: Tracking Targets through Proxies and Anonymizers (basically, correlation attacks)
SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit: It’s possible to manipulate the headphones (or earphones) connected to a computer, silently turning them into a pair of eavesdropping microphones – with software alone.
Guessing human-chosen secrets, 2012 (passwords, etc.)
Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone
BadUSB 2.0: USB man in the middle attacks, 2016
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, 2015
Security Analysis of Emerging Smart Home Applications
How to Subvert Backdoored Encryption: Security Against Adversaries that Decrypt All Ciphertexts
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
Gone in Six Characters: Short URLs Considered Harmful for Cloud Services
A Study of MAC Address Randomization in Mobile Devices and When it Fails, 2017
PerfWeb: How to Violate Web Privacy with Hardware Performance Events, 2017
EXTENDING User Guide: The EXTENDING tool is an implant designed for Samsung F Series Smart Televisions.
Biclique Cryptanalysis of the Full AES ("As our attacks are of high computational complexity, they do not threaten the practical use of AES in any way.")
A Critical Evaluation of Website Fingerprinting Attacks
Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
Personal knowledge questions for fallback authentication: Security questions in the era of Facebook (insecurity questions are a bad idea)
EFF: How Unique Is Your Web Browser? (pre-2014 paper from Peter Eckersley, engineer who’s worked on Panopticlick)
(Cross-)Browser Fingerprinting via OS and Hardware Level Features (very disturbing)
vpwns: Virtual Pwned Networks, "the primary goal of this paper is to raise awareness of the inherent risks which come from repurposing off-the-shelf VPN systems to provide strong anonymity."
HackingTeam: Project X: Mass interception of encrypted connections (slides)
You are your Metadata: Identification and Obfuscation of Social Media Users using Metadata Information, 2018
INTEL-SA-00075 Mitigation Guide (privilege escalation vulnerability in Intel processors)
Online tracking: A 1-million-site measurement and analysis, May 18, 2016
Keystroke Recognition Using WiFi Signals
Mod n Cryptanalysis, with Applications Against RC5P and M6
Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG (“As it turns out…PGP and GnuPG…thereby (fortuitously) foiling the attack.”)
Cryptanalytic Attacks on Pseudorandom Number Generators
Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications
Ricochet Security Assessment (assessment of Ricochet IM client, 2016; Ricochet was revised to fix the issues found)
Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services
All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems
first of 2 PDF files that hash to the same SHA1 hash (demonstrating that SHA1 needs to be retired)
second of 2 PDF files that hash to the same SHA1 hash (demonstrating that SHA1 needs to be retired)
Zip Slip (“Zip Slip is a widespread critical archive extraction vulnerability”)
Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication (affects Apple devices)
Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries, 2013
Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies
RSA Weak Public Keys available on the Internet
Reaping and breaking keys at scale: when crypto meets big data (slides from presentation at DEFCON-26)
Breaking the Bluetooth Pairing – Fixed Coordinate Invalid Curve Attack
DefenseCode Security Advisory Broadcom UPnP Remote Preauth Code Execution Vulnerability, 2013
Blackhat 2018: When everyone’s dog is named Fluffy: Abusing the brand-new security questions in Windows 10 to gain domain-wide persistence
Declaration in Support of Injunction Against Insecure Voting Machines in US State of Georgia, 2018
Complaint: CELLEBRITE vs OXYGEN SOFTWARE and OXYGEN FORENSICS, December, 2015
Complaint: THOMAS DRAKE and DIANE ROARK and ED LOOMIS and J. KIRK WIEBE and WILLIAM BINNEY vs NSA
NSA’s response to Jason Leopold’s FOIA request of May 30, 2014
Complaint: LARRY KLAYMAN vs BARACK HUSSEIN OBAMA II et al
Transcript of Manning Court Martial, AM June 3, 2013
AFFIDAVIT IN SUPPORT OF APPLICATION FOR ARREST WARRANT: Reality Winner Case, June 25, 2017
CRIMINAL COMPLAINT: Reality Winner Case, June 5, 2017
EFF Amicus Brief, CONSUMER CELLULAR, INC. v. CONSUMERAFFAIRS.COM, INC., CONSUMERS UNIFIED, LLC, AND DAVID ZACHARY CARMAN
US FTC Order to Facebook, July, 2012
US v. Jay Michaud: Declaration of FBI Agent Daniel Alfin (Playpen prosecution)
Amicus Curiae Brief for Backpage v. Thomas J. Dart
ORDER DENYING MOTION TO DISMISS AS TO THE MERITS OF PLAINTIFF’S CLAIMS, DANIEL MATERA v GOOGLE (Gmail spying)
Complaint, class action lawsuit against Google, about Gmail spying
non-response to FOIA request from Cryptome’s John Young about Ed Snowden and CIA
Complaint, ACLU v Clapper, et al, June 11, 2013
Testimony of Daniel J. Weitzner: Hearing on “Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives” April 19, 2016
Twitter v. LORETTA E. LYNCH, Attorney General of the United States, 2015
Letter to DHS Secretary from Rep. Lofgren about Tor exit node at public library
Public records request Amazon Rekognition
Charge Sheet: Chelsea Manning
Poitras v. DHS, et al complaint
Poitras v. DHS, et al answer to complaint
Criminal complaint in Boston Marathon bombing case
Google court motion about disclosing data about FISA orders received
Manhattan District Attorney: Smartphone Encryption and Public Safety, 2018 (anti-encryption)
China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking, 2018
OPEN LETTER IN SUPPORT OF THE RECENTLY DISCLOSED NSA PROGRAMS, June 2013 (govt. officials support programs outed by Snowden)
Presidential Policy Directive: PD-20, October, 2012, released by Snowden
REPORT OF THE MANHATTAN DISTRICT ATTORNEY’S OFFICE ON SMARTPHONE ENCRYPTION AND PUBLIC SAFETY, November, 2015
Senate Select Committee on Intelligence: Committee Study of the Central Intelligence Agency’s Detention and Interrogation Program, 2014
FBI: Anarchist Extremism Overview, 2011
PREVENTING VIOLENT EXTREMISM IN SCHOOLS, 2016
STATISTICAL TRANSPARENCY REPORT Regarding Use of National Security Authorities
NSA Report on Russian Spearphishing during 2016
Vulnerabilities Equities Policy and Process (originally secret/noforn, somewhat censored, undated)
Letter from Senators about use of facial recognition by Supreme Court Police
FISA/NSA Talking Points (issued the day after the first Snowden revelations)
Legal Authority for the Recently Disclosed NSA Activities, 2005
EPIC: inBloom database destroys student privacy
Cobham Tactical Communications and Surveillance Catalog, 2014
Wolfie Christl, Sarah Spiekermann: Networks of Control, 2016
Report on dangers and opportunities posed by large search engines, particularly Google, September, 2007
Eyes Wide Open, by Privacy International, about 5 Eyes Governments and Surveillance
Bullrun Briefing Sheet from GCHQ
NSA for Kids (from watchingover.us)
This is the second part of our whitepaper “En Route with Sednit”, which covers the Sednit’s group activities since 2014. (The Sednit group is also known as APT28, Fancy Bear and Sofacy)
Surveillance, Data and Embodiment: On the Work of Being Watched
CHILLING EFFECTS: ONLINE SURVEILLANCE AND WIKIPEDIA USE
FBI: GRIZZLY STEPPE – Russian Malicious Cyber Activity, December 29, 2016
Amassing Student Data and Dissipating Privacy Rights, 2013
Towards Construction Based Data Hiding: From Secrets to Fingerprint Images, 2018 — New Type of Steganography
A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, Version 0.9.3. November, 2015.
Against the Law: Countering Lawful Abuses of Digital Surveillance, Huang and Snowden’s Introspection Engine
Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud, 2017
Riffle, an anonymizing network meant to be more resistant to traffic analysis than Tor
Enabling Secure Web Payments with GNU Taler (anonymous Internet banking)
DIME: Dark Internet Mail Environment (from Lavabit founder and friends)
Applied Crypto Hardening, 2014
Tor: Myths and Facts (from EFF)
cMix: Anonymization by High-Performance Scalable Mixing ("cMix is a suite of cryptographic protocols that can replace today’s dominant chat systems, offering superior confidentiality and anonymity, while providing comparable performance to users.")
Post-quantum key exchange – a new hope, 2016
OnionCat – A Tor-based Anonymous VPN, December 18, 2008
twister - a P2P microblogging platform, 2013
Seeking Anonymity in an Internet Panopticon, 2008 ("Toward this end, we offer a high-level view of the Dissent project, a “clean-slate” effort to build practical anonymity systems embodying a collective model for anonymous communication.")
Pisces: Anonymous Communication Using Social Networks
Bitmessage: A Peer‐to‐Peer Message Authentication and Delivery System, 2012
ENCRYPTION: Securing Our Data, Securing Our Lives (very elementary)
A Randomized High-Security Cipher Combining Deniability with Pencil-and-Paper Decryption
On a new fast public key cryptosystem, 2015
Evading Censorship with Browser-Based Proxies (by Dingledine and others)
HORNET: High-speed Onion Routing at the Network Layer, 2015
DNSChain + okTurtles, 2014
Dust: A Blocking-Resistant Internet Transport Protocol
Forward Secure Asynchronous Messaging from Puncturable Encryption
A Certified E-Mail Protocol
Secure Applications of Low-Entropy Keys
Protecting Secret Keys with Personal Entropy
Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol (still vaporware)
Proactively Accountable Anonymous Messaging in Verdict (DC nets)
Draft of Oakland, California ordinance requiring police to get permission to acquire surveillance equipment
Growing Up Digital, 2016
Armed with Technology: The Effects on Fatal Shootings of Civilians by the Police, 2016
The Future of Ideas: The Fate of the Commons in a Connected World, Lawrence Lessig, 2001
How to Explain Zero-Knowledge Protocols to Your Children
A RIDDLE WRAPPED IN AN ENIGMA ("…certain peculiarities in the wording and timing of the statement have puzzled many people and given rise to much speculation concerning the NSA, elliptic curve cryptography (ECC), and quantum-safe cryptography. Our purpose is to attempt to evaluate some of the theories that have been proposed.")
2017 Reuters Tracking - Cybersecurity Poll 3 31 2017
Reclaim Your Name: Keynote by Commissioner Julie Brill, FTC, July, 2013
OMG CYBER! THIRTEEN REASONS WHY HYPE MAKES FOR BAD POLICY, November, 2014
The Terrorism Delusion: America’s Overwrought Response to September 11
Americans and Cybersecurity: Many Americans do not trust modern institutions to protect their personal data – even as they frequently neglect cybersecurity best practices in their own personal lives, 2017
Framework for Improving Critical Infrastructure Cybersecurity, 2014
EFF: Digital Privacy at the U.S. Border: PROTECTING THE DATA ON YOUR DEVICES AND IN THE CLOUD
EFF: Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices, 2011
EFF: Re: Labeling Practices in Digital Content Marketplaces (indicate DRM on the label)
EU-US-NGO-letter-Safe-Harbor-11-15
Facebook Subpoena / Search Warrant Guidelines, 2008
An Analysis of China’s “Great Cannon”
Guerilla Open Access Manifesto, Aaron Swartz, 2008
MATT BLAZE, testimony to US House, “DECIPHERING THE DEBATE OVER ENCRYPTION”
IBM X-Force Threat Intelligence Quarterly, 3Q 2015 (ransomware, Tor, etc.)
Written evidence regarding Investigatory Powers Bill (British ISP writing in opposition to Snoopers' Charter)
Is Privacy Dead?, by Bob Sullivan
Under Surveillance: Examining Facebook’s Spiral of Silence Effects in the Wake of NSA Internet Monitoring
Appeal in Lavabit case, 2014
Lightweight Props on the Weak Security of EPC Class-1 Generation-2 Standard (RFID standard)
Chelsea E. Manning: A Proposed Bill to abolish the Foreign Intelligence Surveillance Court and improve Information Network Security through sharing while protecting privacy
Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
The Moral Character of Cryptographic Work, Phillip Rogaway
CIA: (C//NF) Network Operations Division Cryptographic Requirements, TOP SECRET//SI//NOFORN, leaked on WikiLeaks
Records of the National Security Agency/Central Security Service in the National Archives, 1917-93
NSA procedures for targeting under FISA section 702
Proposed law in New York that would have required cell phones to be defective by design, that is, vulnerable to "hacking" (supposed to support police investigations)
Director’s Message: NSA in the Media - Intelligence Gathering Practices, 2005 (government spying on phone calls)
Privacy Risks with Facebook’s PII-based Targeting: Auditing a Data Broker’s Advertising Interface
The Santa Clara Principles on Transparency and Accountability in Content Moderation
CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data
CONIKS: Bringing Key Transparency to End Users
Snowden’s Box: The human network behind the biggest leak of all
NIST: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (This is the infamous “backdoored” PRNG.)
“I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy
THE DECLINING HALF-LIFE OF SECRETS And the Future of Signals Intelligence
leaflet introducing Tor
Third-Party Web Tracking: Policy and Technology
Spy Software Gets a Second Life on Wall Street
Worldwide Cryptographic Products Survey - Sheet1
Coping with Surprise in Great Power Conflicts
TERRORISM AND BATHTUBS: COMPARING AND ASSESSING THE RISKS
The Cautious Path to Strategic Advantage: HOW MILITARIES SHOULD PLAN FOR AI
Proposed face surveillance system and proposed “Physical Security Information Management System”
Job One for Space Force: Space Asset Cybersecurity
ElsieFour: A Low-Tech Authenticated Encryption Algorithm For Human-to-Human Communication