From rforno at infowarrior.org Wed Jun 1 12:21:02 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jun 2011 13:21:02 -0400
Subject: [Infowarrior] - Northrop Grumman May Have Been Hit by Cyberattack, Source Says
Message-ID: <2A2C91BF-ACB2-440A-B42D-04F98B8FA74B@infowarrior.org>

EXCLUSIVE: Northrop Grumman May Have Been Hit by Cyberattack, Source Says
By Jeremy A. Kaplan
http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/
Published June 01, 2011 | FoxNews.com

Top military contractor Northrop Grumman Corp. may have been hit by a cyber assault, the latest in a string of alarming attacks against military suppliers, a source within the company told FoxNews.com.

Lockheed Martin said its network had been compromised last week, and defense contractor L-3 Communications was targeted recently, as well. Both intrusions involved the use of remote-access security tokens, experts say.

On May 26, Northrop Grumman shut down remote access to its network without warning -- catching even senior managers by surprise and leading to speculation that a similar breach had occurred.

"We went through a domain name and password reset across the entire organization," the source told FoxNews.com. "This caught even my executive management off guard and caused chaos."

"I've been here a good amount of time and they've never done anything this way -- we always have advanced notice," the person said, speculating that the surprise action was a response to a similar network assault.

A spokeswoman for the company would not rule out a cyber attack.

"We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions," Margaret Mitchell-Jones told FoxNews.com. "As a leader in cybersecurity, Northrop Grumman continuously monitors and proactively strengthens the security of our networks."
From Lockheed to L-3 to Northrop Grumman, the pattern of attacks is clear, said Anup Gosh, a former scientist with the Defense Advanced Research Projects Agency (DARPA) and chief scientist with security company Invincea.

"What we're seeing are targeted attacks against the defense industry," he told FoxNews.com. "Think about the data and information that those companies have. They have our nation's military technology secrets."

Charles Dodd, an information warfare consultant with Nisrad Cyber Research Institute, raised a scary possibility: Unmanned aerial vehicles such as the Predator can be controlled by computers. If hackers access those computers, can they operate those deadly drones?

"If adversaries get that technology, we may not be the one that controls those weapons," he told Fox News.

The network attacks spiral from a security breach in March, when hackers stole information related to RSA's SecurID access keys.

"The RSA attack was very sophisticated, probably executed by people who had plans for what to do with the keys," Gosh told FoxNews.com. "Perhaps the RSA keys were used to get onto the Lockheed Martin network."

The keys were definitely used to attack L-3, according to a leaked memo obtained by Wired. "L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information," an executive at the company wrote.

Northrop Grumman is also a SecurID customer, according to Bloomberg News.

An RSA spokeswoman said the company was still investigating the various incidents: "The investigation remains ongoing and it would be premature to speculate."

A breach is just the first stage in an operation, Gosh pointed out, meaning proprietary information hasn't necessarily been stolen. But that isn't the goal anymore, he said.

"It used to be, 'let me come through the front door both barrels blazing and grab the money from the vault.'
But it's a hell of a lot more lucrative for the adversary to actually go to work inside the bank," he said.

From rforno at infowarrior.org Wed Jun 1 13:46:53 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jun 2011 14:46:53 -0400
Subject: [Infowarrior] - Senators Want To Put People In Jail For Embedding YouTube Videos
Message-ID: <262CB60D-6D17-464D-9A41-309BBF95A925@infowarrior.org>

Senators Want To Put People In Jail For Embedding YouTube Videos
from the not-understanding-the-technology dept
http://www.techdirt.com/articles/20110601/01515014500/senators-want-to-put-people-jail-embedding-youtube-videos.shtml

Okay, this is just getting ridiculous. A few weeks back, we noted that Senators Amy Klobuchar, John Cornyn and Christopher Coons had proposed a new bill that was designed to make "streaming" infringing material a felony. At the time, the actual text of the bill wasn't available, but we assumed, naturally, that it would just extend "public performance" rights to section 506a of the Copyright Act.

Supporters of this bill claim that all it's really doing is harmonizing US copyright law's civil and criminal sections. After all, the rights afforded under copyright law in civil cases cover a list of rights: reproduce, distribute, prepare derivative works or perform the work. The rules for criminal infringement only cover reproducing and distributing -- but not performing. So, supporters claim, all this does is "harmonize" copyright law and bring the criminal side into line with the civil side by adding "performance rights" to the list of things.

If only it were that simple. But, of course, it's not. First of all, despite claims to the contrary, there's a damn good reason why Congress did not include performance rights as a criminal/felony issue: because who would have thought that it would be a criminal act to perform a work without permission?
It could be infringing, but that can be covered by a fine. When we suddenly criminalize a performance, that raises all sorts of questionable issues.

Furthermore, as we suspected, in the full text of the bill, "performance" is not clearly defined. This is the really troubling part. Everyone keeps insisting that this is targeted towards "streaming" websites, but is streaming a "performance"? If so, how does embedding play into this? Is the site that hosts the content guilty of performing? What about the site that merely linked to and/or embedded the video (linking and embedding are technically effectively the same thing)? Without clear definitions, we run into problems pretty quickly.

And it gets worse. Because rather than just (pointlessly) adding "performance" to the list, the bill tries to also define what constitutes a potential felony crime in these circumstances:

    the offense consists of 10 or more public performances by electronic means, during any 180-day period, of 1 or more copyrighted works

So yeah. If you embed a YouTube video that turns out to be infringing, and more than 10 people view it because of your link... you could be facing five years in jail. This is, of course, ridiculous, and suggests (yet again) politicians who are regulating a technology they simply do not understand. Should it really be a criminal act to embed a YouTube video, even if you don't know it was infringing...? This could create a massive chilling effect to the very useful service YouTube provides in letting people embed videos.

From rforno at infowarrior.org Thu Jun 2 07:16:41 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jun 2011 08:16:41 -0400
Subject: [Infowarrior] - War on the internet: the key fronts
Message-ID: <20BB2751-129C-40CD-853D-B299930E3EDF@infowarrior.org>

(c/o CB.....I couldn't have said this better myself.
--- rick)

War on the internet: the key fronts
by Bernard Keane
Thursday, 2 June 2011
http://www.crikey.com.au/2011/06/02/war-on-the-internet-1-censorship-harassment-and-attacks/?source=cmailer

A widespread and in many ways concerted series of attacks by governments on the internet is underway, one that has increased in scope and complexity since WikiLeaks humiliated the US government and social media helped fuel the Arab Spring. The attacks involve censorship and blocking of access to the internet, the use of judicial systems to harass users, trade treaties to target internet users, physical harassment and punishment of activists, and the manipulation of social media by governments.

It's a fully-fledged war on the internet (not via the internet, which is also going on, as Lockheed Martin can attest). It is fought across multiple fronts, as governments respond to the threat posed by their citizens connecting up with one another and with citizens of other states. And it is being fought in the US, in Europe (especially France) and in Australia, as well as by the world's worst dictatorships.

Understanding the differing types of attacks is important in understanding what is driving governments to respond so aggressively to the internet. So it's important first to develop a taxonomy of attacks on the internet currently underway.

1. Defence against regime change

The lesson of the Arab Spring is clear: internet-based media can be tools for regime change. Equally clearly for dictators, controlling the internet, or shutting it down where it can't be controlled, is a key step in regime survival.
China and Iran continue to be the exemplars of states that have demonstrated that if you throw enough resources at censoring the internet you can exercise a degree of control, but both states couple direct control (Iran has aggressively explored ways of undermining the Tor anonymisation software, and now proposes to establish its own version of the internet to prevent the inflow of Western ideas) with harassment and brutalisation of bloggers.

Failed Arab regimes have proved less successful at online repression over the last six months, but they've employed a suite of tools - attempts to harvest information from social media, or using tools developed by Western companies to filter and monitor online activity, or reducing bandwidth, cutting power or simply switching internet access off as a last resort. Bahrain and Syria have taken to using armies of sockpuppets to flood social media with pro-regime messages and harass legitimate users - an approach in which the US Defense Department is eager to invest.

Direct repression and harassment isn't limited to countries perceived as being dictatorships. As Crikey has noted several times, despite the "net freedom" rhetoric of the Obama administration, it has engaged in extended harassment of internet activist Jacob Appelbaum, including theft of his IT equipment, for - apparently - the crime of supporting WikiLeaks and being a key Tor developer.

2. National security

The post-9/11 development of the surveillance-heavy, rights-lite National Security State, primarily in the US, has seen systematic assaults on internet users in the past, such as the Bush administration's mass internet surveillance via AT&T. That continues under Obama, who is virtually indistinguishable from his predecessor on national security matters. The FBI recently refused to reveal the names of American ISPs that continue to provide surveillance data on their customers to the Feds, for fear it would make their customers flee in droves.
Incidentally, last week, the infamous Patriot Act, which contains a series of assaults on the basic liberties of Americans, was extended on the eve of expiry, amid speculation the Obama administration, like Bush, is using it to justify using mobile phone data to track people.

Many national security-related cyber measures, however, are aimed not at nebulous "terrorism" but at eliminating the potential for embarrassment occasioned by exposure and transparency (which is where this category of attacks most blends into attacks designed to protect regimes). The Obama administration's Department of Justice is still trying to find a way to split WikiLeaks, which the administration insists has merely caused embarrassment rather than any harm to national security, from the mainstream media in order to prosecute Julian Assange for espionage over the diplomatic cables, and has issued subpoenas to Twitter, Facebook and Google (which only Twitter has contested) in order to obtain details about users who have supported WikiLeaks, including anyone who follows the WikiLeaks Twitter account.

WikiLeaks has also prompted a legislative response in the US and Australia. Joe Lieberman introduced a bill in US Congress targeting whistleblower sites, and the Gillard government is specifically amending the Intelligence Act to enable ASIO to legally spy on WikiLeaks.

The potential for further unauthorised exposure plainly deeply concerns Western governments. Following the recent declaration by the US that cyber attacks may prompt a real-world response, overnight it was revealed NATO is preparing a campaign of "infiltration and persecution" against Anonymous, which has primarily targeted corporate America via campaigns against the copyright industry and in support of WikiLeaks. However, Anonymous also humiliated the US cyber security industry, which has deep ties with the US defence establishment, through its HBGary crack that revealed an extensive array of embarrassing information.

3. Influential gatekeepers

The primary source of governmental attacks on the internet comes at the behest of powerful pre-digital commercial sectors keen to protect their legacy business models. The most obvious example is the copyright industry, the world's most politically powerful industry, which has convinced governments around the world to allow it to outsource its enforcement function - traditionally something the industry itself paid for - to taxpayers. France, with its three-strikes law and a governmental determination to regulate the internet, and the US are the two most activist governments on this.

In America, legislation that will establish an internet filter based on the demands of the copyright industry, the PROTECTIP Act, has reached the floor of the Senate, although Senator Ron Wyden has placed a stop on the bill as he did for its predecessor, the COICA bill. The US also tries to use trade treaties like ACTA to enforce the demands of the copyright industry, and is now seeking to do the same via the Trans-Pacific Partnership Treaty. The Department of Homeland Security doesn't merely shut websites down, it seizes domain names on the basis the sites in question may have linked to material perceived as "infringing" US copyright laws.

The French government is even more stringent, not merely through its "three-strikes" HADOPI law, but by prosecuting people connected, even indirectly, to file sharing. The French don't merely operate at the behest of the international copyright industry, but on nationalist grounds as well: its parliament recently updated its 1980s-era "Lang Law" to enable French publishers to dictate the price e-books are sold for (it's just over three years since a French court ordered Amazon to stop delivering books for free).

Another influential gatekeeper is the legal industry, which by virtue of its governmental status is able to mount its own attacks on the internet, as well as co-opt governments to assist them.
Courts across the western world have repeatedly reacted to the internet as an automatic enemy, but the phenomenon is best exemplified by the UK, where the country's powerful legal industry, strict libel laws and growing tradition of superinjunctions are in direct conflict with the internet. Two weeks ago the UK's chief justice demanded ways be found to muzzle social media and compared it to child pornography after tens of thousands of people used Twitter to break the superinjunction obtained by Ryan Giggs. English courts have developed a fearsome reputation for restricting online free speech - science writer Simon Singh recently revealed The Age refused to run comments about the absurd scam that is homeopathy because it feared being sued in London.

Apart from lawyers and the copyright industry, Australia has its own influential gatekeepers: commercial television broadcasters in Australia have convinced the Federal government to extend the anti-competitive anti-siphoning list to online media.

4. Cultural engineering

The desire to engage in the sort of cultural engineering traditionally made possible by the mainstream media is another key form of attack, usually via filtering or censorship intended to prevent the internet from enabling access to perceived socially undesirable (rather than outright criminal) content. Turkey, for example, already has a massive internet filter in place blocking pornography, prostitution and sports gambling sites, including at one stage YouTube. Australia is a stronghold for cultural engineering as well (Australia, along with France, is one of 16 countries "under surveillance" by Reporters Without Borders on internet regulation).
Australia already has laws preventing you from positively discussing euthanasia, drugs or criminal behaviour online, from gambling online (like the US) or accessing pornographic content that is available in the nearest newsagent, and that's before we get to Labor's internet filter proposal which is on hold awaiting a review of the RC category.

This sort of taxonomy is important because it enables a clearer understanding of what is driving governmental attacks on the internet and how they can best be fought.

*Tomorrow: how government attacks differ and why some are far more serious than others

From rforno at infowarrior.org Thu Jun 2 09:36:59 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jun 2011 10:36:59 -0400
Subject: [Infowarrior] - Baltimore MTA Officers Detain Man For Taking Pictures
Message-ID: <7C17D7E9-40F4-4FC4-ABDE-F7C24B296C57@infowarrior.org>

(also disturbing is how they (incorrectly) cite the 'Patriot Act' as justification -- -rick)

MTA Officers Detain Man For Taking Pictures
June 1, 2011 6:38 PM
http://baltimore.cbslocal.com/2011/06/01/mta-officers-detain-man-for-taking-pictures/

BALTIMORE (WJZ) - The Maryland Transit Administration says more training may be called for after three MTA officers detained a man for taking pictures at a light rail station. Pat Warren has more on the incident.

According to the ACLU, this isn't the first time MTA Police have overstepped their bounds.

In a YouTube posting, Christopher Fussell left the camera rolling when he was confronted by three MTA officers for taking pictures at the Baltimore Cultural Light Rail Station.

"It is my understanding that I am free to take pictures as long as it's not for commercial purposes but for personal use," Fussell said in the video.

"Not on state property, not without proper authorization," an officer said.

Fussell: "From who?"

Officer: "Nobody's allowed to take pictures."

The MTA admits the officers were in error.

"They can most certainly take photos of our system,"
Ralign Wells, the MTA Administrator, said.

In addition to being wrong about MTA and state policy, the officer incorrectly cites the Patriot Act.

"Listen, listen to what I'm saying. The Patriot Act says that critical infrastructure, trains, train stations, all those things require certain oversight to take pictures, whether you say they are for personal use or whatever, that's your story," the officer said.

"So why don't you have any signs posted to say I cannot take pictures?" Fussell said.

"Our officers have become very sensitive post 9/11 and we're trying to see that they understand our passengers and citizens also have a right to take pictures," Wells said.

The officer eventually threatened to take Fussell into custody.

"Do you have Maryland state identification on you?" the officer asked.

"I am not committing a crime," Fussell said.

"Sir, I'm going to ask you one last time, then I'm going to take you into custody. Do we understand each other?" the officer said.

The ACLU considers it harassment by the MTA.

"This is not South Africa under apartheid and in this country, police do not have the right to walk up to you and demand you produce identification to them," said David Rocah, ACLU.

The MTA acknowledges that additional training is in order.

"We'll look at our training processes, we'll look at whether any administrative situations need to occur with those officers," Wells said.

The ACLU says it's been working with the MTA on this very issue for five years, with no satisfactory result.

Fussell was detained for more than 40 minutes before MTA Police finally let him go on his way.

From rforno at infowarrior.org Thu Jun 2 09:47:04 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jun 2011 10:47:04 -0400
Subject: [Infowarrior] - U.S. P2P Lawsuit Shows Signs of a 'Pirate Honeypot'
Message-ID: <091C5778-5256-4739-AA69-0B35B0AB4516@infowarrior.org>

U.S. P2P Lawsuit Shows Signs of a 'Pirate Honeypot'
http://torrentfreak.com/u-s-p2p-lawsuit-shows-signs-of-a-pirate-honeypot-110601/

From rforno at infowarrior.org Fri Jun 3 07:17:47 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 3 Jun 2011 08:17:47 -0400
Subject: [Infowarrior] - MI6 attacks al-Qaeda in 'Operation Cupcake'
Message-ID:

MI6 attacks al-Qaeda in 'Operation Cupcake'
British intelligence has hacked into an al-Qaeda online magazine and replaced bomb-making instructions with a recipe for cupcakes.
By Duncan Gardham, Security Correspondent
7:16PM BST 02 Jun 2011
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html

The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsula to recruit "lone-wolf" terrorists with a new English-language magazine, the Daily Telegraph understands.

When followers tried to download the 67-page colour magazine, instead of instructions about how to "Make a bomb in the Kitchen of your Mom" by "The AQ Chef" they were greeted with garbled computer code.

The code, which had been inserted into the original magazine by the British intelligence hackers, was actually a web page of recipes for "The Best Cupcakes in America" published by the Ellen DeGeneres chat show.

Written by Dulcy Israel and produced by Main Street Cupcakes in Hudson, Ohio, it said "the little cupcake is big again" adding: "Self-contained and satisfying, it summons memories of childhood even as it's updated for today's sweet-toothed hipsters."

It included a recipe for the Mojito Cupcake - "made of white rum cake and draped in vanilla buttercream" - and the Rocky Road Cupcake - "warning: sugar rush ahead!"

By contrast, the original magazine featured a recipe showing how to make a lethal pipe bomb using sugar, match heads and a miniature lightbulb, attached to a timer.
The cyber attack also removed articles by Osama bin Laden, his deputy Ayman al-Zawahiri and a piece called "What to expect in Jihad."

British and US intelligence planned separate attacks after learning that the magazine was about to be issued in June last year. They have both developed a variety of cyber-weapons such as computer viruses, to use against both enemy states and terrorists.

A Pentagon operation, backed by Gen Keith Alexander, the head of US Cyber Command, was blocked by the CIA which argued that it would expose sources and methods and disrupt an important source of intelligence, according to a report in America. However the Daily Telegraph understands an operation was launched from Britain instead.

Al-Qaeda was able to reissue the magazine two weeks later and has gone on to produce four further editions but one source said British intelligence was continuing to target online outlets publishing the magazine because it is viewed as such a powerful propaganda tool.

The magazine is produced by the radical preacher Anwar al-Awlaki, one of the leaders of AQAP who has lived in Britain and the US, and his associate Samir Khan from North Carolina. Both men, who are thought to be in Yemen, have associated with radicals connected to Rajib Karim, a British resident jailed for 30 years in March for plotting to smuggle a bomb onto a trans-Atlantic aircraft.

At the time Inspire was launched, US government officials said "the packaging of this magazine may be slick, but the contents are as vile as the authors." Bruce Reidel, a former CIA analyst, said it was "clearly intended for the aspiring jihadist in the US or UK who may be the next Fort Hood murderer or Times Square bomber."

In recent days AQAP fighters have capitalised on chaos in Yemen, as the country teeters on the brink of civil war. Tribal forces marching towards the capital, Sana'a, clashed with troops loyal to President Ali Abdullah Saleh for a third day running yesterday.
From rforno at infowarrior.org Fri Jun 3 07:21:51 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 3 Jun 2011 08:21:51 -0400
Subject: [Infowarrior] - Apple: 'Free' can't be used w/our products
Message-ID: <2634FE40-14A7-4465-9516-7413E7231EC2@infowarrior.org>

Apple tries to put the kibosh on iPad and iPhone giveaways
By Philip Elmer-DeWitt
June 1, 2011: 4:03 PM ET
http://tech.fortune.cnn.com/2011/06/01/apple-tries-to-put-the-kibosh-on-ipad-and-iphone-giveaways/

iPod touches are OK in special circumstances, but only if you buy at least 250 units

Apparently, ABC 11 didn't get the memo

Earlier this spring, the folks at WTVD-TV, the local ABC affiliate in Durham, N.C., had a bright idea. To drum up interest in the station -- and raise its profile on Facebook, Twitter and Google Buzz -- it organized a sweepstakes contest and gave 11 lucky winners the hottest prize in consumer electronics: an Apple (AAPL) iPad.

What the contest organizers didn't realize -- but would have quickly learned if they'd done their due diligence -- was that they'd just run afoul of Apple's Guidelines for Third Party Promotions.

Operating on the theory that its brand is one of its most valuable properties, Apple has laid out some pretty strict rules about what companies can and can't do with its products. Among them: (I quote)

- iPad, iPhone and the iPhone Gift Card may not be used in third-party promotions.
- iPod touch is only allowed to be used in special circumstances and requires a minimum purchase of 250 units.
- You may NOT use the Myriad Set font on or in connection with web sites, products, packaging, manuals, or promotional/advertising materials.
- The use of "free" as a modifier in any Apple product reference in a prominent manner (headlines, call-outs, etc.) is prohibited.
- You must submit all marketing materials related to the promotion of Apple products to Apple for review.
The two-page document that lists these guidelines -- and many more -- has been around at least since January, but it seems that Apple has begun reaching out to companies to enforce them only recently. Earlier this year, Cult of Mac's Nicole Martinelli counted more than three dozen active iPad sweepstakes and giveaways, including contests run by Mashable, MacMall and Mahalo. None of them, as far as she knows, was ever told not to do it.

Apple declined to comment.

From rforno at infowarrior.org Fri Jun 3 07:25:04 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 3 Jun 2011 08:25:04 -0400
Subject: [Infowarrior] - Skype protocol reverse engineered, source available for download
Message-ID: <7D9FF48E-F916-4B40-8008-E2880EAEB870@infowarrior.org>

Skype protocol reverse engineered, source available for download
http://skype-open-source.blogspot.com/2011/06/skype-protocol-reverse-engineered.html

Hello, I'm Efim Bushmanov, a freelance researcher, and here are my project files on Skype research.

While the "Wall Street Journal" makes politics and Skype today's trend, I want to publish my research on this. My aim is to make Skype open source, and to find friends who can spend many hours on completely reversing it.

Now, most of the hard things are already done (for the 1.x/3.x/4.x versions of Skype), including RC4 and arithmetic compression. You have a unique chance to take a look at Skype's internal protocol and encryption. You will see that it uses strong AES and RSA encryption with a public key infrastructure.

There is also working "send message to skype" code here. However, this is based on the old Skype 1.4 version protocol, which has now slightly changed.

Part of this code, the idb files and the decrypted binaries were obtained from VEST corporation. Common info for the first stage of research was from the EADS.net "vanilla-skype" presentation.

Downloads:
skype_part1_binaries.zip
skype_part2_ida.zip
skype_part3_source.zip

P.S.
Here is a torrent file: http://thepiratebay.org/torrent/6442887
And github: https://github.com/skypeopensource/

From rforno at infowarrior.org Fri Jun 3 07:29:21 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 3 Jun 2011 08:29:21 -0400
Subject: [Infowarrior] - China PLA officers call Internet key battleground
Message-ID:

China PLA officers call Internet key battleground
By Chris Buckley | Reuters
http://ca.news.yahoo.com/china-pla-officers-call-internet-key-battleground-043553926.html

BEIJING, Jun (Reuters) - China must make mastering cyber-warfare a military priority as the Internet becomes the crucial battleground for opinion and intelligence, two military officers said on Friday, two days after Google revealed hacking attacks that it said came from China.

The essay by strategists from the People's Liberation Army's Academy of Military Sciences did not mention Google's statement that hackers apparently based in China had tried to steal into the Gmail accounts of hundreds of users, among them U.S. officials, Chinese rights activists and foreign reporters.

Google said on Wednesday that the attacks appeared to come from Jinan, capital of China's eastern Shandong province, home to a signals intelligence unit of the People's Liberation Army. The Chinese Foreign Ministry on Thursday dismissed Google's statement as groundless and motivated by "ulterior motives."

The essay by two PLA scholars, Senior Colonel Ye Zheng and his colleague Zhao Baoxian, in the China Youth Daily nonetheless stressed that Beijing is focused on honing its cyber-warfare skills, and sees an unfettered Internet as a threat to its Communist Party-run state.

"Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations," they wrote in the Party-run paper.
The Chinese military has been conducting simulated cyber battles pitting the "blue army" against "red teams" using virus and mass spam attacks, the PLA newspaper Liberation Army Daily said last month.

Last year, contention over Internet policy became an irritant between Beijing and Washington after the Obama administration took up Google's complaints about hacking and censorship from China. Google partly pulled out of China, the world's largest Internet market by users, after the dispute.

So far, neither Google nor Washington has outright blamed China for the hacking attacks. Both governments have sought to steady their relations after last year's turbulence, and they may want to avoid another escalating feud. But Secretary of State Hillary Clinton said on Thursday that the "allegations are very serious."

DOMINO EFFECT

The PLA scholars, Ye and Zhao, said China has its own fears about the Internet being wielded as a tool for political challenges, and pointed to the anti-authoritarian uprisings across the Arab world as an alarming example.

"The targets of psychological warfare on the Internet have expanded from the military to the public," they wrote.

The Internet "has become the main battleground of contention over public opinion," they said, citing the "domino effect" across the Middle East and north Africa.

China's ruling Communist Party fears it could become one of those dominoes, despite robust economic growth and stringent domestic security and censorship.

In February, overseas Chinese websites, inspired by the "Jasmine Revolution" across the Arab world, called for protests across China, raising Beijing's alarm about dissent and spurring a burst of detentions of dissidents and human rights lawyers.

Three Chinese dissidents told Reuters their Google email accounts had been infiltrated, although eight others who were contacted said they had no problems.
China has also tightened censorship of the Internet, and it already blocks major foreign social websites such as Facebook and Twitter. The PLA scholars said the threats to China come from more than sophisticated intelligence operations on the Internet. "Cyber warfare is an entirely new mode of battle that is invisible and silent, and it is active not only in wars and conflicts, but also flares in the everyday political, economic, military, cultural and scientific activities." The latest Google hacking attempt follows a series of high-profile hacking cases, including an attack on the U.S. defense giant Lockheed Martin. A U.S. official familiar with progress on the investigation said there was increasing suspicion that the attack originated with "someone in China."

From rforno at infowarrior.org Fri Jun 3 13:35:02 2011 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 3 Jun 2011 14:35:02 -0400 Subject: [Infowarrior] - Syria shuts off interwebs Message-ID: Syria shuts off interwebs http://www.theregister.co.uk/2011/06/03/syrian_net_cutoff/ By John Leyden Posted in Networks, 3rd June 2011 17:31 GMT Syria appears to have begun shutting off internet links to the rest of the world. Approximately two-thirds of all Syrian networks became unreachable by Friday afternoon as part of a process that began early in the morning. Routes to 40 of 59 networks were withdrawn from the global routing tables, leaving the internet in Syria restricted to state-owned SyriaTel, web monitoring firm Renesys reports. Syrian government websites remain reachable, if sluggish, while the web infrastructure of the rest of the country remains dark. SyriaTel's 3G mobile data networks, and smaller independent ISPs including Sawa, INET, and Runnet have effectively been unplugged. A submarine cable from Cyprus supplies the majority of Syria's external telecommunications links.
Syria is in the midst of an uprising that began in January and has been accompanied by a bloody crackdown against protesters by the autocratic al-Assad regime. It could be that the brownout of Syrian internet connections represents an attempt by authorities to frustrate attempts by opposition groups to exchange information and co-ordinate action. Infowar Monitor reported that Syria had recently established a team of pro-government cyberhackers, tasked with hacking and otherwise disrupting opposition websites. The activities of the Syrian Electronic Army are akin to those of the Iranian Cyber Army. The Syrian Electronic Army is the first group of its type in the Arab world. Whether or not the group is behind the shutdown is anybody's guess, but without access to the web the online battlefield SEA was supposed to be fighting on has effectively been removed from play.

From rforno at infowarrior.org Fri Jun 3 14:32:25 2011 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 3 Jun 2011 15:32:25 -0400 Subject: [Infowarrior] - Jim Lehrer's last anchor broadcast tonight Message-ID: <546AA0F2-6A41-4032-9F98-8E696E1C3C74@infowarrior.org> (Yup, I'll be there, too. --- rick) Jim Lehrer on his last turn at PBS anchor desk tonight http://weblogs.baltimoresun.com/entertainment/zontv/2011/06/jim_lehrer_steps_down_from_pbs.html I know where I'll be tonight at dinnertime: In front of a TV set tuned to PBS to see Jim Lehrer's last broadcast as a regular anchor on public television. Friday (June 3) is Lehrer's final turn as a regularly scheduled anchor on PBS after 36 years in the job. And to me, that certainly marks the end of an era in TV news -- as well as the loss of a TV presence that I came to count on to help me make sense of an increasingly complex and sometimes confusing crush of unfiltered information. Lehrer's longevity is unprecedented. Walter Cronkite was the anchor and managing editor of the "CBS Evening News" for 19 years.
Tom Brokaw filled the same roles on NBC for 22 years. Lehrer has been on the job on public television since 1975 when he started co-anchoring with Robert MacNeil. And he has consistently been a beacon of responsible daily journalism across all that time. No one in TV news takes the journalist's role as a provider of trustworthy information for American voters more seriously than this one-time city editor of the Dallas Times-Herald. Because he will still have a voice in editorial decision-making and appear occasionally on Friday nights on "NewsHour" to moderate the show's popular segment with David Brooks and Mark Shields, I asked Lehrer this week to describe what exactly happens tonight. Is he really stepping down from the anchor desk? I would hate to mischaracterize this moment of passage in a career as storied as Lehrer's. "In personal terms, it's huge for me, because I've been doing the daily, or more or less daily, anchoring for 36 years," the 77-year-old Lehrer said in directly answering my question about the importance of what happens on "NewsHour" Friday night. "To not have that daily responsibility any more is huge," he continued. "It's not unpleasant. It's not a negative. Obviously, this was my decision and I'm getting to do it my way. So, I'm very comfortable about it, and I'm very much at ease about it. But it is huge, and there is no question about it... This is an important milestone in my life." In early May when Lehrer announced that he would be stepping down from the regular rotation of "NewsHour" anchors, it came as a bit of a surprise despite his age. That's because he told me in a widely-quoted January interview that he did not see any end in sight. "I'm feeling great," he said. "I'm not tired. And I still hear the sirens. And as long as I hear the sirens, I'll still be there to find out where the hell they're going."
When I asked this week about the seeming change of heart, the University of Missouri graduate said there was no one factor responsible for the decision to end one of the most remarkable runs in TV history tonight. "The reason is just simply that, you know, I have been doing daily journalism for 52 years," he explained. "And I still get a kick out of it, and I always will. But I just need to step back, I need to slow the pace down a little bit here. And I've been slowing the pace down for the last couple of years. And now, I'm just ready to take some of the final steps." Lehrer, a prolific author, says, "I have some more books I want to write. And I want to spend some more time doing other things -- some personal things with my family, and my kids and my grandkids. You know, stuff like that. It's no huge thing, like, 'Oh my God, I was slobbering on the air and now I have to go away.' If I was, I didn't notice it." Lehrer was away from the anchor desk for three months in 2008 when he underwent heart valve surgery. In December, 2009, the "NewsHour with Jim Lehrer" was renamed the "PBS NewsHour," and he was joined by a panel of anchors that includes Gwen Ifill, Ray Suarez, Jeffrey Brown, Judy Woodruff and Margaret Warner. That quintet remains in place. "I kind of decided a couple of years ago that I wanted to consider kind of gliding away so to speak," Lehrer says. "And, you know, there can be all kinds of false drama involved in who replaces Anchorperson A and Anchorperson B, and I wanted to make damn sure that this did not happen in our situation. So, I kind of prepared the way, the glidepath." Lehrer believes the "NewsHour" still has a vital role to play in American life, despite changes in lifestyle and technology that have radically altered the ritual of evening news viewing.
"The thing that people forget is that with all this news coming out -- more and more words, more and more information -- there has to be a trusted source from which this comes," he says. "We've spent years developing that trust, and even though people may not sit and watch all these nightly news programs the way they used to, they still want to have that source they can trust. They want to be able to say, 'Oh my God, well, this came from PBS or NBC, or fill in the blank, and that means this is something I need to pay attention to on the fact part of it.'" The word "fact" brings an added sense of intensity to Lehrer's voice: "I mean, there's plenty of stuff out there on opinions and analysis and what people think about things," he says. "But the basic facts are another matter. People hear something on the radio or read it in a blog, but they still want to know what the hell the basic facts of the matter are. And that's the purpose, I believe, that the 'NewsHour' serves -- providing those facts." The era of fact-based journalism won't end tonight with Lehrer's last regular turn at the PBS anchor desk. But its twilight shadows will certainly deepen with one of its brightest lights signing off.

From rforno at infowarrior.org Fri Jun 3 14:48:22 2011 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 3 Jun 2011 15:48:22 -0400 Subject: [Infowarrior] - UN Report Declares Internet Access a Human Right Message-ID: <9C422050-4632-4221-ACD5-9A6C9AC7AC4B@infowarrior.org> A United Nations report said Friday that disconnecting people from the internet is a human rights violation and against international law. The report railed against France and the United Kingdom, which have passed laws to remove accused copyright scofflaws from the internet. It also protested blocking internet access to quell political unrest.
< -- > http://www.wired.com/threatlevel/2011/06/internet-a-human-right/

From rforno at infowarrior.org Fri Jun 3 17:27:24 2011 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 3 Jun 2011 18:27:24 -0400 Subject: [Infowarrior] - Best Practices for Social Media Verification Message-ID: Best Practices for Social Media Verification Some tips and thoughts from the experts By Craig Silverman Whether you view it as long overdue or just in time, I believe we are starting to see the emergence of best practices for verifying social media content and citizen reports. Recent weeks and months have seen leading practitioners of social media verification and crowdsourced verification share tips and thoughts to help move the discipline forward. Below is a summary of what I've collected to date. I've teased out the core details from longer blog posts and columns, and encourage you to click through and read the full text of each piece I've excerpted. < -- > http://www.cjr.org/the_news_frontier/best_practices_for_social_medi.php?page=all

From rforno at infowarrior.org Sat Jun 4 10:52:18 2011 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 4 Jun 2011 11:52:18 -0400 Subject: [Infowarrior] - Fwd: [attrition] Absolute Sownage; A concise history of recent Sony hacks References: Message-ID: Begin forwarded message: > http://attrition.org/security/rants/sony_aka_sownage.html > > Absolute Sownage > A concise history of recent Sony hacks > Sat Jun 4 04:17:33 CDT 2011 > Security Curmudgeon > > Over the last two months, the multi-national Sony Corporation has come under a wide range of attacks from an even wider range of attackers. The backstory about what event prompted who to attack and why will make a mediocre made-for-TV movie someday. This article is not going to cover the brief history of hacks, readers can find details elsewhere.
Instead, the following only serves to create an accurate and comprehensive timeline regarding the recent breaches, a cliff notes summary for easy reference. > > [..] > > ______________________________________________ > Attrition Mailing List (http://attrition.org) >

From rforno at infowarrior.org Sat Jun 4 10:54:11 2011 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 4 Jun 2011 11:54:11 -0400 Subject: [Infowarrior] - LulzSec Hacks FBI Affiliate Infragard Message-ID: <8BA34F5C-743A-4D2D-AE7A-4FA8DD97DF85@infowarrior.org> LulzSec Hacks FBI Affiliate Infragard http://www.anonnewsnet.com/2011/06/lulzsec-hacks-fbi-affiliate-infragard.html LulzSec is at it again, bringing a whole new batch of stick-it-to-the-man. In its most recent activity, LulzSec has defaced the website of Infragard Atlanta, the Atlanta branch of a cooperative between the FBI and public assets. The site was replaced with a YouTube video of an exploitable meme, depicting a Russian disco enthusiast named Dimitri being interviewed by a journalist, with LulzSec-specific "subtitles." The hack is part of LulzSec's self-promoted "Fuck FBI Friday," as noted on its Twitter feed (which has, over the past three days, soared from only a few thousand to over 37,000 at the time of this writing, mostly due to publicity over its hacking of NPR and placing a fake story about Tupac Shakur alive and well in New Zealand). LulzSec has also shown active disdain for reporters attempting to interview them, promising to violate at least one reporter's orifice of choice, telling them "Gtfo, fucking media bullshit" and that "The twitter is all you're getting." LulzSec has shown hostility towards the FBI before, but there was no indication that the FBI or Infragard were to be targets of hacking before today. This may be an opportunistic form of hacking that can strike virtually anywhere, whereas AnonOps' strategy revolved around one particular regime at a time.
This makes LulzSec much more capable of striking many, many targets without warning or even without provocation. Whereas AnonOps has been devoted to fighting authoritarian regimes and its own self-preservation, LulzSec is less committed to specific fights and thus able to move more freely. But in a more general sense, LulzSec reveals a broader facet of internet culture and society: from virtually anywhere, free-wheeling anarchistic technolibertarians can and will do things explicitly for the shits and giggles, and even when the authorities think they've tracked down one group, another batch of crackers has brushed up on their skills and is ready to start causing chaos. Organizations (or anti-organizations) like LulzSec and Anonymous build off of the built-up outrage at governments and corporations, who increasingly exert more influence on our daily lives. In a way, they're not dissimilar to a forest fire, spreading at every available point until the situation becomes "unmanageable." While governments and corporations have been putting out the small fires for decades, they haven't been dealing with the underlying resentment and pressure building up, until it finally reaches a tipping point and engulfs the entire apparatus of power.

From rforno at infowarrior.org Sat Jun 4 21:18:16 2011 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 4 Jun 2011 22:18:16 -0400 Subject: [Infowarrior] - OT: Poetic Justice Message-ID: <92DDC2BD-DCCF-49AD-A7AA-D3AB49CC1543@infowarrior.org> Bank of America Gets Pad Locked After Homeowner Forecloses On It 10:23 AM, Jun 4, 2011 | comments Kelly Heffernan-Tabor http://www.digtriad.com/news/watercooler/article/178031/176/Florida-Homeowner-Forecloses-On-Bank-Of-America Collier County, Florida -- Have you heard the one about a homeowner foreclosing on a bank? Well, it has happened in Florida and involves a North Carolina based bank.
Instead of Bank of America foreclosing on some Florida homeowner, the homeowners had sheriff's deputies foreclose on the bank. It started five months ago when Bank of America filed foreclosure papers on the home of a couple, who didn't owe a dime on their home. The couple said they paid cash for the house. The case went to court and the homeowners were able to prove they didn't owe Bank of America anything on the house. In fact, it was proven that the couple never even had a mortgage bill to pay. A Collier County Judge agreed and after the hearing, Bank of America was ordered by the court to pay the legal fees of the homeowners, Maurenn Nyergers and her husband. The Judge said the bank wrongfully tried to foreclose on the Nyergers' house. So, how did it end with the bank being foreclosed on? More than 5 months after the judge's ruling, the bank still hadn't paid the legal fees, and the homeowners' attorney did exactly what the bank tried to do to the homeowners. He seized the bank's assets. "They've ignored our calls, ignored our letters, legally this is the next step to get my clients compensated," attorney Todd Allen told CBS. Sheriff's deputies, movers, and the Nyergers' attorney went to the bank and foreclosed on it. The attorney gave instructions to remove desks, computers, copiers, filing cabinets and any cash in the teller's drawers. After about an hour of being locked out of the bank, the bank manager handed the attorney a check for the legal fees. "As a foreclosure defense attorney this is sweet justice," says Allen. Allen says this is something that he sees often in court, banks making errors because they didn't investigate the foreclosure and it becomes a lengthy and expensive battle for the homeowner.
CBS News

From rforno at infowarrior.org Sun Jun 5 17:32:04 2011 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 5 Jun 2011 18:32:04 -0400 Subject: [Infowarrior] - Escaping the Clutches of the Financial Markets Message-ID: http://www.spiegel.de/international/europe/0,1518,druck-766518,00.html 06/03/2011 05:31 PM Dignity and Democracy Escaping the Clutches of the Financial Markets An Essay by Dirk Kurbjuweit In today's Europe, the people are no longer in control. Instead, politicians have become slaves to financial institutions and the markets. We are partly to blame -- and changes are urgently needed to nurse European democracy back to health. We are doing well. In fact, we're doing splendidly. The economy is booming, with 1.5 percent growth in the first quarter. We are as prosperous as we were before the crisis, which has finally been overcome. Congratulations are in order for everyone. The banks, Deutsche Bank above all, deserve particular congratulations. In the first quarter, it earned €3.5 billion ($5.1 billion) in pretax profits in its core business, and by the end of the year the bank will likely report a record €10 billion in pretax profits, its best results ever. That number is expected to rise to €11 billion or even €12 billion in two or three years. Less than three years after the peak of the crisis, it seems as if it never happened. That is true of the economy, but it is also true of us as economic subjects. But is that all we are? No, we are also citizens and participants in a democratic society. As such, we have no reason to be celebrating. Instead, we ought to be sad and outraged. Democracy, after all, is not doing splendidly, or even well. It is gradually becoming a casualty of the financial crisis. Rage Directed at Politicians Trouble is brewing all over Europe. Young people with little hope for the future are protesting in Spain. In France, 1.4 million copies were sold of a manifesto titled "Be Outraged."
Young Frenchmen and -women are devising utopias that extend well beyond civil society because they no longer expect anything from it. A deep depression has descended upon Greece, combined with a rage directed at politicians and the rest of Europe. In Germany, this is what politicians are hearing from their citizens today: "You spent billions to rescue the banks, and now I'm supposed to be footing the bill? Forget it!" Hardly anyone is willing to put up with their politicians any more. And German leaders have lost support -- and some of their own legitimacy. They seem helpless, unable to come to grips with the euro crisis. They meet in Brussels, and they talk, argue and adopt resolutions, and yet nothing improves. Greece isn't getting out of its hole, Ireland and Portugal are teetering on the brink, and Spain and Italy are heavily indebted to a dangerous degree. And no politician is providing leadership. And then there were the lies. Jean-Claude Juncker, the prime minister of Luxembourg, had his spokesman deny that a meeting of European Union finance ministers on the Greek crisis was taking place, even though that meeting was in fact taking place. It wasn't the kind of lie that frequently crops up in politics: the broken campaign promise. Rather, it was a more crass type of untruth: the denial of a reality. Juncker no longer had the courage to speak the truth. He was guided by fear of the financial markets. His lie was a capitulation of politics. Things Will Have to Change This is what is so disturbing about the current situation: the fact that politicians seem so helpless and powerless. They have been given a new master, and it's not us, the people, who tend to intervene in milder ways. Rather, it's the ruthless financial markets. The markets drive politicians even further into anxiety, weakness, incapacity and lies. Those who govern us are now being governed by the banks. That's the situation.
We could decide that we don't care because the economic figures are so good. But that would mean we are happy to play the role of the economic subject, to invest and spend money, all the while abandoning the original promise of democracy. Or we can say: We refuse to relinquish our role as political masters. But if that's our decision, things will have to change. How has this happened? What are the consequences? And how do we extricate ourselves from this situation? The Reasons: Greed and a Dissolute Lifestyle Would it be erroneous to say that those who are now at the top are the ones who caused the whole disaster in the first place? That would include Deutsche Bank, whose CEO, Josef Ackermann, has just announced such magnificent financial figures. When Ackermann was asked how concrete the bank's willingness is to contribute to solving the crisis, a November article in the German financial daily Handelsblatt says he replied by saying the issue is taking a "very unfortunate turn at the moment." The markets, Ackermann added, have reacted negatively to this debate. His remarks could be seen as a threat: Those who make demands will quickly find themselves up against the banks. At Deutsche Bank's annual meeting last Thursday, Ackermann crowed that the bank was in the process of "bringing in the harvest." But the harvest of what? And from what seed? Investment banking alone is expected to contribute €6 billion to the anticipated €10 billion in annual profits. Have we already forgotten that excessively greedy investment banking triggered the financial crisis in the first place? Deutsche Bank played a key role in that process. The United States government is suing a subsidiary of Deutsche Bank, accusing it of pursuing "reckless mortgage lending practices." Yet Ackermann continues to shape policy worldwide. As one of the major players on the financial markets, he is partly responsible for determining whether and under what conditions nations can borrow money.
The rating agencies also continue to participate in world politics, seemingly unperturbed as they issue credit ratings on which the fate of entire nations hinges because they determine the interest rates for government bonds. Belgium is in danger of losing its AA+ rating, and Fitch Ratings has just revised its outlook on Belgium from "stable" to "negative." Have we already forgotten that the big rating agencies were partly responsible for the financial crisis because of their positive valuations of bundles of assets that contained toxic securities? Blame and Brazenness So this is what the new masters look like. They were substantially to blame for part one of the financial crisis and are being brazen in part two. They are extremely jumpy, greedy and only interested in numbers. Those numbers inform the way they control and drive politics. But why do politicians allow themselves to be controlled and driven? Why don't they simply shake off the unforgiving dominance of the financial markets? The answer is that they can't because the political world is dependent on the banks, and it has only itself to blame. Greece would not have fallen into the maelstrom of the financial crisis if it hadn't been deeply in debt. Greece has borrowed more money than it can handle, and it constantly needs to borrow even more. It has become addicted to credit because of its own dissolute lifestyle. As a result, the country has become a pawn of rating agencies, interest rates and the calculations of men like Ackermann. In principle, this applies to all countries in the euro zone, including Germany. Although the German finance minister can easily service all loans, he too is dependent on ratings, interest rates and Ackermann's calculations. Through the euro, Germany is entangled with Greece, Ireland and Portugal, and its own financial situation isn't spectacular enough to eliminate all concerns. The German government cannot simply do what it thinks best.
It must constantly take pains to avoid being pulled into the maelstrom itself. The Clutches of the Markets Now, policies of immoderation -- the urge to impose as few burdens as necessary on citizens while giving them as much as possible -- are coming home to roost. Such policies gave us a high standard of living; but now, partly as a result of the euro, they have delivered us into the clutches of the financial markets. As such, it isn't just the banks that are at fault for the current disaster. Politicians also deserve their share of the blame. But that isn't the whole story either. We, the citizens, are also culpable. Don't we expect high returns from financial institutions, and don't we expect a smaller tax burden from the government while receiving generous subsidies and social benefits? In other words, the financial and euro crises are a reflection of our own wishes. We play a role in the behavior of banks and politicians because they also seek to fulfill our wishes so that they can win us over as customers or voters. Consequences: Dangers to Democracy The public is becoming mistrustful of politicians. Citizens feel treated unfairly when politicians fulfill the banks' wishes with billions in bailouts while ignoring the wishes of citizens. Why does the German government buy up 25 percent of ailing Commerzbank, but not 25 percent of a struggling bakery around the corner or of that other cash-strapped enterprise, the family with three children? One could say that it's because Commerzbank is so large and important to the financial system -- too big to fail -- but that doesn't alleviate our discomfort with an unfair situation. The power of the executive in Germany, the Chancellery, is increasing at the expense of the legislative, the Bundestag. Chancellor Angela Merkel pushed the first bank bailout package through the country's two houses of parliament, the Bundestag and the Bundesrat, in only five days.
The chancellor is pursuing a policy she says is "without an alternative," negotiating bailout packages with the other European Union leaders that the Bundestag is expected to rubber-stamp. But alternatives are vital to a democracy, as is discussion, correct policy and a parliament that keeps the government in check. But all of this is lost in the constant pursuit of new bailout packages. Worse than Ever Yet even as governments gain power relative to national parliaments, they don't have the strength to stabilize the euro. After each meeting in Brussels, the crisis takes a small break. But then it re-emerges, worse than ever before. One could see the whole thing as a duel between politicians and the financial markets -- but if it is, the politicians aren't looking good. The economy has all the advantages. Financial companies are not obligated to serve the general good. They are under no pressure to legitimize their actions, they operate in a secretive way, and they pursue a clear goal that they are wildly determined to achieve: high yields. Politics, by contrast, particularly on the European level, is cumbersome. National leaders must legitimize their actions and reconcile conflicting interests and goals, and they must do so under the watchful eye of the public. They grapple doggedly over the euro, and sometimes things get ugly. But they are almost never successful. Besides, democracy is based on the word. Without free speech and the open exchange of views and ideas, democracy is impossible. Secrecy is the domain of authoritarian states. But at the moment, European politicians cannot speak openly about one of their most important issues, the euro. All it takes is a few words uttered by a finance minister for the banks to react with extreme sensitivity. They immediately shift billions in assets, often to the detriment of entire nations. Words have become expensive, and that makes them dangerous.
Seeking Refuge in Lies As a result, politicians are watching what they say. Pretty much everyone recognizes that it would be fair to involve the banks in the rehabilitation of Greece. But hardly any politicians dare to pursue such a course with any consistency. The banks and investment firms now play the role once held by the gods. Hardly anyone dares to criticize them, and fear of their wrath guides the behavior of politicians. Many are reluctant to speak frankly, while others seek refuge in lies. Under such conditions, democracy has lost its dignity. And that is dangerous. The foundation of any dictatorship is the tacit or open threat of violence against citizens. Their fear supports the system. The basis of democracy is respect among citizens. Their approval supports the system. If this approval disappears, democracy crumbles. Solutions: Humility and Dignity The task now is that of regaining the primacy of politics -- a job for everyone. The banks have no reason to be boastful. They were saved, and they owe their survival to politicians. If politicians had not acted in 2008, possibly even more banks would have collapsed. Now the financial industry must do its part to rescue endangered nations. A lender is partly responsible for a borrower being too heavily in debt. If a debt haircut becomes necessary, decency demands that the banks relinquish a portion of their claims without complaint. Their role is that of participants, not of supervisors and criminal judges. Humility is required. Politicians should impose tougher rules on the banks so that the worst excesses of investment banking are no longer possible. Something has already been done, but it isn't enough. The best solution would be an international transaction tax. Politicians should also liberate themselves from the embrace of the banks. This is only possible if the practice of taking on massive debt finally comes to an end. Only a largely debt-free nation is a sovereign nation. 
The debt brake is a good instrument, but it would be even better if it were supplemented by a general awareness that high government debt is inappropriate -- because it undermines democracy and shifts the economic burden to future generations. As far as the euro is concerned, a two-pronged strategy is needed. European governments should do what it takes to rescue the euro. They should show solidarity with Greece and the other countries that are now struggling. This costs money, and it requires a smarter, better-coordinated and smoother approach than in the past. How Do We See Ourselves? At the same time, it's important to make it clear that Europe is more than the euro. If Greece doesn't manage to stay in the euro zone, it will not be the end of the European Union. The project is bigger than money. It's also a political and cultural project, but unfortunately it had an economic bias from the start. It's time for politicians to fix that. Which brings us to the citizens, to ourselves. How do we see ourselves? Is it the image that the banks have: that our biggest concern is achieving high returns on our investments? Is it the image of the Free Democratic Party (FDP): that we want to pay as little tax as possible? Is it the image of the Christian Democratic Union (CDU), the Social Democratic Party (SPD), the Greens and the Left Party: that we are happy with the greatest possible distribution of wealth? All of these images portray the citizen as Homo oeconomicus, as economic creatures first and foremost. Can this be true? Is that who we are? If we were merely driven by money, we could just as well live in an authoritarian state, as long as we were productive, a state that guarantees our prosperity, like Singapore, the United Arab Emirates or China. Democracy was originally a project of the somewhat affluent who wanted political influence so that they could shape their own lives. That's why they made themselves into the sovereign power. 
This idea is still seductive today. It removed people from the role of the economic subject that strives for things and is productive, but has no say in the way things are run. It was only when humankind took responsibility for the whole that dignity and sovereignty were obtained. And to remain sovereign -- or to become sovereign again -- we must consider our responsibility for the whole when taking action and making demands. Translated from the German by Christopher Sultan URL: http://www.spiegel.de/international/europe/0,1518,766518,00.html From rforno at infowarrior.org Sun Jun 5 21:09:29 2011 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 5 Jun 2011 22:09:29 -0400 Subject: [Infowarrior] - How a cheap graphics card could crack your password in under a second Message-ID: How a cheap graphics card could crack your password in under a second http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/ I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly do-able on your desktop computer. In this report, the author takes a fairly standard Radeon 5770 graphics card (you'll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called "Cain & Abel". The results are startling. Working against NTLM login passwords, a password of "fjR8n" can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.
Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU. Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren't hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU. He then went on to add in mixed symbols to create "F6&B is" (there is a space in there). CPU will take 75 days, GPU will take 7 hours. What does this tell us? Well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile. Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like "Barry1943Manilow" where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using "fR4; $sYu 29 @QwmQz" without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years. A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that's shipping within months.
All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven't been paying attention. Nor has Microsoft, frankly, who should be having a whole raft of alternative, hardened solutions in place ready for its business customers to roll out. What are the solutions? To be honest, I'm not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it's clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history. From rforno at infowarrior.org Mon Jun 6 06:52:56 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 6 Jun 2011 07:52:56 -0400 Subject: [Infowarrior] - Is YouTube Killing Music Piracy? Message-ID: Is YouTube Killing Music Piracy? Ernesto, 5/06/2011 http://torrentfreak.com/is-youtube-killing-music-piracy-110605/ For years the top record label executives have been claiming that it's impossible to compete with free, but YouTube is proving them wrong. With billions of views every month the major record labels are making millions by sharing their music for free. For many people YouTube takes away the incentive to "pirate," but at the same time it may also cannibalise legal music sales. The music industry has witnessed some dramatic changes in recent years, even when piracy is left out of the picture. In just a decade the Internet and the MP3 revolution have redefined people's music consumption habits. We've previously documented how people moved from buying albums to buying singles. But there's another big change that occurred, one that may have an even bigger impact on the music industry as a whole: YouTube and other "free" music sources. If we go back in time 5 or 6 years, people had only one option if they wanted to listen to their favorite artists online without paying for the pleasure.
That one option was piracy. Today the public has a wide variety of legal options, and the medium of choice for most people appears to be YouTube. Although true music aficionados are hard to please, the majority of the public appreciates the option of listening to their favorite tunes for free on YouTube. Google is not complaining either, as music videos are a substantial revenue source for them. But what about the record labels, are they happy too? This is not an easy question to answer, but we're going to give it a try. Revenue-wise, YouTube and Vevo have become a serious revenue source. The major labels haven't been very open about their revenue sharing deal, but EMI Music chief financial officer Paul Kahn said (pdf) during the LimeWire trial that his label gets half a penny for each YouTube play. Half a penny may not sound much, but with billions of views it adds up quickly. If we look at David Guetta, one of EMI's top artists, we see that his YouTube uploads were viewed 308,000,000 times over the past 12 months. That means $1,540,000 in revenue, for only one artist. Just as a comparison, Guetta and EMI have to sell more than 2 million singles to earn that much from "paid" music. In their latest report music industry group IFPI write that at the end of last year the major record labels were getting 1.7 billion views a month, and this number is rising rapidly. In the last 12 months alone Universal Music tripled the number of YouTube views from 2.3 billion May last year to nearly 7 billion today. Staggering numbers that bring in tens of millions of dollars at least, with free music. In part YouTube's success goes at the expense of music piracy. With free music on YouTube a large group of people have less incentive to pirate, and indeed, the number of people who share music on BitTorrent appears to be slowing because of these and other alternatives.
This doesn't mean that music sharing BitTorrent communities are fading away, but the more casual downloaders have found an alternative in YouTube and other streaming services. That's great news for the labels, right? Well, not so fast. All those billions of views on YouTube each month may have slowed piracy down, but if we have to follow the logic of the music industry then actual sales of recorded music would also be affected. After all, for years they've claimed that "free music" on pirate sites caused billions in losses. Free music on YouTube should have a similar effect. The big question is of course whether the revenue from YouTube can match these alleged losses or not. Not an easy question to answer, but these are crucial factors that define how the major record labels will fare in the coming years, probably even more so than piracy. TorrentFreak asked both the RIAA and BPI to share their thoughts on how YouTube could affect music sales, but both unfortunately withheld their comments. This leaves us with the conclusion that, unlike many record label execs have argued in the past, you can compete with free. You can even compete with piracy. Whether the net result is going to be a positive one has yet to be seen, but YouTube is taking up a larger chunk of the record label revenues each year. From rforno at infowarrior.org Mon Jun 6 07:14:30 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 6 Jun 2011 08:14:30 -0400 Subject: [Infowarrior] - Iran Vows to Unplug Internet Message-ID: <4E132148-F4D2-4BD3-9C60-98BD7084BD5E@infowarrior.org> Iran Vows to Unplug Internet By CHRISTOPHER RHOADS and FARNAZ FASSIHI Andres Gonzalez for The Wall Street Journal http://online.wsj.com/article/SB10001424052748704889404576277391449002016.html Iran is taking steps toward an aggressive new form of censorship: a so-called national Internet that could, in effect, disconnect Iranian cyberspace from the rest of the world.
The leadership in Iran sees the project as a way to end the fight for control of the Internet, according to observers of Iranian policy inside and outside the country. Iran, already among the most sophisticated nations in online censoring, also promotes its national Internet as a cost-saving measure for consumers and as a way to uphold Islamic moral codes. In February, as pro-democracy protests spread rapidly across the Middle East and North Africa, Reza Bagheri Asl, director of the telecommunication ministry's research institute, told an Iranian news agency that soon 60% of the nation's homes and businesses would be on the new, internal network. Within two years it would extend to the entire country, he said. The unusual initiative appears part of a broader effort to confront what the regime now considers a major threat: an online invasion of Western ideas, culture and influence, primarily originating from the U.S. In recent speeches, Iran's Supreme Leader Ayatollah Ali Khamenei and other top officials have called this emerging conflict the "soft war." On Friday, new reports emerged in the local press that Iran also intends to roll out its own computer operating system in coming months to replace Microsoft Corp.'s Windows. The development, which couldn't be independently confirmed, was attributed to Reza Taghipour, Iran's communication minister. Iran's national Internet will be "a genuinely halal network, aimed at Muslims on an ethical and moral level," Ali Aghamohammadi, Iran's head of economic affairs, said recently according to a state-run news service. Halal means compliant with Islamic law. Mr. Aghamohammadi said the new network would at first operate in parallel to the normal Internet -- banks, government ministries and large companies would continue to have access to the regular Internet. Eventually, he said, the national network could replace the global Internet in Iran, as well as in other Muslim countries.
A spokesman for Iran's mission to the United Nations declined to comment further, saying the matter is a "technical question about the scientific progress of the country." There are many obstacles. Even for a country isolated economically from the West by sanctions, the Internet is an important business tool. Limiting access could hinder investment from Russia, China and other trading partners. There's also the matter of having the expertise and resources for creating Iranian equivalents of popular search engines and websites, like Google. Few think that Iran could completely cut its links to the wider Internet. But it could move toward a dual-Internet structure used in a few other countries with repressive regimes. Myanmar said last October that public Internet connections would run through a separate system controlled and monitored by a new government company, accessing theoretically just Myanmar content. It's introducing alternatives to popular websites including an email service, called Ymail, as a replacement for Google Inc.'s Gmail. Cuba, too, has what amounts to two Internets -- one that connects to the outside world for tourists and government officials, and the other a closed and monitored network, with limited access, for public use. North Korea is taking its first tentative steps into cyberspace with a similar dual network, though with far fewer people on a much more rudimentary system. Iran has a developed Internet culture, and blogs play a prominent role -- even President Mahmoud Ahmadinejad has one. Though estimates vary, about 11 of every 100 Iranians are online, according to the International Telecommunication Union, among the highest percentages among comparable countries in the region. Because of this, during the protests following 2009's controversial presidential election, the world was able to follow events on the ground nearly live, through video and images circulated on Twitter, Facebook and elsewhere.
"It might not be possible to cut off Iran and put it in a box," said Fred Petrossian, who fled Iran in the 1990s and is now online editor of Radio Farda, which is Free Europe/Radio Liberty's Iranian news service. "But it's what they're working on." The discovery last year of the sophisticated "Stuxnet" computer worm that apparently disrupted Iran's nuclear program has added urgency to the Internet initiative, Iran watchers say. Iran believes the Stuxnet attack was orchestrated by Israel and the U.S. "The regime no longer fears a physical attack from the West," said Mahmood Enayat, director of the Iran media program at the University of Pennsylvania's Annenberg School of Communications. "It still thinks the West wants to take over Iran, but through the Internet." The U.S. State Department's funding of tools to circumvent Internet censorship, and Secretary of State Hillary Clinton's recent speeches advocating Internet freedom, have reinforced Iran's perceptions, these people said. Iran got connected to the Internet in the early 1990s, making it the first Muslim nation in the Middle East online, and the second in the region behind Israel. Young, educated and largely centered in cities, Iranians embraced the new technology. Authorities first encouraged Internet use, seeing it as a way to spread Islamic and revolutionary ideology and to support science and technology research. Hundreds of private Internet service providers emerged. Nearly all of them connected through Data Communications Iran, or DCI, the Internet arm of the state telecommunications monopoly. The mood changed in the late 1990s, when Islamic hardliners pushed back against the more open policies of then-president Mohammad Khatami. The subsequent shuttering of dozens of so-called reformist newspapers had the unintended effect of triggering the explosion of the Iranian blogosphere. Journalists who had lost their jobs went online. Readers followed. Authorities struck back. 
In 2003, officials announced plans to block more than 15,000 websites, according to a report by the OpenNet Initiative, a collaboration of several Western universities. The regime began arresting bloggers. Iran tried to shore up its cyber defenses in other ways, including upgrading its filtering system, for the first time using only Iranian technology. Until around 2007, the country had relied on filtering gear from U.S. companies, obtained through third countries and sometimes involving pirated versions, including Secure Computing Corp.'s SmartFilter, as well as products from Juniper Networks Inc. and Fortinet Inc., according to Iranian engineers familiar with the filtering. Such products are designed primarily to combat malware and viruses, but can be used to block other things, such as websites. Iranian officials several years ago designed their own filtering system -- based on what they learned from the illegally obtained U.S. products -- so they could service and upgrade it on their own, according to the Iranian engineers. A Fortinet spokesman said he was unaware of any company products in Iran, adding that the company doesn't sell to embargoed countries, nor do its resellers. McAfee Inc., which owns Secure Computing, said no contract or support was provided to Iran. Intel Corp. recently bought McAfee, which added that it can now disable its technology obtained by embargoed countries. A Juniper spokesman said the company has a "strict policy of compliance with U.S. export law," and hasn't sold products to Iran. The notion of an Iran-only Internet emerged in 2005 when Mr. Ahmadinejad became president. Officials experimented with pilot programs using a closed network serving more than 3,000 Iranian public schools as well as 400 local offices of the education ministry. The government in 2008 allocated $1 billion to continue building the needed infrastructure.
"The national Internet will not limit access for users," Abdolmajid Riazi, then-deputy director of communication technology in the ministry of telecommunications, said of the project that year. "It will instead empower Iran and protect its society from cultural invasion and threats." Iran's government has also argued that an Iranian Internet would be cheaper for users. Replacing international data traffic with domestic traffic could cut down on hefty international telecom costs. The widespread violence following Iran's deeply divisive presidential election in June 2009 exposed the limits of Iran's Internet control -- strengthening the case for replacing the normal Internet with a closed, domestic version. In one of the most dramatic moments of the crisis, video showing the apparent shooting death of a female student, Neda Agha-Soltan, circulated globally and nearly in real time. Some of the holes in Iran's Internet security blanket were punched by sympathetic people working within it. According to one former engineer at DCI, the government Internet company, during the 2009 protests he would block some prohibited websites only partially -- letting traffic through to the outside world. Since the 2009 protests, the government has ratcheted up its online repression. "Countering the soft war is the main priority for us today," Mr. Khamenei, the Supreme Leader, said November 2009 in a speech to members of the Basij, a pro-government paramilitary volunteer group. "In a soft war the enemy tries to make use of advanced and cultural and communication tools to spread lies and rumors." The Revolutionary Guard, a powerful branch of the Iranian security forces, has taken the lead in the virtual fight. In late 2009, the Guard acquired a majority stake of the state telecom monopoly that owns DCI. That put all of Iran's communications networks under Revolutionary Guard control. The Guard has created a "Cyber Army" as part of an effort to train more than 250,000 computer hackers.
It recently took credit for attacks on Western sites including Voice of America, the U.S. government-funded international broadcasting service. And at the telecom ministry, work has begun on a national search engine called "Ya Hagh," or "Oh, Justice," as a possible alternative to popular search engines like Google and Yahoo. Write to Christopher Rhoads at christopher.rhoads at wsj.com and Farnaz Fassihi at farnaz.fassihi at wsj.com From rforno at infowarrior.org Mon Jun 6 07:49:25 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 6 Jun 2011 08:49:25 -0400 Subject: [Infowarrior] - Studying the Frequency of Redaction Failures Message-ID: <0BA0EFED-8781-45B2-A1EF-4A2DC855CC20@infowarrior.org> Studying the Frequency of Redaction Failures in PACER By Timothy B. Lee - Posted on May 25th, 2011 at 1:52 pm http://freedom-to-tinker.com/blog/tblee/studying-frequency-redaction-failures-pacer Since we launched RECAP a couple of years ago, one of our top concerns has been privacy. The federal judiciary's PACER system offers the public online access to hundreds of millions of court records. The judiciary's rules require each party in a case to redact certain types of information from documents they submit, but unfortunately litigants and their counsel don't always comply with these rules. Three years ago, Carl Malamud did a groundbreaking audit of PACER documents and found more than 1600 cases in which litigants submitted documents with unredacted Social Security numbers. My recent research has focused on a different problem: cases where parties tried to redact sensitive information but the redactions failed for technical reasons. This problem occasionally pops up in news stories, but as far as I know, no one has conducted a systematic study. To understand the problem, it helps to know a little bit about how computers represent graphics. The simplest image formats are bitmap or raster formats. 
These represent an image as an array of pixels, with each pixel having a color represented by a numeric value. The PDF format uses a different approach, known as vector graphics, that represents an image as a series of drawing commands: lines, rectangles, lines of text, and so forth. Vector graphics have important advantages. Vector-based formats "scale up" gracefully, in contrast to the raster images that look "blocky" at high resolutions. Vector graphics also do a better job of preserving a document's structure. For example, text in a PDF is represented by a sequence of explicit text-drawing commands, which is why you can cut and paste text from a PDF document, but not from a raster format like PNG. But vector-based formats also have an important disadvantage: they may contain more information than is visible to the naked eye. Raster images have a "what you see is what you get" quality -- changing all the pixels in a particular region to black destroys the information that was previously in that part of the image. But a vector-based image can have multiple "layers." There might be a command to draw some text followed by a command to draw a black rectangle over the text. The image might look like it's been redacted, but the text is still "under" the box. And often extracting that information is a simple matter of cutting and pasting. So how many PACER documents have this problem? We're in a good position to study this question because we have a large collection of PACER documents -- 1.8 million of them when I started my research last year. I wrote software to detect redaction rectangles -- it turns out these are relatively easy to recognize based on their color, shape, and the specific commands used to draw them. Out of 1.8 million PACER documents, there were approximately 2000 documents with redaction rectangles.
(There were also about 3500 documents that were redacted by replacing text by strings of Xes. I also excluded documents that were redacted by Carl Malamud before he donated them to our archive.) Next, my software checked to see if these redaction rectangles overlapped with text. My software identified a few hundred documents that appeared to have text under redaction rectangles, and examining them by hand revealed 194 documents with failed redactions. The majority of the documents (about 130) appear to be from commercial litigation, in which parties have unsuccessfully attempted to redact trade secrets such as sales figures and confidential product information. Other improperly redacted documents contain sensitive medical information, addresses, and dates of birth. Still others contain the names of witnesses, jurors, plaintiffs, and one minor. Implications PACER reportedly contains about 500 million documents. We don't have a random sample of PACER documents, so we should be careful about trying to extrapolate to the entire PACER corpus. Still, it's safe to say there are thousands, and probably tens of thousands, of documents in PACER whose authors made unsuccessful attempts to conceal information. It's also important to note that my software may not be detecting every instance of redaction failures. If a PDF was created by scanning in a paper document (as opposed to generated directly from a word processor), then it probably won't have a "text layer." My software doesn't detect redaction failures in this type of document. This means that there may be more than 194 failed redactions among the 1.8 million documents I studied. A few weeks ago I wrote a letter to Judge Lee Rosenthal, chair of the federal judiciary's Committee on Rules of Practice and Procedure, explaining this problem. In that letter I recommend that the courts themselves use software like mine to automatically scan PACER documents for this type of problem.
In addition to scanning the documents they already have, the courts should make it a standard part of the process for filing new documents with the courts. This would allow the courts to catch these problems before the documents are made available to the public on the PACER website. My code is available here. It's experimental research code, not a finished product. We're releasing it into the public domain using the CC0 license; this should make it easy for federal and state officials to adapt it for their own use. Court administrators who are interested in adapting the code for their own use are especially encouraged to contact me for advice and assistance. The code relies heavily on the CAM::PDF Perl library, and I'm indebted to Chris Dolan for his patient answers to my many dumb questions. Getting Redaction Right So what should litigants do to avoid this problem? The National Security Agency has a good primer on secure redaction. The approach they recommend -- completely deleting sensitive information in the original word processing document, replacing it with innocuous filler (such as strings of XXes) as needed, and then converting it to a PDF document -- is the safest approach. The NSA primer also explains how to check for other potentially sensitive information that might be hidden in a document's metadata. Of course, there may be cases where this approach isn't feasible because a litigant doesn't have the original word processing document or doesn't want the document's layout to be changed by the redaction process. Adobe Acrobat's redaction tool has worked correctly when we've used it, and Adobe probably has the expertise to do it correctly. There may be other tools that work correctly, but we haven't had an opportunity to experiment with them so we can't say which ones they might be. Regardless of the tool used, it's a good idea to take the redacted document and double-check that the information was removed.
An easy way to do this is to simply cut and paste the "redacted" content into another document. If the redaction succeeded, no text should be transferred. This method will catch most, but not all, redaction failures. A more rigorous check is to remove the redaction rectangles from the document and manually observe what's underneath them. One of the scripts I'm releasing today, called remove_rectangles.pl, does just that. In its current form, it's probably not user-friendly enough for non-programmers to use, but it would be relatively straightforward for someone (perhaps Adobe or the courts) to build a user-friendly version that ordinary users could use to verify that the document they just attempted to redact actually got redacted. One approach we don't endorse is printing the document out, redacting it with a black marker, and then re-scanning it to PDF format. Although this may succeed in removing the sensitive information, we don't recommend this approach because it effectively converts the document into a raster-based image, destroying useful information in the process. For example, it will no longer be possible to cut and paste (non-redacted) text from a document that has been redacted in this way. Bad redactions are not a new problem, but they are taking on a new urgency as PACER documents become increasingly available on the web. Correct redaction is not difficult, but it does require both knowledge and care by those who are submitting the documents. The courts have several important roles they should play: educating attorneys about their redaction responsibilities, providing them with software tools that make it easy for them to comply, and monitoring submitted documents to verify that the rules are being followed. This research was made possible with the financial support of Carl Malamud's organization, Public.Resource.Org. 
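The two checks the post describes, detecting text that sits under a black filled rectangle in a PDF content stream and stripping those rectangles so the reviewer can see what is underneath, as an added Python example; it is not the post's own CAM::PDF Perl code. The sample content stream and PDF fragment are constructed for the demonstration; glyph widths are estimated as half the font size, 'cm' transforms and hex strings are ignored, and content_streams() handles only raw and FlateDecode streams.

```python
"""Find text hiding under black 'redaction' rectangles in PDF page content and
strip those rectangles so a reviewer can see what is underneath. Added example in
the spirit of the Freedom to Tinker scripts, not their (Perl, CAM::PDF) code."""
import re
import zlib
# Content-stream tokens: literal strings, arrays, names, everything else. Hex
# strings, 'cm' transforms and real font metrics are not handled (estimate only).
_TOKEN = re.compile(r'\((?:\\.|[^\\)])*\)|\[[^\]]*\]|/[^\s/\[\]()<>]+|[^\s\[\]()/]+')
_NUM = re.compile(r'^[+-]?(\d+\.?\d*|\.\d+)$')
_STRING = re.compile(r'\((?:\\.|[^\\)])*\)')
_STREAM = re.compile(rb'<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream', re.S)

def _fill_is_black(vals):
    """After g/rg/k: is the new non-stroking colour black? None if malformed."""
    try:
        v = [float(t) for t in vals]
    except ValueError:
        return None
    return {1: v[0] == 0.0, 3: not any(v), 4: v[-1] == 1.0}.get(len(v)) if v else None

def _scan(content):
    """One pass: text boxes, black filled rectangles, and the spans that drew them."""
    fill_black = True                 # PDF default non-stroking colour is black
    size, x, y, lx, ly = 12.0, 0.0, 0.0, 0.0, 0.0
    operands, pending = [], []        # pending: 're' rectangles awaiting a paint op
    texts, rects, cuts = [], [], []
    for m in _TOKEN.finditer(content):
        tok = m.group(0)
        if _NUM.match(tok) or tok[0] in '(/[':
            operands.append((tok, m.start()))
            continue
        vals = [t for t, _ in operands]
        if tok in ('g', 'rg', 'k'):
            black = _fill_is_black(vals)
            fill_black = fill_black if black is None else black
        elif tok == 're' and len(vals) >= 4:
            x0, y0, w, h = (float(v) for v in vals[-4:])
            box = (min(x0, x0 + w), min(y0, y0 + h), max(x0, x0 + w), max(y0, y0 + h))
            pending.append((box, (operands[-4][1], m.end())))
        elif tok in ('f', 'F', 'f*', 'B', 'B*', 'b', 'b*'):
            if fill_black:            # painted black: a candidate redaction box
                rects.extend(box for box, _ in pending)
                cuts.extend([span for _, span in pending] + [(m.start(), m.end())])
            pending = []
        elif tok in ('n', 'S', 's'):  # stroked or discarded, never filled
            pending = []
        elif tok == 'BT':
            x = y = lx = ly = 0.0
        elif tok == 'Tf' and vals:
            size = float(vals[-1])
        elif tok in ('Td', 'TD') and len(vals) >= 2:
            lx, ly = lx + float(vals[-2]), ly + float(vals[-1])
            x, y = lx, ly
        elif tok == 'Tm' and len(vals) >= 6:
            lx, ly = float(vals[-2]), float(vals[-1])
            x, y = lx, ly
        elif tok in ('Tj', 'TJ') and vals:
            text = ''.join(s[1:-1] for s in _STRING.findall(vals[-1]))
            width = len(text) * 0.5 * size        # crude average glyph width
            texts.append((text, (x, y - 0.2 * size, x + width, y + 0.8 * size)))
            x += width
        operands = []
    return texts, rects, cuts

def find_hidden_text(content):
    """[(text, rect)] for every text-showing op whose box intersects a black box."""
    texts, rects, _ = _scan(content)
    return [(t, r) for t, b in texts for r in rects
            if b[0] < r[2] and r[0] < b[2] and b[1] < r[3] and r[1] < b[3]]

def strip_black_rectangles(content):
    """The stream minus its black rectangles, so whatever was under them renders
    (the idea behind the post's remove_rectangles.pl)."""
    _, _, cuts = _scan(content)
    out, pos = [], 0
    for start, end in sorted(cuts):
        out.append(content[pos:start])
        pos = end
    return ''.join(out) + content[pos:]

def content_streams(pdf):
    """Yield stream bodies (raw or FlateDecode) as text. A real file also needs
    xref parsing and the other filters; enough for the constructed fragment."""
    for dic, body in _STREAM.findall(pdf):
        raw = zlib.decompressobj().decompress(body) if b'/FlateDecode' in dic else body
        yield raw.decode('latin-1')
# Constructed sample: an SSN with a black box drawn over it, then a yellow
# highlight (not a redaction) over a second, harmless line.
SAMPLE_CONTENT = ("BT /F1 12 Tf 72 700 Td (Plaintiff SSN: 123-45-6789) Tj ET\n"
                  "0 0 0 rg 150 696 110 14 re f\n"
                  "BT /F1 12 Tf 72 680 Td (Case number: 11-cv-0001) Tj ET\n"
                  "1 1 0 rg 72 676 100 14 re f\n")

def build_sample_pdf(content=SAMPLE_CONTENT):
    """Constructed PDF *fragment* (one compressed stream object, no xref): not viewable."""
    body = zlib.compress(content.encode('latin-1'))
    return (b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n")
```

Running find_hidden_text() over each stream from content_streams(build_sample_pdf()) reports the one SSN line under the black box and ignores the yellow highlight; strip_black_rectangles(SAMPLE_CONTENT) leaves that text in place with the box gone, which is what a reviewer would then see rendered.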
From rforno at infowarrior.org Mon Jun 6 08:15:59 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 6 Jun 2011 09:15:59 -0400 Subject: [Infowarrior] - Are the feds torturing the Patriot Act for location data? Message-ID: <3148FE3A-7D0D-456D-8BC0-272F2D256174@infowarrior.org> Are the feds torturing the Patriot Act for location data? By Timothy B. Lee | Published about an hour ago http://arstechnica.com/tech-policy/news/2011/06/its-hard-to-imagine-a.ars It's hard to imagine a Senator making a blunter statement than Sen. Ron Wyden (D-OR) made in the heat of the Patriot Act reauthorization fight last month: "When the American people find out how their government has secretly interpreted the Patriot Act," he said, "they will be stunned and they will be angry." Wyden is in a position to know. As a member of the Senate Intelligence Committee, he receives classified briefings from the executive branch. And in recent years, three other current and former members of the Senate -- Mark Udall (D-CO), Dick Durbin (D-IL), and Russ Feingold (D-WI) -- have made similar comments. These statements are puzzling because the explicit powers Congress has given to the government are already quite broad. For example, we've extensively covered the FISA Amendments Act of 2008 and the rapid increase in the use of National Security Letters since the enactment of the Patriot Act. Apparently, the government has such an appetite for information about Americans that it has felt the need to push even these quite generous boundaries. The government's activities are shrouded in secrecy, so we can't be sure what the senators are referring to. But the evidence suggests that the Obama administration is using Section 215 of the Patriot Act -- a provision that gives the government access to "business records" -- as the legal basis for the large-scale collection of cell phone location records. What we know It seems clear that the senators' concerns relate to Section 215 of the Patriot Act.
As Ars alumnus Julian Sanchez ably explains in a recent paper for the Cato Institute, Section 215 gives the government the power to obtain "business records" without a showing of probable cause. The debate over section 215 has largely focused on library records, but the Patriot Act's definition of a "business record" extends to any "tangible thing." When Congress considered limiting the use of Section 215 orders to terrorism investigations in 2009, it ran into stiff opposition from the Obama administration. Sen. Durbin wasn't happy about this. "The real reason for resisting this obvious, common-sense modification of Section 215 is unfortunately cloaked in secrecy," he said. He suggested that this secrecy was inconsistent with "transparency, accountability, and fidelity to the rule of law and our Constitution." An even more direct statement came from Sen. Feingold. He noted that Patriot Act supporters had claimed in 2005 that Section 215 had never been misused. "They cannot make that statement now," he said. "They have been misused." Unfortunately, he said, the details were classified. So in 2009, at least two Senators believed that Section 215 of the Patriot Act was being abused. Two years later, in the midst of a debate about again extending Section 215 authority, two other Senators complained about classified Patriot Act abuses. It's not a big leap to suppose these comments all refer to the same government activity. Every step you take So what's the government doing? A growing body of evidence suggests the controversy is related to cell phone location data. Law enforcement officials have become increasingly reliant on this kind of information. In a recent paper on the subject, Stephanie K. Pell and Christopher Soghoian tell the story of the Scarecrow Bandits, a gang that committed a string of bank robberies in the Dallas area.
FBI agents captured the gang by examining cell phone location records and identifying phones that had made calls near several of the banks that were robbed.

In a lengthy blog post, Julian Sanchez recently laid out the evidence tying the Section 215 controversy to the government's appetite for location data. First, Wyden recently unveiled legislation that would require a warrant for the feds to acquire geolocation data. The bill would establish the "exclusive means" for obtaining cell phone location information; it nevertheless goes out of its way to specify that location data may not be obtained using Section 215. This is puzzling since there's no particular reason to think Section 215 would be used in this way. But maybe Sen. Wyden knows something we don't.

Second, Sanchez notes that Sen. Udall has repeatedly warned about Section 215 giving the government "unfettered" access to "a cell phone company's phone records." Two things are notable about this phrasing: first, it specifically mentions cell phone, not wireline, records. And second, it refers to a company's records, rather than records related to some individual.

The obvious conclusion is that the government has been claiming that geolocation information -- most likely, data about which cell phone tower users are near at any given time -- is a "business record" that can be obtained under section 215. By treating this information as the records of the cell phone company rather than the personal information of subscribers, the government sidesteps the need to show that any particular customer is suspected of a crime.

More transparency needed

Clearly, law enforcement officials need a process for obtaining location data. Reasonable people can disagree about the proper standard of review. And obviously, for surveillance to be effective, some operational details need to be kept secret.
But without knowledge of the basic facts -- what kind of information is being collected, how much, and with what procedural safeguards -- it's impossible to have an informed public debate. Sen. Patrick Leahy (D-VT) recently unveiled privacy legislation that would raise the standard for government access to location data. The Pell and Soghoian paper suggests a different framework for regulating government access. It's impossible to have an intelligent debate about these or other options if we don't know what the government is already doing.

Fortunately, the ACLU is on the case. Last week, it filed a Freedom of Information Act request seeking documents related to the Bush and Obama administration's legal interpretations of Section 215 of the Patriot Act. FOIA is a slow and cumbersome process, and the Obama administration will undoubtedly fight the ACLU's efforts. But if the request succeeds, it will give the American public some of the information it needs to have a well-informed debate.

From rforno at infowarrior.org Mon Jun 6 09:19:32 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Jun 2011 10:19:32 -0400
Subject: [Infowarrior] - Mind Control & the Internet
Message-ID:

Mind Control & the Internet
June 23, 2011
Sue Halpern

World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet
by Michael Chorost
Free Press, 242 pp., $26.00

The Filter Bubble: What the Internet Is Hiding from You
by Eli Pariser
Penguin, 294 pp., $25.95

You Are Not a Gadget: A Manifesto
by Jaron Lanier
Vintage, 240 pp., $15.00 (paper)

< big snip >

http://www.nybooks.com/articles/archives/2011/jun/23/mind-control-and-internet/

From rforno at infowarrior.org Mon Jun 6 14:10:43 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Jun 2011 15:10:43 -0400
Subject: [Infowarrior] - National Academies Press Makes All PDF Books Free to Download
Message-ID: <2A2E8239-5E20-4725-BA14-7173EF7E8286@infowarrior.org>

GREAT RESOURCE ---- rick

National Academies Press
Makes All PDF Books Free to Download
http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=06022011

From rforno at infowarrior.org Mon Jun 6 21:32:20 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Jun 2011 22:32:20 -0400
Subject: [Infowarrior] - SecurIDs Come Under Siege
Message-ID: <207B206F-78E3-4203-A489-01E5C77072E6@infowarrior.org>

SecurIDs Come Under Siege
Published June 06, 2011
The Wall Street Journal
http://www.foxnews.com/scitech/2011/06/06/securids-come-under-siege/

RSA Security is offering to provide security monitoring and replace its well-known SecurID tokens -- devices used by millions of corporate workers to securely log on to their computers -- "for virtually every customer we have," the company's Chairman Art Coviello said in an interview.

In a letter to customers Monday, the EMC Corp. unit openly acknowledged for the first time that intruders had breached its security systems at defense contractor Lockheed Martin Corp. using data stolen from RSA.

SecurID tokens have become a fixture of office life at thousands of corporations, used when employees log onto computers or sensitive software systems. The token is an essential piece of security, acting as an ever-changing password that flashes a series of six digits that should be virtually impossible to duplicate.

Mr. Coviello didn't specify what happened to the tokens at Lockheed. The intruders didn't take any Lockheed customer or employee data. But as a precaution, he said RSA will offer to replace nearly all tokens -- millions of them used by government agencies and businesses ranging from Rolls Royce Motor Cars Ltd. to PokerStars.com. Some customers may not need to replace them because of their specific security needs, he said. "We believe and still believe that the customers are protected."

From rforno at infowarrior.org Tue Jun 7 15:51:28 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Jun 2011 16:51:28 -0400
Subject: [Infowarrior] - U.N. Agreement Should Have All Gun Owners Up In Arms
Message-ID: <4494F4F0-1667-4BF2-AB51-C6C0E1F6DBC5@infowarrior.org>

Larry Bell
http://blogs.forbes.com/larrybell/2011/06/07/u-n-agreement-should-have-all-gun-owners-up-in-arms/

U.N. Agreement Should Have All Gun Owners Up In Arms
Jun. 7 2011 - 2:04 pm

It may not come as surprising news to many of you that the United Nations doesn't approve of our Second Amendment. Not one bit. And they very much hope to do something about it with help from some powerful American friends.

Under the guise of a proposed global "Small Arms Treaty" premised to fight "terrorism", "insurgency" and "international crime syndicates" you can be quite certain that an even more insidious threat is being targeted -- our Constitutional right for law-abiding citizens to own and bear arms.

What, exactly, does the intended agreement entail? While the terms have yet to be made public, if passed by the U.N. and ratified by our Senate, it will almost certainly force the U.S. to:

- Enact tougher licensing requirements, creating additional bureaucratic red tape for legal firearms ownership.
- Confiscate and destroy all "unauthorized" civilian firearms (exempting those owned by our government of course).
- Ban the trade, sale and private ownership of all semi-automatic weapons (any that have magazines even though they still operate in the same one trigger pull -- one single "bang" manner as revolvers, a simple fact the anti-gun media never seem to grasp).
- Create an international gun registry, clearly setting the stage for full-scale gun confiscation.
- In short, overriding our national sovereignty, and in the process, providing license for the federal government to assert preemptive powers over state regulatory powers guaranteed by the Tenth Amendment in addition to our Second Amendment rights.

Have no doubt that this plan is very real, with strong Obama administration support. In January 2010 the U.S. joined 152 other countries in endorsing a U.N. Arms Treaty Resolution that will establish a 2012 conference to draft a blueprint for enactment. Secretary of State Hillary Clinton has pledged to push for Senate ratification.

Former U.N. ambassador John Bolton has cautioned gun owners to take this initiative seriously, stating that the U.N. "is trying to act as though this is really just a treaty about international arms trade between nation states, but there is no doubt that the real agenda here is domestic firearms control."

Although professing to support the Second Amendment during her presidential election bid, Hillary Clinton is not generally known as a gun rights enthusiast. She has been a long-time activist for federal firearms licensing and registration, and a vigorous opponent of state Right-to-Carry laws. As a New York senator she ranked among the National Rifle Association's worst "F"-rated gun banners who voted to support the sort of gunpoint disarmament that marked New Orleans' rogue police actions against law-abiding gun owners in the anarchistic aftermath of Hurricane Katrina.

President Obama's record on citizen gun rights doesn't reflect much advocacy either. Consider for example his appointment of anti-gun rights former Seattle Mayor Greg Nickels as an alternate U.S. representative to the U.N., and his choice of Andrew Traver who has worked to terminate civilian ownership of so-called "assault rifles" (another prejudicially meaningless gun term) to head the Bureau of Alcohol, Tobacco, Firearms and Explosives.

Then, in a move unprecedented in American history, the Obama administration quietly banned the re-importation and sale of 850,000 collectable antique U.S.-manufactured M1 Garand and Carbine rifles that were left in South Korea following the Korean War. Developed in the 1930s, the venerable M1 Garand carried the U.S. through World War II, seeing action in every major battle.

As an Illinois state senator, Barack Obama was an aggressive advocate for expanding gun control laws, and even voted against legislation giving gun owners an affirmative defense when they use firearms to defend themselves and their families against home invaders and burglars. He also served on a 10-member board of directors of the radically activist anti-gun Joyce Foundation in Chicago during a period between 1998-2001 when it contributed $18,326,183 in grants to anti-Second Amendment organizations.

If someone breaks into your home when you are there, which would you prefer to have close at hand: 1) a telephone to call 911, or 2) a loaded gun of respectable caliber? That's a pretty easy question for me to answer.

I am a long-time NRA member, concealed firearms license holder and a regular weekly recreational pistol shooter. And while I don't ordinarily care to target anything that has a mother, I will reluctantly make an exception should an urgent provocation arise. I also happen to enjoy the company of friends who hunt, as well as those, like myself, who share an abiding interest in American history and the firearms that influenced it. There are many like me, and fewer of them would be alive today were it not for exercise of their gun rights.

In fact law-abiding citizens in America used guns in self-defense 2.5 million times during 1993 (about 6,850 times per day), and actually shot and killed 2 1/2 times as many criminals as police did (1,527 to 606). Those civilian self-defense shootings resulted in less than 1/5th as many incidents as police where an innocent person was mistakenly identified as a criminal (2% versus 11%).

Just how effectively have gun bans worked to make citizens safer in other countries? Take the number of home break-ins while residents are present as an indication. In Canada and Britain, both with tough gun-control laws, nearly half of all burglaries occur when residents are present. But in the U.S. where many households are armed, only about 13% happen when someone is home. Recognizing clear statistical benefit evidence, 41 states now allow competent, law-abiding adults to carry permitted or permit-exempt concealed handguns. As a result, crime rates in those states have typically fallen at least 10% in the year following enactment.

So the majority in our Senate is smart enough to realize that the U.N.'s gun-grab agenda is unconstitutional, politically suicidal for those who support it, and down-right idiotic -- right? Let's hope so, but not entirely count on it. While a few loyal Obama Democrats are truly "pro-gun", many are loath to vote against treaties that carry the president's international prestige, causing him embarrassment. Also, don't forget that Senate confirmation of anti-gun Obama nominee Supreme Court Justice Sonia Sotomayor. Many within the few who voted against her did so only because of massive grassroots pressure from constituents who take their Constitutional protections very seriously.

Now, more than ever, it's imperative to stick by our guns in demanding that all Constitutional rights be preserved. If not, we will surely lose both.

From rforno at infowarrior.org Tue Jun 7 17:42:33 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Jun 2011 18:42:33 -0400
Subject: [Infowarrior] - Protect IP copyright bill faces growing criticism
Message-ID:

June 7, 2011 3:01 PM PDT
Protect IP copyright bill faces growing criticism
by Declan McCullagh
http://news.cnet.com/8301-31921_3-20069824-281/protect-ip-copyright-bill-faces-growing-criticism/

Technologists are warning that the practical effects of a controversial copyright bill backed by Hollywood will "weaken" Internet security and cause other harmful side effects.
As more Internet engineers, networking professionals, and security specialists have evaluated the so-called Protect IP Act that was introduced last month, concern is growing about how it will change the end-to-end nature of the Internet in ways that could do more harm than good. (See CNET's previous coverage.)

The Protect IP Act would give the U.S. Department of Justice the power to seek a court order against an allegedly infringing Web site, and then serve that order on search engines, certain Domain Name System (DNS) providers, and Internet advertising firms, who would be required to make the target Web site invisible. It's sponsored by Senate Judiciary committee chairman Patrick Leahy, a Vermont Democrat, and aims to target overseas Web sites.

An analysis (PDF) prepared by five Internet researchers lists the problems with that approach. Among them: it's "incompatible" with a set of DNS security improvements called DNSSEC, innocent Web sites will be swept in as "collateral damage," and the blocks can be bypassed by using the numeric Internet address of a Web site. The address for CNET.com, for instance, is currently 64.30.224.118.

Another concern, the authors said, is that the filters could be circumvented easily by using offshore DNS servers not subject to U.S. law. That "will expose users to new potential security threats" not present if they continued to use, say, Comcast's or AT&T's DNS servers. Fake DNS entries can be used by criminals to spoof Web sites for banks, credit card companies, e-mail providers, social networking sites, and so on.

Circumvention by using offshore servers "will also mean that ISPs gain less data on network security threats, since they use their DNS services to monitor systems and guard against denial-of-service attacks, identify botnet hosts, and identify compromised domains," wrote Public Knowledge attorney Sherwin Siy in a blog post yesterday.
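To make the DNSSEC objection concrete, here is an added example written for this archive (it is not code from the researchers' paper, from CNET, or from any DNS software): a toy model of a validating resolver, a filtering device that rewrites the answer for a blocked name, and what each kind of resolver returns. The zone name example-shop.test, the addresses and the signing key are constructed; HMAC-SHA256 stands in for the public-key RRSIG verification that real DNSSEC performs, and the resolver is handed the zone key directly instead of walking the DS chain from a root trust anchor.

```python
"""Toy model of why DNS-based site blocking conflicts with DNSSEC.

A validating resolver checks that every answer carries a signature made with
the zone's key. A filtering device that substitutes a different address for a
blocked name has no access to that key, so its substituted answer looks exactly
like a cache-poisoning attempt and is rejected (SERVFAIL) instead of displayed.
Everything below is constructed: the zone, the key and the addresses (RFC 5737
documentation ranges). HMAC-SHA256 is a stand-in for RRSIG verification.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedAnswer:
    name: str
    rtype: str
    rdata: str
    rrsig: bytes  # signature over (name, rtype, rdata)


def _canonical(name: str, rtype: str, rdata: str) -> bytes:
    """Canonical form of one record, the data that gets signed."""
    return f"{name.lower().rstrip('.')}|{rtype}|{rdata}".encode()


class Zone:
    """Authoritative data for one zone plus the key used to sign it (constructed)."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key
        self.records = {}

    def publish(self, name: str, rtype: str, rdata: str) -> None:
        sig = hmac.new(self._key, _canonical(name, rtype, rdata), hashlib.sha256).digest()
        self.records[(name, rtype)] = SignedAnswer(name, rtype, rdata, sig)

    def lookup(self, name: str, rtype: str):
        return self.records.get((name, rtype))


def filtering_middlebox(answer: SignedAnswer, blocklist: set, notice_ip: str) -> SignedAnswer:
    """Court-order style filter: rewrite A records for listed names to a notice page.
    It cannot sign, so the best it can do is carry the original signature along."""
    if answer.name in blocklist and answer.rtype == "A":
        return SignedAnswer(answer.name, answer.rtype, notice_ip, answer.rrsig)
    return answer


def validating_resolve(answer: SignedAnswer, trust_key: bytes):
    """DNSSEC-style resolver: accept only answers whose signature verifies."""
    expected = hmac.new(trust_key, _canonical(answer.name, answer.rtype, answer.rdata),
                        hashlib.sha256).digest()
    if hmac.compare_digest(expected, answer.rrsig):
        return ("NOERROR", answer.rdata)
    return ("SERVFAIL", None)  # bogus data: refuse rather than hand it to the client


def plain_resolve(answer: SignedAnswer):
    """Non-validating resolver: trusts whatever arrived on the wire."""
    return ("NOERROR", answer.rdata)


def demo() -> dict:
    zone_key = b"constructed-zone-signing-key"  # hypothetical, not a real key
    zone = Zone("example-shop.test", zone_key)
    zone.publish("example-shop.test", "A", "192.0.2.10")

    authentic = zone.lookup("example-shop.test", "A")
    filtered = filtering_middlebox(authentic, {"example-shop.test"}, "198.51.100.1")
    return {
        "validating_authentic": validating_resolve(authentic, zone_key),
        "validating_filtered": validating_resolve(filtered, zone_key),
        "plain_filtered": plain_resolve(filtered),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The validating resolver returns SERVFAIL for the rewritten answer because the filter cannot produce a signature over the substituted address; from the resolver's point of view a court-ordered redirect and a poisoning attempt are the same event, which is the incompatibility the researchers describe. Only a resolver that skips validation shows the substituted address, and that is the behaviour the bill would effectively require of DNS providers.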
The technical paper was authored by Steve Crocker, a longtime member of the Internet Engineering Task Force; David Dagon, a post-doctoral researcher at Georgia Institute of Technology; security researcher Dan Kaminsky; Verisign chief security officer Danny McPherson; and Paul Vixie, chairman of the Internet Systems Consortium and principal author of popular versions of the BIND DNS server software.

It's not entirely clear how broad the Protect IP Act's authority would be. An earlier draft (PDF) of the legislation would have allowed the Justice Department to order any "interactive computer service" -- a phrase courts have interpreted to mean any Web site -- to block access to the suspected pirate site. But the final version (PDF) refers instead to an "information location tool." That's defined as a "directory, index, reference, pointer, or hypertext link," which would certainly sweep in Google, Yahoo, and search engines, and may also cover many other Web sites.

The technical paper joins other criticism of Protect IP, including from the Electronic Frontier Foundation, which has created a petition saying the measure will "invite Internet security risks, threaten online speech, and hamper Internet innovation." EFF and other like-minded advocacy groups including the American Library Association and Human Rights Watch sent a letter (PDF) last month to the bill's Senate sponsors saying the legislation goes too far. Google chairman Eric Schmidt has panned it.

Internet industry trade associations, including the Consumer Electronics Association and NetCoalition, said in a separate letter (PDF) that Protect IP has a real "potential for unintended consequence and require intense scrutiny and study." (CNET's parent company has been a member of NetCoalition.)

All this criticism hasn't done much to slow the bill's momentum so far. On May 26, the Senate Judiciary committee voted unanimously to send the bill to the floor for a vote.

"The small businesses, artists, entrepreneurs, software designers, local journalists and every other segment of the creative community support the (Judiciary committee's decision) today," Sandra Aistars, director of the Copyright Alliance, a group backed by copyright owners, said after the committee vote. The U.S. Chamber of Commerce, too, is an enthusiastic supporter.

Sen. Ron Wyden, an Oregon Democrat, has placed a hold on the bill, saying Protect IP takes an "overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective."

From rforno at infowarrior.org Wed Jun 8 07:22:51 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jun 2011 08:22:51 -0400
Subject: [Infowarrior] - Social Media Hari Kari
Message-ID: <9D5F4BE7-48A8-465D-B69F-5237E89C5357@infowarrior.org>

http://www.cbsnews.com/8301-504943_162-20069448-10391715.html
June 6, 2011 8:50 PM
Social Media Hari Kari
What would it mean to completely pull the plug on your digital life? Is it even possible?
By: Alan W. Silberberg

(CBS/What's Trending) - There it is. The giant following your efforts on social media have given you. It's all of your hard work; your networking, your relationships, your virtual sweat and sometimes literal tears, wrapped in a neat digital package. All those friendly faces, maybe some trolls, maybe some exes, and maybe some total strangers, or many strangers. Social media is different for everyone, we each get out of it what we put into it, and its use is definitely highly subjective and personal.

But something is changing. You are not really sure what yet. You have eclipsed the initial tip toeing around social media and mobile sites. You have some "cred" in your chosen areas of time and investment spent. You might even have achieved minor stardom; in the way that only the sometimes self-reverberating echo chamber that is now social media allows anyone.
Then one night you are sitting at a friend's house bemoaning all the extra email, all the spam you get, and why are you really reading about your middle school friend who lives half a world away and who you have not seen since. Then it hits you. What if I could just end it all? Commit virtual suicide - social media Hari Kari if it were.

The thought is tantalizing for some. For most it would be a passing thought, like the idea of real suicide, most people might possibly think of it, but would never do it. But for a growing number of people, it is more than a passing fancy. They are doing it for real.

Facebook is concerned enough about this very real scenario they have actually blocked at least one such service that specializes in doing exactly that: erasing your social media history and presence completely. Other social media companies may soon follow in similar blocking.

The consequences of erasing social media presences completely are barely being understood as social media itself is continually growing and changing. But there are many large societal questions attached to this like, what happens to politicians and their staff when caught doing things like Anthony Weiner's epic Twitter scandal (aka #Weinergate?) Or what happens when a Government or official gets caught doing it? Even more weird; is the idea of a Government official creating a fake account for some nefarious purpose, then using one of these services to erase it completely, thus basically fulfilling much of George Orwell's writings in his famous book, "1984."

This is not fiction. This is happening already, at least the part about social media Hari Kari. The rest we may never know, or will we?

Alan is the CEO of Silberberg Innovations and founder of Gov20LA and a Principal Analyst with Constellation Research Group. He blogs once a week for What's Trending about politics online. Learn more about him here.
The What's Trending show is produced by Shira Lazar Productions and the Disrupt Group, who are solely responsible for the content, opinions and viewpoints.

From rforno at infowarrior.org Wed Jun 8 08:05:04 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jun 2011 09:05:04 -0400
Subject: [Infowarrior] - Changes to the open Internet in Kazakhstan
Message-ID:

Changes to the open Internet in Kazakhstan
6/07/2011 05:24:00 PM
http://googleblog.blogspot.com/2011/06/changes-to-open-internet-in-kazakhstan.html

(Cross-posted on the European Public Policy Blog and Public Policy Blog)

The genius of the Internet has always been its open infrastructure, which allows anyone with a connection to communicate with anyone else on the network. It's not limited by national boundaries, and it facilitates free expression, commerce and innovation in ways that we could never have imagined even 20 or 30 years ago. Some governments, however, are attempting to create borders on the web without full consideration of the consequences their actions may have on their own citizens and the economy.

Last month, the Kazakhstan Network Information Centre notified us of an order issued by the Ministry of Communications and Information in Kazakhstan that requires all .kz domain names, such as google.kz, to operate on physical servers within the borders of that country. This requirement means that Google would have to route all searches on google.kz to servers located inside Kazakhstan. (Currently, when users search on any of our domains, our systems automatically handle those requests the fastest way possible, regardless of national boundaries.)

We find ourselves in a difficult situation: creating borders on the web raises important questions for us not only about network efficiency but also about user privacy and free expression. If we were to operate google.kz only via servers located inside Kazakhstan, we would be helping to create a fractured Internet.
So we have decided to redirect users that visit google.kz to google.com in Kazakh. Unfortunately, this means that Kazakhstani users will experience a reduction in search quality as results will no longer be customized for Kazakhstan.

Measures that force Internet companies to choose between taking actions that harm the open web, or reducing the quality of their services, hurt users. We encourage governments and other stakeholders to work together to preserve an open Internet, which empowers local users, boosts local economies and encourages innovation around the globe.

Posted by Bill Coughran, SVP, Research & Systems Infrastructure

From rforno at infowarrior.org Wed Jun 8 08:11:36 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jun 2011 09:11:36 -0400
Subject: [Infowarrior] - Facebook doing facial recognition now
Message-ID: <0B311EC0-FA5D-43F4-8704-ADF2A85C8B12@infowarrior.org>

FYI if folks haven't seen it yet. I guess it's true: the only winning move is not to play. --- rick, still not on FB.

Recognition is Creepy
Everyone stop uploading photos of people to Facebook RIGHT NOW.
By Sarah Jacobsson Purewal
http://www.pcworld.com/printable/article/id,229742/printable.html
Jun 8, 2011 5:46 AM

I'm not sure if you've heard the news, but Facebook is officially getting super-creepy. Facebook announced Tuesday that it will be implementing facial recognition technology for all users in the next few weeks, semi-automating the photo-tagging process. Sure, you can "opt-out" of the service, but it's a pretty weak consolation. After all, opting out won't keep Facebook from gathering data and recognizing your face--it'll just keep people from tagging you automatically.

The new facial recognition technology, which was announced in December but only introduced to a small test group, is basically Facebook's way of creating a huge, photo-searchable database of its users. And yes, it's terrifying.
Basically, Facebook is using facial recognition technology to "suggest" tags to users who upload photos. In other words, if I upload six photos of my friend Kaitlin, Facebook may "recognize" her face (thanks to other tagged photos of her on the website) and "suggest" that I tag her in those six photos. This makes the tagging process a little easier for me--after all, aren't I more likely to tag Kaitlin if all I have to do is click a button that says "yes, tag away"? Another "benefit" is that I can tag all of these photos of Kaitlin at once--as Facebook said in a blog post, isn't it a whole lot better to be able to tag all of those photos of Kaitlin at once, instead of having to tag each one individually?

Sure, I guess it's easier. Easier for Facebook to invade my privacy, that is.

Ok, I know I sound a little melodramatic. But let's take a look at some facts here:

- Facebook has 600 million members.
- Each day, Facebook's members upload over 200 million photos, and Facebook currently hosts over 90 billion photos.
- Each time you "tag" a photo on Facebook, its facial recognition technology learns more about what that person looks like.
- Even if you happen to "opt out" of the facial recognition tagging, Facebook's technology can surely use the tagged photos of you (hey, perhaps even the tagged photos of you that you end up un-tagging) to figure out what you look like.
- Right now Facebook is using this technology to help people tag photos. But once they have an accurate facial recognition database of several hundred million people? Hmm.

At the end of the day, Facebook's facial recognition technology is downright creepy. Opting out of the service doesn't mean Facebook will stop trying to recognize your face--it just means that Facebook will stop suggesting that other people tag you. Even Google has noted the utter creepiness of facial recognition technology (though I suspect they're just waiting for Facebook to get burned).
Facial recognition technology will ultimately culminate in the ability to search for people using just a picture. And that will be the end of privacy as we know it--imagine, a world in which someone can simply take a photo of you on the street, in a crowd, or with a telephoto lens, and discover everything about you on the internet.

Obviously, we can't stop the world of technology from moving toward the development of accurate facial recognition software. But so far, no facial recognition software has really been a threat to our privacy, because nobody has that huge database of people and photos required. Oh wait, except Facebook totally does. Yeah.

So not only should you opt out of Facebook's facial recognition technology by going to Account > Account Settings > Privacy > Customize Settings > Things Others Share and disabling "Suggest photos of me to friends," you should also upload random pictures of trees and animals and stuffed toys and tag them as yourself.

From rforno at infowarrior.org Wed Jun 8 11:07:09 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jun 2011 12:07:09 -0400
Subject: [Infowarrior] - Don't Believe Scare Stories About Cyber War
Message-ID: <9EB2D1E2-A3FF-4321-9B76-37A9F4B83F7C@infowarrior.org>

Source: http://www.scientificamerican.com/blog/post.cfm?id=dont-believe-scare-stories-about-cy-2011-06-03

Don't Believe Scare Stories About Cyber War
By John Horgan
Scientific American
June 3, 2011 at 07:30 GMT-4 (EDT)
Keywords: Commentary, Cyber, Defense, Government, New-York, Research-Community, United-States

For years, a friend I'll call Chip, knowing my obsession with war, has been telling me: "Cyber War! That's what you should be writing about! Real war is passé!" Chip keeps sending me stories about all the damage digital attacks do -- or rather, might do, because as far as I can tell cyber war hasn't claimed a single life.
My admittedly glib response has been that if nations start waging war with 1s and 0s rather than bombs and bullets, that's progress. But Chip finally goaded me into writing about cyber war by alerting me to a May 31 Wall Street Journal article, "Cyber Combat: Act of War." The Pentagon "has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force," according to the article. It adds: "If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a 'use of force' consideration, which could merit retaliation." This report follows years of scare stories about cyber attacks. One of the best known involves a mysterious program called "Stuxnet," which supposedly disrupted Iran's nuclear program by infecting its computer systems; the Stuxnet attack may have been carried out by Israel, possibly with U.S. help. Other stories have alleged attacks by Russia and China on U.S. computers belonging to our defense agencies and contractors as well as civilian businesses, such as Google. One obvious problem with the Pentagon's new retaliation policy is that tracing cyber attacks to their sources can be difficult. Sophisticated hackers can concoct false trails, leading the targets to suspect and possibly retaliate against an innocent group. As one unnamed Pentagon official told The New York Times, "How do we know when it's a hacker and when it's the People?s Liberation Army?" Here's another question: How do we know whether cyber war poses a genuine threat to the U.S. and other nations? The military-industrial complex has a long history of exaggerating threats. Remember the "missile gap," the Soviet Union's illusory superiority in nuclear missiles, which justified enormous investments in the U.S. nuclear arsenal? U.S. 
security agencies today are trying to justify and even increase their already immense budgets by hyping the threat of cyber war, according to an article published in The New Yorker last November by the legendary investigative reporter Seymour Hersh. He quoted former U.S. security officials Richard Clarke and Michael McConnell, among others, warning that the U.S. could be vulnerable to "catastrophic" cyber attacks. Hersh noted that cyber security, into which the U.S. already pours as much $14 billion a year, "is a major growth industry, and warnings from Clark, McConnell and others have helped to create what has become a military-cyber complex." Both Clarke and McConnell, Hersh pointed out, work for consulting groups that have grabbed pieces of the cyber-security pie. Hersh also cited "military, technical and intelligence experts" who contend that the danger of cyber attacks that shut down nuclear power plants, air-traffic control computers and other truly critical systems?as depicted in fictional TV shows such as 24?"have been exaggerated." Privacy advocates also warn that the military-cyber complex is seeking more control over civilian information systems, so that it can eavesdrop on communications more readily. Of course, by boosting its cyber defensive?and, no doubt, offensive?capabilities, the U.S. may encourage other countries to do so, triggering a cyber arms race that makes us more rather than less vulnerable. Here's a bit more context for the cyber warfare debate: Over the past decade the U.S. defense budget has doubled, and it is now almost as large as the military budgets of all other nations combined. The vast, super-secret National Security Agency (NSA), which oversees U.S. digital security and intelligence-gathering, is "three times the size of the CIA and with a third of the U.S.'s entire intelligence budget," Jane Mayer noted in the May 23 issue of The New Yorker. Mayer reported that the U.S. 
Department of Justice is zealously prosecuting a former NSA employee and whistle-blower, Thomas Drake, who dared raise questions about the agency's financial waste and illegal surveillance -- even though President Barack Obama once praised whistleblowers as "often the best source of information about waste, fraud and abuse in government." Mayer quoted a law professor at Yale University, Jack Balkin, who said of the Drake prosecution and similar cases, "We are witnessing the bipartisan normalization and legitimization of a national-surveillance state."

Cyber fear mongering originated during the George W. Bush administration, but it has continued under Bush's successor, who as a candidate criticized Bush's warrantless wiretapping of Americans. I'm no longer surprised by the Obama administration's hawkishness. Just disappointed.

Source: http://www.scientificamerican.com/blog/post.cfm?id=dont-believe-scare-stories-about-cy-2011-06-03

From rforno at infowarrior.org Wed Jun 8 14:53:47 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jun 2011 15:53:47 -0400
Subject: [Infowarrior] - Stallman: EBooks are "attacking our freedom"
Message-ID:

EBooks are "attacking our freedom"
By Barry Collins
Posted on 8 Jun 2011 at 09:54
http://www.pcpro.co.uk/news/367894/ebooks-are-attacking-our-freedom

Free software guru Richard Stallman has called on consumers to reject eBooks until they "respect our freedom". In an article entitled The Dangers of eBooks (PDF), the founder of the Free Software Foundation warns that "technologies that could have empowered us are used to chain us instead". He highlights the DRM embedded in eBooks sold by Amazon as an example of such restrictions, citing the infamous case of Amazon wiping copies of George Orwell's 1984 from users' Kindles without permission. He points to other examples of how buyers' freedoms are eroded.
"Amazon requires users to identify themselves to get an eBook," Stallman claims, pointing out that printed book buyers can walk into a bookstore and make a cash purchase anonymously. He also claims the eBook format used by Amazon is "secret", and "only proprietary user-restricting software can read it at all". Stallman claims that eBook retailers can still support authors and retain buyers' freedoms by distributing tax funds to authors based on their popularity, or by "designing players so users can send authors anonymous voluntary payments". "EBooks need not attack our freedom, but they will if companies get to decide," Stallman concludes. "It's up to us to stop them." http://www.pcpro.co.uk/news/367894/ebooks-are-attacking-our-freedom From rforno at infowarrior.org Wed Jun 8 17:18:35 2011 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 8 Jun 2011 18:18:35 -0400 Subject: [Infowarrior] - Commerce Dept Proposes NewCybersecurity Policy Framework Message-ID: <8C599BBA-71D9-4F1B-A706-A485B394F689@infowarrior.org> Wednesday, June 08, 2011 Commerce Dept Proposes New Cybersecurity Policy Framework http://cybertelecom.blogspot.com/2011/06/commerce-dept-proposes-newcybersecurity.html Press Release "The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. The report, Cybersecurity, Innovation and the Internet Economy, focuses on the ?Internet and Information Innovation Sector? (I3S) ? these are businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only business, to cloud computing firms that are increasingly subject to cyber attacks. ?Our economy depends on the ability of companies to provide trusted, secure services online. 
As new cybersecurity threats evolve, it's critical that we develop policies that better protect businesses and their customers to ensure the Internet remains an engine for economic growth," said Commerce Secretary Gary Locke. "By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft."

Today's report, based on extensive public input, addresses the growing economic importance of strengthening cybersecurity protection and preserving consumer trust in the Internet. Global online transactions are currently estimated by industry analysts at $10 trillion annually. As Internet business grows, so has the threat of cybersecurity attacks. The number of Internet malware threats was estimated to have doubled between January 2009 and December 2010. In 2010, an estimated 55,000 new viruses, worms, spyware and other threats were bombarding the Internet daily.

The report, developed by the Department's Internet Policy Task Force, makes a number of specific recommendations for reducing I3S vulnerabilities:

- Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats and that they implement the Domain Name System Security (DNSSEC) protocol extensions on the domains that host key Web sites. DNSSEC provides a way to ensure that users are validly delivered to the web addresses they request and are not hijacked.

- Developing incentives to combat cybersecurity threats. The report also recommends exploring and identifying incentives that could include reducing "cyberinsurance" premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
- Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education should target awareness and training to the I3S and develop methods for cost/benefit analyses for cybersecurity expenditures.

- Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This should include enhanced sharing of research and development goals, standards, and policies that support innovation and economic growth.

This report follows a series of recent Internet security policy recommendations made by the Obama administration. In April, the Administration released the National Strategy for Trusted Identities in Cyberspace, which seeks to better protect consumers from fraud and identity theft. Last month, the Administration proposed legislation to require companies providing critical infrastructure services, such as the financial and energy sectors, to implement stronger cybersecurity practices (fact sheet). In addition, the Administration recently released a strategy for managing international issues in cyberspace.

The Commerce Department launched the Internet Policy Task Force in April 2010 to identify and address the Internet's most pressing policy issues and to recommend new policies. The Task Force was directed to look at establishing practices, norms and ground rules that promote innovative uses of information in four key areas where the Internet must address significant challenges: enhancing Internet privacy; improving cybersecurity; protecting intellectual property and encouraging the global free flow of information.

In order to gather additional stakeholder input and refine the report's preliminary recommendations, the Commerce Department will seek public comment and publish questions from the report in a Federal Register notice later this week.
The Commerce Department's Internet Policy Task Force will also continue to work with others in government to engage the domestic and global privacy community, and will consider publishing a refined set of policy recommendations in the future.

The full report, including questions seeking additional stakeholder input, can be found here: http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf

From rforno at infowarrior.org Wed Jun 8 17:45:09 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jun 2011 18:45:09 -0400
Subject: [Infowarrior] - Army Seeks Social Media Gurus to Save the Afghan
Message-ID: <7F5E6E3D-CDA4-44DE-AFB9-77A247C88168@infowarrior.org>

Army Seeks Social Media Gurus to Save the Afghan War
By Spencer Ackerman | June 8, 2011 | 4:53 pm
http://www.wired.com/dangerroom/2011/06/army-seeks-social-media-gurus-to-save-the-afghan-war/

Know how to Tweet? Or how to put words into the mouths of foreign security functionaries? If so, the U.S. Army wants you to help un-quagmire the Afghanistan war.

A new solicitation from the Army seeks communications experts to run the full spectrum of outreach and messaging for the war effort. A new "Web Content/Social Media Manager" will work with the U.S. military command in Afghanistan, known by the acronym USFOR-A, to spruce up and maintain "the command's official website and related social media platforms, such as Facebook, Twitter, YouTube and Flickr." (PDF) Other officials will dig into the Afghan security ministries to advise key officials how to convince people they're competent, energetic and not at all corrupt.

To non-Afghan eyes, USFOR-A's got a pretty robust social media presence. Check out how often it tweets its messaging into the ether. Its YouTube channel is filled with positive videos, and its Facebook page -- folded into the NATO command's page -- has nearly 80,000 Likes. Is the war won yet? Evidently not.
The solicitation sees the Taliban doing a better communications job than the U.S.: "To date, the Insurgents (INS) have undermined the credibility of USFOR-A, the International Community (IC), and Government of the Islamic Republic of Afghanistan (GIRoA) through effective use of the information environment, albeit without a commensurate increase in their own credibility." Guess the Army thinks the Taliban's recent English-language tweeting and SMS terror campaign is having an impact. Or that Gen. Stanley McChrystal's 2009 plea to revamp the war's communications apparatus didn't have the desired effect.

That problem's magnified when it comes to the Afghan government, which is so corrupt that Ryan Crocker, Obama administration's nominee for ambassador to Kabul, compared its perfidies to a "second insurgency" on Wednesday. The answer? "[C]ulturally-astute and culturally-attuned communication and public affairs advisement" to mouthpieces for the ministries of Defense and Interior.

What will those advisers do? The short answer is teach them how to spin. The long answer: "better align media reporting and public perception and proactively engage opinion-shapers, from media to key leaders, in order to bring these attributes of the information landscape into alignment."

This is only partially about gaining or keeping Afghan support. The bolstered social media push needs to have rapid translation into Dari and Pashto, as well as ceaselessly nimble translations of the local press so the military gets feedback, the solicitation says. But it's primarily to "inform key audiences" -- that is, "media and civilian populations internationally and within the region" about USFOR-A spin.

And when the best that the smooth diplomat Crocker can tell the Senate about the war is that it's "not" hopeless, it's no wonder that the Army thinks USFOR-A needs all the communications help it can get.
From rforno at infowarrior.org Thu Jun 9 06:50:00 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jun 2011 07:50:00 -0400
Subject: [Infowarrior] - Case against ex-NSA manager accused of mishandling classified files narrows
Message-ID: <9318C5F3-E91D-4BD8-89AA-DBC5178D58CA@infowarrior.org>

Case against ex-NSA manager accused of mishandling classified files narrows
By Ellen Nakashima, Published: June 8
http://www.washingtonpost.com/national/national-security/case-against-ex-nsa-manager-accused-of-mishandling-classified-files-narrows/2011/06/07/AGk3ZZMH_print.html

Federal prosecutors will withdraw key documents from their case against a former National Security Agency manager charged with mishandling classified material, a move that experts say could signal the unraveling of one of the Obama administration's most prominent efforts to punish accused leakers.

Prosecutors informed U.S. District Judge Richard Bennett this week that they would withhold documents they had planned to introduce as evidence to keep from disclosing sensitive technology. Former NSA executive Thomas A. Drake is charged with unlawfully retaining classified information at a time when he was in touch with a Baltimore Sun reporter who later chronicled mismanagement at the agency.

The government has used the 1917 Espionage Act, which has been criticized as vague and overbroad, to charge Drake, one of five such cases against alleged leakers under the Obama administration. Drake is not accused of spying, but the law's provisions criminalize the unauthorized retention of classified material. The trial is set to begin Monday.

The government's decision to withhold certain documents may complicate prosecutors' efforts to prove a violation of the act, suggesting that the government may have overreached in using an espionage law to target a suspected leaker.

"By withdrawing several of the exhibits, at least a couple of the counts against Drake will almost certainly need to be dismissed,"
said Steven Aftergood, a national security expert with the Federation of American Scientists who has followed the case closely since Drake was indicted last year. "It changes the whole dynamic of the prosecution and may even set the stage for settlement or dismissal."

Prosecutors "gambled that the court would permit them to submit unclassified substitutions for this information," Aftergood said. "The case isn't over, but this is clearly a setback for the prosecution."

Transparency activists and media experts warn that such prosecutions could stanch the flow of information the public needs to judge policy, and George W. Bush administration officials see the prosecutions as selective -- ignoring high-level officials who release sensitive information to advance their personal or policy agendas.

Justice Department spokesman Laura Sweeney declined to comment on the case.

Drake, 54, could face 35 years in prison if convicted of "willful retention of national defense information." He is not charged with a leak. Drake has said that he is a whistleblower who is facing a politically motivated reprisal for drawing attention to the NSA's inefficiencies. "I will never plea-bargain with the truth," he told friends last year.

Drake was a senior executive at the NSA -- a "senior change leader" -- who professed an ambition to change the agency's insular culture. He became disillusioned with the agency's handling of major technology programs and concerned that the NSA was needlessly violating Americans' privacy through a massive surveillance program adopted after the Sept. 11, 2001, terrorist attacks. He raised concerns with officials and the inspector general, and later with the reporter, before leaving the agency in 2008.

According to people following the case, the government may have to drop two Espionage Act counts that relate to information that Drake submitted to the Defense Department inspector general between 2002 and 2004 to buttress colleagues'
complaints about waste, fraud and abuse of a bungled NSA data-sifting program, Trailblazer. He and his former NSA colleagues thought the complaints were confidential.

The evidence for those two counts is contained in Exhibits 42 and 43, according to the sources. Prosecutor William M. Welch II, in a letter Sunday to Bennett, a U.S. District Court judge in Baltimore, said those exhibits will be withdrawn. The letter was first reported by Politico.

Another exhibit, numbered 41, also consisting of information Drake submitted to the inspector general, is intended to support a third Espionage Act count, which may also be dropped, the sources said. That exhibit will be redacted, the prosecution has said.

Two remaining Espionage Act charges relate to information that Drake possessed but that had been published on the NSA's in-house intranet. Legal experts said Drake could contend that the material was unclassified information that was widely available to tens of thousands of agency employees.

The rest of the charges -- one count of obstruction of justice and four counts of making a false statement -- are less important, legal experts said.

Prosecutors decided to withdraw and redact the documents after Bennett ruled that they could not substitute unclassified language without harming Drake's ability to mount a defense.

In his letter, Welch, who led the unsuccessful corruption prosecution of the late senator Ted Stevens (R-Alaska), stated he was withdrawing four exhibits and redacting two more to remove any reference to a "particular telecommunications technology."

"In short, no reference to the technology will be made," Welch said. "This will allow continued protection of the details of NSA's efforts in this area, while simultaneously protecting the defendant's constitutional ability to present his defense."

The case against Drake is already leaner than initially planned.
Welch's predecessor, Steven Tyrrell, had wanted to charge Drake with leaking classified documents to a reporter and being part of a conspiracy, according to an early draft of the indictment that Welch inadvertently sent to the defense team.

Leak prosecutions under the Espionage Act had been relatively rare until the Obama administration. Daniel Ellsberg, who gave the Pentagon Papers to a reporter, was the first leaker indicted under the law, but his case ended with a mistrial after government misconduct.

The Obama administration is presiding over five cases involving the act, including those against Pfc. Bradley Manning, a former Army intelligence analyst accused of passing State Department and military war data to the anti-secrecy Web site WikiLeaks; Stephen Kim, a former State Department analyst accused of leaking to a television reporter; and Jeffrey Sterling, a former CIA analyst accused of passing classified information to author and New York Times reporter James Risen.

"Obama is prosecuting whistleblowers who made the kinds of disclosures that he said he wants -- contractors bilking the government of billions of dollars," said Jesselyn Radack, a former Justice Department whistleblower and director of national security at the Government Accountability Project. "That's what Drake did."

Staff researcher Julie Tate contributed to this report.

© The Washington Post Company

From rforno at infowarrior.org Thu Jun 9 06:57:03 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jun 2011 07:57:03 -0400
Subject: [Infowarrior] - Spyware, the FBI, and The Failure of ISPs
Message-ID: <3AE664F4-0A47-4318-A29D-1E877BBA7B99@infowarrior.org>

(c/o MS)

Spyware, the FBI, and The Failure of ISPs
ARTICLE DATE: 06.01.11
By John C. Dvorak
http://www.pcmag.com/print_article2/0,1217,a=264949,00.asp?hidPrint=true

Operation Adeona, it was called. It involved the FBI. Spyware. Intrigue. Controversy.
The FBI took it upon itself to attack one of the miserable botnets that plagues the Internet to figure out how to intercept its "calling home function." And essentially it ended up giving it new and less destructive instructions. Let me try to explain.

Botnets generally consist of thousands of infected computers that have some specific piece of malware installed. Your computer at home may be one of them. The malicious code is usually in the form of a Trojan Horse that was planted by a Web site or some code you mistakenly clicked on. Once installed on your computer it doesn't really do much until called into action. The idea nowadays is to inhabit your machine for nefarious purposes including mailing spam from your account, pinging a target computer to harass someone, or even to do odd sorts of market research. Most of the time these infected machines do their dirty work after hours and seldom during the day when an observant owner might spot the dubious activity.

It is a public nuisance. I cannot emphasize enough how people should run some good scanners to ferret out these programs. Millions of machines are infected.

Anyway, so the FBI decided to counterattack one of the major botnets called Coreflood, which is used to loot bank accounts. The FBI was to replace the servers communicating with infected Coreflood machines with its own servers, and also to disable the Coreflood malware on the infected machines. This process seems to have gone well and the botnet was mostly silenced and had no way of getting any more nefarious instructions, rendering it useless. The problem is that the code is still on the machines. Now it gets dicey.

Is the FBI Going Too Far?

The FBI wants to take things a step further and let the code phone home to get an instruction to remove itself from the infected machines. In other words, it wants to have each personal computer erase code without the permission of its owner. Thus a controversy is now brewing.
Privacy advocates see this as the beginning of the end insofar as government interference with private PCs goes. It would be pretty effortless to snoop on personal machines and perhaps find illegal MP3 files or fake copies of Windows or whatever. Then the government could erase the copies or have you arrested or disable your machine completely. These are justified fears, but I do not see any of this current process actually leading to that. In this instance the FBI appears to have been quite careful about everything and is showing no signs of being the camel head in the tent.

I'd love to see the FBI uninstall these Trojans from any machine that would accept the uninstall code. There is a fear that doing this might damage some machines somehow. Perhaps the uninstall would take place while the machine was being used and a disk access was affected by the uninstall and important data was lost. There are a lot of possibilities and most are bad.

But the FBI is collecting the ping information from the machines, and some people hope that the Agency could work with ISPs and tell the specific owners of the machines that their machine is infected and they need to take action. This idea is the most reasonable approach as far as I'm concerned.

The Role ISPs Should Be Playing

But here is the element missing from the whole mess: None of this should be necessary. ISPs should be monitoring their networks themselves and looking for botnets everywhere. I had a machine once that was infected and sending out millions of pings while I chatted with tech support. I ran a virus scanner and found some Trojan; I erased it, and the machine was great after that. The tech support guy saw the machine was doing this and reported it to me. Why can't all the ISPs routinely look at the activity on the network and use deep-packet sniffing to find these infected machines and tell the customer in the first place? How hard can it be?
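The sinkhole-and-notify approach the column describes (replacement servers collecting bot check-ins, then ISPs telling affected customers) can be shown as a small triage script. This is an added example, not the FBI's or Coreflood's code; the check-in log format, the prefix-to-ISP table and the sample log lines are all constructed for illustration.

```python
"""Triage of sinkhole check-in logs (added example; log format and data are constructed)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of what a replacement (sinkhole) server might record each time
# an infected machine "phones home". The format is hypothetical:
# <timestamp> <source IP> bot=<bot id> cmd=<request>
SAMPLE_LOG = """\
2011-04-13T02:14:07Z 198.51.100.23 bot=7f3a cmd=poll
2011-04-13T02:14:09Z 198.51.100.23 bot=7f3a cmd=poll
2011-04-13T02:15:30Z 203.0.113.8 bot=19c2 cmd=poll
2011-04-13T02:16:01Z 198.51.100.77 bot=0be1 cmd=poll
2011-04-13T02:16:44Z 192.0.2.200 bot=e4d0 cmd=poll
2011-04-13T02:17:12Z not-a-log-line
"""

# Constructed prefix table standing in for ISP allocation data (in practice from
# WHOIS/RIR records); the networks and abuse contacts are hypothetical.
ISP_PREFIXES = {
    "198.51.100.0/24": "ExampleNet (abuse@example-net.invalid)",
    "203.0.113.0/24": "Sample Cable (abuse@sample-cable.invalid)",
}


def parse_checkin(line):
    """Parse one log line into (timestamp, ip, bot_id); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].startswith("bot="):
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = ip_address(parts[1])
    except ValueError:
        return None
    return ts, ip, parts[2][len("bot="):]


def isp_for(ip):
    """Map a source address to its ISP via the prefix table; None when no prefix matches."""
    for prefix, isp in ISP_PREFIXES.items():
        if ip in ip_network(prefix):
            return isp
    return None


def build_notifications(log_text):
    """Group distinct infected hosts by ISP so each ISP receives one list of customer IPs.

    Returns {isp or "UNKNOWN": {ip_str: set(bot_ids)}}; repeated check-ins from the
    same host are de-duplicated, and malformed lines are skipped rather than fatal.
    """
    by_isp = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_checkin(line)
        if rec is None:
            continue
        _, ip, bot_id = rec
        by_isp[isp_for(ip) or "UNKNOWN"][str(ip)].add(bot_id)
    return {isp: dict(hosts) for isp, hosts in by_isp.items()}


def format_notice(isp, hosts):
    """Render a plain-text notice for one ISP: affected IPs plus a remediation pointer.

    Nothing here touches the infected machines; the ISP contacts the owner instead.
    """
    lines = [f"To: {isp}",
             f"{len(hosts)} customer address(es) checked in to the sinkhole:"]
    for ip in sorted(hosts, key=ip_address):
        lines.append(f"  {ip} (bot ids: {', '.join(sorted(hosts[ip]))})")
    lines.append("Recommended: notify the customer and advise a full malware scan.")
    return "\n".join(lines)


if __name__ == "__main__":
    for isp, hosts in build_notifications(SAMPLE_LOG).items():
        print(format_notice(isp, hosts), end="\n\n")
```

Addresses that match no known prefix land in an "UNKNOWN" bucket so they are not silently dropped from the report.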
It's believed they can deep-sniff a Skype call, why not find these bots? After all, it would save bandwidth and be a benefit to everyone. I have no objection to the FBI trying to fix the problem, but the problem probably wouldn't exist if ISPs did more for their customers than merely collect money.

From rforno at infowarrior.org Thu Jun 9 15:08:08 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jun 2011 16:08:08 -0400
Subject: [Infowarrior] - Special Needs Son Harassed by TSA at Detroit Metropolitan Airport
Message-ID: <93CA8409-F590-4248-A1C5-6CC2D732271E@infowarrior.org>

Horrible story, but the last line is very telling. How much are we paying these bozos to provide this pathetic illusion of "enhanced" security? -- rick

http://www.myfoxdetroit.com/dpp/news/taryn_asher/dad-special-needs-son-harassed-by-tsa-at-detroit-metropolitan-airport-20110608-wpms

Dr. David Mandy: Special Needs Son Harassed by TSA at Detroit Metropolitan Airport
Updated: Thursday, 09 Jun 2011, 3:32 PM EDT
Published : Wednesday, 08 Jun 2011, 11:10 PM EDT
By TARYN ASHER
WJBK | myFOXDetroit.com

ROMULUS, Mich. (WJBK) - The Mandy family says they were on their way to the happiest place on earth (Disney), but had to go through hell to get there.

"I realize they're trying to keep people safe, but come on, does he look like a terrorist?" said Dr. David Mandy.

The family was going through security when two TSA agents singled Drew Mandy out for a special pat down. Drew is severely mentally disabled. He's 29, but his parents said he has the mental capacity of a two-year-old, which made the experience that followed at metro Detroit's McNamara Terminal that much harder to deal with.

"You have got to be kidding me. I honestly felt that those two agents did not know what they were doing," Mandy told us.

Dr. Mandy claimed they asked Drew to place his feet on the yellow shoe line, something he didn't understand.
They proceeded to pat his pants down, questioning the padding which was his adult diapers. When the agents asked Drew to take his hand and rub the front and back of his pants so they could swab it for explosives, his dad stepped in and tried to explain that Drew was mentally challenged.

"They said, 'Please, sir, we know what we're doing,'" Mandy said.

The TSA agents saw Drew holding a six-inch plastic hammer. "My son carries his ball and his hammer for security. He goes everywhere with (them)," said Mandy.

The TSA it seems saw the toy as a weapon. "He took the hammer and he tapped the wall. 'See, it's hard. It could be used as a weapon,'" Mandy explained. "So, Drew's also holding the ball, and I said, 'Well, how about the ball?' He (said), 'Oh, he can keep that."

Dr. Mandy was told he would need to have the toy shipped if he wanted to keep it, a process which caused them to almost miss their plane, so he pitched it. "It just killed me to have to throw it away because he's been carrying this like for 20 years," Mandy said.

Disgusted, he wrote TSA a letter. A response wasn't far behind. "Very polite. Very apologetic. He was embarrassed. He (said) we have to review how we deal with special needs individuals. Obviously, he (said), we're doing a terrible job," Mandy told us. "It made me feel that there is still hope, that there is still justice and that there's still somebody who listens to people's problems (in) the federal government."

That's because federal security told him there are 800 TSA agents at Metro Airport and they are all going to be retrained based on Drew's case. We also spoke to a federal security director who said this incident is still under investigation, but as far as they can tell right now, better judgment was needed.

The TSA took away one toy hammer, but they were still able to take another toy hammer on board the airplane. How did that happen?
Drew's mother, always prepared, had another one in her backpack and that already passed through security with no problem.

From rforno at infowarrior.org Thu Jun 9 20:13:36 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jun 2011 21:13:36 -0400
Subject: [Infowarrior] - NSA Whistleblower to Plead Guilty to Misdemeanor
Message-ID: <80CF9DE6-B44D-4847-AD28-CA71FFE3C69D@infowarrior.org>

NSA Whistleblower to Plead Guilty to Misdemeanor
By Kim Zetter | June 9, 2011 | 8:24 pm | Categories: The Courts
http://www.wired.com/threatlevel/2011/06/drake-pleads-guilty/

Days before he was set to go on trial on charges that he illegally retained classified documents, NSA whistleblower Thomas Drake has agreed to plead guilty to a lesser misdemeanor count of exceeding authorized access to a computer.

Drake had been charged under the Espionage Act after he allegedly provided information about waste and mismanagement at the NSA to a Baltimore Sun reporter in 2006 and 2007.

The former NSA linguist, who was set to go to trial next Monday, rejected two pleas offered by the government on Wednesday before finally agreeing to a third proposal, according to the Washington Post. He turned down an offer to plead guilty to the charge that he retained classified documents without authorization.

Drake, who left the NSA in 2008 and has been reduced to working at an Apple Store outside Washington, D.C. while he awaited trial, was facing a possible sentence of 35 years if convicted of the charges he was facing. He has long maintained that he never provided the Sun with classified information and also disputed that any documents investigators found at his home contained classified material.

Experts told the Post that the misdemeanor plea indicates the government's case against him was weak. The government likely harmed its case, they said, after prosecutors told a U.S.
District judge this week that they would withhold documents they had planned to introduce as evidence, out of fear that they would reveal sensitive technology information.

The government's decision to prosecute Drake and the resulting media attention has already led to more public disclosures about the NSA's illegal surveillance program than the government likely wanted. Last month, a New Yorker article about the Drake case provided new insight into the program, including how top officials at the intelligence agency viewed it.

Drake was a linguist and military crypto expert who had been an NSA contractor when he began a new staff job with the agency on the morning of September 11, 2001, in the agency's Signals Intelligence Directorate. As a contractor, Drake had become familiar with a data-mining program codenamed ThinThread, which had been tested within the NSA and could be deployed in Afghanistan, Pakistan and other regions where terrorism was prevalent. It was designed to trap, map and mine vast amounts of data in real time to pick out relevant and suspicious communications, rather than requiring the data to be stored and sifted later.

The program was "nearly perfect" except that it swooped up the data of Americans as well as foreigners and continued to intercept foreign communications as they traversed U.S.-based switches and networks. This violated U.S. law, which forbids the collection of domestic communication without a probable-cause warrant.

To solve this problem, the designer of the program added privacy controls and an "anonymizing feature" to encrypt all American communications that ThinThread processed. The system would flag patterns that looked suspicious, which authorities could then use to obtain a warrant and decrypt the information.

ThinThread was ready to deploy in early 2001, but the NSA's lawyers determined it violated Americans' privacy, and NSA director Michael Hayden scrapped it.
In its place, Hayden focused funding on a different program, codenamed Trailblazer, which the NSA contracted with outside defense companies, like SAIC, to produce. That system ran into numerous problems and cost overruns, yet continued with Hayden's support. Hayden's deputy director and his chief of signals-intelligence programs worked at various times for SAIC, which received several Trailblazer contracts worth hundreds of millions of dollars. In 2006, after eating up some $1.2 billion, Trailblazer was finally deemed a flop and killed.

Drake's revelations to the Baltimore Sun exposed the government's waste and mismanagement of the programs.

Last year the government had dropped a criminal investigation of another whistle blower who helped expose the Bush administration's warrantless wiretapping program to the New York Times in 2004. Thomas Tamm had held a Top Secret/SCI clearance at the Justice Department's Office of Intelligence Policy and Review when he discovered the illegal NSA program and tipped off the Times.

From rforno at infowarrior.org Thu Jun 9 21:37:04 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jun 2011 22:37:04 -0400
Subject: [Infowarrior] - Lawmakers Pushing Bill That Could Land YouTube Lip-Synch Artists Behind Bars
Message-ID: <7DBB39EF-CB4D-4F34-A67C-F9FD4D28C23F@infowarrior.org>

Lawmakers Pushing Bill That Could Land YouTube Lip-Synch Artists Behind Bars
By Pete Griffin
http://www.foxnews.com/scitech/2011/06/09/lawmakers-pushing-bill-that-could-land-youtube-lip-synch-artists-behind-bars/
Published June 09, 2011 | FoxNews.com

Record labels are clamoring for a chance to have their artist lip-synch alongside 16-year-old YouTube sensation Keenan Cahill in, of all places, his bedroom. But could a proposed amendment to the federal copyright infringement law potentially land Cahill, or any person lip-synching copyrighted material in a YouTube video, behind bars?

Senate Bill 978, a bipartisan measure introduced last month by Sen.
Amy Klobuchar (D-Minn.), Sen. John Cornyn (R-Texas) and Sen. Christopher Coons (D-Del.), is backed by supporters who say it closes glaring loopholes in current copyright infringement law created by the realities of the digital age. "As technology rapidly evolves, our laws must be updated to protect creativity and innovation," said a statement by Cornyn. But critics say a section of the bill provides for steep penalties -- up to five years in prison -- for "publicly performing" copyrighted material and embedding the video to sites like YouTube.

"It seems like (the bill) is attacking the core of the Internet itself, which is to promote communication amongst people all over the world," said Hemanshu "Hemu" Nigam, a former White House counsel for online protection and the founder of the online safety advisory firm SSP Blue. Cahill's manager, David Graham, said record labels have contacted the teen in an effort to use the material in his YouTube videos. But what about the average person who lip-synchs and plays a copyrighted song in the background of their YouTube video who doesn't receive permission from a record label? Nigam said something as simple as a school recital could expose students and anyone else who participated in the potential copyright violation to prosecution. "The questions you're going to have to ask are do you prosecute the school for hosting the event? The parent for videotaping it and posting it on their Facebook? Or the child for actually using the Lady Gaga song and performing it in front of all her loved ones?"

But the bill's supporters say that's not going to happen. The new law will not target "individuals or families streaming movies at home," said a statement from Klobuchar. She said the bill will instead target "criminals that are intentionally streaming thousands of dollars in stolen digital content and profiting from it." Mary LaFrance, a copyright law professor at the William S.
Boyd School of Law at the University of Nevada, Las Vegas, believes the bill primarily focuses on those who intend to make money from streaming copyrighted material on the Internet. "You have to have the purpose of commercial advantage or financial gain," she said. But Nigam thinks lawmakers will face a "nightmare" when it comes to actually executing the new measure. "Because this is a federal law, what it's saying is that you can go to federal prison for up to five years," said Nigam. "That is a really big deal."

From rforno at infowarrior.org Fri Jun 10 09:43:57 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Jun 2011 10:43:57 -0400
Subject: [Infowarrior] - Hackers Grapple With Rivals, FBI to Control Armies of Hijacked Computers
Message-ID: <25080EAF-B2C5-4B1F-BF4A-36D2F4120161@infowarrior.org>

Hackers Grapple With Rivals, FBI to Control Armies of Hijacked Computers
By Michael Riley - Jun 10, 2011
http://www.bloomberg.com/news/print/2011-06-10/hackers-grapple-with-rivals-fbi-to-control-armies-of-hijacked-computers.html

Just after 3 a.m. on May 26, Karim Hijazi, the chief executive of Unveillance, a cyber-security firm, received an e-mail from hackers calling themselves LulzSec. They demanded he help them take over some networks of hijacked computers that other criminals were operating. Unveillance had information on the so-called botnets because it was tracking them for potential corporate targets, Hijazi said in an interview. LulzSec had leverage to make Hijazi comply because it had hacked his Wilmington, Delaware-based company's e-mail system and threatened to post captured confidential documents online if he didn't help the group. "If they did get a hold of these, they could potentially do way more damage than what's already being done to these corporate targets," said Hijazi, who rejected the demands. "The harm could be monumental."
Botnets, which secretly control almost one-fifth of all home computers, have become a hotly contested terrain in the cyber-underground, according to Alex Cox, a security researcher at Reston, Virginia-based NetWitness Corp. Criminals who run them or rivals who want to are facing off against each other and against law enforcement and intelligence agencies that seek to render the rogue networks harmless or use them for their own devices, according to cyber-security experts. Botnets are created through programs secretly downloaded on computers in homes, offices and schools across the globe. The programs have grown more powerful each year, and cyber-criminals have learned to create networks far larger than any corporation using other peoples' computers.

Internet Threat

The enslaved "bots," as the infected computers are known, have become so pervasive they now threaten the security of the Internet, said Gunter Ollmann, head of research at Atlanta-based Damballa Inc., which tracks botnet activity. At least 18 percent of home computers are now under remote command of cyber-thieves without their owners' knowledge, according to Damballa's research. For corporate computers, which are usually protected by expensive security measures, around seven percent are controlled by such malware, which is hidden from the user and controlled via the Internet, Ollmann said. The FBI dismantled the so-called Coreflood botnet in April. Operated by a gang of Russian cyber-thieves who siphoned financial information off their hosts, agents estimated that the software that controlled it had infected more than 1.8 million computers in the U.S. alone.

Botnet Victims

The stolen information was used to make bank transfers in some cases of hundreds of thousands of dollars, the Justice Department said. Thieves attempted to transfer more than $934,000 from an unnamed defense contracting company in Tennessee in one case.
They removed $78,421 from the bank account of an unidentified law firm in South Carolina and $115,771 from an unidentified real estate company in Michigan, according to court papers. "Botnets are one of the most common ways of making money in the cyber-underground," said Cox, the NetWitness security researcher. "When I have control of a botnet, regardless of what family of malware it is, I have a tremendous amount of power." Botnets do have a weakness. The infected computers feed confidential information to command-and-control servers, which can themselves be hijacked. Though technically demanding, the move allows the takeover of a valuable criminal asset by a rival or the dismantling of it if law enforcement does the seizing. Unveillance had access to data that could make such hijacking easier, and Hijazi said that's what LulzSec wanted.

The Threat

"I'm sure we can settle on control of bots," a LulzSec hacker called Ninetales told Hijazi, according to a computer log of their interaction provided to Bloomberg News by Hijazi. When Hijazi said he didn't want to face extortion, another hacker named hamster_nipples replied: "Unfortunately, you have little choice at this point." Hijazi, who declined to identify his corporate clients, refused to comply with LulzSec's demands and rejected a separate request for money. The hackers posted the company's e-mails on the Internet June 3. Botnets can be used to launch so-called denial-of-service attacks, which can bring down websites by inundating them with thousands of service requests a second. "Imagine a crank phone call," said E.J. Hilbert, a former FBI cyber-crime investigator. "Now imagine 10,000 people calling your house all at the same time. That's basically what a botnet can do to a website." More sophisticated malicious software or "malware"
can scrape company computers for login passwords and financial information, automatically siphoning terabytes of data into servers located in Ukraine or Belarus or China, where law enforcement is lax, according to Cox.

Zeus for Sale

Malware sold under the name Zeus lets cyber-thieves hijack online banking sessions in progress, transferring money to illicit accounts without the computer owner realizing it, said Don Jackson, who tracks malware for Dell SecureWorks Inc., a cyber-security firm based in Atlanta. Jackson estimated that Zeus has been used to steal more than $1 billion from bank accounts over the past several years. Hijazi said the LulzSec experience made him realize how his company's research on botnets had turned his small firm into a target not just for LulzSec, but potentially much more powerful criminal enterprises.

"Fraud Machines"

"We're taking away their fraud machines, their DDOS tools," Hijazi said, referring to denial-of-service programs. "It's something that is going to make these people mad." So would a takeover of a botnet by a government agency. "From an intelligence standpoint, getting control of a botnet in a country an intelligence officer is interested in would be a pretty good spying opportunity," Cox said. He said he didn't have personal knowledge that U.S. intelligence employees were using botnets. Documents leaked when hackers posted the e-mails of another security firm, Sacramento, California-based HBGary Inc., detailed how botnets were being used for spying by U.S. military and intelligence agencies. The FBI's seizure of Coreflood's command-and-control systems was the first time that U.S. law enforcement officials were known to have hijacked a botnet, a technique pioneered by researchers years before, according to Wenke Lee, a botnet researcher at the Georgia Institute of Technology.

Decapitating Network

After obtaining a court order, FBI agents took control and ordered the malware in infected machines to shut down.
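The weakness described earlier in this article (bots report in to a command-and-control server, and whoever answers at that address controls them) and the Coreflood takedown just described (a court-sanctioned substitute server that answers the beacons and tells the malware to stop) can be shown end to end in a small localhost simulation. The Python below is an added example for this page; it is not Coreflood's protocol and not the FBI's or ISC's code. The line-delimited JSON beacon, the `stop` command name and the three sample bots with their "stolen" payloads are all assumptions constructed here.

```python
import json
import socket
import socketserver
import threading

# Assumed beacon protocol for this example only: the bot sends one JSON line
# {"bot_id": ..., "payload": ...} and expects one JSON line of commands back.
STOP_COMMAND = {"cmd": "stop"}


class SinkholeHandler(socketserver.StreamRequestHandler):
    """Answers a beacon the way the seized C2 would, but never stores the
    stolen data and only ever hands out the stop command."""

    def handle(self):
        try:
            beacon = json.loads(self.rfile.readline())
        except ValueError:
            return  # not a beacon we understand; drop the connection
        bot_id = beacon.get("bot_id")
        payload = beacon.get("payload", "")
        with self.server.lock:
            # Record only what victim notification needs: which bot checked in
            # from which address, and how much exfiltrated data was discarded
            # unread. The payload itself is never written anywhere.
            self.server.victims[bot_id] = self.client_address[0]
            self.server.discarded_bytes += len(payload)
        self.wfile.write((json.dumps(STOP_COMMAND) + "\n").encode())


class Sinkhole(socketserver.ThreadingTCPServer):
    """The substitute server that takes the place of the seized C2."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, SinkholeHandler)
        self.lock = threading.Lock()
        self.victims = {}          # bot_id -> source address
        self.discarded_bytes = 0


def simulated_bot(bot_id, c2_address, stolen):
    """A stand-in for the malware: beacon in with stolen data, obey the reply."""
    with socket.create_connection(c2_address, timeout=5) as conn:
        conn.sendall((json.dumps({"bot_id": bot_id, "payload": stolen}) + "\n").encode())
        reply = json.loads(conn.makefile("r").readline())
    return reply.get("cmd") == "stop"  # True: the bot disabled itself


def run_takedown(bots):
    """Stand up the sinkhole on a free localhost port, have every sample bot
    check in, and report how many stopped plus what the sinkhole recorded."""
    server = Sinkhole(("127.0.0.1", 0))
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        stopped = sum(simulated_bot(b, server.server_address, p) for b, p in bots)
        return stopped, dict(server.victims), server.discarded_bytes
    finally:
        server.shutdown()
        server.server_close()


# Constructed sample: three infected hosts and the data they would otherwise
# have uploaded to the criminals' server.
SAMPLE_BOTS = [
    ("host-a", "user=alice&pass=hunter2"),
    ("host-b", "acct=1234567890&routing=021000021"),
    ("host-c", ""),
]


if __name__ == "__main__":
    stopped, victims, discarded = run_takedown(SAMPLE_BOTS)
    print(f"{stopped} of {len(SAMPLE_BOTS)} bots stopped; victims: {victims}; "
          f"{discarded} stolen bytes discarded")
```

Two design choices matter for anyone running a real sinkhole: the server keeps victim identity for notification but deliberately discards the exfiltrated content, and it issues nothing beyond the single shutdown command, which is exactly the scope the court order in the Coreflood case authorised.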
The move was praised by many cyber-security experts for decapitating a massive criminal network that had been operating for almost ten years. The FBI briefly had control over millions of individual computers in the same way the hackers did, in what was previously considered a violation of federal hacking statutes, Hilbert said. "Whenever we tried to do it before, we were always told it was illegal," Hilbert said of earlier efforts by some in the FBI to try the takeover strategy. "Shades of gray or not, the bottom line is you're going into a computer without the owner's permission and killing the program." U.S. District Judge Vanessa Bryant in Hartford, Connecticut, ruled that the U.S. could set up a substitute server to replace the seized ones. The ruling allowed the server to be operated, under law enforcement supervision, by the Internet Systems Consortium, a nonprofit group based in Redwood City, California. Gordon Snow, FBI assistant director for the cyber-division, said the Coreflood operation would be followed by others like it. "I expect we'll see more of it," he said.

To contact the reporter on this story: Michael Riley in Washington at michaelriley at bloomberg.net
To contact the editors responsible for this story: Michael Hytha at mhytha at bloomberg.net

From rforno at infowarrior.org Fri Jun 10 11:45:32 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Jun 2011 12:45:32 -0400
Subject: [Infowarrior] - Judge furious at "inexcusable" P2P lawyering, nukes subpoenas
Message-ID:

Judge furious at "inexcusable" P2P lawyering, nukes subpoenas
By Nate Anderson | Published about 21 hours ago
http://arstechnica.com/tech-policy/news/2011/06/judge-furious-at-inexcusable-p2p-lawyering-cancels-subpoenas.ars

There are three quick steps to angering a federal judge: first, launch the country's largest file-sharing lawsuit against 23,322 anonymous defendants, even though most of them don't live where you filed the suit.
Second, request "expedited discovery" in the case, allowing you to quickly secure the subpoenas necessary to go to Internet access providers and turn those 23,322 IP addresses into real names. Third, don't even bother to serve the subpoenas you just told the court were so essential to your case. Federal Judge Robert Wilkins of Washington, DC this week blasted the conduct of Dunlap, Grubb, and Weaver, the attorneys behind the lawsuit, calling it "inexcusable." Dunlap, Grubb, and Weaver helped kickstart the current frenzy of P2P lawsuits last year after filing cases under the name "US Copyright Group." The 23,322-person case, their largest to date, involves the film The Expendables. Two months after Judge Wilkins approved the subpoenas, they have still not been served; upset at this behavior, he has now revoked them.

In explaining his decision, the judge said the delay was "especially surprising given the fact that one of Plaintiff's stated reasons for 'good cause' for the expedited discovery was that the ISPs typically retain the information that Plaintiff seeks only for a limited period of time... Plaintiff's delay in pursuing the discovery they requested on an expedited bases is inexcusable." Further, the judge has realized that few of the IP addresses in question are likely to belong to DC residents; the plaintiffs admitted as much in a recent status conference. "The Court finds it inappropriate and a waste of scarce judicial resources to allow and oversee discovery on claims or relating to defendants that cannot be prosecuted in this lawsuit," said the judge. Judge Wilkins will allow the case to proceed, but only if Dunlap, Grubb, and Weaver "show cause as to why venue and joinder is proper for all 23,322 putative defendants" by June 21.

More money in porn?

The case raises questions: if this is such a large and important case, why weren't subpoenas even served?
The plaintiffs argued, when asked about this at a June 2 status conference, that they had refrained because of issues the court had raised about venue and joinder. In other words, they were deferring to the court and not trying to rush ahead. The judge wasn't buying it. In his June 7 decision, he noted that these issues hadn't been raised until May 25 and that the subpoenas had been granted back on March 17. David Kerr, a Colorado lawyer who has worked with 250 different P2P defendants over the last year, has a different take: the settlement money in such cases comes mainly from porn videos. Based on his experience, Kerr told me that "the settlement rate for porn films is about 80 percent, whereas for legitimate films it is usually less than 50 percent. Plus, all settlements for porn films are usually several hundred to thousand dollars more than for legit films. You can go to the public docket and see that all of Dunlap's other cases besides the porn films are totally dead." Under this theory, there's just not enough money in conventional films like The Expendables, an action movie starring Sylvester Stallone and assorted other tough guys. But people will settle in the case of porn to avoid embarrassment from being exposed.

From rforno at infowarrior.org Fri Jun 10 11:46:47 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Jun 2011 12:46:47 -0400
Subject: [Infowarrior] - UK gov Prevent strategy will block web sites
Message-ID:

UK government Prevent strategy will block web sites
Extremist tackling measures are extreme
By Dave Neal
Thu Jun 09 2011, 17:32
http://www.theinquirer.net/inquirer/news/2077928/uk-government-prevent-strategy-block-web-sites/page/2

THE UK GOVERNMENT is promoting plans to curb civil liberties under the banner of its 'Prevent' strategy for countering terrorism. In a just published document introduced by Theresa May and given the Orwellianly simple title of 'Prevent', the Home Office revealed its refocusing and plans.
"The Prevent strategy has been refocused following a review. The strategy now contains three objectives: to respond to the ideological challenge of terrorism and the threat from those who promote it; to prevent people from being drawn into terrorism and ensure that they are given appropriate advice and support; and to work with sectors and institutions where there are risks of radicalisation that we need to address," read the notes on the official Home Office pages. The document is full of those kinds of innocuous-sounding government plans that suddenly become brutal suppression, turning from mild-sounding suggestions into a 'hands behind your back and face the wall' method of encouragement. This is the modern age though, and it's not only reinforced doors that need kicking in, but virtual ones too, thus the Prevent plans have a beady eye on terrorist technology, like web sites. This will not come without challenges though, such as how can you stop people from expressing their opinions when you are supposed to be allowing free speech? Well, by giving yourself the right to in law.

"All terrorist groups have an ideology. Promoting that ideology, frequently on the internet, facilitates radicalisation and recruitment," says the report. "Challenging ideology and disrupting the ability of terrorists to promote it is a fundamental part of Prevent. [We] regard the internet as vital to Prevent work, not just because we need to more effectively disrupt terrorist use of the internet, but because of the range of opportunities it provides to challenge terrorist ideology." This strikes us as how an overbearing police state justifies repression. The document continues, adding that as it seeks to block the distribution of hard copy terrorist material, so will it block it online. "Communications technology has transformed the capability of terrorist groups.
The internet in particular has not only facilitated attack planning but also the distribution of terrorist propaganda and the process of radicalisation and recruitment," it adds. "Ideological challenge has to use all the communications tools which have been adopted by terrorists and where necessary also intervene in the virtual space to curtail illegal activities." Plans will not be easy to see out, so presumably they must be worth it. These plans include "steps to: limit access to harmful content online in specific sectors or premises (notably schools, public libraries and other public buildings); [and] ensure that action is taken to try to remove unlawful and harmful content from the internet," according to the report. "This work will require effective dialogue with the private sector and in particular the internet industry. It will also require collaboration with international partners: the great majority of the websites and chat rooms which concern us in the context of radicalisation are hosted overseas."

The jackboot must be one of the most comfortable members of the political costume, as it seems that once worn it proves hard to get off and a pleasantly reassuring fit. Any internet filtering is therefore encouraged, and as well as schools and libraries the 'public internet estate' should also have a dose. "Internet filtering across the public estate is essential. We want to ensure that users in schools, libraries, colleges and Immigration Removal Centres are unable to access unlawful material. We will continue to work closely with [the] filtering industry," the report adds. "We want to explore the potential for violent and unlawful URL lists to be voluntarily incorporated into independent national blocking lists, including the list operated by the Internet Watch Foundation (IWF)." This sort of thing does not go down well with the internet estate, and in a tweet the UK Pirate Party condemned the move.
"The UK government says: 'Internet filtering across the public estate is essential'," reads a tweet from the party before offering a link to the report. This was followed with, "UK government plans to expand the web blocking remit of the IWF as part of #Prevent strategy". Loz Kaye, leader of the Party in the UK, added his own thoughts to the mix in a short conversation with the INQUIRER. He said that the Party was concerned about the report, in fact very concerned, and added, "With its public Internet filtering the Coalition's Prevent strategy undermines the freedoms it purports to protect."

From rforno at infowarrior.org Sun Jun 12 10:23:41 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 12 Jun 2011 11:23:41 -0400
Subject: [Infowarrior] - U.S. Underwrites Internet Detour Around Censors
Message-ID: <91476511-0176-4B5A-A19E-4A7330C6333B@infowarrior.org>

June 12, 2011
U.S. Underwrites Internet Detour Around Censors
By JAMES GLANZ and JOHN MARKOFF
http://www.nytimes.com/2011/06/12/world/12internet.html?_r=1&pagewanted=print

The Obama administration is leading a global effort to deploy "shadow" Internet and mobile phone systems that dissidents can use to undermine repressive governments that seek to silence them by censoring or shutting down telecommunications networks. The effort includes secretive projects to create independent cellphone networks inside foreign countries, as well as one operation out of a spy novel in a fifth-floor shop on L Street in Washington, where a group of young entrepreneurs who look as if they could be in a garage band are fitting deceptively innocent-looking hardware into a prototype "Internet in a suitcase." Financed with a $2 million State Department grant, the suitcase could be secreted across a border and quickly set up to allow wireless communication over a wide area with a link to the global Internet.
The American effort, revealed in dozens of interviews, planning documents and classified diplomatic cables obtained by The New York Times, ranges in scale, cost and sophistication. Some projects involve technology that the United States is developing; others pull together tools that have already been created by hackers in a so-called liberation-technology movement sweeping the globe. The State Department, for example, is financing the creation of stealth wireless networks that would enable activists to communicate outside the reach of governments in countries like Iran, Syria and Libya, according to participants in the projects. In one of the most ambitious efforts, United States officials say, the State Department and Pentagon have spent at least $50 million to create an independent cellphone network in Afghanistan using towers on protected military bases inside the country. It is intended to offset the Taliban's ability to shut down the official Afghan services, seemingly at will.

The effort has picked up momentum since the government of President Hosni Mubarak shut down the Egyptian Internet in the last days of his rule. In recent days, the Syrian government also temporarily disabled much of that country's Internet, which had helped protesters mobilize. The Obama administration's initiative is in one sense a new front in a longstanding diplomatic push to defend free speech and nurture democracy. For decades, the United States has sent radio broadcasts into autocratic countries through Voice of America and other means. More recently, Washington has supported the development of software that preserves the anonymity of users in places like China, and training for citizens who want to pass information along the government-owned Internet without getting caught. But the latest initiative depends on creating entirely separate pathways for communication.
It has brought together an improbable alliance of diplomats and military engineers, young programmers and dissidents from at least a dozen countries, many of whom variously describe the new approach as more audacious and clever and, yes, cooler. Sometimes the State Department is simply taking advantage of enterprising dissidents who have found ways to get around government censorship. American diplomats are meeting with operatives who have been burying Chinese cellphones in the hills near the border with North Korea, where they can be dug up and used to make furtive calls, according to interviews and the diplomatic cables.

The new initiatives have found a champion in Secretary of State Hillary Rodham Clinton, whose department is spearheading the American effort. "We see more and more people around the globe using the Internet, mobile phones and other technologies to make their voices heard as they protest against injustice and seek to realize their aspirations," Mrs. Clinton said in an e-mail response to a query on the topic. "There is a historic opportunity to effect positive change, change America supports," she said. "So we're focused on helping them do that, on helping them talk to each other, to their communities, to their governments and to the world."

Developers caution that independent networks come with downsides: repressive governments could use surveillance to pinpoint and arrest activists who use the technology or simply catch them bringing hardware across the border. But others believe that the risks are outweighed by the potential impact. "We're going to build a separate infrastructure where the technology is nearly impossible to shut down, to control, to surveil," said Sascha Meinrath, who is leading the "Internet in a suitcase" project as director of the Open Technology Initiative at the New America Foundation, a nonpartisan research group.
"The implication is that this disempowers central authorities from infringing on people's fundamental human right to communicate," Mr. Meinrath added.

The Invisible Web

In an anonymous office building on L Street in Washington, four unlikely State Department contractors sat around a table. Josh King, sporting multiple ear piercings and a studded leather wristband, taught himself programming while working as a barista. Thomas Gideon was an accomplished hacker. Dan Meredith, a bicycle polo enthusiast, helped companies protect their digital secrets. Then there was Mr. Meinrath, wearing a tie as the dean of the group at age 37. He has a master's degree in psychology and helped set up wireless networks in underserved communities in Detroit and Philadelphia. The group's suitcase project will rely on a version of "mesh network" technology, which can transform devices like cellphones or personal computers to create an invisible wireless web without a centralized hub. In other words, a voice, picture or e-mail message could hop directly between the modified wireless devices, each one acting as a mini cell "tower" and phone, and bypass the official network. Mr. Meinrath said that the suitcase would include small wireless antennas, which could increase the area of coverage; a laptop to administer the system; thumb drives and CDs to spread the software to more devices and encrypt the communications; and other components like Ethernet cables. The project will also rely on the innovations of independent Internet and telecommunications developers. "The cool thing in this political context is that you cannot easily control it," said Aaron Kaplan, an Austrian cybersecurity expert whose work will be used in the suitcase project. Mr. Kaplan has set up a functioning mesh network in Vienna and says related systems have operated in Venezuela, Indonesia and elsewhere. Mr.
Meinrath said his team was focused on fitting the system into the bland-looking suitcase and making it simple to implement, by, say, using "pictograms" in the how-to manual. In addition to the Obama administration's initiatives, there are almost a dozen independent ventures that also aim to make it possible for unskilled users to employ existing devices like laptops or smartphones to build a wireless network. One mesh network was created around Jalalabad, Afghanistan, as early as five years ago, using technology developed at the Massachusetts Institute of Technology. Creating simple lines of communication outside official ones is crucial, said Collin Anderson, a 26-year-old liberation-technology researcher from North Dakota who specializes in Iran, where the government all but shut down the Internet during protests in 2009. The slowdown made most "circumvention" technologies (the software legerdemain that helps dissidents sneak data along the state-controlled networks) nearly useless, he said. "No matter how much circumvention the protesters use, if the government slows the network down to a crawl, you can't upload YouTube videos or Facebook postings," Mr. Anderson said. "They need alternative ways of sharing information or alternative ways of getting it out of the country."

That need is so urgent, citizens are finding their own ways to set up rudimentary networks. Mehdi Yahyanejad, an Iranian expatriate and technology developer who co-founded a popular Persian-language Web site, estimates that nearly half the people who visit the site from inside Iran share files using Bluetooth, which is best known in the West for running wireless headsets and the like. In more closed societies, however, Bluetooth is used to discreetly beam information (a video, an electronic business card) directly from one cellphone to another. Mr.
Yahyanejad said he and his research colleagues were also slated to receive State Department financing for a project that would modify Bluetooth so that a file containing, say, a video of a protester being beaten, could automatically jump from phone to phone within a "trusted network" of citizens. The system would be more limited than the suitcase but would only require the software modification on ordinary phones. By the end of 2011, the State Department will have spent some $70 million on circumvention efforts and related technologies, according to department figures.

Mrs. Clinton has made Internet freedom into a signature cause. But the State Department has carefully framed its support as promoting free speech and human rights for their own sake, not as a policy aimed at destabilizing autocratic governments. That distinction is difficult to maintain, said Clay Shirky, an assistant professor at New York University who studies the Internet and social media. "You can't say, 'All we want is for people to speak their minds, not bring down autocratic regimes'; they're the same thing," Mr. Shirky said. He added that the United States could expose itself to charges of hypocrisy if the State Department maintained its support, tacit or otherwise, for autocratic governments running countries like Saudi Arabia or Bahrain while deploying technology that was likely to undermine them.

Shadow Cellphone System

In February 2009, Richard C. Holbrooke and Lt. Gen. John R. Allen were taking a helicopter tour over southern Afghanistan and getting a panoramic view of the cellphone towers dotting the remote countryside, according to two officials on the flight. By then, millions of Afghans were using cellphones, compared with a few thousand after the 2001 invasion. Towers built by private companies had sprung up across the country.
The United States had promoted the network as a way to cultivate good will and encourage local businesses in a country that in other ways looked as if it had not changed much in centuries. There was just one problem, General Allen told Mr. Holbrooke, who only weeks before had been appointed special envoy to the region. With a combination of threats to phone company officials and attacks on the towers, the Taliban was able to shut down the main network in the countryside virtually at will. Local residents report that the networks are often out from 6 p.m. until 6 a.m., presumably to enable the Taliban to carry out operations without being reported to security forces.

The Pentagon and State Department were soon collaborating on the project to build a "shadow" cellphone system in a country where repressive forces exert control over the official network. Details of the network, which the military named the Palisades project, are scarce, but current and former military and civilian officials said it relied in part on cell towers placed on protected American bases. A large tower on the Kandahar air base serves as a base station or data collection point for the network, officials said. A senior United States official said the towers were close to being up and running in the south and described the effort as a kind of 911 system that would be available to anyone with a cellphone. By shutting down cellphone service, the Taliban had found a potent strategic tool in its asymmetric battle with American and Afghan security forces. The United States is widely understood to use cellphone networks in Afghanistan, Iraq and other countries for intelligence gathering. And the ability to silence the network was also a powerful reminder to the local populace that the Taliban retained control over some of the most vital organs of the nation. When asked about the system, Lt. Col.
John Dorrian, a spokesman for the American-led International Security Assistance Force, or ISAF, would only confirm the existence of a project to create what he called an ?expeditionary cellular communication service? in Afghanistan. He said the project was being carried out in collaboration with the Afghan government in order to ?restore 24/7 cellular access.? ?As of yet the program is not fully operational, so it would be premature to go into details,? Colonel Dorrian said. Colonel Dorrian declined to release cost figures. Estimates by United States military and civilian officials ranged widely, from $50 million to $250 million. A senior official said that Afghan officials, who anticipate taking over American bases when troops pull out, have insisted on an elaborate system. ?The Afghans wanted the Cadillac plan, which is pretty expensive,? the official said. Broad Subversive Effort In May 2009, a North Korean defector named Kim met with officials at the American Consulate in Shenyang, a Chinese city about 120 miles from North Korea, according to a diplomatic cable. Officials wanted to know how Mr. Kim, who was active in smuggling others out of the country, communicated across the border. ?Kim would not go into much detail,? the cable says, but did mention the burying of Chinese cellphones ?on hillsides for people to dig up at night.? Mr. Kim said Dandong, China, and the surrounding Jilin Province ?were natural gathering points for cross-border cellphone communication and for meeting sources.? The cellphones are able to pick up signals from towers in China, said Libby Liu, head of Radio Free Asia, the United States-financed broadcaster, who confirmed their existence and said her organization uses the calls to collect information for broadcasts as well. The effort, in what is perhaps the world?s most closed nation, suggests just how many independent actors are involved in the subversive efforts. 
From the activist geeks on L Street in Washington to the military engineers in Afghanistan, the global appeal of the technology hints at the craving for open communication.

In a chat with a Times reporter via Facebook, Malik Ibrahim Sahad, the son of Libyan dissidents who largely grew up in suburban Virginia, said he was tapping into the Internet using a commercial satellite connection in Benghazi.

"Internet is in dire need here. The people are cut off in that respect," wrote Mr. Sahad, who had never been to Libya before the uprising and is now working in support of rebel authorities. Even so, he said, "I don't think this revolution could have taken place without the existence of the World Wide Web."

Reporting was contributed by Richard A. Oppel Jr. and Andrew W. Lehren from New York, and Alissa J. Rubin and Sangar Rahimi from Kabul, Afghanistan.

From rforno at infowarrior.org Sun Jun 12 10:25:18 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 12 Jun 2011 11:25:18 -0400
Subject: [Infowarrior] - Information Warfare and Civilian Populations
Message-ID:

(c/o dg)

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1833515

"Information Warfare and Civilian Populations: How the Law of War Addresses a Fear of the Unknown"

Goettingen Journal of International Law, Vol. 3, No. 1, p. 373, 2011

Imagine a civilian communications system is being temporarily relied upon by an opposing military force for vital operations. If one launches a computer network attack against the communications system, the operation may disable the opposing force's ability to function adequately and, as a result, prompt their surrender. The alternative course of action is to launch a traditional kinetic weapons attack in the hopes of inflicting enough casualties on the troops to induce surrender. Given these options, the law of war would encourage the utilization of the computer network attack because it would result in less unnecessary suffering.
But is the same true if we are unsure of the collateral consequences of the computer network attack on a large civilian population that also relies on this communications system? For instance, because civilians use the same communications system to gather critical information, disabling the system might result in rioting, civil disorder, serious injuries, and deaths. Further, civilians may be unable to call for help, seek out medical assistance, or locate emergency response centers. Given these unknown yet potentially severe collateral consequences to civilians, it becomes less clear that a proportionality analysis under the law of war would favor the computer network attack over the traditional kinetic operation. In this article, Professor Lucian E. Dervan examines the application of the law of war to information operations and analyses the role of the Geneva Convention's utilitarian goals in determining the validity of computer network attacks against dual-use civilian objectives.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1833515

From rforno at infowarrior.org Sun Jun 12 22:10:06 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 12 Jun 2011 23:10:06 -0400
Subject: [Infowarrior] - The 100% Scared Doctrine
Message-ID: <0689C468-3C31-4563-A9B4-AE768AF62EA4@infowarrior.org>

The 100% Scared Doctrine
The Ever-Expanding National Security Complex
By TOM ENGELHARDT
http://www.counterpunch.org/engelhardt06092011.html

Here's a scenario to chill you to the bone:

Without warning, the network -- a set of terrorist super cells -- struck in northern Germany and Germans began to fall by the hundreds, then thousands. As panic spread, hospitals were overwhelmed with the severely wounded. More than 20 of the victims died. No one doubted that it was al-Qaeda, but where the terrorists had come from was unknown. Initially, German officials accused Spain of harboring them (and the Spanish economy promptly took a hit); then, confusingly, they retracted the charge.
Alerts went off across Europe as fears spread. Russia closed its borders to the European Union, which its outraged leaders denounced as a "disproportionate" response. Even a small number of Americans visiting Germany ended up hospitalized.

In Washington, there was panic, though no evidence existed that the terrorists were specifically targeting Americans or that any of them had slipped into this country. Still, at a hastily called news conference, Secretary of Homeland Security Janet Napolitano raised the new terror alert system for the first time from its always "elevated" status to "imminent" (that is, "a credible, specific, and impending threat"). Soon after, a Pentagon spokesman announced that the U.S. military had been placed on high alert across Europe.

Commentators on Fox News, quoting unnamed FBI sources, began warning that this might be the start of the "next 9/11" -- and that the Obama administration was unprepared for it. Former Vice President Dick Cheney, in a rare public appearance at the American Enterprise Institute, denounced the president for "heedlessly putting this country at risk from the terrorists." In Congress, members of both parties rallied behind calls for hundreds of millions of dollars of supplementary emergency funding for the Department of Homeland Security to strengthen airport safety. ("In such difficult economic times," said House Speaker John Boehner, "Congress will have to find cuts from non-military discretionary spending at least equal to these necessary supplementary funds.")

Finally, as the noise in the media echo chamber grew, President Obama called a prime-time news conference and addressed the rising sense of hysteria in Washington and the country, saying: "Al-Qaeda and its extremist allies will stop at nothing in their efforts to kill Americans. And we are determined not only to thwart those plans, but to disrupt, dismantle and defeat their networks once and for all." He then ordered a full review of U.S. security and intelligence capabilities and promised a series of "concrete steps to protect the American people: new screening and security for all flights, domestic and international;... more air marshals on flights; and deepening cooperation with international partners."

Terrorism Tops Shark Attacks

The first part of this scenario is, of course, a "terrorist" version of the still ongoing E. coli outbreak in Germany -- the discovery of an all-new antibiotic-resistant "super toxic variant" of the bacteria that has caused death and panic in Europe. Although al-Qaeda and E. coli do sound a bit alike, German officials initially (and evidently incorrectly) accused Spanish cucumbers, not terrorists in Spain or German bean sprouts, of causing the crisis. And the "disproportionate" Russian response was not to close its borders to the European Union, but to ban E.U. vegetables until the source of the outbreak is discovered.

Above all, the American over-reaction was pure fiction. In fact, scientists here have been urging calm and mid-level government officials have been issuing statements of reassurance on the safety of the country's food supply system. No one attacked the government for inaction; Cheney did not excoriate the president, nor did Napolitano raise the terror alert level, and Obama's statement, quoted above, was given on January 5, 2010, in the panicky wake of the "underwear bomber's" failed attempt to blow a hole in a Christmas day plane headed from Amsterdam to Detroit.

Ironically, non-super-toxic versions of E. coli now cause almost as much damage yearly in the U.S. as the recent super-toxic strain has in Europe. A child recently died in an outbreak in Tennessee. The Centers for Disease Control and Prevention (CDC) have estimated that earlier in the decade about 60 Americans died annually from E. coli infections and ensuing complications, and another 2,000 were hospitalized. More recently, the figure for E. coli deaths has dropped to about 20 a year.
For food-borne disease more generally, the CDC estimates that 48 million (or one of every six) Americans get sick yearly, 128,000 are hospitalized, and about 3,000 die.

By comparison, in the near decade since 9/11, while hundreds of Americans died from E. coli, and at least 30,000 from food-borne illnesses generally, only a handful of Americans, perhaps less than 20, have died from anything that might be considered a terror attack in this country, even if you include the assassination attempt against Congresswoman Gabrielle Giffords and the Piper Cherokee PA-28 that a disgruntled software engineer flew into a building containing an IRS office in Austin, Texas, killing himself and an IRS manager. ("Well, Mr. Big Brother IRS man, let's try something different; take my pound of flesh and sleep well" went his final note.)

In other words, in terms of damage since 9/11, terror attacks have ranked above shark attacks but below just about anything else that could possibly be dangerous to Americans, including car crashes which have racked up between 33,800 and 43,500 deaths a year since 2001.

While E. coli deaths have dropped in recent years, no one expects them to get to zero, nor have the steps been taken that might bring us closer to the 100% safety mark. As Gardiner Harris of the New York Times wrote recently, "A law passed by Congress last year gave the Food and Drug Administration new powers to mandate that companies undertake preventive measures to reduce the likelihood of such outbreaks, and the law called for increased inspections to ensure compliance. The agency requested additional financing to implement the new law, including hiring more inspectors next year. Republicans in the House have instead proposed cutting the agency's budget."
Doctrines from One to 100

Here, then, is one of the strange, if less explored, phenomena of our post-9/11 American age: in only one area of life are Americans officially considered 100% scared, and so 100% in need of protection, and that's when it comes to terrorism.

For an E. coli strain that could pose serious dangers, were it to arrive here, there is no uproar. No screaming headlines highlight special demands that more money be poured into food safety; no instant plans have been rushed into place to review meat and vegetable security procedures; no one has been urging that a Global War on Food-Borne Illnesses be launched. In fact, at this moment, six strains of E. coli that do cause illness in this country remain unregulated. Department of Agriculture proposals to deal with them are "stalled" at the Office of Management and Budget. Meanwhile, the super-toxic E. coli strain that appeared in Europe remains officially unregulated here.

On the other hand, send any goofus America-bound on a plane with any kind of idiotic device, and the politicians, the media, and the public promptly act as if -- and it's you I'm addressing, Chicken Little -- the sky were falling or civilization itself were at risk.

This might be of only moderate interest, if it weren't for the U.S. national security state. Having lost its communist super-enemy in 1991, it now lives, breathes, and grows on its self-proclaimed responsibility to protect Americans 100% of the time, 100% of the way, from any imaginable terror threat. The National Security Complex has, in fact, grown fat by relentlessly pursuing the promise of making the country totally secure from terrorism, even as life grows ever less secure for so many Americans when it comes to jobs, homes, finances, and other crucial matters.
It is on this pledge of protection that the Complex has managed to extort the tidal flow of funds that have allowed it to bloat to monumental proportions, end up with a yearly national security budget of more than $1.2 trillion, find itself encased in a cocoon of self-protective secrecy, and be 100% assured that its officials will never be brought to justice for any potential crimes they may commit in their "war" on terrorism.

Right now, even in the worst of economic times, the Department of Homeland Security, the Pentagon, and the sprawling labyrinth of competing bureaucracies that likes to call itself the U.S. Intelligence Community are all still expanding. And around them have grown up, or grown ever stronger, various complexes (à la "military-industrial complex") with their associated lobbyists, allied former politicians, and retired national security state officials, as well as retired generals and admirals, in an atmosphere that, since 2001, can only be described as boomtown-like, the modern equivalent of a gold rush.

Think of it this way: in the days after 9/11, Vice President Cheney proposed a new formula for American war policy. Its essence was this: even a 1% chance of an attack on the United States, especially involving weapons of mass destruction, must be dealt with as if it were a certainty. Journalist Ron Suskind dubbed it "the one percent doctrine." It may have been the rashest formula for "preventive" or "aggressive" war offered in the modern era and, along with the drumbeat of bogus information that Cheney and crew dished out about weapons of mass destruction in Iraq, it was the basis for the Bush administration's disastrous attempt to occupy that country and build a Pax Americana in the Greater Middle East.

There was, it turns out, a "homeland" equivalent, never quite formulated or given a name, but remarkably successful nonetheless at feeding an increasingly all-encompassing domestic war state.
Call it the 100% doctrine (for total safety from terrorism). While the 1% version never quite caught on, the 100% doctrine has already become part of the American credo.

Thanks to it, the National Security Complex of 2011 is a self-reinforcing, self-perpetuating mechanism. Any potential act of terrorism simply feeds the system, creating new opportunities to add yet more layers to one bureaucracy or another, or to promote new programs of surveillance, control, and war-making -- and the technology that goes with them. Every minor deviation from terror safety, even involving plots that failed dismally or never had the slightest chance of success, is but an excuse for further funding.

Meanwhile, the Complex continually "mans up" (or drones up) and, from Pakistan to Yemen, launches attacks officially meant to put terrorists out of action, but that have the effect of creating them in the process. In other words, consider it a terrorist-creating machine that needs -- what else? -- repeated evidence of or signs of terrorism to survive and thrive.

Though few here seem to notice, none of this bears much relationship to actual American security. But if the National Security Complex doesn't make you secure, its 100% doctrine is by no means a failure. On the basis of ensuring your security from terror, it has managed to make itself secure from bad times, the dangers of downsizing, job loss, most forms of accountability, or prosecution for acts that once would have been considered crimes.

In fact, terrorism is anything but the greatest of our problems or threats, which means that acquiescing to a state dedicated to expansion on the principle of keeping you safe from terror is like making a bargain with the devil.

So suck it up. Nothing is secure. No one is safe. Now, eat your sprouts.

Tom Engelhardt, co-founder of the American Empire Project, runs the Nation Institute's TomDispatch.com, where this article originally appeared.
His latest book is The American Way of War: How Bush's Wars Became Obama's (Haymarket Books).

From rforno at infowarrior.org Sun Jun 12 23:03:59 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jun 2011 00:03:59 -0400
Subject: [Infowarrior] - FBI expands agents' investigative power
Message-ID: <86DF2E57-AC00-4736-AA02-9F2CFB5743C8@infowarrior.org>

FBI expands agents' investigative power
The New York Times
First published 2 hours ago Updated 2 hours ago
http://www.sltrib.com/sltrib/world/51992858-68/agents-fbi-search-bureau.html.csp

Washington -- The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents -- allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention.

The FBI soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity.

The FBI recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former FBI agent who is now a lawyer for the American Civil Liberties Union, argued it was unwise to further ease restrictions on agents' power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing.
"Claiming additional authorities to investigate people only further raises the potential for abuse," German said, pointing to complaints about the bureau's surveillance of domestic political advocacy groups and mosques and to an inspector general's findings in 2007 that the FBI had improperly used "national security letters" to obtain information like people's phone bills.

Valerie E. Caproni, the FBI general counsel, said the bureau had fixed the problems with the national security letters and had taken steps to make sure they would not recur. She also said the bureau -- which does not need permission to alter its manual so long as the rules fit within broad guidelines issued by the attorney general -- had carefully weighed the risks and the benefits of each change.

Some of the most notable changes apply to the lowest category of investigations, called an "assessment." The category, created in December 2008, allows agents to look into people and organizations "proactively" and without firm evidence for suspecting criminal or terrorist activity.

Under current rules, agents must open such an inquiry before they can search for information about a person in a commercial or law enforcement database. Under the new rules, agents will be allowed to search such databases without making a record about their decision.

From rforno at infowarrior.org Mon Jun 13 07:33:42 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jun 2011 08:33:42 -0400
Subject: [Infowarrior] - (Cyber) War! Pentagon Ramps-Up Cyberwar Plans
Message-ID: <40E319D4-54F4-462B-A2B8-32E0E89C217A@infowarrior.org>

(c.o JH)

(Cyber) War! Pentagon Ramps-Up Cyberwar Plans
http://www.pacificfreepress.com/news/1/8950-its-cyber-war-pentagon-ramps-up-cyberwar-plans.html

The Fire This Time: Pentagon Ramps-Up Cyberwar Plans
by Tom Burghardt

As the Obama administration expands Bush-era surveillance programs over the nation's electronic communications' infrastructure, recent media reports provide tantalizing hints of Pentagon plans for waging cyberwar against imperialism's geopolitical rivals.

On May 31, The Wall Street Journal disclosed that the Pentagon now asserts "that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force."

One sound bite savvy wag told journalist Siobhan Gorman, "if you shut down our power grid, maybe we will put a missile down one of your smokestacks."

Also on May 31, The Washington Post reported that America's shadow warriors have "developed a list of cyber-weapons and tools, including viruses that can sabotage an adversary's critical networks, to streamline how the United States engages in computer warfare."

That "classified list of capabilities has been in use for several months," with the approval of "other agencies, including the CIA." Post reporter Ellen Nakashima informed us that this "sensitive program ... forms part of the Pentagon's set of approved weapons or 'fires' that can be employed against an enemy."

Not to be left in the dust by their U.S. and Israeli allies, The Guardian reported that the "UK is developing a cyber-weapons programme that will give ministers an attacking capability to help counter growing threats to national security from cyberspace."

Armed Forces Minister Nick Harvey told The Guardian that "action in cyberspace will form part of the future battlefield" and will become "an integral part of the country's armoury."
It appears that Western military establishments are in the grips of a full-blown cyber panic or, more likely, beating the war drums as they roll out new product lines with encouragement from corporate partners eager to make billions developing new weapons systems for their respective political masters.

And why not? As Bloomberg News reported back in 2008, both Lockheed Martin and Boeing "are deploying forces and resources to a new battlefield: cyberspace."

Bloomberg averred that military contractors and the wider defense industry are "eager to capture a share of a market that may reach $11 billion in 2013," and "have formed new business units to tap increased spending to protect U.S. government computers from attack."

Linda Gooden, executive vice president of Lockheed's Information Systems & Global Services unit told Bloomberg, "The whole area of cyber is probably one of the faster-growing areas" of the U.S. budget. "It's something that we're very focused on."

As part of the new strategy to be released later this month, the Post reports that the military needs "presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later." However, when it comes to espionage or other activities loudly denounced as illegal intrusions into the sacrosanct world of government and corporate crime and corruption, the "military does not need such approval."

We're told such "benign" activities "include studying the cyber-capabilities of adversaries or examining how power plants or other networks operate." "Military cyber-warriors," Nakashima writes, "can also, without presidential authorization, leave beacons to mark spots for later targeting by viruses," an "unnamed military official" told the Post.

But wait, aren't those precisely the types of covert actions decried by politicians, media commentators and assorted experts when they're directed against the heimat? Is there a double standard here? Well, of course there is!
Along with a flurry of Defense Department leaks designed to ratchet-up the fear factor and lay the groundwork for billions more from Congress for giant defense firms servicing the Pentagon's unquenchable thirst for ever-deadlier weapons systems--cyber, or otherwise--"threat inflation" scaremongering described by researchers Jerry Brito and Tate Watkins in their essential paper, Loving the Cyber Bomb?, takes center stage.

Just last week, former Democratic party congressional hack, current CIA Director and Obama's nominee to lead the Defense Department, Leon Panetta, told the Senate Armed Services Committee that "the next Pearl Harbor that we confront could very well be a cyberattack that cripples America's electrical grid and its security and financial systems," The Christian Science Monitor reported.

Cripple the financial system? Why greedy banksters and corporate bottom-feeders seem to be doing a splendid job of it on their own without an assist from shadowy Russian hackers, the People's Liberation Army or LulzSec pranksters!

However, the Pentagon's propaganda blitz (courtesy of a gullible or complicitous corporate media, take your pick) is neither meant to inform nor educate the public but rather, to conceal an essential fact: the United States is already engaged in hostile cyber operations against their geopolitical rivals--and allies--and have been doing so since the 1990s, if not earlier, as journalist Nicky Hager revealed when he blew the lid off NSA's Echelon program in a 1997 piece for CovertAction Quarterly.

Botnets and Root Kits: What the HBGary Hack Revealed

When The Wall Street Journal informed readers that the "Pentagon's first formal cyber strategy ... represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military," what the Journal didn't disclose is that the Defense Department is seeking the technological means to do just that.

Implying that hacking might soon constitute an "act of war" worthy of a "shock and awe" campaign, never mind that attributing an attack by a criminal or a state is no simple matter, where would the Pentagon draw the line?

After all as The Guardian reported, with the "underground world of computer hackers ... so thoroughly infiltrated in the US by the FBI and secret service," will some enterprising criminal acting as a catspaw for his/her U.S. handlers, gin-up an incident thereby creating Panetta's "cyber Pearl Harbor" as a pretext for a new resource war?

While fanciful perhaps, if recent history is any guide to future American actions (can you say "Iraq" and "weapons of mass destruction"), such fabrications would have very deadly consequences for those on the wrong side of this, or some future, U.S. administration.

But we needn't speculate on what the Pentagon might do; let's turn our attention instead to what we know they're doing already.

Back in February, The Tech Herald revealed that the private security firms HBGary Federal, HBGary, Palantir Technologies and Berico Technologies were contacted by the white shoe law firm Hunton & Williams on behalf of corporate clients, Bank of America and the U.S. Chamber of Commerce, to "develop a strategic plan of attack against Wikileaks."

The scheme concocted by "Team Themis" was to have included a dirty tricks campaign targeting journalists, WikiLeaks supporters, their families and the whistleblowing group itself through "cyber attacks, disinformation, and other potential proactive tactics."
But when the CEO of HBGary Federal boasted to the Financial Times that he had penetrated the cyber-guerrilla collective Anonymous, the group struck back and pwned ("owned") HBGary's allegedly "secure" servers, seizing a treasure trove of some 70,000 internal emails and other documents, posting them on the internet.

As I reported earlier this year, Team Themis looked like a smart bet. After all, HBGary and the other firms touted themselves as "experts in threat intelligence and open source analysis" with a focus on "Information Operations (INFOOPS); influence operations, social media exploitation, new media development."

Palantir, which was fronted millions of dollars by the CIA's venture capitalist arm, In-Q-Tel, bragged that they could deliver "the only platform that can be used at the strategic, operational, and tactical levels within the US Intelligence, Defense, and Law Enforcement Communities," and that they can draw "in any type of data, such as unstructured message traffic, structured identity data, link charts, spreadsheets, SIGINT, ELINT, IMINT and documents."

In other words, these firms subsisted almost entirely on U.S. government contracts and, in close partnership with mega-giant defense companies such as General Dynamics, SRA International, ManTech International and QinetiQ North America, were actively building cyber weapons for the Defense Department.

In the aftermath of the HBGary sting, investigative journalist Nate Anderson published an essential piece for Ars Technica which described how HBGary and other firms were writing "backdoors for the government."

"In 2009," Anderson wrote, "HBGary had partnered with the Advanced Information Systems group of defense contractor General Dynamics to work on a project euphemistically known as 'Task B.' The team had a simple mission: slip a piece of stealth software onto a target laptop without the owner's knowledge."
HBGary's CEO Greg Hoglund's "special interest," Anderson reported, "was in all-but-undetectable computer 'rootkits,' programs that provide privileged access to a computer's innermost workings while cloaking themselves even from standard operating system functions. A good rootkit can be almost impossible to remove from a running machine--if you could even find it in the first place."

The secret-shredding web site Public Intelligence published HBGary's 2008 paper, Windows Rootkit Analysis Report. Amongst the nuggets buried within its 243 pages we learned that Hoglund suggested to his secret state and corporate clients that "combining deployment of a rootkit with a BOT makes for a very stealth piece of malicious software."

Readers should recall that back in 2008, an article published in the influential Armed Forces Journal advocated precisely that. Col. Charles W. Williamson III's piece, "Carpet Bombing in Cyberspace," advocated "building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic."

It would appear that the project envisioned by HBGary and General Dynamics would combine the stealthy features of a rootkit along with the destructive capabilities of a botnet. One can only presume that defense firms are building malware and other attack tools for the Defense Department, the CIA, the National Security Agency and USCYBERCOM, and that they constitute the short list of "approved weapons or 'fires'" alluded to by The Washington Post.
A 2009 HBGary contract proposal released by Public Intelligence, DoD Cyber Warfare Support Work Statement, disclosed that the "contract will include efforts to examine the architecture, engineering, functionality, interface and interoperability of Cyber Warfare systems, services and capabilities at the tactical, operational and strategic levels, to include all enabling technologies."

The firm proposed an "operational exercise design and construction," as well as "operations and requirements analysis, concept formulation and development, feasibility demonstrations and operational support."

"This will include," the proposal averred, "efforts to analyze and engineer operational, functional and system requirements in order to establish national, theater and force level architecture and engineering plans, interface and systems specifications and definitions, implementation, including hardware acquisition for turnkey systems."

Under terms of the contract, the company will "perform analyses of existing and emerging Operational and Functional Requirements at the force, theater, Combatant Commands (COCOM) and national levels to support the formulation, development and assessment of doctrine, strategy, plans, concepts of operations, and tactics, techniques and procedures in order to provide the full spectrum of Cyber Warfare and enabling capabilities to the warfighter."

In fact, during an early roll-out of the Pentagon's cyber panic product line five years ago, Dr. Lani Kass, a former Israeli Air Force major and acolyte of neocon war criminals Dick Cheney and Donald Rumsfeld, and who directs the Air Force Cyber Space Task Force under Bush and Obama, submitted a provocative proposal.

During a 2006 presentation titled, A Warfighting Domain: Cyberspace, Kass asserted that "the electromagnetic spectrum is the maneuver space. Cyber is the United States' Center of Gravity--the hub of all power and movement, upon which everything else depends. It is the Nation's neural network."
Kass averred that "Cyber superiority is the prerequisite to effective operations across all strategic and operational domains--securing freedom from attack and freedom to attack." Accordingly, she informed her Air Force audience that "Cyber favors the offensive," and that the transformation of a militarized internet into a "warfighting domain" will be accomplished by "Strategic Attack directly at enemy centers of gravity; Suppression of Enemy Cyber Defenses; Offensive Counter Cyber; Defensive Counter Cyber; Interdiction." In the years since that presentation such plans are well underway. In another leaked file, Public Intelligence disclosed that HBGary, again in partnership with General Dynamics, are developing "a software tool, which provides the user a command line interface, that will enable single file, or full directory exfiltration over TCP/IP." Called "Task Z," General Dynamics "requested multiple protocols to be scoped as viable options, and this quote contains options for VoIP (Skype) protocol, BitTorrent protocol, video over HTTP (port 80), and HTTPS (port 443)." As I reported last year, the Obama administration will soon be seeking legislation that would force telecommunications companies to redesign their system and information networks to more readily facilitate internet spying. And, as the administration builds upon and quietly expands previous government programs that monitor the private communications of the American people, The New York Times revealed that our "change" regime will demand that software and communication providers build backdoors accessible to law enforcement and intelligence agencies. Such "backdoors" will enable spooks trolling "encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct 'peer to peer' messaging like Skype" the means "to intercept and unscramble encrypted messages." 
These are precisely the technological "fixes" which firms like HBGary, General Dynamics and presumably other defense contractors are actively building for their secret state security partners.

The Fire This Time

While denouncing China, Russia and other capitalist rivals over cyber espionage and alleged hacking escapades, the deployment of digital weapons of mass destruction against selected adversaries, Iran for one, is an essential feature of Pentagon targeting profiles and has now been fully integrated into overall U.S. strategic military doctrine. This is hardly the stuff of wild speculation considering that evidence suggests that last year's attack on Iran's civilian nuclear program via the highly-destructive Stuxnet worm was in all probability a joint U.S.-Israeli operation, as The New York Times disclosed. Nor should we forget that U.S. Cyber Command (USCYBERCOM), the Pentagon satrapy directed by NSA Director, Gen. Keith Alexander, is "a sub-unified command subordinate to U. S. Strategic Command," the lead agency charged with running space operations, information warfare, missile defense, global command, control, intelligence, surveillance and reconnaissance (C4ISR), global strike and strategic deterrence; the trigger finger on America's first-strike nuclear arsenal. Will the next crisis trigger an onslaught against an adversary's civilian infrastructure? The Washington Post informs us that an unnamed U.S. official acknowledged that "'the United States is actively developing and implementing' cyber-capabilities 'to deter or deny a potential adversary the ability to use its computer systems' to attack the United States." However, while the "collateral effects" of such an attack are claimed to be "unpredictable," one can be sure that civilian populations on the receiving end of a Pentagon cyber attack will suffer mass casualties as water and electrical systems go offline, disease and panic spreads and social infrastructures collapse.
Welcome to America's brave new world of high-tech war crimes coming soon to a theater near you (3D glasses optional).

Tom Burghardt is a researcher and activist based in the San Francisco Bay Area. In addition to publishing in Covert Action Quarterly and Global Research, an independent research and media group of writers, scholars, journalists and activists based in Montreal, he is a Contributing Editor with Cyrano's Journal Today. His articles can be read on Dissident Voice, The Intelligence Daily, Pacific Free Press, Uncommon Thought Journal, and the whistleblowing website WikiLeaks. He is the editor of Police State America: U.S. Military "Civil Disturbance" Planning, distributed by AK Press and has contributed to the new book from Global Research, The Global Economic Crisis: The Great Depression of the XXI Century.

From rforno at infowarrior.org Mon Jun 13 08:13:02 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jun 2011 09:13:02 -0400
Subject: [Infowarrior] - OT: Terry Pratchett exploring assisted suicide
Message-ID: <4CF9182D-3EB5-43D1-AFCE-71D6FE658909@infowarrior.org>

Sir Terry Pratchett begins process that could lead to assisted suicide
Sir Terry Pratchett, the author, has started the formal process that could lead to his assisted suicide at the Dignitas clinic in Switzerland.
By Martin Evans
3:24PM BST 12 Jun 2011
http://www.telegraph.co.uk/health/8571142/Sir-Terry-Pratchett-begins-process-that-could-lead-to-assisted-suicide.html

The 63-year-old, who has a rare form of early-onset Alzheimer's disease, said he had received the consent forms recently and was now considering whether to sign them. Sir Terry made the decision to request the forms after accompanying a motor-neurone sufferer to the Dignitas clinic for a controversial documentary to be screened on Monday evening on BBC TWO. The film shows 71-year-old Peter Smedley drink a cocktail of toxins at the clinic before dying in his wife's arms.
It will be the first time suicide has been broadcast on terrestrial television and has sparked a fierce debate over the right to die issue. Speaking ahead of the screening Sir Terry said he has now also received the consent forms from Dignitas, but added he had not signed them yet. He said: "The only thing stopping me [signing them] is that I have made this film and I have a bloody book to finish." But he stressed that he was as yet still undecided whether he would eventually take his own life. He said he changed his mind "every two minutes" but added that if he did choose to die he would prefer to do so in England and in the sunshine. Sir Terry, creator of the Discworld novels, was 60 when he was diagnosed with the terminal condition and has since campaigned passionately for a change in the law to allow assisted suicide in Britain. He has complained that people who wish to undergo the procedure under the current system are forced to commit suicide earlier than necessary because they have to go to Switzerland before they are too ill to travel. Sir Terry has called for a system that would allow someone with a terminal illness to be given a euthanasia kit they could take home, allowing them to choose the exact time and circumstances of their death. The writer also revealed that he would not "go to the barricades" and campaign for the right to die for people who had simply grown weary of living. It is estimated that 21 per cent of people who die at Dignitas do not have a terminal illness.

From rforno at infowarrior.org Mon Jun 13 18:52:04 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jun 2011 19:52:04 -0400
Subject: [Infowarrior] - Citi Defends Delay in Disclosing Hacking
Message-ID: <2B3C7BAD-3B85-4312-9677-E464D2396AAF@infowarrior.org>

Citi Defends Delay in Disclosing Hacking
By RANDALL SMITH
http://online.wsj.com/article/SB10001424052702304665904576382391531439656.html

Citigroup Inc. waited as long as three weeks to notify credit-card customers of a hacking attack because it was conducting an investigation and producing replacement cards, according to a person familiar with the situation. The internal investigation took 10 to 12 days and began within 24 hours of the discovery by Citigroup officials in early May that the New York bank's systems had been breached, this person said. In some cases, Citigroup took action to protect accounts considered vulnerable to fraud. Citigroup publicly disclosed the security attack last Thursday, saying it affected about 200,000 customers, or 1% of the company's card users in North America. The company said it had referred the matter to law-enforcement authorities and planned to send replacement cards to a majority of the affected customers. Some critics have accused Citigroup officials of dragging their feet in notifying customers that some of their data has been compromised. The Senate banking committee is planning hearings on data security. The breach follows other attacks that are fueling concerns among financial regulators and security experts that banks and other companies aren't doing enough to protect themselves and their customers. "Every minute that passes after a hacker gains access to customers' confidential information means a greater risk of both monetary and identity theft," said Mandeep Khera, an official at Cenzic Inc., an online-security firm in Santa Clara, Calif. Mr. Khera said Citigroup had "done a disservice" to customers because of the delay. Other recent targets of similar attacks include Sony Corp. and Lockheed Martin Corp. Security experts say financial institutions are a top target. On Saturday, the International Monetary Fund said it had been hit by "a cybersecurity incident." The person familiar with Citigroup's response to the security breach said company officials responded to discovery of the attack immediately.
In late May, the company launched a week-long process for a mailing to notify the roughly 200,000 customers of the breach and provide replacement cards to most of them. Customer notification and shipment of new cards began June 3, or six days before Citigroup publicly disclosed the hack attack. Citigroup said the hackers obtained access to data such as names, account numbers and email addresses. The breach didn't compromise Social Security numbers, dates of birth, card security codes or expiration dates. Bank officials have said the data that was disclosed wasn't enough to perpetrate fraud. Before the official customer notification, Citigroup moved to protect certain customers by sending out an internal fraud alert on all those customers deemed at risk, the person familiar with the matter said. Some experts suggested that Citigroup's response was reasonable. By discovering and investigating the breach itself, Citigroup was able to "allay" customer fears about data that wasn't compromised, said Joe Gottlieb, chief executive of SenSage Inc., a Redwood City, Calif., firm that develops software to reduce fraud and compliance risks.

Write to Randall Smith at randall.smith at wsj.com

From rforno at infowarrior.org Mon Jun 13 22:12:51 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jun 2011 23:12:51 -0400
Subject: [Infowarrior] - Why Google Earth Can't Show You Israel
Message-ID: <51EB8305-345F-477D-941B-B1F8C234C7A6@infowarrior.org>

Why Google Earth Can't Show You Israel
By Hamed Aleaziz
Fri Jun. 10, 2011 10:16 AM PDT
http://motherjones.com/politics/2011/06/google-israel-us

Since Google launched its Google Earth feature in 2005, the company has become a worldwide leader in providing high-resolution satellite imagery. In 2010, Google Earth allowed the world to see the extent of the destruction in post-earthquake Haiti. This year, Google released similar images after Japan's deadly tsunami and earthquake.
With just one click, Google can bring the world, and a better understanding of far-away events, to your computer. There is one entire country, however, that Google Earth won't show you: Israel. That's because, in 1997, Congress passed the National Defense Authorization Act, one section of which is titled, "Prohibition on collection and release of detailed satellite imagery relating to Israel." The amendment, known as the Kyl-Bingaman Amendment, calls for a federal agency, the NOAA's Commercial Remote Sensing Regulatory Affairs, to regulate the dissemination of zoomed-in images of Israel. When asked about the regulation, a Google spokeswoman said to Mother Jones, "The images in Google Earth are sourced from a wide range of both commercial and public sources. We source our satellite imagery from US-based companies who are subject to US law, including the Kyl-Bingaman Amendment to the National Defense Authorization Act of 1997, which limits the resolution of imagery of Israel that may be commercially distributed." And it's not just Israel. The regulation also applies to the occupied territories. It's why Human Rights Watch can't provide detailed imagery of the Gaza Strip in its reports. Of course, this regulation cuts both ways; one also cannot see the destruction in Sderot resulting from rockets sent out of Gaza. But, the impact of the regulation might be dwindling; after all, the US can only regulate the actions of American corporations. Turkey recently announced that its GokTurk satellite will provide high-resolution imagery of Israel when it becomes operational in 2013. Israel is unhappy with this possibility: An Israeli official told Al-Arabiya, "We try to ensure that we are not photographed at high resolutions, and most (countries) accommodate us." The official adds: "Should we request this of the Turks? We won't ask for it. There is no one to talk to."
From rforno at infowarrior.org Tue Jun 14 07:17:50 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 14 Jun 2011 08:17:50 -0400
Subject: [Infowarrior] - Chinese Spying Devices Installed on Hong Kong Cars
Message-ID:

Chinese Spying Devices Installed on Hong Kong Cars
By Albert Ding & Matthew Robertson
Epoch Times Staff
Created: Jun 12, 2011 Last Updated: Jun 14, 2011
http://www.theepochtimes.com/n2/china/chinese-spying-devices-installed-on-hong-kong-cars-57587.html

For years now Chinese authorities have been installing spying devices on all dual-plate Chinese-Hong Kong vehicles, enabling a vast network of eavesdropping across the archipelago, according to a Hong Kong newspaper. The report in Apple Daily states that the recording devices began being installed as "inspection and quarantine cards" in July 2007. They were installed without charge by the Shenzhen Inspection and Quarantine Bureau on thousands of vehicles. Smugglers were the first to note something strange about the devices. A source told Apple Daily that after the cards were installed mainland authorities had no trouble picking off the cars carrying illicit goods. "For every ten cars we ran we only had [smuggled goods] in three or four to reduce the risk, but the border agents caught all of them. The accuracy was unreal!" Apple Daily quoted the smuggler saying. The device, no larger than a PDA, is taped onto the vehicle's front window. Protective tape covers the screws, presumably to prevent tampering, though it didn't stop Apple Daily from removing the devices, taking them to experts for inspection, and presenting pictures of them splayed open on their website, with neat graphics indicating the various internal components. Apple Daily says they took the device to a university professor and a private investigator, both of whom attested to the espionage potential of the units. Zhang Dawei, identified as "a private investigator of over 30 years," took a look at the device's internal structure and told the Daily that the card could certainly be used for eavesdropping. An Associate Professor of Electrical Engineering at City University of Hong Kong, Zheng Liming, took apart one of the devices and confirmed that it can listen in on conversations. And the range is extensive, he said. "The signal receiving range is up to 20km, which means if the device installer wants to, they can listen even when the vehicles are in Hong Kong," he said. Two of the regions in Hong Kong where the device can transmit data back to China are Sha Tin and Tuen Mun. Much cheaper chips can be used to check inspection status for simple border crossings, Zhang said, "But this device uses chips commonly found in Bluetooth and voice recording devices, designed for receiving voice transmission." He thus thought it "very likely" that they were being used for surveillance. The Daily interviewed several Hong Kong drivers to gauge their reactions; predictably, they were often irate. Ms. Deng, who operates a real estate business, said: "Even if we hired a maid, we are not allowed to install a surveillance camera in her room due to privacy issues! You can't just do whatever you want." A senior manager in an unidentified company noted that those who qualify for the dual license plate usually have some financial clout. If their business conversations in the car were recorded and the information shared, he said, it may be enough to send people bankrupt. HKBusiness.net, an online news site, says that businesses that invested more than $1 million in mainland China and paid more than 30,000 yuan in tax over the past year qualify for a dual license plate. Apple Daily quotes a source saying there are at least 20,000 cars with dual license plates, and tens of thousands of trucks and buses.
From rforno at infowarrior.org Tue Jun 14 08:02:40 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 14 Jun 2011 09:02:40 -0400
Subject: [Infowarrior] - Facebook is losing users
Message-ID: <9D0F0542-BE4C-475E-98BE-41D88A345232@infowarrior.org>

(...or in my case, never had them. -- rick)

Facebook is losing users
Report shows losses in key countries like the US and UK
By Dean Wilson
Tue Jun 14 2011, 12:14
http://www.theinquirer.net/inquirer/news/2078752/facebook-losing-users

THE JIG MIGHT BE UP for Facebook, which has seen its peak in user signups and is now losing people, according to a report by Inside Facebook. Facebook now has 687.1 million users, up from the milestone half a billion it recorded in July of last year, but it looks like its phenomenal growth is finally starting to slow, and in some regions the social notworking giant has actually lost users. Inside Facebook Gold tracks how many Facebook users exist in each country on a monthly basis, and it discovered that during May the US Facebook userbase dropped from 155.2 million to just below 149.4 million. A fall of 5.8 million users in the space of a month is significant, especially in a key country like the US, but Facebook managed to record overall growth throughout the world of 11.8 million. The problem for Facebook is that this is lower growth than the 13.9 million in April and the roughly 20 million it gained for each month before that, suggesting a significant slowdown in user uptake across the globe, which could be linked to the drop in users in countries like the US. The US was not the only country to lose Facebook users. Canada dropped from 18.1 million users to 16.2 million, a drop of 1.52 million. Russia, Norway and the UK have also seen declines of over 100,000 users, suggesting that things might also be beginning to peak in Europe for Facebook.
Despite the figures Inside Facebook found, which are based on Facebook's own advertising tool, the company said that it was still growing in many of these regions. Some reports back up Inside Facebook's findings, while others show high growth instead, but the consensus generally appears to be that Facebook is not doing quite as well this year compared to 2010.

From rforno at infowarrior.org Tue Jun 14 10:29:56 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 14 Jun 2011 11:29:56 -0400
Subject: [Infowarrior] - Revealed: How Citigroup hackers broke in 'through the front door' using bank's website
Message-ID:

(I disagree with the anonymous source that says such an incident is hard to prepare for. -- rick)

Revealed: How Citigroup hackers broke in 'through the front door' using bank's website
By Lee Moran
Last updated at 2:16 PM on 14th June 2011
http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html#

Hacked: The personal details of more than 200,000 Citigroup customers were stolen in a 'brazen' attack (posed picture)

Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers. It allowed them to leapfrog into the accounts of other customers - with an automatic computer programme letting them repeat the trick tens of thousands of times.
The security breach, which was only spotted in May during a routine check, follows the high profile and embarrassing hacking of Sony's Playstation network. Security experts said it also showed the threat posed by the rising demand for private financial information from the world of foreign hackers. It was also a 'sign of things to come', they said. One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.' It is not known how much the incident is going to cost Citigroup and its customers. Spokesman Sean Kevelighan declined to comment as it was an 'ongoing criminal investigation'. But in a statement he said Citigroup discovered the breach in early May and the problem was 'rectified immediately'. He also said the bank had initiated internal fraud alerts and stepped up its account monitoring. Law enforcement officials said the expertise behind the attack was a 'sign of what is likely to be a wave of more and more sophisticated breaches' by high-tech thieves. This is because, according to a report by Verizon and the Secret Service, the demand for data is on the rise. In 2008 the underground market for data was flooded with more than 360 million stolen personal records, compared to just 3.8 million in 2010. As the credit cards, whose numbers were stolen in 2008, expire, there is a rush to find new accounts. It could see the price for basic credit card information rise from their current level of only pennies to several dollars. Bryan Sartin, forensic investigator for Verizon's consulting arm, said: 'If you think financially motivated breaches are huge now, just wait another year.' 
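The account-number substitution the article describes is an insecure direct object reference (IDOR): the server treats the identifier in the URL as if it were proof that the caller is entitled to that record. What follows is an added example, not code from the article or from Citigroup; the account records, the ownership table, the handler names, the 16-digit test numbers and the access-log format are all constructed for illustration. It shows the vulnerable handler, the automated loop that turns one edited URL into a bulk harvest, a hardened handler that authorizes against the login session and answers "not yours" exactly like "does not exist", and a crude detection rule over access-log lines that flags a session requesting many distinct account identifiers.

```python
"""IDOR demonstration (added example; hypothetical handlers and data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed 16-digit test numbers built from one prefix so the
# enumeration loop below can generate neighbours of a real one.
PREFIX = "411100000000000"

# Constructed account store: account number -> customer record.
ACCOUNTS = {
    f"{PREFIX}1": {"name": "A. Customer", "email": "a@example.com"},
    f"{PREFIX}2": {"name": "B. Customer", "email": "b@example.com"},
    f"{PREFIX}3": {"name": "C. Customer", "email": "c@example.com"},
}

# Which accounts each logged-in user actually owns (the authorization data
# the vulnerable handler never consults).
OWNERSHIP = {"user-a": {f"{PREFIX}1"}, "user-b": {f"{PREFIX}2"}}


@dataclass
class Request:
    session_user: str   # identity established at login
    account_id: str     # identifier taken from the URL or query string


def vulnerable_account_view(req: Request):
    """Trusts the URL parameter as authorization: any valid number works."""
    rec = ACCOUNTS.get(req.account_id)
    if rec is None:
        return 404, None
    return 200, rec


def hardened_account_view(req: Request):
    """Authorizes against the session, not the client-supplied identifier.

    'Not yours' and 'does not exist' get the same response so an
    enumeration script cannot distinguish valid numbers from invalid ones.
    """
    if req.account_id not in OWNERSHIP.get(req.session_user, set()):
        return 404, None
    return 200, ACCOUNTS[req.account_id]


def candidate_ids(n: int = 9):
    """Neighbouring numbers an attacker would try after seeing their own."""
    return [f"{PREFIX}{i}" for i in range(1, n + 1)]


def enumerate_accounts(view, session_user: str, candidates):
    """The 'repeat the trick' loop; returns the ids that leaked other
    customers' records (owned accounts are not counted as leaks)."""
    owned = OWNERSHIP.get(session_user, set())
    leaked = []
    for acct in candidates:
        status, _rec = view(Request(session_user, acct))
        if status == 200 and acct not in owned:
            leaked.append(acct)
    return leaked


# Constructed access-log lines: "<session> <path> <status>".
SAMPLE_LOG = [
    f"sess-a /card/{PREFIX}1 200",
    f"sess-b /card/{PREFIX}1 200",
    f"sess-b /card/{PREFIX}2 200",
    f"sess-b /card/{PREFIX}3 200",
    f"sess-b /card/{PREFIX}4 404",
]


def flag_enumeration(log_lines, max_distinct: int = 3):
    """Sessions that touch more distinct account ids than a legitimate
    customer plausibly holds are candidates for enumeration."""
    per_session = defaultdict(set)
    for line in log_lines:
        session, path, _status = line.split()
        per_session[session].add(path.rsplit("/", 1)[-1])
    return sorted(s for s, ids in per_session.items() if len(ids) > max_distinct)


if __name__ == "__main__":
    ids = candidate_ids()
    print("vulnerable leaks:", enumerate_accounts(vulnerable_account_view, "user-a", ids))
    print("hardened leaks:  ", enumerate_accounts(hardened_account_view, "user-a", ids))
    print("flagged sessions:", flag_enumeration(SAMPLE_LOG))
```

The choice to return 404 rather than 403 for another customer's valid number matters: a 403 would still tell the enumeration script which account numbers exist, which is most of the value of the harvest. The threshold in the log check is deliberately simple; the figure a practitioner would tune is how many distinct cards a legitimate customer session touches, and the 404 count per session is a second signal worth adding.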
The hackers which targeted Citigroup did not gain expiration dates or the three-digit security code on the back of the card. Those two elements would have made it much easier for the thieves to use the information to commit fraud.

From rforno at infowarrior.org Tue Jun 14 19:39:26 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 14 Jun 2011 20:39:26 -0400
Subject: [Infowarrior] - Two Cultures of Secrecy and Disclosure
Message-ID:

http://www.fas.org/blog/secrecy/?p=5304

The legitimacy of official secrecy policy that is taken for granted within official circles is increasingly open to question within the press and among many members of the public. "Government officials must... accept the enduring reality of a media culture that is prepared to publish official secrets and considers such disclosure a patriotic contribution to democratic discourse," said the Congressional Research Service in passing in a new report. See "Intelligence Information: Need-to-Know vs. Need-to-Share" (pdf), June 6, 2011. This is not quite precise, since no U.S. news organization publishes official secrets just because they are secret. And no one seriously views the publication of a classified technical manual, for example, as a contribution to democratic discourse. The secrets must also be newsworthy, and even then most news outlets will exercise discretion and will give consideration to national security claims. But it is certainly true that reputable news organizations of liberal, conservative and other editorial persuasions will publish classified information over government objections. That is the privilege and the right of a free press. Strangely, the obverse is also true: Government officials will sometimes insist that information that is irreversibly public is nevertheless classified and subject to official security controls.
This was demonstrated most recently in a Justice Department policy for habeas attorneys regarding limitations on access to records published by WikiLeaks concerning detainees at Guantanamo, as first reported by the New York Times on June 11. "While you may access such material from your non-U.S.-Government-issued personal and work computers," the attorneys were told (pdf), "you are not permitted to download, save, print, disseminate, or otherwise reproduce, maintain, or transport potentially classified information." But the idea that information can be "accessed" online without "downloading" it is garbled, and it illustrates the confusion that prevails in government regarding classified information in the public domain. See "Feds' policy on reading WikiLeaks docs 'incoherent,' critics say" by Josh Gerstein, Politico Under the Radar, June 12. The gap that separates the two cultures of government and media over official secrecy could be narrowed if not eliminated by a concerted effort to limit secrecy to its least ambiguous, most broadly accepted purposes. But currently, the Obama Administration is devoting far more effort to enforcing the existing secrecy regime than to fixing it.

From rforno at infowarrior.org Tue Jun 14 19:49:18 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 14 Jun 2011 20:49:18 -0400
Subject: [Infowarrior] - Kissinger, Huntsman: U.S., China need cyber detente
Message-ID: <0789C2D8-59C7-498E-992D-54DBE1C1AB46@infowarrior.org>

Kissinger, Huntsman: U.S., China need cyber detente
http://www.reuters.com/article/2011/06/14/us-china-kissinger-cyber-idUSTRE75D62Q20110614
Wed, Jun 15 2011
By Paul Eckert and Daniel Magnowski

NEW YORK/SINGAPORE | Tue Jun 14, 2011 7:30pm EDT (Reuters) - The United States and China need to reach an agreement to restrict cyber attacks and designate some areas as off limits to hacking, two former senior U.S. officials said on Tuesday. Henry Kissinger, an architect of the opening of U.S.
relations with China in the 1970s, told a Thomson Reuters event that Washington and Beijing both had significant espionage capabilities and the key was finding a way to discuss them. Jon Huntsman, the former U.S. ambassador to China, likened raising cyber attacks with Beijing to the challenge of discussing missile defense and the military use of space -- issues that are also highly sensitive to the Chinese. "At some point, we are going to have to develop a context in which we can actually discuss this and, I would think, draw some red lines around areas that we don't want them into and they might not want us into," said Huntsman, who left China in April to plan his presidential election campaign, and was speaking at the same event. Their calls for a cyber detente follow a blitz of hacking attacks on major U.S.-based institutions in recent weeks, including the International Monetary Fund, the Senate, and companies such as Citigroup and Lockheed Martin. Chinese entities have been suspected in attacks on Google e-mail accounts of U.S. officials and Chinese activists, though Beijing has denied involvement and said it too is a victim of international hacking. "China has also many times reiterated that we are willing to open up exchanges and cooperation with the international community about Internet security," Foreign Ministry spokesman Hong Lei said earlier on Tuesday. Kissinger, former secretary of state, said that without an overall agreement, relations over the issue would likely deteriorate. "If you take it case by case it will lead to accusations and counter-accusations," he said. The spate of security breaches prompted NATO to endorse a cyber defense policy on Monday after a meeting last week. NATO officials say the policy focuses on protecting the alliance's computer networks and defense planning processes, and allows for broader consultations on cyber threats. "If there's a cyber threat, NATO has consultation mechanisms and may consult about anything. 
But the ambition now is to defend NATO bodies, NATO agencies, NATO structures. This is what we are working concretely on," said a NATO official.

CALLS FOR INTERNATIONAL ACTION

Security experts say the borderless nature of the Web requires a coordinated global response against hacking. The view that cyber security is a technical problem, rather than a strategic one, has meant that it has not been a priority. India's top IT bureaucrat, R. Chandrasekhar, said high-level cooperation between states was needed. India's computer networks have frequently been attacked, with the hackers suspected to be from China and Pakistan. "Government to government contacts are there...(but) at the middle level," he said. "Concerted efforts are needed. We are yet to see the emergence of a clear organizational mechanism." Neelie Kroes, European Commission Vice President for the Digital Agenda, said there are plans for a pan-EU network to coordinate responses to cyber attacks by 2012, and the EU has a strategic partnership with the U.S. on cybercrimes. "Governments worldwide need to address cybersecurity threats, and drafting strategies is an important step toward doing so," Kroes said. Peter Coroneos, co-founder of the International Internet Industry Association and head of Australia's industry body, called on world leaders to put cyber security on the agenda at forums such as the G20 and urge "slower-moving" nations to take a stand against hacking.

KOREA DRAFTS PLAN, INDONESIA WARNS OF RISKS

South Korea said on Tuesday it was drawing up a cyber security master plan, but some other Asian governments appeared to have no blueprint for tackling the threat. Indonesia, a rapidly growing G20 country, warned that hackers could cause serious damage to its institutions. "Every day, not every month, but every day, we get 1.2 million hacker attacks in Indonesia, both from within the country and outside," said Gatot Dewa Broto, Indonesia's communication and information ministry spokesman.
"If we don't improve (our capabilities) we could face a possible public and commercial institutional collapse." But getting nations to work together to combat cyber security won't be easy, experts said, pointing to differing ideologies and goals. The Chinese government, for example, may be more interested in tracking down dissidents on the Internet than in prosecuting criminal hackers. "At the end of the day, in my view, a lot of the Chinese solution for hackers is more aggressively finding out who's doing what in cyberspace," said Stewart Baker, a former Department of Homeland Security official now at the law firm Steptoe and Johnson LLP. "These are the kinds of things that are likely to make the world a little less safe for hackers but also for the color revolutions," he said. "If you help law enforcement around the world you're helping the British bobbies... but you're also helping Russian, Iranian and Chinese security forces who are less attractive in the range of things that they do," he said. Others said they saw room for progress between the U.S. and China on questions such as the use of the Internet for child porn and terrorism. "Law enforcement -- that would be a good place to start," said Jim Lewis, a cyber expert at the Center for Strategic and International Studies. "Everyone can agree that child porn is bad and you don't want to support terrorism." Lewis also said that Beijing had many reasons to crack down on cybercrime. "Nobody likes cybercrime, including the Chinese. They don't like cybercrime. They worry about their hackers turning on the government."
(Additional reporting by Jeff Mason, David Brunnstrom, Christopher Lecoq; Writing by Tiffany Wu; Editing by Martin Howell)

From rforno at infowarrior.org Wed Jun 15 14:51:52 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Jun 2011 15:51:52 -0400
Subject: [Infowarrior] - War Powers Act Does Not Apply to Libya, Obama Argues
Message-ID: <02C6BD3D-2EF4-4AED-8BB5-C129D7511C9B@infowarrior.org>

June 15, 2011
War Powers Act Does Not Apply to Libya, Obama Argues
By CHARLIE SAVAGE
https://www.nytimes.com/2011/06/16/us/politics/16powers.html

WASHINGTON -- The White House is telling Congress that President Obama has the legal authority to continue American participation in the NATO-led air war in Libya, even though lawmakers have not authorized it. In a broader package of materials the Obama administration is sending to Congress on Wednesday defending its Libya policy, the White House, for the first time, offers lawmakers and the public an argument for why Mr. Obama has not been violating the War Powers Resolution since May 20. On that day, the Vietnam-era law's 60-day deadline for terminating unauthorized hostilities appeared to pass. But the White House argued that the activities of United States military forces in Libya do not amount to full-blown "hostilities" at the level necessary to involve the section of the War Powers Resolution that imposes the deadline. "We are acting lawfully," said Harold Koh, the State Department legal adviser, who expanded on the administration's reasoning in a joint interview with White House Counsel Robert Bauer. The two senior administration lawyers contended that American forces have not been in "hostilities" at least since April 7, when NATO took over leadership in maintaining a no-flight zone in Libya, and the United States took up what is mainly a supporting role -- providing surveillance and refueling for allied warplanes -- although unmanned drones operated by the United States periodically fire missiles as well.
They argued that United States forces are at little risk in the operation because there are no American troops on the ground and Libyan forces are unable to exchange meaningful fire with American forces. They said that there was little risk of the military mission escalating, because it is constrained by the United Nations Security Council resolution that authorized use of air power to defend civilians. "We are not saying the president can take the country into war on his own," Mr. Koh said. "We are not saying the War Powers Resolution is unconstitutional or should be scrapped, or that we can refuse to consult Congress. We are saying the limited nature of this particular mission is not the kind of 'hostilities' envisioned by the War Powers Resolution." The administration unveiled its argument at a time when members of Congress have shown increasing skepticism about the Libya operation. On June 3, the House of Representatives passed a resolution declaring that the mission had not been authorized. On Wednesday, the Speaker of the House, John Boehner, Republican of Ohio, sent Mr. Obama a letter pointing out that even under a flexible interpretation of the War Powers Resolution that would allow hostilities to last 90 days without Congressional authorization, Mr. Obama was out of time. Mr. Boehner demanded a legal explanation by Friday. "Given the mission you have ordered to the U.S. Armed Forces with respect to Libya and the text of the War Powers Resolution, the House is left to conclude that you have made one of two determinations: either you have concluded the War Powers Resolution does not apply to the mission in Libya, or you have determined the War Powers Resolution is contrary to the Constitution," Mr. Boehner wrote. "The House, and the American people whom we represent, deserve to know the determination you have made."
It remains to be seen whether majorities in Congress will accept the administration's argument, defusing the confrontation, or whether the White House's response will instead fuel greater criticism. Either way, because the War Powers Resolution does not include a definition of "hostilities" and the Supreme Court has never ruled on the issue, the legal debate is likely to be resolved politically, said Rick Pildes, a New York University law professor. "There is no clear legal answer," he said. "The president is taking a position, so the question is whether Congress accepts that position, or doesn't accept that position and wants to insist that the operation can't continue without affirmative authorization from Congress." Ten members of Congress -- led by Rep. Dennis Kucinich, Democrat of Ohio, and Rep. Walter Jones, Republican of North Carolina -- filed a lawsuit on Wednesday asking a judge to order Mr. Obama to stop the air war. The suit asserts that the operation is illegal because Congress did not authorize it. That lawsuit faces steep challenges, however, because courts in the past have dismissed similar cases on technical grounds. The administration had earlier argued that Mr. Obama could initiate the intervention in Libya on his own authority as commander-in-chief because it was not a "war" in the constitutional sense. It also released a memorandum by the Justice Department's Office of Legal Counsel agreeing that he could do so unilaterally because he anticipated that its nature, scope, and duration would be limited. Since then, the conflict in Libya has dragged on longer than expected, and the goal of the NATO allies has all but openly shifted from merely defending civilians to forcing the Libyan dictator, Col. Muammar Qaddafi, from power. But Mr. Koh and Mr. Bauer said that while regime change in Libya may be a diplomatic goal, the military mission is separate, and remains limited to protecting civilians.
The administration legal team considered other approaches, including a proposal to stop the use of armed drones after May 20 in order to bolster the case that United States forces were no longer engaged in hostilities. But the White House ultimately decided not to make any changes in the military mission. While many presidents have challenged the constitutionality of other aspects of the War Powers Resolution -- which Congress enacted over President Nixon's veto -- no administration has said that the section imposing the 60-day clock was unconstitutional. In 1980, the Office of Legal Counsel concluded that it was within Congress's constitutional power to enact such a limit on unauthorized hostilities. Mr. Bauer and Mr. Koh said the 1980 memorandum remains in force, but that their legal argument does not invoke any constitutional challenge to the act. It was not clear whether the Office of Legal Counsel has endorsed the White House's interpretation of what "hostilities" means. Mr. Bauer declined to say whether the office had signed off on the theory, saying he would not discuss inter-agency deliberations. Mr. Koh argued that the administration's interpretation of the word was not unprecedented, noting that there have been previous disputes about whether the 60-day-clock portion of the War Powers Resolution applied to deployments where -- unlike the Libya operation -- there were troops on the ground and Americans suffered casualties. Still, such previous cases typically involved peacekeeping missions in which the United States had been invited to take part, and there were only infrequent outbreaks of violence, like those in Lebanon, Somalia and Bosnia. Libya, by contrast, is an offensive mission involving sustained bombardment of a government's forces. The closest precedent was the NATO-led air war over Kosovo in 1999. In that case, the Clinton administration's legal team characterized the campaign, which involved many piloted American warplanes, as "hostilities"
even though there was little exchange of fire from Serb forces after their air defenses were destroyed and there were no United States casualties. In Kosovo, however, Congress appropriated specific funds for the mission before 60 days had passed. The Clinton administration decided that by providing the money, Congress had satisfied the requirements of the War Powers Resolution.

From rforno at infowarrior.org Wed Jun 15 17:02:26 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Jun 2011 18:02:26 -0400
Subject: [Infowarrior] - Who is behind the hacks? (FAQ)
Message-ID:

June 14, 2011 1:33 PM PDT
Who is behind the hacks? (FAQ)
by Elinor Mills
http://news.cnet.com/8301-27080_3-20071100-245/who-is-behind-the-hacks-faq/?tag=cnetRiver

Every day there's another report of a computer hack. Yesterday it was a video game company and a U.S. Senate database. And today it could be the Federal Reserve. There's no doubt that there's a wave of attacks going on right now, against different targets and with seemingly different motives. The questions on everyone's mind are who is behind these computer attacks and why are they doing it. This FAQ will help answer those questions in at least some of the cases.

Who is Anonymous?

Anonymous is the best known of the groups that are currently active and publicly taking credit for, even publicizing in advance, attacks on Web sites. It's a decentralized group that specializes in organizing distributed denial-of-service (DDoS) attacks designed to shut down sites, particularly in support of freedom of speech. Past targets have included the Church of Scientology, BMI, the governments of Egypt and Iran, and companies owned by conservative activist billionaires Charles and David Koch. They also conducted a massive compromise of the security firm HBGary Federal, which had reportedly been working with the FBI to identify the leaders of Anonymous.
They launched a series of effective DDoS attacks against PayPal, Visa, and MasterCard late last year after the companies stopped enabling WikiLeaks to receive contributions through those means. Sources told CNET that the group has undergone a loss of membership and radical shift in direction and organizational participation since the arrest of a 16-year-old alleged member in the Netherlands late last year, the arrest of five people (ages 15-26) in the U.K. in January, and the issuing of more than 40 arrest warrants in the U.S. Member identities were reportedly leaked on the Internet as well. The group's strong anti-establishment and political messages have led some to call them hacktivists, which refers to activists who hack. It's unclear how many people participated in their campaigns, which they call "operations," because their system is designed to allow for confidential participation.

Who have they targeted recently and why?

Anonymous pretty much started the recent spate of hackings against Sony, hitting several Sony sites with a DDoS in early April in retaliation for Sony taking several PlayStation 3 hackers to court. PS3 "modder" George Hotz and Sony eventually settled out of court. But attacks on Sony continued, with a major breach at the PlayStation Network that exposed 77 million customer records and at Sony Online Entertainment where more than 24 million records were exposed. Sony has suggested connections between Anonymous and the breaches. While Anonymous was admittedly behind the initial DDoS, it says it wasn't behind the PSN and Sony Online Entertainment breaches, and hasn't claimed credit for any other Sony attacks. Last week, Spanish police arrested three people accused of taking part in Anonymous activities and Anonymous members retaliated by hitting the Spanish National Police Web site.
This week, Turkish police arrested 32 people, including eight who were teens, within days of the group launching a campaign to shut down a Turkish government site in response to new Internet filtering laws. Yesterday, Anonymous was planning an attack on the site of the Federal Reserve for today.

Who is LulzSec?

LulzSec first popped up in early May seemingly out of nowhere. But sources told CNET that the group is a spinoff from Anonymous ranks, but with no pretense of having a political message or moral principle. Indeed, the group's name, LulzSec--a derivative of LOL (laugh out loud) combined with security--is a strong indication that the group's motivation is to just hack for kicks and entertainment. The group makes a lot of jokes and taunts on Twitter and today said it would take hacking target requests. "Pick a target and we'll obliterate it. Nobody wants to mess with The Lulz Cannon - take aim for us, twitter."

Who have they targeted?

LulzSec began publicizing its hacking in May with the compromise of the Web site of the Fox TV show "X Factor" and exposed personal information of contestants, followed by release of internal Fox data. The group also has taken credit for hacks of Sony Music Japan, Sony Pictures, Sony BMG Belgium and Netherlands, Sony Computer Entertainment Developer Network (allegedly stealing source code) and Sony BMG, according to this timeline. LulzSec hacked the site of PBS.org late last month, leaked passwords, and pasted a spoof news article on the site claiming that deceased rappers Tupac Shakur and Biggie Smalls were alive and residing in New Zealand. The group claimed they were punishing PBS for a Frontline program on WikiLeaks that they claimed was biased against the whistleblower site. LulzSec also has targeted Nintendo and the Web site of FBI partner Infragard in an attempt to embarrass the agency. LulzSec said it took the action against Infragard because of a plan by the Obama administration to classify cyberattacks as acts of war.
Among the passwords on the Infragard site was one used by the CEO of botnet tracking firm Unveillance. The CEO told CNET that the hackers used the password to read his e-mails and listen in on conference calls and that they threatened to extort money and botnet data from him. Botnets composed of compromised computers are typically used to send spam and to launch DDoS attacks. LulzSec recently went public with data stolen from a U.S. Senate Web site and released data stolen from the site of Bethesda Softworks, a subsidiary of gaming company ZeniMax Media. The group also recently compromised a site at the U.K. National Health Services. LulzSec did not release the information publicly, but sent an e-mail to the agency warning them about the problem and then released a redacted version of the e-mail to the public.

Who is Idahc?

Another hacker who has taken credit for attacking Sony is known as Idahc. He has identified himself as an 18-year-old Lebanese computer science student. In an interview this week with Andy Greenberg at Forbes, Idahc said he began hacking for "justice," then it became a game and now he's trying to prompt organizations to improve the security of their Web sites. "I don't hack for 'lulz' but for moral reasons," he said in the interview, adding that he considers groups like LulzSec to be "black hat," or criminal, hackers, and that he is a "gray hat" hacker.

Who has Idahc targeted?

Idahc claims to have stolen 2,000 records from Sony Ericsson's e-commerce site in Canada, leaked a database from Sony Europe, and compromised a Sony Portugal site. Meanwhile, there have been other copycat-type attacks on Sony: specifically, a hacker with the alias "k4L0ng666" took credit for hacking Sony Music Indonesia and has reported a long list of other Web site defacements to cybercrime archive Zone-H. And someone with the handle "b4d_vipera" claimed responsibility for hacking Sony BMG Greece.

What about other big recent attacks? Are these all related?
In the past few months there has been a string of other computer hacking incidents, but they are not all linked. Unlike the Sony and other attacks conducted by Anonymous and LulzSec, which were done to expose security weaknesses, embarrass a target and get publicity, other types of attacks are more malicious. For instance, the networks of Citigroup and the International Monetary Fund were compromised recently. Reports have speculated that the IMF was targeted by a foreign government possibly wanting access to insider information that could affect financial markets. It's also unknown who is behind the Citigroup incident, although The New York Times reported that whoever did it managed to get in through the main customer Web site and then leapfrogged between different customers by inserting various account numbers into the browser address bar repeatedly. The data from accounts could be used for financial fraud, although the thieves apparently did not get card expiration dates or security codes, which will make the data more difficult to use. Then RSA warned customers in March that its system had been compromised and data was stolen related to its SecurID two-factor authentication devices, which are widely used by U.S. government agencies, contractors, and banks to secure remote access to sensitive networks. Within a few months, reports trickled out about breaches at three defense contractors: Lockheed Martin, L-3 Communications, and Northrop Grumman, the first two of which confirmed that the attacks were related to SecurIDs. It's unclear who is behind the attacks, but when it comes to military espionage, foreign governments or nation states are often suspected. In this case several experts speculated it could be China. Google announced earlier this month that it had thwarted an attack aimed at snooping on hundreds of Gmail accounts owned by U.S. and other government officials, journalists, and political activists that appeared to originate in China.
Chinese representatives have denied any involvement. There was also a breach at e-mail marketing service provider Epsilon in April that prompted big companies like Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade, and Verizon to warn customers that their e-mail addresses had been exposed. And in March someone stole digital certificates from registration authorities associated with Comodo and could have used them to spoof sites like Google, Yahoo, Live.com, and Skype. A 21-year-old Iranian patriot claimed responsibility for the attacks, saying he was protesting U.S. policy and was taking revenge for last year's Stuxnet malware that experts believe was created to shut down Iran's nuclear program.

From rforno at infowarrior.org Thu Jun 16 07:35:41 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 16 Jun 2011 08:35:41 -0400
Subject: [Infowarrior] - Apple to 'ban iPhone gig filming'
Message-ID: <0514503F-9AE5-498A-920B-80A7A0B9C246@infowarrior.org>

Apple to 'ban iPhone gig filming'
By STAFF REPORTER
Published: Today
http://www.thesun.co.uk/sol/homepage/news/3641676/Apple-to-ban-iPhone-gig-filming.html

IPHONE users may soon be stopped from filming at concerts -- as a result of new Apple technology. The leading computer company plans to build a system that will sense when people are trying to video live events -- and turn off their cameras. A patent application filed by Apple revealed how the technology would work. If an iPhone were held up and used to film during a concert, infra-red sensors would detect it. These sensors would then contact the iPhone and automatically disable its camera function. People would still be able to send text messages and make calls. The new technology is seen as an attempt to protect the interests of event organisers and broadcasters who have exclusive rights to concerts.
The companies are often left frustrated when videos of shows appear online via websites such as YouTube which let users watch them for free. Apple filed for the patent 18 months ago -- and it is thought if successful it will help them negotiate deals with record labels to sell content through iTunes.

From rforno at infowarrior.org Thu Jun 16 07:44:31 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 16 Jun 2011 08:44:31 -0400
Subject: [Infowarrior] - IBM Turns 100 Today, We Look Back
Message-ID: <1F6EF2A0-BAEA-4F0E-BFFC-6F554C66B6CE@infowarrior.org>

IBM Turns 100 Today, We Look Back
Thursday June 16, 2011, Matt Brian

US computing giant IBM celebrates its 100th anniversary today, a century passing since businessman Charles Flint oversaw the merger of Hollerith's Tabulating Machine Company with the Computing Scale Company of America and International Recording Company to become Computing-Tabulating-Recording Company, the brand we know today as IBM. So how did a tabulating machine company, an Ohio manufacturer of meat slicers and scales, and a maker of industrial clocks become one of the world's most respected and profitable brands? We take a look:

< - big snip - >

http://thenextweb.com/industry/2011/06/16/ibm-turns-100-today-we-look-back/

From rforno at infowarrior.org Thu Jun 16 11:46:25 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 16 Jun 2011 12:46:25 -0400
Subject: [Infowarrior] - Report: Bush White House Wanted CIA to Discredit Blogger
Message-ID:

Report: Bush White House Wanted CIA to Discredit Blogger
By Spencer Ackerman | June 16, 2011 | 9:01 am | Categories: Spies, Secrecy and Surveillance
http://www.wired.com/dangerroom/2011/06/report-bush-white-house-wanted-cia-to-discredit-blogger/

Juan Cole is a University of Michigan professor and Mideast expert who spent years writing nasty things about the Bush administration on his blog.
For that, a former CIA official claims, the Bush White House wanted him to STFU, and asked the CIA to handle it. Glenn Carle, a retired CIA counterterrorism official, tells the New York Times that in 2005, his supervisor at the National Intelligence Council returned from a White House meeting that discussed Cole's writings -- which, at the time, were heavy on invective against the Iraq war and the administration that launched it. "What do you think we might know about him, or could find out that could discredit him?," Carle recalled his boss, David Low, inquiring. Shortly after, Carle found a memo from Low heading for the White House that contained what he called "inappropriate, derogatory remarks" about Cole's lifestyle. Carle took it to his boss, who removed the paragraph on Cole. But Carle soon found out about another inquiry within the agency about Cole. He said he had to warn a different CIA official that he'd go to the agency's inspector general if it wasn't quashed. "People were accepting it, like you had to be part of the team," Carle told the Times. He's yet to return a phone call seeking elaboration. Carle is the only one making these claims on the record. Low told the Times he has no recollection of the incident. CIA spokesman George Little denies that the CIA ever gave the White House damaging information on Cole, an American citizen. (Which, if Carle got information on Cole removed from the memo, is actually consistent with the account provided by the Times' James Risen.) If true, the allegations would be pretty damaging to both the CIA and the Bushies, for two reasons. First, the CIA isn't supposed to collect information on American citizens, and definitely not for their political views. It's also potentially illegal: "The statute makes it very clear: you can't spy on Americans," ex-CIA lawyer Jeffrey Smith told Risen. More bewilderingly, all Cole did was say mean things about the Bush team on the Internet.
He wasn't a militant, he wasn't even an activist. He blogged. To devote precious intelligence resources, especially from counterterrorism officials, to silencing him is laughably solipsistic. If you don't like what someone says about you on the Internet, stop Googling yourself. Trolling: Ur doing it wrong. Full disclosure: Cole is a pal of mine, though we've had our differences. On his blog, Cole writes that he hopes the congressional intelligence committees will investigate Carle's allegations, as they might turn up other critics who might have been similarly spied upon. "I know I am a relatively small fish and it seems to me rather likely that I was not the only target of the baleful team at the White House," he blogs. "It is sad that a politics of personal destruction was the response by the Bush White House to an attempt of a citizen to reason in public about a matter of great public interest."

From rforno at infowarrior.org Thu Jun 16 20:25:13 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 16 Jun 2011 21:25:13 -0400
Subject: [Infowarrior] - NSA allies with Internet carriers to thwart cyber attacks against defense firms
Message-ID: <644C1008-9964-4DF1-84D3-765548BA2B1A@infowarrior.org>

NSA allies with Internet carriers to thwart cyber attacks against defense firms
By Ellen Nakashima, Updated: Thursday, June 16, 7:37 PM
http://www.washingtonpost.com/national/major-internet-service-providers-cooperating-with-nsa-on-monitoring-traffic/2011/06/07/AG2dukXH_print.html

The National Security Agency is working with Internet providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries, senior defense and industry officials say.
The novel program, which began last month on a voluntary, trial basis, relies on sophisticated NSA data sets to identify malicious programs slipped into the vast stream of Internet data flowing to the nation's largest defense firms. Such attacks, including one last month against Bethesda-based Lockheed Martin, are nearly constant as rival nations and terrorist groups seek access to U.S. military secrets. "We hope the ... cyber pilot can be the beginning of something bigger," Deputy Defense Secretary William J. Lynn III said at a global security conference in Paris on Thursday. "It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security." The prospect of a role for the NSA, the nation's largest spy agency and a part of the Defense Department, in helping Internet providers filter domestic Internet traffic already had raised concerns among privacy activists. Lynn's suggestion that the program might be extended beyond the work of defense contractors threatened to raise the stakes further. James X. Dempsey, vice president for public policy at the Center for Democracy & Technology, a civil liberties group, said that the pilot is "an elegant solution" to the long-standing problem of how to use NSA's expertise while avoiding domestic surveillance by the government. But, he said, any extension of the program must guarantee protections against government access to private Internet traffic. "We wouldn't want this to become a backdoor form of surveillance," Dempsey said. Officials say the program does not involve direct monitoring of the contractors' networks by the government. The pilot program uses NSA-developed "signatures," or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic flowing to major defense contractors.
That allows the Internet providers to disable the threats before an attack can penetrate a contractor's servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats. The Internet providers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed, Falls Church-based CSC, McLean-based SAIC and Northrop Grumman, which is moving its headquarters to Falls Church. The contractors have the option, but not the obligation, to report the success rate to the NSA's Threat Operations Center. All three of the Internet carriers declined to comment on the pilot program. Several of the defense contractors declined to comment as well. Partnering with the major Internet providers "is probably the technically quickest way to go and the best way to go" to defend dot.com networks, said Gen. Keith B. Alexander, who heads the NSA and the affiliated U.S. Cyber Command at Fort Meade, testifying before Congress in March. The premise of this strategy is that combining the providers' ability to filter massive volumes of traffic -- a large provider can monitor up to 100 gigabits per second -- with the NSA's expertise will provide a greater level of protection without violating privacy laws. But the initiative stalled for months because of numerous concerns, including the Justice Department's worries that the program would run afoul of privacy laws forbidding government surveillance of private Internet traffic. Officials have, at least for now, allayed that concern by saying that the government will not directly filter the traffic or receive the malicious code captured by the Internet providers. The Department of Homeland Security is a partner in the pilot. "The U.S. government will not be monitoring, intercepting or storing any private-sector communications," Lynn said.
"Rather, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks." But civil liberties advocates are worried that a provision in the White House's recent legislative proposal on cybersecurity could open the way to government surveillance through public-private partnerships such as this one. They are concerned that the proposal would authorize companies to share vast amounts of communications data with the federal government. "The government needs to make up its mind about whether it wants to protect networks or collect intelligence," Dempsey said. Although this NSA technology is more sophisticated than traditional antivirus programs, it still can screen only for known threats. Developing detection and mitigation strategies for emerging new threats is more difficult. The program also does not protect against insider threats or employees who deliberately leak material. Nor will it protect a network against penetration by hackers who have compromised security software, enabling them to log in as if they were legitimate users. That is what happened recently when security firm RSA's SecurID tokens were compromised, enabling hackers to penetrate Lockheed Martin's computers. Lockheed said no customer, program or employee personal data were compromised. The pilot program has been at least a year in the making. Providers and companies were concerned that they would be vulnerable to lawsuits or other sanctions if they allowed the government to filter the traffic or shared network data with the government. The NSA, meanwhile, was concerned about the classified data getting into the hands of adversaries. The Internet providers are not being paid to prepare their systems for the pilot, an effort that industry officials said costs millions of dollars. The providers will work with the companies they already serve.
In some cases, they already provide a similar service of filtering for malicious traffic using their own threat data. Lynn's speech also appeared to outline key elements of the Pentagon's cyber strategy, an unclassified version of which is due out soon. The strategy, said experts and analysts who have been briefed on it, focuses on building defenses and a framework for deterrence. It also makes clear the military's prerogative to use cyber and other traditional military means if the United States is attacked or engaged in hostilities with an adversary. "First we must raise the level of protection in government and military networks," Lynn said Thursday. "We must ready our defense institution to confront cyber threats, because it is clear any future conflict will have a cyber dimension."

© The Washington Post Company

From rforno at infowarrior.org Fri Jun 17 09:42:28 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jun 2011 10:42:28 -0400
Subject: [Infowarrior] - Chicago Chef Paul Kahan Slips Chef Knives Through TSA Security
Message-ID: <945D98A8-04BB-4F94-9888-5D8AD46A6617@infowarrior.org>

Chicago Chef Paul Kahan Slips Chef Knives Through TSA Security
Where: Chicago, IL, United States
June 16, 2011 at 11:43 AM | by JetSetCD
http://www.jaunted.com/story/2011/6/16/123/45677/travel/Chicago+Chef+Paul+Kahan+Slips+Chef+Knives+Through+TSA+Security

Are you prepared to be yet again disappointed in and freaked out by the incompetence of TSA agents? Chicagoan Paul Kahan, a James Beard award winning chef and partner at the awesome restaurants Avec, Blackbird, Big Star and The Publican, managed to slip four of his massive chef knives through security at Chicago-O'Hare Airport. What happened then? Well, he took his flight like normal with four giant knives at easy reach. Luckily Paul Kahan is a good guy who prefers filleting fish to filleting flight attendants.
Still, the fact that he was patted down for his wallet while the sharp things made it through the scanner without a hitch...somebody's got some 'splaining to do. And here we think we're pretty badass for never adhering to the 3-1-1 liquids rule and still making it through security just fine.

Kahan's incident is the third such TSA FAIL admission of late. First one of the Mythbusters duo admitted carrying 12" razor blades, which weren't detected on him even in the full-body scanner. Then a bag containing three boxcutters made it onboard a plane at JFK, until the passenger remembered what he had packed. And now this -- three strikes and you're out. Or, in the case of the TSA, it's three strikes and you're clear to go.

From rforno at infowarrior.org Fri Jun 17 10:28:55 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jun 2011 11:28:55 -0400
Subject: [Infowarrior] - Deputy Secretary Lynn Details Anti-Cyber Threat Strategy
Message-ID: <00599C2B-8B26-4C2C-9B6A-DE77C9E88CA5@infowarrior.org>

Deputy Secretary Lynn Details Anti-Cyber Threat Strategy
By John D. Banusiewicz
American Forces Press Service
http://www.defense.gov/news/newsarticle.aspx?id=64351

PARIS, June 16, 2011 -- The world is at a crossroads in the development of threats in the cyber realm, Deputy Defense Secretary William J. Lynn III said here today.

More destructive attack capabilities are being developed but haven't yet been used, Lynn told participants in the Center for Strategic Decision Research's 28th International Workshop on Global Security. And the terrorist groups most likely to use such capabilities to attack cyber systems, he told the group, have yet to acquire them.

"This situation will not hold forever," the deputy secretary said. "Terrorist organizations or rogue states could obtain and use destructive cyber capabilities." The window of opportunity to develop stronger defenses before that happens is of uncertain duration, he added.
Lynn said three avenues of action are necessary to prevail against the spectrum of cyber threats.

"First, we must raise the level of protection in government and military networks," he said. "We must ready our defense institution to confront cyber threats, because it is clear that any future conflict will have a cyber dimension. Future adversaries will seek to use our reliance on information technology against us. We must be prepared to defend our networks effectively."

The U.S. Defense Department is moving aggressively to counter the cyber threat, Lynn told the audience, noting that as a doctrinal matter, the military must be able to defend and operate freely in cyberspace.

"Over the past two years, we have deployed specialized active defenses to protect military networks, and we have established the U.S. Cyber Command to operate and defend them," he said. "And we are developing a comprehensive cyber strategy that will guide how each military service trains, equips and commands its forces for the cyber mission."

And as the United States prepares its own forces to face the cyber challenge, Lynn said, it must pursue a second avenue of action: working with allies and partners on collective cyber defenses to strengthen their collective ability to monitor and respond to intrusions.

"In cyberspace, the more attack signatures you can see, and the more intrusions you can trace, the better your defense will be," he explained. "In this way, the Cold War construct of shared warning has applications to cyberspace today. Just as our air and space defenses are linked with those of our allies to provide warning of airborne and missile attacks, so too can we cooperatively monitor our computer networks for cyber intrusions."

The Defense Department has worked with NATO nations and other partners to strengthen cyber engagements, Lynn said. "For the Department of Defense,"
he added, "the international strategy provides a framework for our contribution to an effort that has many facets, from Internet freedom and e-commerce to cybercrime law enforcement and international norms of behavior.

"Ultimately," he continued, "this strategy will help us build a coalition of nations whose mutual interest in securing cyberspace will ensure the benefits we derive from it flow uninterrupted."

A consensus for action on cybersecurity is emerging in Europe, Lynn said. "NATO is unanimous in acknowledging the need to elevate its treatment of network security," he said. "The new strategic concept names cybersecurity as a leading priority for NATO in the 21st century."

In addition, he said, NATO made a high-level commitment to cybersecurity when the heads of state and government of its member nations met in Lisbon, Portugal, last year. As a result, Lynn said, NATO has undertaken efforts to better defend its networks.

"The commitment to take NATO's Cyber Incident Response Center to full operating capability by 2012 is a significant step in the right direction," he said, adding that the alliance's defense ministers approved final cyber security policy guidance when they met last week.

The European Union also is moving rapidly to address cybersecurity, Lynn said, noting that he has conferred with EU's high representative, and Homeland Security Secretary Janet Napolitano has met with EU's home affairs commissioner. "And a joint cyber exercise slated for later this year will help establish how our computer incident response centers can work in partnership with the EU's new cyber security unit," he added.

The third avenue of action is to form public-private partnerships with the operators of critical infrastructure, Lynn told the group. "We need to work with industry to raise the level of network defenses in industrial sectors that are crucial to our economy and to the functioning of our militaries," the deputy secretary said.
"This is, in many ways, the most consequential to the security of our societies."

Cyber threats target much more than military systems, Lynn explained. "Cyber intruders have already probed many U.S. government networks, our electrical grid, and our financial system," he said. "The failure of any one of these could cause massive physical damage and economic disruption."

Protecting critical infrastructure not only is essential to the functioning of daily life, Lynn said, but also is crucial to national security. He noted that in the United States, as in Europe, military bases and installations are part of -- and not separate from -- the civilian infrastructure that supports towns and cities.

"Ninety-nine percent of the electricity the U.S. military uses comes from civilian sources," he said. "Ninety percent of U.S. military voice and Internet communications travel over the same private networks that service homes and offices. We also rely on the nation's transportation system to move military freight, we rely on commercial refineries to provide fuel, and we rely on the financial industry to pay our bills."

Disruptions to any one of these sectors would significantly affect defense operations, and a cyber attack against more than one could be devastating, Lynn said.

"In short, secure military networks will matter little if the power grid goes down or the rest of government stops functioning," he told the audience. "Protecting the networks that undergird critical infrastructure must be part of our national security and homeland defense missions."

Making protection of critical infrastructure part of the defense mission will require a strong partnership with agencies that have jurisdiction over systems critical to military effectiveness, Lynn said. In the United States, he added, the Homeland Security Department has responsibility for protecting the "dot-gov" domain and for leading government efforts to protect critical infrastructure in the "dot-com" domain.
"In the past year, we have signed a memorandum of agreement with the Department of Homeland Security that codifies our commitment to seamlessly coordinating cybersecurity efforts," he said. "We have established a joint planning capability and exchange of personnel in our cyber watch centers, and we are helping Homeland Security deploy advanced defensive technologies on our government networks."

The critical infrastructure upon which the defense establishment depends also extends to the private companies that produce military equipment and weapons, the deputy secretary said. He outlined a program called Defense Industrial Base Cyber Pilot, established last month, in which the Defense Department, in partnership with the Department of Homeland Security, shares classified threat information and the know-how to employ it with participating defense companies or their Internet service providers to help them defend their computer networks from attack or exploitation.

"Without question, developments in cyberspace have redefined the front lines of national security," Lynn said. "Within a few short years, information technology has transitioned from a support function to a strategic element of power in its own right. As a result, future conflicts will unquestionably have a cyber dimension. The doctrine, organizational structure, and resource allocation of our defense ministries must change to reflect this new reality."

But efforts cannot end there, he added, as the challenges in cyberspace are not amenable to narrow solutions.

"No single agency can tackle the required issues," he said. "No one nation can devise or enforce a sustainable solution. And no combination of nations can succeed without partnering with private-sector companies. The range of actions necessary to enhance cybersecurity will require engagement in our defense institutions, across our governments, between our nations, and between the public and private sectors.

"In short,"
Lynn continued, "we must work together, as everyone -- from ordinary citizens, to the owners and operators of critical infrastructure, to our warfighters on the front lines -- has a stake in cybersecurity.

"Like other security challenges that galvanize like-minded nations, cyber threats can be more ably defeated through collective action," he added. "And just as we have for the last 60 years, I am confident that we can act collectively against this threat and make the investments in capability and interoperability necessary for us to prevail."

From rforno at infowarrior.org Fri Jun 17 20:55:31 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jun 2011 21:55:31 -0400
Subject: [Infowarrior] - Spam clogging Amazon's Kindle self-publishing
Message-ID: <7490C21B-D062-49A8-A5E2-FA141FFC98AA@infowarrior.org>

Spam clogging Amazon's Kindle self-publishing
Thu, Jun 16 2011
By Alistair Barr
http://www.reuters.com/article/2011/06/16/us-amazon-kindle-spam-idUSTRE75F68620110616

SAN FRANCISCO (Reuters) - Spam has hit the Kindle, clogging the online bookstore of the top-selling eReader with material that is far from being book worthy and threatening to undermine Amazon.com Inc's publishing foray.

Thousands of digital books, called ebooks, are being published through Amazon's self-publishing system each month. Many are not written in the traditional sense. Instead, they are built using something known as Private Label Rights, or PLR content, which is information that can be bought very cheaply online then reformatted into a digital book.

These ebooks are listed for sale -- often at 99 cents -- alongside more traditional books on Amazon's website, forcing readers to plow through many more titles to find what they want.

Aspiring spammers can even buy a DVD box set called Autopilot Kindle Cash that claims to teach people how to publish 10 to 20 new Kindle books a day without writing a word.
This new phenomenon represents the dark side of an online revolution that's turning the traditional publishing industry on its head by giving authors new ways to access readers directly.

BY THE NUMBERS

In 2010, almost 2.8 million nontraditional books, including ebooks, were published in the United States, while just more than 316,000 traditional books came out. That compares with 1.33 million nontraditional books and 302,000 conventional books in 2009, according to Albert Greco, a publishing-industry expert at Fordham University's business school.

In 2002, fewer than 33,000 nontraditional books were published, while over 215,000 traditional books came out in the United States, Greco noted.

"This is a staggering increase. It's mind boggling," Greco said.

"On the positive side, this is helping an awful lot of people who wrote books and could not get them published in the traditional way through agents," Greco added.

But Greco listed downsides. One problem is that authors must compete for readers with a lot more books -- many of which "probably never should have seen the light of day," he said.

Some of these books appear to be outright copies of other work. Earlier this year, Shayne Parkinson, a New Zealander who writes historical novels, discovered her debut "Sentence of Marriage" was on sale on Amazon under another author's name. The issue was initially spotted and then resolved by customers through Amazon's British online forum.

"How did I feel? Shocked and somewhat incredulous, but at the same time, because of the way I found out, very grateful that someone had taken the trouble to let me know," Parkinson said.

For Amazon, the wave of ebook spam crashing over the Kindle could undermine its push into self-publishing and tarnish the brand of the best-selling Kindle eReader, which is set to account for some 10 percent of the company's 2012 revenue, according to Barclays Capital estimates.
"It's getting to be a more widespread problem," said Susan Daffron, president of Logical Expressions, a book and software publishing company. "Once a few spammers find a new outlet like this, hordes of them follow."

Amazon pays authors 70 percent to 35 percent of revenue for ebooks, depending on the price. That gives spammers a financial incentive to focus on this new outlet.

"Amazon will definitely have to do more quality control, unless they want the integrity of their products to drop," she added.

"Amazon will work hard to snuff this out as it undermines many of its advantages in the space," said James McQuivey, an eReader analyst at Forrester Research.

Amazon is curating submissions to its new Kindle Singles business, which offers short stories, long-form journalism and opinion pieces, "after seeing how quickly the self-published side degenerated," McQuivey noted.

"Undifferentiated or barely differentiated versions of the same book don't improve the customer experience," Amazon spokeswoman Sarah Gelman wrote in a June 14 email to Reuters. "We have processes to detect and remove undifferentiated versions of books with the goal of eliminating such content from our store." She did not respond further.

DO-IT-YOURSELF SPAM

Kindle spam has been growing fast in the last six months because several online courses and, ironically, ebooks have been released that teach people how to create a Kindle book per day, according to Paul Wolfe, an Internet marketing specialist.

One tactic involves copying an ebook that has started selling well and republishing it with new titles and covers to appeal to a slightly different demographic, Wolfe explained.

Spam has yet to flood the online bookstore of the Nook, a rival eReader sold by Barnes & Noble Inc. The company may be managing ebook submissions more aggressively than Amazon, but it might just be that the Kindle's huge audience is more attractive to spammers, Forrester's McQuivey said.
Barnes & Noble did not respond to requests for a comment.

Smashwords, an ebook publisher and distributor, has also struggled with spam, but not to the same degree as Amazon's Kindle, according to founder Mark Coker.

Smashwords, which competes with Amazon, manually checks the formatting and other basic characteristics of the submissions it receives, before publishing. Obvious signs of spam include poorly designed covers, the lack of an author's name on the cover and bad formatting, Coker explained.

Smashwords pays authors quarterly, while Amazon pays monthly, Coker added. The longer payment period means Smashwords has more time to track down spammers and close accounts before money changes hands, he said.

Amazon does not offer many free ebooks, while Smashwords does. So there is more of an incentive to publish lots of books via the Kindle, according to Coker.

Coker said his company has found five or six instances when free ebooks published on Smashwords were copied and republished on Amazon's Kindle store for at least 99 cents each.

Forrester's McQuivey said Amazon will have to craft a social-network solution to the problem. If the company can let readers see book recommendations from people they know, or people whose reviews they liked in the past, that would help them track down the content they want and avoid misleading recommendations, he explained.

Daffron of Logical Expressions said Amazon should charge for uploads to the Kindle publishing system because that would remove a lot of the financial incentive for spammers.

"This is why email spam has become such a problem -- it costs nothing," she said. "If people can put out 12 versions of a single book under different titles and authors, and at different prices, even if they sell just one or two books, they can make money. They win and the loser is Amazon."
(Reporting by Alistair Barr, editing by Maureen Bavdek)

From rforno at infowarrior.org Sat Jun 18 18:06:00 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 18 Jun 2011 19:06:00 -0400
Subject: [Infowarrior] - Weather Satellites Lose Funding
Message-ID:

Blind Eye In The Sky: Weather Satellites Lose Funding
by Jon Hamilton
http://www.npr.org/2011/06/17/137251742/blind-eye-in-the-sky-weather-satellites-lose-funding

Government officials are forecasting a turbulent future for the nation's weather satellite program. Federal budget cuts are threatening to leave the U.S. without some critical satellites, the officials say, and that could mean less accurate warnings about events like tornadoes and blizzards.

In particular, officials at the National Oceanic and Atmospheric Administration are concerned about satellites that orbit over the earth's poles rather than remaining over a fixed spot along the equator.

These satellites are "the backbone" of any forecast beyond a couple of days, says Kathryn Sullivan, assistant secretary of commerce for environmental observation and prediction, and NOAA's deputy administrator.

It was data from polar satellites that alerted forecasters to the risk of tornadoes in Alabama and Mississippi back in April, Sullivan says. "With the polar satellites currently in place we were able to give those communities five days' heads up," she says.

But that level of precision could diminish in the next few years, Sullivan says. One important NOAA satellite in a polar orbit will reach the end of its expected life around 2016. And its replacement has been delayed by a continuing resolution passed by Congress that limits the agency's ability to pursue its new Joint Polar Satellite System.

Sullivan says that means there could be more than a year when the nation is lacking a crucial eye in the sky.
"If we go blind, if there actually is a gap between the last satellite and this, it certainly will erode the reliability and accuracy of our forecasts," she says.

To find out how bad the problem might be, the National Weather Service re-examined one of its great forecasting successes: the 2010 blizzard known as "Snowmageddon."

[Photo caption: Satellites that orbit over the North and South poles helped predict the amount of snowfall that hit the Eastern U.S. in the February 2010 blizzard known as "Snowmageddon." Without that data, the director of the National Weather Service says, forecasters would have underestimated the snowfall by 50 percent. Budget cuts are threatening the satellite program.]

The agency wanted to know what would happen if a similar blizzard arrived several years from now, when several satellites are likely to be out of commission, says National Weather Service Director Jack Hayes.

"We were quite surprised at the finding that we would underestimate the amount of snowfall the Eastern Seaboard had, specifically in the Washington, D.C., area, by a factor of 2," Hayes says. In other words, areas where forecasts called for 15 inches would actually get 30 inches.

Budget problems aren't the only reason NOAA's next polar satellite is behind schedule. A previous version of the program was scrapped, and NOAA has had trouble getting some of the new satellite's cutting-edge technology finished on time. But Hayes says this sort of technology is precisely what's made forecasting more accurate with each new generation of satellites.

NASA officials are also concerned about the next generation of weather satellites. The agency will play an important role in building them and also supplements data from NOAA weather satellites with data from its own research satellites.

"It used to be that weather was just something that happened," says Michael Freilich, who directs the earth science division at NASA.
Now, he says, people and businesses make specific plans based on what forecasters say. "When they say that it's going to be hot and sunny, companies make economic decisions," he says.

For example, he says, utilities decide how much electricity they need to produce, airlines decide whether to cancel flights, schools decide whether to close, and insurance companies anticipate damage claims from things like hurricanes and hailstorms.

Other nations also fly polar satellites, and that can help fill the gap when U.S. units fail, officials say. But it's not enough, they say.

"The United States, by virtue of our size, the mountains, the oceans on three sides, we have the widest array and greatest frequency of weather phenomena and severe weather phenomena of any country on the planet," Sullivan says.

Some tweaks to NOAA's current budget could minimize delays to the polar satellite program, she says. Whether the agency is allowed to do that is up to Congress, which will also decide what happens to spending on polar satellites next year.

From rforno at infowarrior.org Sat Jun 18 18:07:30 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 18 Jun 2011 19:07:30 -0400
Subject: [Infowarrior] - Computer Failure Delays United Flights Nationwide
Message-ID:

June 17, 2011
Computer Failure Delays United Flights Nationwide
By ANAHAD O'CONNOR
http://www.nytimes.com/2011/06/18/us/18united.html?_r=1&pagewanted=print

Passengers were stranded at airports across the country Friday night after a failure in United Airlines' computer system, the airline said.

The disruption set off widespread delays at airports in San Francisco, Chicago and Washington, with many passengers left sitting in terminals or stuck on planes that were grounded.

United said in a statement that the problems began at 8:15 p.m. New York time, when the computer failure knocked out its flight departures, airport processing and reservations systems.
The statement did not address the nationwide delays, and a spokesman did not return a phone call seeking comment.

It was not clear what had set off the computer failure, but United said in its statement that it had a technology team in place that was struggling to restore the system.

"We apologize for the disruption being caused to travelers at affected airports, and we are seeking to resume operations as quickly as possible," the airline said.

Just before 2:00 a.m. New York time, United updated its Twitter feed to say it had started to resolve the problem. "Our systems are up. We are in the process of resuming ops for UA," the Twitter message said.

Passengers at San Francisco International Airport reported a chaotic scene at the United terminal, while others waiting for flights at various airports around the country took to Twitter as they sat in limbo.

"Sitting on the plane in Chicago wanting to go home so badly but the whole computer system at United Airlines has shut down," wrote @RonRhoads. "Delayed!"

Another stranded passenger, @mettlinger, posted from Dulles International Airport, or IAD: "Latest announcement at IAD: 'Every computer system United Airlines has is down ... Our computers are paperweights.'"

From rforno at infowarrior.org Sun Jun 19 20:34:49 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Jun 2011 21:34:49 -0400
Subject: [Infowarrior] - Backward at the F.B.I.
Message-ID: <6946515C-8143-43D5-B3BE-C6943365D4F6@infowarrior.org>

Editorial
Backward at the F.B.I.
Published: June 18, 2011
http://www.nytimes.com/2011/06/19/opinion/19sun1.html

The Obama administration has long been bumbling along in the footsteps of its predecessor when it comes to sacrificing Americans' basic rights and liberties under the false flag of fighting terrorism. Now the Obama team seems ready to lurch even farther down that dismal road than George W. Bush did.

Instead of tightening the relaxed rules for F.B.I. investigations --
not just of terrorism suspects but of pretty much anyone -- that were put in place in the Bush years, President Obama's Justice Department is getting ready to push the proper bounds of privacy even further.

Attorney General John Ashcroft began weakening rights protections after 9/11. Three years ago, his successor, Michael Mukasey, issued rules changes that permit agents of the Federal Bureau of Investigation to use highly intrusive methods -- including lengthy physical surveillance and covert infiltration of lawful groups -- even when there is no firm basis for suspecting any wrongdoing. The Mukasey guidelines let the bureau go after people identified in part by race or religion, which only raises the danger of government spying on law-abiding Americans based on their political activity or ethnic background.

Incredibly, the Obama administration thinks Mr. Mukasey did not go far enough. Charlie Savage reported in The Times last week that the F.B.I. plans to issue a new edition of its operational manual that will give agents significant new powers to search law enforcement and private databases, go through household trash or deploy surveillance teams, with even fewer checks against abuse.

Take, for example, the lowest category of investigations, called an "assessment." The category was created as part of Mr. Mukasey's revisions to allow agents to look into people and groups "proactively" where there is no evidence tying them to possible criminal or terrorist activity.

Under the new rules, agents will be allowed to search databases without making a record about it. Once an assessment has started, agents will be permitted to conduct lie detector tests and search people's trash as part of evaluating a potential informant. No factual basis for suspecting them of wrongdoing will be necessary.

The F.B.I.
general counsel, Valerie Caproni, said agents want to be able to use the information found in a subject's trash to pressure that person to assist in a government investigation. Um, well, yes, that is the problem. It only heightens concern about privacy, improper squeezing of individuals, and the adequacy of supervision.

Currently, surveillance squads, which are trained to surreptitiously follow targets, may be used only once during an assessment. The new rules will allow repeated use. They also expand the special rules covering "undisclosed participation" in an organization by an F.B.I. agent or informant. The current rules are not public, and, as things stand, they still won't be. But we do know the changes allow an agent or informant to surreptitiously attend up to five meetings of a group before the rules for undisclosed participation -- whatever they are -- kick in.

The changes also remove the requirement of extra supervision when public officials, members of the news media or academic scholars are investigated for activities unrelated to their positions, like drug cases. That may sound like a reasonable distinction, but it ignores an inflated potential for politically motivated decision-making.

The F.B.I.'s recent history includes the abuse of national security letters to gather information about law-abiding citizens without court orders, and inappropriate investigations of antiwar and environmental activists. That is hardly a foundation for further loosening the rules for conducting investigations or watering down internal record-keeping and oversight.

Everyone wants to keep America safe. But under President Bush and now under President Obama, these changes have occurred without any real discussion about whether the supposed added security is worth the harm to civil liberties. The White House cares so little about providing meaningful oversight that Mr.
Obama has yet to nominate a successor for Glenn Fine, the diligent Justice Department inspector general who left in January.

Finally, Congress is showing some small sign of interest. Senator Jon Tester, Democrat of Montana, has written to Robert Mueller III, the F.B.I. director, asking that the new policies be scuttled. On Friday afternoon, Senators Patrick Leahy of Vermont and Charles Grassley of Iowa, the chairman and the ranking Republican member of the Judiciary Committee, called on Mr. Mueller to provide an opportunity to review the changes before they are carried out, and to release a public version of the final manual on the F.B.I.'s Web site. Mr. Obama and Attorney General Eric Holder Jr. need to listen.

From rforno at infowarrior.org Mon Jun 20 06:36:34 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Jun 2011 07:36:34 -0400
Subject: [Infowarrior] - ICANN votes to pollute the Internet
Message-ID: <098DDD26-8D47-4AFA-A04A-C973A11193CD@infowarrior.org>

(IMHO this will only serve to enrich ICANN and the registrars seeking to capitalise on the 'gold rush' of folks scrambling to 'protect their brands' on the Net. For shame, ICANN. -- rick)

June 19, 2011 11:13 PM PDT
ICANN approves expansion of top-level domains
by Steven Musil
http://news.cnet.com/8301-1023_3-20072478-93/icann-approves-expansion-of-top-level-domains/

The Internet's primary governing body today approved the expansion of new top-level domains--one of the most dramatic changes in the Internet's history.

During a special meeting in Singapore, the Internet Corporation for Assigned Names and Numbers (ICANN) voted to dramatically increase the number of domain endings from the current 22, which includes the well-established .com, .net, and .org. The move will allow domains to end in almost any word, allowing companies to turn their brands into Internet extensions.
"ICANN has opened the Internet's naming system to unleash the global human imagination," Rod Beckstrom, president and chief executive officer of ICANN, said in a statement. "Today's decision respects the rights of groups to create new Top Level Domains in any language or script. We hope this allows the domain name system to better serve all of mankind."

Peter Dengate Thrush, chairman of ICANN's board of directors, said the "decision will usher in a new Internet age. We have provided a platform for the next generation of creativity and inspiration."

ICANN said it would soon begin a global campaign to educate people about the changes and opportunities they afford. Applications for new generic top-level domains will be accepted from January 12, 2012, to April 12, 2012, and the estimated evaluation fee is $185,000. Hundreds of applications for these suffixes are expected, including .car, .love, .movie, .web, and .gay.

The battle over new top-level domains has been long and often contentious. Earlier this year, a rift developed between national governments and the nonprofit organization over how much influence government officials, and to a lesser extent trademark owners, will enjoy over the process of creating new domain suffixes. Also, a U.S. proposal that would have given it and other governments the power to veto future top-level domain names failed to win approval. A group of nations rejected the proposal, concluding instead that governments can offer nonbinding "advice" about controversial suffixes but would not receive actual veto power.

[Photo caption: Proposed domain suffixes like .gay are likely to prove contentious among more conservative nations.]

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
From rforno at infowarrior.org Mon Jun 20 07:16:03 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 20 Jun 2011 08:16:03 -0400 Subject: [Infowarrior] - War Evolves With Drones, Some Tiny as Bugs Message-ID: War Evolves With Drones, Some Tiny as Bugs By ELISABETH BUMILLER and THOM SHANKER https://www.nytimes.com/2011/06/20/world/20drones.html WRIGHT-PATTERSON AIR FORCE BASE, Ohio -- Two miles from the cow pasture where the Wright Brothers learned to fly the first airplanes, military researchers are at work on another revolution in the air: shrinking unmanned drones, the kind that fire missiles into Pakistan and spy on insurgents in Afghanistan, to the size of insects and birds. The base's indoor flight lab is called the "microaviary," and for good reason. The drones in development here are designed to replicate the flight mechanics of moths, hawks and other inhabitants of the natural world. "We're looking at how you hide in plain sight," said Greg Parker, an aerospace engineer, as he held up a prototype of a mechanical hawk that in the future might carry out espionage or kill. Half a world away in Afghanistan, Marines marvel at one of the new blimplike spy balloons that float from a tether 15,000 feet above one of the bloodiest outposts of the war, Sangin in Helmand Province. The balloon, called an aerostat, can transmit live video -- from as far as 20 miles away -- of insurgents planting homemade bombs. "It's been a game-changer for me," Capt. Nickoli Johnson said in Sangin this spring. "I want a bunch more put in." From blimps to bugs, an explosion in aerial drones is transforming the way America fights and thinks about its wars. Predator drones, the Cessna-sized workhorses that have dominated unmanned flight since the Sept. 11, 2001, attacks, are by now a brand name, known and feared around the world.
But far less widely known are the sheer size, variety and audaciousness of a rapidly expanding drone universe, along with the dilemmas that come with it. The Pentagon now has some 7,000 aerial drones, compared with fewer than 50 a decade ago. Within the next decade the Air Force anticipates a decrease in manned aircraft but expects its number of "multirole" aerial drones like the Reaper -- the ones that spy as well as strike -- to nearly quadruple, to 536. Already the Air Force is training more remote pilots, 350 this year alone, than fighter and bomber pilots combined. "It's a growth market," said Ashton B. Carter, the Pentagon's chief weapons buyer. The Pentagon has asked Congress for nearly $5 billion for drones next year, and by 2030 envisions ever more stuff of science fiction: "spy flies" equipped with sensors and microcameras to detect enemies, nuclear weapons or victims in rubble. Peter W. Singer, a scholar at the Brookings Institution and the author of "Wired for War," a book about military robotics, calls them "bugs with bugs." In recent months drones have been more crucial than ever in fighting wars and terrorism. The Central Intelligence Agency spied on Osama bin Laden's compound in Pakistan by video transmitted from a new bat-winged stealth drone, the RQ-170 Sentinel, otherwise known as the "Beast of Kandahar," named after it was first spotted on a runway in Afghanistan. One of Pakistan's most wanted militants, Ilyas Kashmiri, was reported dead this month in a C.I.A. drone strike, part of an aggressive drone campaign that administration officials say has helped paralyze Al Qaeda in the region -- and has become a possible rationale for an accelerated withdrawal of American forces from Afghanistan. More than 1,900 insurgents in Pakistan's tribal areas have been killed by American drones since 2006, according to the Web site www.longwarjournal.com. In April the United States began using armed Predator drones against Col. Muammar el-Qaddafi's forces in Libya.
Last month a C.I.A.-armed Predator aimed a missile at Anwar al-Awlaki, the radical American-born cleric believed to be hiding in Yemen. The Predator missed, but American drones continue to patrol Yemen's skies. Large or small, drones raise questions about the growing disconnect between the American public and its wars. Military ethicists concede that drones can turn war into a video game, inflict civilian casualties and, with no Americans directly at risk, more easily draw the United States into conflicts. Drones have also created a crisis of information for analysts on the end of a daily video deluge. Not least, the Federal Aviation Administration has qualms about expanding their test flights at home, as the Pentagon would like. Last summer, fighter jets were almost scrambled after a rogue Fire Scout drone, the size of a small helicopter, wandered into Washington's restricted airspace. Within the military, no one disputes that drones save American lives. Many see them as advanced versions of "stand-off weapons systems," like tanks or bombs dropped from aircraft, that the United States has used for decades. "There's a kind of nostalgia for the way wars used to be," said Deane-Peter Baker, an ethics professor at the United States Naval Academy, referring to noble notions of knight-on-knight conflict. Drones are part of a post-heroic age, he said, and in his view it is not always a problem if they lower the threshold for war. "It is a bad thing if we didn't have a just cause in the first place," Mr. Baker said. "But if we did have a just cause, we should celebrate anything that allows us to pursue that just cause." To Mr. Singer of Brookings, the debate over drones is like debating the merits of computers in 1979: They are here to stay, and the boom has barely begun. "We are at the Wright Brothers Flier stage of this," he said.
Mimicking Insect Flight A tiny helicopter is buzzing menacingly as it prepares to lift off in the Wright-Patterson aviary, a warehouse-like room lined with 60 motion-capture cameras to track the little drone's every move. The helicopter, a footlong hobbyists' model, has been programmed by a computer to fly itself. Soon it is up in the air making purposeful figure eights. "What it's doing out here is nothing special," said Dr. Parker, the aerospace engineer. The researchers are using the helicopter to test technology that would make it possible for a computer to fly, say, a drone that looks like a dragonfly. "To have a computer do it 100 percent of the time, and to do it with winds, and to do it when it doesn't really know where the vehicle is, those are the kinds of technologies that we're trying to develop," Dr. Parker said. The push right now is developing "flapping wing" technology, or recreating the physics of natural flight, but with a focus on insects rather than birds. Birds have complex muscles that move their wings, making it difficult to copy their aerodynamics. Designing insects is hard, too, but their wing motions are simpler. "It's a lot easier problem," Dr. Parker said. In February, researchers unveiled a hummingbird drone, built by the firm AeroVironment for the secretive Defense Advanced Research Projects Agency, which can fly at 11 miles per hour and perch on a windowsill. But it is still a prototype. One of the smallest drones in use on the battlefield is the three-foot-long Raven, which troops in Afghanistan toss by hand like a model airplane to peer over the next hill. There are some 4,800 Ravens in operation in the Army, although plenty get lost. One American service member in Germany recalled how five soldiers and officers spent six hours tramping through a dark Bavarian forest -- and then sent a helicopter -- on a fruitless search for a Raven that failed to return home from a training exercise.
The next month a Raven went AWOL again, this time because of a programming error that sent it south. "The initial call I got was that the Raven was going to Africa," said the service member, who asked for anonymity because he was not authorized to discuss drone glitches. In the midsize range: The Predator, the larger Reaper and the smaller Shadow, all flown by remote pilots using joysticks and computer screens, many from military bases in the United States. A Navy entry is the X-47B, a prototype designed to take off and land from aircraft carriers automatically and, when commanded, drop bombs. The X-47B had a maiden 29-minute flight over land in February. A larger drone is the Global Hawk, which is used for keeping an eye on North Korea's nuclear weapons activities. In March, the Pentagon sent a Global Hawk over the stricken Fukushima Daiichi nuclear plant in Japan to assess the damage. A Tsunami of Data The future world of drones is here inside the Air Force headquarters at Joint Base Langley-Eustis, Va., where hundreds of flat-screen TVs hang from industrial metal skeletons in a cavernous room, a scene vaguely reminiscent of a rave club. In fact, this is one of the most sensitive installations for processing, exploiting and disseminating a tsunami of information from a global network of flying sensors. The numbers are overwhelming: Since the Sept. 11 attacks, the hours the Air Force devotes to flying missions for intelligence, surveillance and reconnaissance have gone up 3,100 percent, most of that from increased operations of drones. Every day, the Air Force must process almost 1,500 hours of full-motion video and another 1,500 still images, much of it from Predators and Reapers on around-the-clock combat air patrols. The pressures on humans will only increase as the military moves from the limited "soda straw" views of today's sensors to new "Gorgon Stare" technology that can capture live video of an entire city --
but that requires 2,000 analysts to process the data feeds from a single drone, compared with 19 analysts per drone today. At Wright-Patterson, Maj. Michael L. Anderson, a doctoral student at the base's advanced navigation technology center, is focused on another part of the future: building wings for a drone that might replicate the flight of the hawk moth, known for its hovering skills. "It's impressive what they can do," Major Anderson said, "compared to what our clumsy aircraft can do." From rforno at infowarrior.org Mon Jun 20 15:08:38 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 20 Jun 2011 16:08:38 -0400 Subject: [Infowarrior] - Quantum crypto felled by 'Perfect Eavesdropper' exploit Message-ID: Quantum crypto felled by 'Perfect Eavesdropper' exploit http://www.theregister.co.uk/2011/06/20/quantum_crypto_hack/ By Dan Goodin in San Francisco Posted in ID, 20th June 2011 19:14 GMT Researchers have devised a technique for eavesdropping on communications secured through quantum cryptography that allows an attacker to surreptitiously construct the secret key encrypting the secret content. The so-called Perfect Eavesdropper uses off-the-shelf hardware to defeat a key benefit of the alternative crypto system, namely that the use of properties rooted in quantum physics offers a theoretically fool-proof way for parties to exchange the secret key securing their communications without being intercepted. QKD, or quantum key distribution, allows a trusted party to construct a key by transmitting light to the other trusted party one photon at a time and then measuring their properties. In theory, anyone monitoring the transmissions passing between the two parties will automatically be detected because in the world of quantum mechanics the act of eavesdropping taints the key in ways that are clear to the trusted parties.
The researchers, from the National University of Singapore, the Norwegian University of Science and Technology, and the University Graduate Center in Norway, were able to compromise the QKD by making the key exchange behave in a classical way. Using readily available equipment that fits inside a suitcase, they intercepted single photons traveling over a 290-meter fiber link network and then re-emitted the corresponding pulses of light. The re-emitted pulses in effect blinded the photodiodes used by the trusted party receiving the transmission of photons. As a result, the photodiodes were no longer sensitive to single photons, making them behave like classical detectors that generate a current proportional to the intensity of the incoming light. "Quantum key distribution has matured into a true competitor to classical key distribution," Christian Kurtsiefer, a professor at the Center for Quantum Technologies at the National University of Singapore, said in a release. "This attack highlights where we need to pay attention to ensure the security of this technology." One of the biggest challenges faced by cryptographers throughout history is finding a secure way for trusted parties to share their secret key. Public key cryptography solved this problem by using a public key to encrypt communications and a separate private key that's unique to each recipient to decrypt the content. As a result, the key never has to be transmitted. Quantum cryptography takes a different approach by allowing one party to securely transmit the key to another party using principles at the heart of quantum mechanics. The findings are similar to those published last year by researchers from the University of Toronto, who claimed to carry out the first successful attack against a commercial system based on theoretically uncrackable quantum cryptography.
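To make concrete why QKD's usual eavesdropping check (the error rate on the sifted key, or QBER) catches an ordinary intercept-and-resend eavesdropper but says nothing when the receiver's detectors have been pushed into the classical regime the article describes, here is an added toy simulation of BB84 (not the researchers' code, and not a model of any real hardware). The "blinded" mode assumes only what the article states: the detector no longer responds to single photons and reports the bit carried by the bright re-emitted pulse when its basis matches, and nothing otherwise.

```python
import random

BASES = ("+", "x")  # BB84 rectilinear and diagonal bases


def measure(bit, prep_basis, meas_basis, rng):
    """Single-photon measurement: the right basis returns the encoded bit,
    the wrong basis returns a random outcome (quantum uncertainty)."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84(n, rng, attack=None):
    """Simulate n single-photon transmissions from Alice to Bob and sift the
    key over the public basis announcement.

    attack=None        : no eavesdropper.
    attack="intercept" : Eve measures each photon in a random basis and
                         re-emits a single photon carrying her result.
    attack="blinded"   : Eve measures as above but re-emits a bright pulse;
                         Bob's blinded detector (assumed model) registers
                         Eve's bit only when his basis matches Eve's and
                         registers nothing otherwise.
    Returns (alice_sifted, bob_sifted, eve_sifted) as lists of bits; the
    Eve list holds None entries when there is no eavesdropper.
    """
    alice_sifted, bob_sifted, eve_sifted = [], [], []
    for _ in range(n):
        bit = rng.randrange(2)
        a_basis = rng.choice(BASES)
        b_basis = rng.choice(BASES)
        eve_bit = None
        if attack is None:
            outcome = measure(bit, a_basis, b_basis, rng)
        else:
            e_basis = rng.choice(BASES)
            eve_bit = measure(bit, a_basis, e_basis, rng)
            if attack == "intercept":
                outcome = measure(eve_bit, e_basis, b_basis, rng)
            elif attack == "blinded":
                outcome = eve_bit if b_basis == e_basis else None
            else:
                raise ValueError(f"unknown attack mode: {attack}")
        # Sifting: keep rounds where Bob detected something and the bases,
        # announced publicly afterwards, agree.
        if outcome is not None and a_basis == b_basis:
            alice_sifted.append(bit)
            bob_sifted.append(outcome)
            eve_sifted.append(eve_bit)
    return alice_sifted, bob_sifted, eve_sifted


def qber(alice_key, bob_key):
    """Quantum bit error rate: fraction of sifted positions where Alice and
    Bob disagree. This is the statistic QKD's eavesdropping check relies on."""
    if not alice_key:
        return 0.0
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)


def run_scenario(attack, n=20000, seed=1):
    """Return the QBER Alice and Bob would observe and the fraction of the
    sifted key Eve actually knows, for one attack mode."""
    rng = random.Random(seed)
    alice, bob, eve = bb84(n, rng, attack)
    eve_correct = 0.0
    if attack is not None and alice:
        eve_correct = sum(e == a for e, a in zip(eve, alice)) / len(alice)
    return {"sifted_bits": len(alice), "qber": qber(alice, bob),
            "eve_correct": eve_correct}


if __name__ == "__main__":
    for mode in (None, "intercept", "blinded"):
        print(mode or "no attack", run_scenario(mode))
```

With the intercept mode the QBER lands near 25 percent and the exchange is aborted; with the blinded mode the QBER is zero while Eve holds every sifted bit, which is why the countermeasures the article mentions have to look at detector behaviour rather than at the key-error statistic alone.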
The researchers behind the more recent Perfect Eavesdropper said it's the first practical exploit that surreptitiously steals a key during a typical QKD setup. The researchers have already identified the loopholes that allow the Perfect Eavesdropper to function and are working on countermeasures. The findings were reported in the most recent issue of Nature Communications (abstract here). More from Physics World and Forbes is here and here. From rforno at infowarrior.org Mon Jun 20 17:33:08 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 20 Jun 2011 18:33:08 -0400 Subject: [Infowarrior] - Judge Rules Reposting Entire Article Is Fair Use Message-ID: <29D084EC-017C-4B8C-A80F-F1D419BC1C43@infowarrior.org> Righthaven Loss: Judge Rules Reposting Entire Article Is Fair Use By David Kravets, June 20, 2011, 4:54 pm. Categories: The Courts, intellectual property http://www.wired.com/threatlevel/2011/06/fair-use-defense/ A federal judge ruled Monday that publishing an entire article without the rights holder's authorization was a fair use of the work, in yet another blow to newspaper copyright troll Righthaven. It's not often that republishing an entire work without permission is deemed fair use. Fair use is an infringement defense when the defendant reproduced a copyrighted work for purposes such as criticism, commentary, teaching and research. The defense is analyzed on a case-by-case basis. Monday's ruling dismissed a lawsuit brought by Righthaven, a Las Vegas-based copyright litigation factory jointly owned with newspaper publisher Stephens Media. The venture's litigation tactics and ethics are being questioned by several judges and attorneys, a factor that also weighed in on U.S. District Judge Philip Pro's decision Monday. Righthaven has sued more than 200 websites, bloggers and commenters for copyright infringement. More than 100 have settled out of court.
The lawsuit decided Monday targeted Wayne Hoehn, a Vietnam veteran who posted all 19 paragraphs of a November editorial from the Las Vegas Review-Journal, which is owned by Stephens Media. Hoehn posted the article, and its headline, "Public Employee Pensions: We Can't Afford Them" on medjacksports.com to prompt discussion about the financial affairs of the nation's states. Hoehn was a user of the site, not an employee. Righthaven sought up to $150,000, the maximum in damages allowed under the Copyright Act. Righthaven argued that the November posting reduced the number of eyeballs that would have visited the Review-Journal site to read the editorial. "Righthaven did not present any evidence that the market for the work was harmed by Hoehn's noncommercial use for the 40 days it appeared on the website. Accordingly, there is no genuine issue of material fact that Hoehn's use of the work was fair and summary judgment is appropriate," Judge Pro ruled. The judge also said he took into consideration that only five of the editorial's paragraphs were "purely creative opinions" of the author. "While the work does have some creative or editorial elements, these elements are not enough to consider the work a purely 'creative work' in the realm of fictional stories, song lyrics, or Barbie dolls," he wrote. "Accordingly, the work is not within 'the core of intended copyright protection.'" Judge Pro, in his fair-use analysis, also found that the posting was for noncommercial purposes, and was part of an "online discussion." That said, Pro did not need to decide the fair-use question. That's because he also found that Righthaven did not have legal standing to bring the lawsuit, a hot-button topic in the Righthaven litigation. Pro's decision came a week after a different Las Vegas federal judge threatened to sanction Righthaven, calling its litigation efforts "disingenuous, if not outright deceitful" when it came to standing.
Standing is a legal concept that has enabled Righthaven to bring lawsuits on behalf of the copyrights owned by Stephens Media. That blistering decision by U.S. District Judge Roger Hunt, the chief judge in Nevada, places into doubt Righthaven's year-old business model, which is also under a Colorado federal judge's microscope. Hunt gave Righthaven two weeks to explain why he should not sanction it for trying to "manufacture standing." Judge Hunt suggested Righthaven never had standing in any of its cases because Righthaven and Stephens Media had agreed to share the proceeds of any damages awards or settlements, yet Stephens Media kept ownership of the copyright. Righthaven must own the copyright to sue on its behalf, Hunt ruled in a decision echoed by Judge Pro on Monday. What's more, in each of the 200-plus cases Righthaven brought on behalf of Las Vegas Review-Journal articles, Righthaven never disclosed, as required, that Stephens Media had a "pecuniary interest" in the outcome, Hunt wrote. Many bloggers who settled are mulling their legal options. Illustration: Electronic Frontier Foundation From rforno at infowarrior.org Tue Jun 21 06:54:15 2011 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 21 Jun 2011 07:54:15 -0400 Subject: [Infowarrior] - Warning to Social Media Users Message-ID: (If you didn't already know what you post can be used against you, that is. -- rick) Now Your Embarrassing/Job-Threatening Facebook Photos Could Haunt You For Seven Years Jun. 20 2011 - 12:07 pm | 38,437 views | 2 recommendations | 12 comments http://blogs.forbes.com/kashmirhill/2011/06/20/now-your-embarrassingjob-threatening-facebook-photos-will-haunt-you-for-seven-years/ Last week, the Federal Trade Commission gave a stamp of approval to a background check company that screens job applicants based on their Internet photos and postings. The FTC determined that Social Intelligence Corp. was in compliance with the Fair Credit Reporting Act.
This means a search of what you've said or posted to Facebook/Twitter/Flickr/blogs and the Internet in general may become a standard part of background checks when you apply for a job. No big deal, right? You already knew that employers were Googling you. I argued this was actually better, because Social Intelligence has to make sure its clients inform job applicants if they took adverse action based on something found on the Internet. That way you can delete and change privacy settings accordingly. But there's a wrinkle. Social Intelligence offers its services to employers en masse and builds files on people. If something job-threatening pops up on Facebook or Flickr or Craigslist in a search of you, you can't just erase it so that future employers don't come across it. Social Intelligence puts it into your file -- and it stays there for seven years. Update (6:47 p.m.) -- Social Intelligence has an important clarification: COO Geoffrey Andrews sent me a statement via email this evening explaining that negative findings are kept on file but are not reused when a new employer runs a check on you: While we store information for up to seven years we do not "reuse" that information for new reports. Per our policies and obligations under the Fair Credit Reporting Act, we run new reports on applicants on each new search to ensure the most accurate and up-to-date information is utilized, and we store the information to maintain a verifiable chain-of-custody in case the information is ever needed for legal reasons. We are not however building a "database" on individuals that will be evaluated each time they apply for a job and potentially could be used adversely even if they have cleaned up their profiles.
Social Intelligence had sent me some of the reports they've provided to employers so far, including a job applicant who had a photo on a social networking site that featured multiple guns and a sword, and another who was designated racist for joining the Facebook group, "I shouldn't have to press 1 for English. We are in the United States. Learn the language." Social Intelligence's "negative" findings will stay in the files of Workplace-Shooting-Waiting-To-Happen and No-Hablo-Espanol for seven years per the requirements of FCRA, though new employers who run searches through Social Intelligence won't have access to the materials if they are completely removed from the Internet. (That last sentence has been rewritten since the original post per an update from the company. The service actually seems less useful now, though more respectful of the rights of job applicants.) "We store records for up to 7 years as long as those records haven't been disputed," says Social Intelligence COO Geoffrey Andrews by email. "If a record is disputed and changed then we delete the disputed record and store the new record when appropriate." The company limits its searches to what's publicly available, mining data from, in Andrews's words, "social networking websites (i.e., Facebook and others), professional networking websites (i.e., Linked In and others), blogs, wikis, video and picture sharing websites, etc." And a job applicant must acknowledge and approve the use of a social media background screen, just as they would a criminal and credit background check. You should always be wary of posting job-threatening content on the Internet. It's hard to erase something once it gets out there. But now that there's a company that specializes in capturing this and putting it into a file, it may be even harder to undo the damage wrought by an unwise tweet or Craigslist posting.
Handle your share/tweet/post buttons with care, and perhaps think about tools to protect you from sharing potentially humiliating and unemployment-guaranteeing material. From rforno at infowarrior.org Tue Jun 21 07:00:45 2011 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 21 Jun 2011 08:00:45 -0400 Subject: [Infowarrior] - NYSE Euronext Trading Disrupted 2nd Day in Row Message-ID: <36A690DC-E739-42AB-A952-739F96F6CE13@infowarrior.org> NYSE Euronext Trading Disrupted 2nd Day in Row June 21, 2011 Tom Steinert-Threlkeld http://www.securitiestechnologymonitor.com/news/nyse-euronext-trading-disrupted-second-day-row-28240-1.html NYSE Euronext experienced its second interruption in trading in two days in Europe. Trading in the Amsterdam AEX index and the Brussels Bel-20 index stopped at 7:07 a.m. Greenwich mean time Tuesday, according to Dow Jones Newswires. Trading in certain stocks and bonds in Paris also was suspended. These disruptions followed a one-hour suspension of all trading on European markets run by NYSE Euronext. In that case, an undescribed "technical problem" caused trading to halt between 7 a.m. and 8 a.m. Greenwich mean time. The trading halt in the Amsterdam and Brussels indices was attributed to "some latencies in its cash market." But the exchange operator, whose namesake venue is the New York Stock Exchange, so far has given few details on the causes of either day's interruptions. Monday's suspension was the result of a glitch in the procedure used to open European stock and bond markets, Dow Jones reported. That left exchange members unable to enter, change or cancel orders, employees of the exchange operator told customers in a notice. A spokeswoman for NYSE Euronext said trading in Paris should be back to normal there by 9 a.m. Greenwich mean time.
From rforno at infowarrior.org Tue Jun 21 07:12:41 2011 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 21 Jun 2011 08:12:41 -0400 Subject: [Infowarrior] - Paper: Sex, Lies and Cyber-crime Surveys Message-ID: (c/o the BruceBlog) "Sex, Lies and Cyber-crime Surveys" Dinei Florêncio and Cormac Herley, Microsoft Research. http://research.microsoft.com/pubs/149886/SexLiesandCybercrimeSurveys.pdf Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N=1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.
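The abstract's arithmetic, worked through as an added example (not the paper's own code): a mean-times-population extrapolation from a constructed N=1000 survey, plus the two checks a reader of such a survey would want, namely how much of the estimate rests on the single largest response and what happens to the estimate when the top one percent of responses is trimmed. The population size of 200 million adults is an assumption chosen because it reproduces the $10 billion and $1.5 billion figures quoted above.

```python
"""How one unverified outlier drives a survey-based loss estimate."""

POPULATION = 200_000_000  # assumed adult population; reproduces the article's figures


def mean_extrapolation(responses, population=POPULATION):
    """The usual survey estimate: mean self-reported loss times population."""
    return sum(responses) / len(responses) * population


def top_k_share(responses, k):
    """Fraction of the total reported loss contributed by the k largest responses."""
    total = sum(responses)
    if total == 0:
        return 0.0
    return sum(sorted(responses, reverse=True)[:k]) / total


def responses_for_majority(responses):
    """Smallest number of (largest) responses that account for at least half
    of the estimate. A value of 1 or 2 is the concentration the abstract warns about."""
    ranked = sorted(responses, reverse=True)
    total = sum(ranked)
    if total == 0:
        return 0
    running = 0.0
    for k, value in enumerate(ranked, start=1):
        running += value
        if running >= total / 2:
            return k
    return len(ranked)


def trimmed_extrapolation(responses, population=POPULATION, trim_fraction=0.01):
    """Same estimate after discarding the top trim_fraction of responses.
    A large gap between this and the untrimmed figure shows the estimate is
    resting on a handful of unverifiable claims rather than on the population."""
    drop = int(len(responses) * trim_fraction)
    kept = sorted(responses)[: len(responses) - drop] if drop else list(responses)
    return sum(kept) / len(kept) * population


def analyse(responses, population=POPULATION):
    return {
        "estimate": mean_extrapolation(responses, population),
        "top1_share": top_k_share(responses, 1),
        "majority_from": responses_for_majority(responses),
        "trimmed_estimate": trimmed_extrapolation(responses, population),
    }


# Constructed N=1000 survey: 998 respondents report no loss, one reports a
# modest $200, and one claims $50,000 (the abstract's example).
SURVEY = [0] * 998 + [200, 50_000]

# Constructed phishing survey: a single $7,500 claim among 1000 respondents.
PHISHING_SURVEY = [0] * 999 + [7_500]

if __name__ == "__main__":
    for name, data in (("losses", SURVEY), ("phishing", PHISHING_SURVEY)):
        print(name, analyse(data))
```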
http://research.microsoft.com/pubs/149886/SexLiesandCybercrimeSurveys.pdf From rforno at infowarrior.org Tue Jun 21 08:01:16 2011 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 21 Jun 2011 09:01:16 -0400 Subject: [Infowarrior] - DuckDuckGo: The Privacy-centric Alternative to Google Message-ID: <2F8F5D87-75BF-492F-9368-F5EFEFAEE56F@infowarrior.org> DuckDuckGo: The Privacy-centric Alternative to Google posted by Thom Holwerda on Tue 21st Jun 2011 09:33 UTC http://www.osnews.com/story/24867/DuckDuckGo_The_Privacy-centric_Alternative_to_Google Remember when Altavista was the search engine? Or Yahoo? They stuffed their search pages with useless, distracting crap, and using them became unpleasant. And then, bam, along came Google, with a simple, clear search page and uncluttered search results. However, now that Google has become this massive behemoth, tracking our every move, and tailoring our search results, leading to only being fed those pages you agree with - isn't it time for something new? Something simple? It might be, and you've undoubtedly heard of them: DuckDuckGo. I'm switching. DuckDuckGo is a relatively new search engine that has really been gaining in popularity recently. On OSNews alone several people regularly advise others to try it out whenever we talk about online privacy. So, what are some of the reasons you might want to try out DuckDuckGo? First of all, DuckDuckGo doesn't track you, so you get real privacy when you search the web. Google tracks pretty much everything you do so they can better target you with advertisements. I have no problems with targeted advertising, and I have no issues in and of itself with Google collecting such information (in the end, I decide what I feed the web). What does bother me, though, is the fact that I wouldn't be able to protect myself if the US government ever subpoena'd Google to gain access to that information. 
Of course, I am of no interest to them (even my porn habits are incredibly boring), but it's the principle of the thing. Mind you that this is not mindless US-bashing; the same concerns apply to my own government and the EU. However, at least here in The Netherlands or even the EU I would have some means to defend myself against such government behaviour - I don't in the US. That's why I love the idea of a search engine that doesn't track me. God knows, I might develop some embarrassing illness in the future, and I would rather keep something like that under wraps. DuckDuckGo is the answer here - no tracking, no information sharing. DuckDuckGo doesn't send your search terms to the web sites you visit. It also has various other privacy features, such as the ability to use POST requests, HTTPS with the ability to automatically force sites in the search results to also use HTTPS, and integrated Tor functionality, so you can get completely end-to-end anonymous and encrypted search. More importantly though (at least for me) - DuckDuckGo tries to pop something called the filter bubble. "A filter bubble is a concept developed by internet activist Eli Pariser to describe a phenomenon in which search queries on sites such as Google or Facebook or Yahoo selectively guess what information a user would like to see based on the user's past search history and, as a result, searches tend to play back information which agrees with the user's past viewpoint," Wikipedia summarises, "Accordingly, users get less exposure to conflicting viewpoints." In the below TED talk, Pariser explains it in more detail. So, is this all, or are there any other reasons to try DuckDuckGo? Well, I really like the !bang syntax, which allows for all kinds of CLI-like commands to be parsed to DuckDuckGo. Of course, things like !youtube query work, but also something like !safeoff query to perform a single search without safe search on. 
The list of !bangs is pretty extensive already, and yes, I've sent them a request to have !osnews turned into a !bang, too. Other interesting goodies are listed on the, uh, goodies page. Of course, there are several browser extensions and smartphone applications for DuckDuckGo as well. DuckDuckGo isn't perfect, obviously. It doesn't do image search, for instance (although you can use the !gi !bang for that), and more annoyingly, it's kind of a hassle to switch 'locales'. With Google, when I need to perform a Dutch search, I simply go to Google.nl and search from there; for international searches, I go to Google.com. With DuckDuckGo, I'd have to change locales in the settings page - as a translator, that's incredibly annoying. I might shoot them an email and ask if locale-switching could be done using !bangs (e.g. !nl query). I'm starting the process of switching over to DuckDuckGo; it's now my default search engine in Chrome. It'll take a little getting used to, but then, I once switched from Altavista to Google without much hassle, so this should work too. Competition is good, and boy, does Google need it. From rforno at infowarrior.org Tue Jun 21 08:29:42 2011 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 21 Jun 2011 09:29:42 -0400 Subject: [Infowarrior] - Upending Anonymity, These Days the Web Unmasks Everyone Message-ID: June 20, 2011 Upending Anonymity, These Days the Web Unmasks Everyone https://www.nytimes.com/2011/06/21/us/21anonymity.html?hpw=&pagewanted=print By BRIAN STELTER Not too long ago, theorists fretted that the Internet was a place where anonymity thrived. Now, it seems, it is the place where anonymity dies. A commuter in the New York area who verbally tangled with a conductor last Tuesday -- and defended herself by asking "Do you know what schools I've been to and how well-educated I am?" -- was publicly identified after a fellow rider posted a cellphone video of the encounter on YouTube.
The woman, who had gone to N.Y.U., was ridiculed by a cadre of bloggers, one of whom termed it the latest episode of "Name and Shame on the Web."

Women who were online pen pals of former Representative Anthony D. Weiner similarly learned how quickly Internet users can sniff out all the details of a person's online life. So did the men who set fire to cars and looted stores in the wake of Vancouver's Stanley Cup defeat last week when they were identified, tagged by acquaintances online.

The collective intelligence of the Internet's two billion users, and the digital fingerprints that so many users leave on Web sites, combine to make it more and more likely that every embarrassing video, every intimate photo, and every indelicate e-mail is attributed to its source, whether that source wants it to be or not.

This intelligence makes the public sphere more public than ever before and sometimes forces personal lives into public view. To some, this could conjure up comparisons to the agents of repressive governments in the Middle East who monitor online protests and exact retribution offline. But the positive effects can be numerous: criminality can be ferreted out, falsehoods can be disproved and individuals can become Internet icons.

When a freelance photographer, Rich Lam, digested his pictures of the riots in Vancouver, he spotted several shots of a man and a woman, surrounded by police officers in riot gear, in the middle of a like-nobody's-watching kiss. When the photos were published, a worldwide dragnet of sorts ensued to identify the "kissing couple." Within a day, the couple's relatives had tipped off news Web sites to their identities, and there they were, Monday, on the "Today" show: Scott Jones and Alex Thomas, the latest proof that thanks to the Internet, every day could be a day that will be remembered around the world.

"It's kind of amazing that there was someone there to take a photo," Ms. Thomas said on "Today."

The "kissing couple"
will most likely enjoy just a tweet's worth of fame, but it is noteworthy that they were tracked down at all.

This erosion of anonymity is a product of pervasive social media services, cheap cellphone cameras, free photo and video Web hosts, and perhaps most important of all, a change in people's views about what ought to be public and what ought to be private. Experts say that Web sites like Facebook, which require real identities and encourage the sharing of photographs and videos, have hastened this change.

"Humans want nothing more than to connect, and the companies that are connecting us electronically want to know who's saying what, where," said Susan Crawford, a professor at the Benjamin N. Cardozo School of Law. "As a result, we're more known than ever before."

This growing "publicness," as it is sometimes called, comes with significant consequences for commerce, for political speech and for ordinary people's right to privacy. There are efforts by governments and corporations to set up online identity systems. Technology will play an even greater role in the identification of once-anonymous individuals: Facebook, for instance, is already using facial recognition technology in ways that are alarming to European regulators.

After the riots in Vancouver, locals needed no such facial recognition technology - they simply combed through social media sites to try to identify some of the people involved, like Nathan Kotylak, 17, a star on Canada's junior water polo team. On Facebook, Mr. Kotylak apologized for the damage he had caused. The finger-pointing affected not only him, it affected his family: local news media reported that his father, a doctor, had seen his ranking on a medical practice review site, RateMDs.com, drop after people posted comments about his son's involvement in the riots. Other people subsequently went to the Web site to defend the doctor and improve his ranking.
Predictably, there was a backlash to the Internet-assisted identification of the people involved in the alcohol-fueled riot. Camille Cacnio, a student in Vancouver who was photographed during the riot and who admitted to theft, wrote on her blog that the "21st-century witch hunt" on the Internet was "another form of mobbing."

In the New York area, the commuter who was the subject of online scorn last week shut down both her Twitter and LinkedIn accounts once her name bubbled up on blogs. Though the person who originally posted the cellphone video took it down, other people quickly reposted it, giving the story new life. The original video poster remains anonymous because his or her YouTube account has been shut down.

Half a world away, in Middle Eastern countries like Iran and Syria, activists have sometimes succeeded in identifying victims of dictatorial violence through anonymously uploaded YouTube videos. They have also succeeded in identifying fakes: In a widely publicized case this month, a blogger who claimed to be a Syrian-American lesbian and called herself "A Gay Girl in Damascus" was revealed to be an American man, Tom MacMaster.

The sleuthing was led by Andy Carvin, a strategist for NPR who has exhaustively covered the Middle Eastern protests on Twitter. When sources of his said they were skeptical of the blogger's identity, "I just started asking questions on Twitter and Facebook," Mr. Carvin recalled on CNN. "Have any of you met her in person? Do you know her at all? The more I asked, the less I learned, because no one had met her, not even the reporters who had supposedly interviewed her in person." Mr. Carvin, his online followers and others used photos and server log data to connect the blog to Mr. MacMaster's wife.

"Publicity" - something normally associated with celebrities - "is no longer scarce," Dave Morgan, the chief executive of Simulmedia, wrote in an essay this month. He posited that because the Internet "can't be made to forget"
images and moments from the past, like an outburst on a train or a kiss during a riot, "the reality of an inescapable public world is an issue we are all going to hear a lot more about."

From rforno at infowarrior.org Tue Jun 21 10:15:21 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jun 2011 11:15:21 -0400
Subject: [Infowarrior] - TSA Now Storming Public Places 8,000 Times a Year
Message-ID: <80D934E9-F97A-47EA-BA31-2C3694F7043C@infowarrior.org>

http://www.americanthinker.com/2011/06/tsa_now_storming_public_places_8000_times_a_tear.html
June 20, 2011
TSA Now Storming Public Places 8,000 Times a Year
By Tara Servatius

Americans must decide if, in the name of homeland security, they are willing to allow TSA operatives to storm public places in their communities with no warning, pat them down, and search their bags. And they better decide quickly.

Bus travelers were shocked when jackbooted TSA officers in black SWAT-style uniforms descended unannounced upon the Tampa Greyhound bus station in April with local, state and federal law enforcement agencies and federal bureaucrats in tow. A news report by ABC Action News in Tampa showed passengers being given the signature pat downs Americans are used to watching the Transportation Security Administration screeners perform at our airports. Canine teams sniffed their bags and the buses they rode. Immigration officials hunted for large sums of cash as part of an anti-smuggling initiative.

The TSA clearly intends for these out-of-nowhere swarms by its officers at community transit centers, bus stops and public events to become a routine and accepted part of American life. The TSA has conducted 8,000 of these security sweeps across the country in the past year alone, TSA chief John Pistole told a Senate committee June 14. They are part of its VIPR (Visible Intermodal Prevention and Response) program, which targets public transit related places.
All of which is enough to make you wonder if we are watching the formation of the "civilian national security force" President Obama called for on the campaign trail "that is just as powerful, just as strong and just as well funded" as the military.

The VIPR swarm on Wednesday, the TSA's largest so far, was such a shocking display of the agency's power that it set the blogosphere abuzz. In a massive flex of muscle most people didn't know the TSA had, the agency led dozens of federal and state law enforcement agencies in a VIPR exercise that covered three states and 5,000 square miles. According to the Marietta Times, the sweep used reconnaissance aircraft and "multiple airborne assets, including Blackhawk helicopters and fixed wing aircraft as well as waterborne and surface teams."

When did the TSA get this powerful? Last year, Pistole told USA Today he wanted to "take the TSA to the next level," building it into a "national-security, counterterrorism organization, fully integrated into U.S. government efforts." What few people realize is how far Pistole has already come in his quest. This is apparently what that next level looks like.

More than 300 law enforcement and military personnel swept through a 100-mile stretch of the Ohio Valley alone, examining the area's industrial infrastructure, the Charleston Gazette reported. Federal air marshals, the Army Corps of Engineers, the U.S. Coast Guard, the FBI, the Office of Homeland Security and two dozen other federal, state and local agencies teamed up to scour the state's roads, bridges, water supply and transit centers under the TSA's leadership.

What is remarkable about these security swarms is that they don't just involve federal, state and local law enforcement officials. The TSA brings in squads of bureaucrats from state and federal agencies as well, everything from transportation departments to departments of natural resources.
The TSA had received no specific threats about the Tampa bus station before the April sweep, reporters were told. They were there "to sort of invent the wheel in advance in case we have to if there ever is specific intelligence requiring us to be here," said Gary Milano with the Department of Homeland Security in an ABC Action News television report. "This way us and our partners are ready to move in at a moment's notice."

Federal immigration officials from Customs and Border Patrol swept the station with the TSA, looking for "immigration violations, threats to national security" and "bulk cash smuggling." (How the bulk cash smuggling investigation related to national security was never explained.)

"We'll be back," Milano told reporters. "We won't say when we'll be back. This way the bad guys are on notice we'll be back."

The TSA gave the same vague answers when asked about the three-state sweep this week. That sweep wasn't in response to any specific security threat, either. The purpose was to "have a visible presence and let people know we're out here," Michael Cleveland, federal security director for TSA operations in West Virginia told the Gazette. "It can be a deterrent."

It might be -- if Americans are willing to live this way.

From rforno at infowarrior.org Tue Jun 21 19:54:43 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jun 2011 20:54:43 -0400
Subject: [Infowarrior] - FBI seizes Web hosting company's servers
Message-ID:

June 21, 2011 4:29 PM PDT
FBI seizes Web hosting company's servers
by Steven Musil
http://news.cnet.com/8301-1009_3-20073102-83/fbi-seizes-web-hosting-companys-servers/

The FBI seized Web-hosting servers from a data facility today, causing a number of sites to go down or transfer operations to other facilities. Agents confiscated three racks of blade servers from a Maryland facility run by DigitalOne, the Switzerland-based hosting company said.
DigitalOne's site, as well as real estate blog Curbed and restaurant blog Eater--two sites affected by the outage, according to The New York Times--were inaccessible this afternoon. Another site, bookmarking site Pinboard, was also affected by the server confiscation but had transferred some pages to a backup server, the site said in a status update:

Just received word from our hosting company that they were raided by the FBI who pulled some racks of equipment. No word on whether our server was among those machines, or whether it is just offline. In the meantime the site is running on a backup server with reduced capabilities (see below). All bookmarks are intact.

In a note to clients viewed by CNET, DigitalOne employee Sergej Ostroumow said the FBI was interested in one specific client. "FBI was interesting only in one of clients and it is absolutely unintelligible, why they took servers of tens of clients," Ostroumow said. "After FBI's unprofessional 'work' we can not restart our own servers, that's why our website is offline and support doesn't work."

It's unknown what agents were looking for, and the FBI did not immediately respond to a request for comment.

From rforno at infowarrior.org Wed Jun 22 06:50:05 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 07:50:05 -0400
Subject: [Infowarrior] - MPAA Anti-Piracy Lobbying Targets FBI, DOJ, ICE, DHS and Biden
Message-ID: <887C7A72-D165-40D6-9DF5-B1E83C3E1E92@infowarrior.org>

MPAA Anti-Piracy Lobbying Targets FBI, DOJ, ICE, DHS and Biden
enigmax - 22/06/2011
http://torrentfreak.com/mpaa-anti-piracy-lobbying-targets-fbi-110622/

According to a disclosure report, the MPAA spent $400,000 lobbying a wide range of US government departments in the first quarter of 2011 including the FBI, Department of Justice, Department of Homeland Security, ICE and the Vice President's Office. Issues on the table include so-called "rogue sites"
including RapidShare, streaming, graduated response (3 strikes) and domain seizures.

In its quest to stamp out piracy, the MPAA continues to pump money into its lobbying activities in the hope of planting the seeds of legislative change. While the debate over whether corporations should be allowed to lobby crime-fighting organizations such as the police and FBI will rage on, at least there is an enforced level of transparency which allows the public to see where lobbyists are spending their money.

The MPAA have just made their mandatory disclosure for the first quarter of 2011 and it makes interesting reading. In total the member companies of the MPAA - Disney, Sony, Warner Bros., Paramount, 20th Century Fox and Universal - spent $400,000 in the first three months of the year lobbying influential government departments. These included the office of Vice-President Joe Biden, a valuable MPAA ally in 2010 with his mantra of "Piracy Is Theft, Clean and Simple."

In the filing, which covers the period from January 1st to March 31st, several government departments are listed repeatedly including the U.S. Senate, House of Representatives, Homeland Security, Dept. of Justice, FBI, ICE, U.S. Copyright Office and U.S. Trade Representative.

On the back of moves to turn the activity into a felony, it's no surprise that streaming illegal content featured heavily in the MPAA's 1st quarter lobbying. Considering the huge effort already underway with domain seizures, many of them streaming-related, Operation in Our Sites remained firmly on the agenda. Also listed is the issue of "Pay processors role in IP enforcement", a reference to the developing strategy of strangling the revenue to sites that the MPAA believe are generating income from infringement.

In November 2010, file-hosting service RapidShare was among the first Internet services to be labelled by both the MPAA and RIAA as a so-called "Rogue Site", a move which forced the cyberlocker service to initiate lobbying of its own.
In 2011 it is evident that Hollywood is continuing to pressure the Swiss-based company. RapidShare is mentioned several times in the MPAA disclosure report under several headings, not least "Rogue Site Legislation" and "Law Enforcement/Crime and Criminal Justice".

Interestingly, "Graduated Response" is also listed as a lobbying subject, although the U.S. appeared to rule out so-called "3 strikes" regimes earlier this month in response to a United Nations report.

On the educational front, the MPAA is keen to drive home the anti-P2P message to the country's schools and universities. Equally it is pushing for anti-camcording activities in the Asia-Pacific region plus awareness of counterfeit movie usage at US military bases, a subject we've touched on previously.

The MPAA also discussed the anti-piracy company MiMTiD. A DMCA-related controversy connected to that company was covered by TechDirt in February.

The $400,000 spent by the MPAA in the first 3 months of 2011 represents a $30,000 uplift on the same period last year and a $60,000 increase on its spend during the final quarter of 2010.

From rforno at infowarrior.org Wed Jun 22 06:54:00 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 07:54:00 -0400
Subject: [Infowarrior] - UK copyright lobby holds closed-door meetings with gov't to discuss national Web-censorship regime
Message-ID: <7DB9B8B0-F9ED-4173-BA3F-12ABB386D929@infowarrior.org>

Cory Doctorow at 2:46 AM Wednesday, Jun 22, 2011
http://feeds.boingboing.net/~r/boingboing/iBag/~3/auYxeBepvO8/leaked-uk-copyright.html

A group of UK copyright lobbyists held confidential, closed-door meetings with Ed Vaizey, Minister for Culture, Communications and Creative Industries to discuss a plan to allow industry groups to censor the Internet in the UK.
The proposal has leaked, and it reveals a plan to establish "expert bodies" that would decide which websites British people were allowed to see, to be approved by a judge using a "streamlined" procedure. The procedure will allow for "swift" blocking in order to shut down streaming of live events.

Public interest groups like the Open Rights Group asked to attend the meeting, but were shut out, presaging a regulatory process that's likely to be a lopsided, industry-centric affair that doesn't consider the public. The process is characterised as "voluntary," but the proposal makes reference to the Digital Economy Act, which allows for mandatory web-blocking (thanks to the action of LibDem Lords who submitted a proposal written by a record industry lobbyist as an amendment to the DEA). The Open Rights Group has a campaign to repeal the DEA that you can sign onto.

We would like confirmation from the government that these are genuine proposals which they are actively considering. We would also like to know what steps they will be taking to consider the views of organisations such as Open Rights Group, and those others who recently wrote to rights holders expressing their concern and requesting such proposals are made public.

So far these discussions have involved only rightsholders and Internet companies, with only the most recent meeting involving Consumer Focus. (As Jim blogged yesterday, Consumer Focus' response to the proposals they discussed is here). This is a welcome concession. But it is a concession. Open policy making that takes on board the broadest range of views is not something within the gift of politicians but a responsibility they bear.
From rforno at infowarrior.org Wed Jun 22 07:42:56 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 08:42:56 -0400
Subject: [Infowarrior] - OpEd: Attacking Libya - and the dictionary
Message-ID: <1E853895-4A61-46C1-82A4-B73909DF1E65@infowarrior.org>

Attacking Libya - and the dictionary
By Jonathan Schell
http://www.atimes.com/atimes/Middle_East/MF23Ak01.html

The Barack Obama administration has come up with a remarkable justification for going to war against Libya without the congressional approval required by the constitution and the War Powers Resolution of 1973. American planes are taking off, they are entering Libyan air space, they are locating targets, they are dropping bombs, and the bombs are killing and injuring people and destroying things. It is war. Some say it is a good war and some say it is a bad war, but surely it is a war.

Nonetheless, the Obama administration insists it is not a war. Why? Because, according to "United States Activities in Libya", a 32-page report that the administration released last week, "US operations do not involve sustained fighting or active exchanges of fire with hostile forces, nor do they involve the presence of US ground troops, US casualties or a serious threat thereof, or any significant chance of escalation into a conflict characterized by those factors."

In other words, the balance of forces is so lopsided in favor of the United States that no Americans are dying or are threatened with dying. War is only war, it seems, when Americans are dying, when we die. When only they, the Libyans, die, it is something else for which there is as yet apparently no name. When they attack, it is war. When we attack, it is not.

This cannot be classified as anything but strange thinking and it depends, in turn, on a strange fact: that, in our day, it is indeed possible for some countries (or maybe only our own), for the first time in history, to wage war without receiving a scratch in return.
This was nearly accomplished in the bombing of Serbia in 1999, in which only one American plane was shot down (and the pilot rescued). The epitome of this new warfare is the predator drone, which has become an emblem of the Obama administration. Its human operators can sit at Creech Air Force Base in Nevada or in Langley, Virginia, while the drone floats above Afghanistan or Pakistan or Yemen or Libya, pouring destruction down from the skies. War waged in this way is without casualties for the wager because none of its soldiers are near the scene of battle if that is even the right word for what is going on.

Some strange conclusions follow from this strange thinking and these strange facts. In the old scheme of things, an attack on a country was an act of war, no matter who launched it or what happened next. Now, the Obama administration claims that if the adversary cannot fight back, there is no war. It follows that adversaries of the United States have a new motive for, if not equaling us, then at least doing us some damage. Only then will they be accorded the legal protections (such as they are) of authorized war. Without that, they are at the mercy of the whim of the president.

The War Powers Resolution permits the president to initiate military operations only when the nation is directly attacked, when there is "a national emergency created by attack upon the United States, its territories or possessions, or its armed forces." The Obama administration, however, justifies its actions in the Libyan intervention precisely on the grounds that there is no threat to the invading forces, much less the territories of the United States.

There is a parallel here with the administration of George W Bush on the issue of torture (though not, needless to say, a parallel between the Libyan war itself, which I oppose but whose merits can be reasonably debated, and torture, which was wholly reprehensible).
President George W Bush wanted the torture he was ordering not to be considered torture, so he arranged to get lawyers in the Justice department to write legal-sounding opinions excluding certain forms of torture, such as waterboarding, from the definition of the word. Those practices were thenceforward called "enhanced interrogation techniques". Now, Obama wants his Libyan war not to be a war and so has arranged to define a certain kind of war - the American-casualty-free kind - as not war (though without even the full support of his own lawyers). Along with Libya, a good English word, war, is under attack.

In these semantic operations of power upon language, a word is separated from its commonly accepted meaning. The meanings of words are one of the few common grounds that communities naturally share. When agreed meanings are challenged, no one can use the words in question without stirring up spurious "debates", as happened with the word torture. For instance, mainstream news organizations, submissive to Bush's decisions on the meanings of words, stopped calling waterboarding torture and started calling it other things, including "enhanced interrogation techniques", but also "harsh treatment", "abusive practices" and so on.

Will the news media now stop calling the war against Libya a war? No euphemism for war has yet caught on, though soon after launching its Libyan attacks, an administration official proposed the phrase "kinetic military action" and more recently, in that 32-page report, the term of choice was "limited military operations". No doubt someone will come up with something catchier soon.

How did the administration twist itself into this pretzel? An interview that Charlie Savage and Mark Landler of the New York Times held with State Department legal adviser Harold Koh sheds at least some light on the matter. Many administrations and legislators have taken issue with the War Powers Resolution, claiming it challenges powers inherent in the presidency.
Others, such as Bush administration deputy assistant attorney general John Yoo, have argued that the constitution's plain declaration that congress "shall declare war" does not mean what most readers think it means, and so leaves the president free to initiate all kinds of wars.

Koh has long opposed these interpretations - and in a way, even now, he remains consistent. Speaking for the administration, he still upholds congress' power to declare war and the constitutionality of the War Powers Resolution. "We are not saying the president can take the country into war on his own," he told the Times. "We are not saying the War Powers Resolution is unconstitutional or should be scrapped or that we can refuse to consult congress. We are saying the limited nature of this particular mission is not the kind of 'hostilities' envisioned by the War Powers Resolution."

In a curious way, then, a desire to avoid challenge to existing law has forced assault on the dictionary. For the Obama administration to go ahead with a war lacking any form of congressional authorization, it had to challenge either law or the common meaning of words. Either the law or language had to give. It chose language.

Jonathan Schell is the Doris M Shaffer Fellow at The Nation Institute, and a Senior Lecturer at Yale University. He is the author of several books, including The Unconquerable World: Power, Nonviolence, and the Will of the People.
From rforno at infowarrior.org Wed Jun 22 07:47:35 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 08:47:35 -0400
Subject: [Infowarrior] - iCloud stops routing Apple e-mail when 5GB limit is reached
Message-ID:

iCloud stops routing Apple e-mail when 5GB limit is reached
By Casey Johnston | Published about 17 hours ago
http://arstechnica.com/apple/news/2011/06/e-mail-service-through-icloud-stops-when-5gb-limit-is-reached.ars

A screenshot of the upcoming iCloud storage service from Apple shows that if your free 5GB of storage gets eaten up by backups, calendars, or other data, your e-mail will get choked out, as noted by a screenshot sent to MacRumors. If the storage cap is reached, users stop receiving e-mail at their me.com addresses, and anything sent there is bounced back to the sender.

On the one hand, this isn't terribly surprising - what should Apple do, let people keep using space they're not supposed to have? But because e-mail is being routed through the same virtual space that can only hold a fraction of a full-sized iPhone backup, this is bound to happen quite a bit. It's not only e-mail that stops, either: device backups will also cease until space is cleared.

Apple hasn't announced anything to this effect yet, but we expect that there will be pricing tiers above the free 5GB for customers with a larger, more active setup of devices. Another possible solution would be to route e-mail outside the 5GB box, similar to the PhotoStream service. As long as Apple keeps an e-mail size cap, that shouldn't be too much of a traffic hit. In fact, given a choice of exempt services, we'd almost certainly choose e-mail over photos.
From rforno at infowarrior.org Wed Jun 22 08:22:47 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 09:22:47 -0400
Subject: [Infowarrior] - Pentagon gets cyberwar guidelines
Message-ID: <22C9BF36-DE46-4010-9621-8AC9F24EE61F@infowarrior.org>

Pentagon gets cyberwar guidelines
Jun 22, 6:44 AM (ET)
LOLITA C. BALDOR
http://apnews.myway.com/article/20110622/D9O0SERG0.html

WASHINGTON (AP) - President Barack Obama has signed executive orders that lay out how far military commanders around the globe can go in using cyberattacks and other computer-based operations against enemies and as part of routine espionage in other countries.

The orders detail when the military must seek presidential approval for a specific cyber assault on an enemy and weave cyber capabilities into U.S. war fighting strategy, defense officials and cyber security experts told The Associated Press.

Signed more than a month ago, the orders cap a two-year Pentagon effort to draft U.S. rules of the road for cyber warfare, and come as the U.S. begins to work with allies on global ground rules. The guidelines are much like those that govern the use of other weapons of war, from nuclear bombs to missiles to secret surveillance, the officials said.

In a broad new strategy document, the Pentagon lays out some of the cyber capabilities the military may use during peacetime and conflict. They range from planting a computer virus to using cyberattacks to bring down an enemy's electrical grid or defense network.

"You don't have to bomb them anymore. That's the new world," said James Lewis, cybersecurity expert at the Center for Strategic and International Studies. The new Pentagon strategy, he said, lays out cyber as a new warfare domain and stresses the need to fortify network defenses, protect critical infrastructure and work with allies and corporate partners.

The entire strategy has not been released, but several U.S. officials described it on condition of anonymity.
Many aspects of it have been made public by U.S. officials, including Deputy Defense Secretary William Lynn, in speeches over the past several months. The Pentagon is expected to announce the entire strategy soon.

As an example, the new White House guidelines would allow the military to transmit computer code to another country's network to test the route and make sure connections work - much like using satellites to take pictures of a location to scout out missile sites or other military capabilities. The digital code would be passive and could not include a virus or worm that could be triggered to do harm at a later date. But if the U.S. ever got involved in a conflict with that country, the code would have mapped out a path for any offensive cyberattack to take, if approved by the president.

The guidelines also make clear that when under attack, the U.S. can defend itself by blocking cyber intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the U.S. has the right to pursue attackers across national boundaries - even if those are virtual network lines.

"We must be able to defend and operate freely in cyberspace," Lynn said in a speech last week in Paris. The U.S., he said, must work with other countries to monitor networks and share threat information.

Lynn and others also say the Pentagon must more aggressively protect the networks of defense contractors that possess valuable information about military systems and weapons' designs. In a new pilot program, the Defense Department has begun sharing classified threat intelligence with a handful of companies to help them identify and block malicious cyber activity on their networks. Over time, Lynn said, the program could be a model for the Homeland Security Department as it works with companies that run critical infrastructure such as power plants, the electric grid and financial systems.
Members of Congress are working on a number of bills to address cybersecurity and have encouraged such public-private partnerships, particularly to secure critical infrastructure. But they also warn of privacy concerns. "We must institute strict oversight to ensure that no personal communications or sensitive data are inappropriately shared with the government by businesses," said Rep. Jim Langevin, D-R.I., who served as co-chairman of the Center for Strategic and International Studies' cybersecurity commission. Cyber security experts and defense officials have varying views of cyber war, but they agree that it will be a part of any future conflict. At a recent Capitol Hill hearing, incoming Pentagon chief Leon Panetta, the outgoing CIA director, said the U.S. must be aggressive in offensive and defensive countermeasures. "I've often said that there's a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems," he said. Stewart Baker, a former Homeland Security official, said Americans need to come to grips with the idea that cyber warfare could hit the U.S. homeland. "We've had 50 years in which we haven't really had to rethink what might happen in a war here," he said. "We need to think very hard about an actual strategy about how to win a war in which cyber weapons are prominently featured." Part of that thinking, Baker said, involves ensuring that the U.S. has strong firewalls to prevent attacks and that there are established routes into the networks of potential enemies. But officials also say that cyber capabilities must be put in perspective. "It's a decisive weapon, but it's not a super weapon," said Lewis. "It's not a nuclear bomb." It is, however, a new weapon that hackers, criminals and other nations are honing. 
Already hackers have breached military networks and weapons programs, including key defense contractor Lockheed Martin. Military officials have also warned repeatedly of cyberattacks and intrusions coming out of China, Russia and Eastern Europe. "Regrettably," Lynn said, "few weapons in the history of warfare, once created, have gone unused. For this reason, we must have the capability to defend against the full range of cyber threats." Lynn predicted that terror groups eventually will learn how to launch crippling cyberattacks. Important questions linger about the role of neutral countries. Hackers routinely route their attacks through networks of innocent computers that could be anywhere, including in the U.S. Often it may be difficult to tell exactly where an attack originated or who did it, although forensic capabilities are steadily improving. That issue was clear during the cyberattack against Estonia in 2007 that used thousands of infected computers to cripple dozens of government and corporate websites. Estonia has blamed Russia for the attack. But, according to Robert Giesler, the Pentagon's former director of information operations, 17 percent of the computers that attacked Estonia were in the United States. He said the question is: Did the Estonians have the right to attack the U.S. in response, and what responsibility did the U.S. bear? Under the new Pentagon guidelines, it would be unacceptable to deliberately route a cyberattack through another country if that nation has not given permission - much like U.S. fighter jets need permission to fly through another nation's airspace. . 
From rforno at infowarrior.org Wed Jun 22 08:25:42 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 09:25:42 -0400
Subject: [Infowarrior] - Top-secret clearance checks falsified
Message-ID:

http://www.washingtontimes.com/news/2011/jun/21/top-secret-clearance-checks-falsified/

Top-secret clearance checks falsified
Time, money now spent to probe fraud
The Washington Times
8:00 p.m., Tuesday, June 21, 2011

Federal authorities responsible for granting security clearances to government employees and contractors are spending hundreds of thousands of dollars investigating the investigators.

Government inspectors say they have undertaken a broader campaign in recent years to root out fraud in background checks as more national security clearances are being sought than ever before. Overall, court records reviewed by The Washington Times show at least 170 confirmed falsifications of interviews or record checks and more than 1,000 others that couldn't be verified.

The background investigators, whose work helps determine who gets top-secret security clearance, were submitting forms saying they conducted interviews or verified official documents when they never did.

"The monetary loss sustained by the government does not, nor cannot, represent the cost associated with potential compromise of our nation's security and the trust of the American people in its government's workforce," Kathy L. Dillaman, associate director in charge of investigations at the Office of Personnel Management, wrote in a victim-impact statement for a recent court case involving a convicted investigator.

Douglas Shontz, a national security researcher at the Rand Corp. who had conducted background checks at the Defense Department, said background investigations used to be the purview of retired FBI agents and police detectives. That has changed as more and more contractors and employees require security clearances. Many of the background checks are now outsourced.

"You have a huge push to get people in the door," he said.

Mr. Shontz said that, in general, background interviews with neighbors, former employers, associates and others help determine whether someone could be more vulnerable to taking bribes or likely to talk too freely about sensitive government information. "They can highlight potential issues for follow-up," he said.

The OPM's office of inspector general has an initiative "focused on fabrication cases involving OPM Federal Investigative Services background investigators," said Michelle Schmitz, assistant inspector general for investigations. OPM handles background investigations for most federal agencies. Overall, OPM processes about 2 million background investigations per year.

During the past three years, court records show, seven investigators and two records checkers have been convicted of federal crimes in Washington involving falsification of records. There is no indication in any of the cases that the people who got the security clearances eventually were determined to be unsuitable. Still, investigators were forced to reopen old cases, and one falsified interview or document check can raise doubts about entire investigations.

"In addition to the potential damage to OPM's reputation as the primary provider of federal background investigations, the cost of investigating and correcting the case is substantial both in time and money," Ms. Dillaman wrote in a victim-impact statement for a recent court case.

Those convicted of lying about background checks have faced sentences ranging from probation to more than two years in federal prison, court records show. The U.S. Attorney's Office in Washington this month announced a 90-day prison sentence given to a former government background investigator, Thomas Fitzgerald, for falsifying information in more than two dozen investigative reports from March 2005 to May 2006. He was ordered to pay more than $100,000 to OPM's investigative services branch for the cost of reopening numerous investigations that were assigned to him.

Another investigator, Catherine Webb, faces up to 18 months in prison at her scheduled sentencing next month in federal court. She has pleaded guilty and has agreed to pay nearly $75,000 in restitution.

In 2009, a former contract investigator, George Abraham, was sentenced to more than two years in federal prison after he was convicted on six counts of making a false statement in his background reports. Authorities said subjects in Abraham's background investigations were seeking top-secret clearances for positions in the Air Force, the Army, the Navy and the Treasury Department.

In several cases, defense attorneys suggested in sentencing memos that the investigators started to cut corners because of stress and increasing work demands. But security consultant Chris McGoey, based in Los Angeles, said that's no excuse for investigators saying that they interviewed people or checked documents when they did not.

"If I get so busy, I just have to tell the client I can't do it," he said. "But you don't say that you did it and charge the fees. That's fraud."

From rforno at infowarrior.org Wed Jun 22 11:03:55 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 12:03:55 -0400
Subject: [Infowarrior] - US plan to hold EU passenger data for 15 yrs 'unlawful'
Message-ID:

US plan to hold EU passenger data for 15 yrs 'unlawful'
http://www.theregister.co.uk/2011/06/22/pnr_eu/
Database likely to be used against non-serious crimes
By OUT-LAW.COM
Posted in Government, 22nd June 2011 14:20 GMT

A reported plan to allow the US to retain the personal details of inbound EU air passengers for 15 years would be unlawful, lawyers for the European Commission have said, according to a newspaper report.
The Guardian, which reported last month that the US wanted to keep the information for 15 years, has reported that Commission lawyers have advised against acceding to the US's reported request.

The European Commission and US have an agreement to share passenger name data, a record of data on every air passenger. Data is collected by airlines and passed to authorities at the destination to aid counter-terrorism activities. Data protection laws in the EU state that member countries must protect individuals' rights to freedom and privacy when handling personal data. The EU also has PNR agreements with Australia and Canada and is developing a PNR Directive to govern the transfer of PNR to other countries.

Lawyers have advised the Commission that allowing the US to retain details about passengers for 15 years would be disproportionate to the security threat countries face, according to the Guardian. According to papers published, the data would be held in an active database for five years and a 'dormant database' for up to a further 10 years.

"It appears highly doubtful that a period of 15 years can be regarded as proportional," the lawyers said in an opinion, according to the Guardian report.

Any new US PNR agreement would have to be approved by EU law makers. The European Parliament has questioned the need for PNR arrangements with the US in the past, and has previously blocked transfer deals with US authorities.

"Despite certain presentational improvements, the draft agreement does not constitute a sufficiently substantial improvement of the agreement currently applied on a provisional basis, the conclusion of which was refused on data protection grounds by the European Parliament," the lawyers said, according to the Guardian.

The lawyers are concerned that allowing PNR data to be used to target offences that carry a year's jail sentence would allow the information to be used for wider purposes than to combat terrorism and serious crime that the agreement defines.

"Given the low maximum penalty, it is likely to include a very large number of crimes which cannot be regarded as serious. This point alone puts the proportionality of the agreement in question," the lawyers said.

Wording in the draft agreement which says passenger information will be used to "ensure border security" means the passenger database will be used for other minor offences not linked to terrorism or serious crime, the lawyers said as per the report.

"For these reasons the legal service does not consider the agreement in its present form as compatible with fundamental rights," the lawyers were quoted as saying.

The lawyers also expressed concern whether passengers would be able to obtain compensation if their personal data was mis-used under the terms of the agreement, the report said.

"All redress is made subject to US law, while the forms of redress explicitly guaranteed are administrative only and thus at the discretion of the department of homeland security," the lawyers said, according to the Guardian. Privacy officials working for the US department of homeland security do not represent independent observers of how PNR data is used, the lawyers said, according to the report.

Opinion is split among EU countries over the contents of the PNR agreement with the US, the Guardian said. A leaked document from an EU meeting last week showed that France, Germany, Italy, Holland and others are opposed to the proposed deal with the UK, Ireland, Sweden and Estonia the only countries backing it, the Guardian report said. According to the report, the European Commission said that the finalised agreement could be tested in the European courts.

The EU is acting against its own legal advice by agreeing to increase the time passenger data can be retained, a member of the European Parliament's civil liberties committee said, according to the Guardian.

"The commission cannot simply continue to stick its fingers in its ears, and it is high time that it dropped its obsession with PNR," Jan Philipp Albrecht, a German Green party MEP said, according to the Guardian report. "This means going back to the drawing board and renegotiating the draft agreements with the US, Australia and Canada on passenger record retention, ensuring these agreements are in line with EU data protection law," Albrecht said, according to the Guardian. "It also means dropping the proposed legislation on the retention of passenger data within the EU".

Plans to create new laws covering the recording, use and storage of airline passenger data are currently being developed by EU countries. Last year the European Commission said a new PNR Directive was needed to prevent passengers travelling if they are suspected of being involved in terrorism or serious crime. Under the proposed Directive airlines would have to send information such as passengers' home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details to countries before their planes can land.

The Commission initially outlined plans to make the Directive applicable to flights in and out of the EU. Recent negotiations between EU members suggest that the Directive's remit may be expanded to cover flights within the EU, though. In May the UK Government opted to support the EU proposals after it said 15 other countries supported an extension of the plans to include passenger tracking on flights within the EU. The UK, US, Canada and Australia already require PNR data to be sent, but the Directive would extend PNR collection across Europe for the first time.
From rforno at infowarrior.org Wed Jun 22 20:15:22 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jun 2011 21:15:22 -0400
Subject: [Infowarrior] - Top ISPs poised to adopt graduated response to piracy
Message-ID:

June 22, 2011 5:27 PM PDT
Exclusive: Top ISPs poised to adopt graduated response to piracy
by Greg Sandoval
http://news.cnet.com/8301-31001_3-20073522-261/exclusive-top-isps-poised-to-adopt-graduated-response-to-piracy/

Some of the country's largest Internet service providers are poised to leap into the antipiracy fight in a significant way.

After years of negotiations, a group of bandwidth providers that includes AT&T, Comcast, and Verizon are closer than ever to striking a deal with media and entertainment companies that would call for them to establish new and tougher punishments for customers who refuse to stop using their networks to pirate films, music and other intellectual property, multiple sources told CNET.

The sources cautioned that a final agreement has yet to be signed and that the partnership could still unravel but added that at this point a deal is within reach and is on track to be unveiled sometime next month.

This has been in the works a long time. The Recording Industry Association of America (RIAA) and Motion Picture Association of America (MPAA), the respective trade groups for the four major record companies and six top Hollywood film studios, have labored for years to persuade ISPs to take a tougher antipiracy position.

Under the proposed plan, participating bandwidth providers would adopt a "graduated response" to subscribers who repeatedly infringe copyrights. ISPs would first issue written warnings, called Copyright Alerts, to customers accused by copyright owners of downloading materials illegally via peer-to-peer sites, the sources said. Should a subscriber fail to heed the warning, an ISP could choose to send numerous follow-up notices. Eventually, the plan requires ISPs to take more serious action.

Participating ISPs are given plenty of leeway to choose how to proceed. They can select from a "menu" of responses outlined in the plan, such as throttling down an accused customer's bandwidth speed or limiting their access to the Web. For example, a suspected pirate may be allowed to visit only the top 200 Web sites until they stop illegal file sharing. The subscriber may also be asked to participate in a program that educates them on copyright law and the rights of content creators. The ISPs and copyright owners will share the costs of operating the program, sources said.

At least on paper, the proposal appears to have the potential to become one of the most potent antipiracy strategies ever implemented. The ISPs involved provide Internet access to a large percentage of the U.S. population and they are in the unique position to act as an Internet gatekeeper.

Critics have argued that a graduated response doesn't allow for due process of law. They reject the notion that an ISP should limit a person's service based solely on accusations of copyright owners.

White House helps shepherd deal

But enlisting the help of some of the top ISPs to thwart piracy represents a major victory for the film and music industries. Certainly, they had plenty of help. For starters, the National Cable and Telecommunications Industry is helping to broker the deal, the sources said. While the NCTA's members include companies such as Time Warner Cable, CableVision, Charter Communications, Comcast, and Qwest Communications, not all the group's members are participating, according to the sources.

Spokespeople for the NCTA, RIAA, and MPAA declined to comment. Representatives from some of the known participating ISPs, such as AT&T and Comcast, couldn't immediately be reached for comment.

In addition to the NCTA, the White House was also instrumental in encouraging the parties to reach an agreement, the sources confirmed. President Obama has vowed to step up the fight against piracy and counterfeiting, and his administration has lobbied Congress the past several years to pass new pro-copyright legislation while instructing federal law enforcement to make antipiracy a priority.

It's tough to deny that most of the momentum in the online copyright wars appears to be with content creators. In the past year, a federal court ruled that the top music file-sharing service LimeWire induced copyright infringement and ordered the network be shut down. In recent months, the U.S. Immigration and Customs Enforcement (ICE) agency has seized domain names from dozens of sites accused of trafficking in pirated content or counterfeit goods. In the U.S. Senate, lawmakers are expected to pass legislation that would enable the government to block U.S. Internet users from accessing alleged pirate sites based overseas.

When it comes to the proposed agreement on graduated response, the term was sometimes referred to also as a three-strikes plan. The sources who spoke to CNET said this isn't an accurate description of what the latest plan calls for, as an ISP gets to choose how many times to notify a customer before interrupting service. In the past, a three-strikes strategy also was supposed to lead to a complete termination of service for chronic file sharers. Kicking someone off a network for good is not required under the proposed agreement, the sources said.

If the term graduated response sounds familiar it's likely because of the RIAA. The trade group claimed in December 2008 that several ISPs, which were never identified, had agreed to adopt graduated-response programs to help the top record labels to fight illegal file sharing. Some ISPs did appear to start booting small numbers of people off their networks but in the years since, no major bandwidth provider openly acknowledged adopting a graduated response.
Sources in the music and film sectors said that their antipiracy measures, coupled with the rise of popular legal services, such as Netflix and Amazon, which provide inexpensive content that is also easy to access, has put them in the best possible position to compete with online piracy.

From rforno at infowarrior.org Thu Jun 23 07:53:00 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 23 Jun 2011 08:53:00 -0400
Subject: [Infowarrior] - Telstra, Optus to start censoring the web next month
Message-ID: <978BBA7E-5AF7-4E6C-A88A-915ED0D82D03@infowarrior.org>

Telstra, Optus to start censoring the web next month
By Jennifer Dudley-Nicholson
From: News Limited newspapers
June 22, 2011 1:00PM
http://www.news.com.au/technology/internet-filter/telstra-optus-to-begin-censoring-web-next-month/story-fn5j66db-1226079954138

MOST Australian internet users will have their web access censored next month after the country's two largest internet providers agreed to voluntarily block more than 500 websites from view.

Telstra and Optus confirmed they would block access to a list of child abuse websites provided by the Australian Communications and Media Authority and more compiled by unnamed international organisations from mid-year.

But internet experts have warned that the scheme is merely a "feel-good policy" that will not stop criminals from accessing obscene material online and could block websites unfairly.

The voluntary scheme was originally proposed by the Federal Government last year as part of a wider, $9.8 million scheme to encourage internet service providers to block all Refused Classification material from users as an optional service.

The Government dropped its funding for the scheme last month due to "limited interest" from the industry, but a spokesman for Communications Minister Stephen Conroy said a basic voluntary filter was still on track to be introduced by Telstra, Optus and two small ISPs.

"The ACMA will compile and manage a list of URLs of child abuse content that will include the appropriate subsection of the ACMA blacklist as well as child abuse URLs that are provided by reputable international organisations (to be blocked)," the spokesman said.

System Administrators Guild of Australia board member Donna Ashelford said blocking these website addresses should not affect internet speed, but was only a "cosmetic fix" that was easily circumvented by criminals.

"The effectiveness will be trivial because you're just blocking a single website address (and) a person can get around it by changing that address with one character," she said. "Child abuse material is more likely to be exchanged on peer-to-peer networks and private networks anyway and is a matter for law enforcement."

Electronic Frontiers Association board member Colin Jacobs also expressed concern at the scheme, saying the Government and internet providers needed to be more upfront about websites being blocked and offer an appeals process for website owners who felt URLs had been blocked unfairly.

"There is a question about where the links are coming from and I'd like to know the answer to that," Mr Jacobs said. "We've been waiting to hear details on this from the Government. If they turn out to be zealous with the type of material that is on the list then we'd want to have a discussion about ways to introduce more transparency."

From rforno at infowarrior.org Thu Jun 23 19:01:16 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 23 Jun 2011 20:01:16 -0400
Subject: [Infowarrior] - Can ICANN really be necessary?
Message-ID: <47C87053-A5C8-49BB-B4CF-7FD408302D71@infowarrior.org>

Can Icann really be necessary?
It's a question worth asking as the body that oversees internet domain names will now permit any suffix you want, at a price
Dan Gillmor
guardian.co.uk, Thursday 23 June 2011 18.00 BST
http://www.guardian.co.uk/commentisfree/cifamerica/2011/jun/23/icann-internet-domain-names

Are you ready for .xxx, .coke and .insertyournamehere? You'd better get ready, because an organisation with significant authority and scant accountability says you must.

That organisation is Icann: the Internet Corporation for Assigned Names and Numbers. It supervises the naming system for internet domains. With a budget north of $60m, Icann's board members and staff (who strike me as well-meaning, if too often unwise, in their actions) have embedded their work into the DNA of modern cyberspace. One would expect no less from an enterprise that can essentially tax the internet and is simultaneously accountable to everyone and no one.

Like Icann's operations, its rules are complex. The organisation's key role, boiled down to the basics, is to oversee the domain name system (DNS), a role that gives Icann the authority to decide what new domain-name suffixes may exist, and who can sell and administer them. The best known "top level" domain suffixes, at least in the US, are .com, .org and .edu; they are among 22 generic suffixes, along with about 250 country-level domains such as .uk (United Kingdom), .de (Germany) and .cn (China).

Two recent Icann initiatives highlight its reach. The first was the approval earlier this year of the .xxx domain, intended to be a red-light zone for cyberspace. The other, announced just this week, is a plan to let people and enterprises create domain names of any kind (for example, .Apple or .CocaCola or .treehugger) reflecting their trademarks or specific interests.

Contrary to Icann's rationalisations (pdf), .xxx is a terrible idea. Should it succeed, it will enrich its promoters. But it will also likely lead, should the domain actually be adopted widely, to widespread censorship and manipulation. Governments are keen to restrict access to what they consider to be pornography or block it altogether; look for laws requiring adult sites to use the .xxx domain, so they can be more easily fenced in, or out. India has already announced it will block .xxx entirely.

I hope this wretched move fails for practical reasons. Adult content providers possessing common sense will hesitate to move their operations into a censor-friendly zone of this kind. Indeed, the Free Speech Coalition, an adult entertainment trade group, is urging its members to boycott .xxx and stick with the tried and true .com suffix that most of them already use.

The success of .com helps explain why the latest Icann move, expanding the domain system in potentially infinite ways, is at best problematic. It's not entirely misguided, however. In principle, the idea is inoffensive; why not have internet addresses that fully match reality and might (repeat: might) be more secure under certain circumstances? And why would a company with a valuable trademark not want to reserve a domain suffix reflecting its trademark?

Because, as noted, the current system isn't all that broken. Trademark disputes already get resolved in the .com world with laws and rules of various kinds. So, who wins by inviting every enterprise with a trademark or valuable name to register with multiple domain suffixes? The registrars win, of course, and so does the organisation that decides who can be a registrar; that would be Icann, which, in effect, taxes the registrars based on how many people they sign up for domains.

Speaking of fees, if you want one of the new domain suffixes and are not a wealthy individual or company, get ready to put a major dent in your bank balance. The Icann application alone will be $185,000, with an annual fee of $25,000. Who sets this fee? Why, Icann, of course. Is it reasonable? Icann says it is. Why is it reasonable? Because Icann says, based on evidence that is less than persuasive, that it needs the money for things like legal costs.

So much for small business registrations, much less domains for individuals with relatively common last names (how about .JohnSmithWhoWasBornInDallasOnMay51983?) which want to be as unique in their domain name as they are in the real world.

Esther Dyson, former board chair at Icann (and a friend), told NPR she considered the new domains "a useless market". She is right, but I'd go further: Icann itself is unneeded, or should be made to be so.

Clearly, it would be unworkable to simply pull the plug on Icann, because it has become a key link in the digital chain. But the internet community should be working on a bypass, not controlled in any way by governments, that is both secure and robust.

A partial bypass already exists for end users. It's called Google, though this also applies to Bing and other search engines. Internet users are learning that it's easier, almost always with better results, to type the name of the enterprise they're searching for into the browser's search bar than to guess at a domain name and type that guess into the address bar.

Google isn't the DNS, but its method suggests new approaches. To that end, some technologists have suggested creating a DNS overlay, operated in a peer-to-peer way that incorporates modern search techniques and other tools. Making this workable and secure would be far from trivial, but it's worth the effort.

A few years ago, I was a candidate for a post on the Icann board. During an interview, I was asked to describe what I hoped to achieve, should I be asked to serve. A major goal, I replied, was to find ways to make Icann less necessary. My service was not required.
From rforno at infowarrior.org Fri Jun 24 13:05:21 2011 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Jun 2011 14:05:21 -0400 Subject: [Infowarrior] - Challenges to red light cameras span US Message-ID: <5B98497A-D614-4D89-B24F-6D10F63F8D48@infowarrior.org> Challenges to red light cameras span US Studies touting safety benefits sometimes contradictory, incomplete http://today.msnbc.msn.com/id/43521646/ns/us_news-life/ In more than 500 cities and towns in 25 states, silent sentries keep watch over intersections, snapping photos and shooting video of drivers who run red lights. The cameras are on the job in metropolises like Houston and Chicago and in small towns like Selmer, Tenn., population 4,700, where a single camera setup monitors traffic at the intersection of U.S. Highway 64 and Mulberry Avenue. One of the places is Los Angeles, where, if the Police Commission gets its way, the red light cameras will have to come down in a few weeks. That puts the nation's second-largest city at the leading edge of an anti-camera movement that appears to have been gaining traction across the country in recent weeks. A City Council committee is considering whether to continue the city's camera contract over the objections of the commission, which voted unanimously to remove the camera system, which shoots video of cars running red lights at 32 of the city's thousands of intersections. The private Arizona company that installed the cameras and runs the program mails off $446 tickets to their registered owners. The company's contract will expire at the end of July if the council can't reach a final agreement to renew it. Opponents of the cameras often argue that they are really just revenue engines for struggling cities and towns, silently dinging motorists for mostly minor infractions. 
And while guidelines issued by the National Highway Traffic Safety Administration say revenue is an invalid justification for the use of the eyes in the sky, camera-generated citations do spin off a lot of money in many cities ? the nearly 400 cameras in Chicago, for example, generated more than $64 million in 2009, the last year for which complete figures were available. Los Angeles hasn't been so lucky. The city gets only a third of the revenue generated by camera citations, many of which go unpaid anyway because judges refuse to enforce them, the city controller's office reported last year. It found in an audit that if you add it all up, operating the cameras has cost $1 million to $1.5 million a year more than they've generated in fines, even as "the program has not been able to document conclusively an increase in public safety." Another common refrain from critics is that the devices replace a human officer's judgment and discretion with the cold, unforgiving algorithms of a machine. "You've got to treat people fairly," said Jay Beeber, executive director of Safer Streets LA, who has led the campaign to kill the city's red light cameras. "You have to give people a fighting chance that you're not going to penalize them for a minor lapse of judgment." Paul Kubosh, a lawyer who has led a similar anti-camera fight in Houston, called the camera systems "a scam on the public," because they "are writing tickets that police officers don't write." There's a fierce court battle going on in Houston, the nation's fourth-largest city, after a U.S. district judge this week ruled that a measure voters approved to shut down the city's more than 70 cameras was invalid on procedural grounds. Could hundreds of lives be saved? More than a dozen large studies over the past decade have concluded that the cameras reduce accidents and injuries. 
The most recent, published in February by the Insurance Institute for Highway Safety, crunched 10 years of federal traffic data for the 99 largest U.S. cities -- 14 of which now deploy cameras -- and calculated that had all 99 installed the devices, 815 lives would have been saved from 2004 through 2008.

"We still have thousands of people who die," said Adrian Lund, the Insurance Institute's president. "We look at where and how that's happening, and one of the most dangerous (locations) is intersections."

Citing reports like that, the U.S. Conference of Mayors, which coincidentally is headed by Los Angeles Mayor Antonio Villaraigosa, this week approved a resolution endorsing nationwide adoption of red light cameras.

And yet, in addition to the votes in Los Angeles and Houston:

- The Albuquerque, N.M., City Council voted this month to let residents vote on the future of the city's 20 red light cameras in October. (City lawyers are still weighing whether the vote would have any official effect.)
- In May, a Missouri circuit judge issued a preliminary ruling saying the measure that authorized St. Louis' 51 cameras was illegally enacted.
- Tennessee Gov. Bill Haslam said he would sign a bill the Legislature passed last month to limit -- though not ban outright -- localities' use of cameras at intersections.
- The North Carolina Senate voted in April to ban cameras; the measure awaits House action.
- The Florida House passed a bill last month to ban red light cameras; the measure failed in the Senate.
- A Superior Court judge last week struck down the law that enacted use of cameras in Spokane, Wash., agreeing that citations generated by the cameras were invalid because they were not personally signed by a police officer.

Often, the cameras lead to fines -- and depending on the jurisdiction, costly points on drivers' records -- for borderline infractions like failing to come to a complete stop before making a right turn.
(That infraction makes up two-thirds of the citations issued at camera-monitored intersections in Los Angeles, even though it rarely leads to an accident, the controller's audit reported.)

Other common complaints are that the automated citations violate due process and equal protection rights -- often, there's no officer to confront in court -- and invade motorists' privacy.

Leslie Blakey, executive director of the nonprofit Campaign to Stop Red Light Running, which advocates for red light cameras, said opponents have fought the devices since they started taking root about a decade ago. She broke the opposition down into two camps: "civil libertarians who resist the imposition of automated enforcement" and "people who got tickets and just don't like it."

Beeber, of Safer Streets LA, agreed that "as more people get tickets, they start getting mad about it," saying: "You start doing that year after year after year and you start generating enough anger in the populace and it gets to the tipping point."

What's changed in the last couple of years, Blakey said, is the "ability of people to organize online and form communities and organize actions that are well-orchestrated" on sites like Facebook and Twitter. "These things are becoming more and more useful to a small minority of people who want to mount an action against anything," she said.

In response, Blakey's group points to the Insurance Institute study and others like it that conclude the "red light cameras lead to significant decreases in intersection violations and crashes."

Large studies produce wide range of results

This is where things get muddy, because hard research on the effect of red light cameras in the United States is incomplete and often contradictory. That includes the widely reported Insurance Institute study from February.

Like nearly all other studies over the past decade, that report found a significant decline in deaths from red light accidents in cities that use cameras. But deaths from U.S.
roadway accidents of all kinds have dropped significantly -- by 13.1 percent -- during the study period of 2004 through 2008, data from the Federal Highway Traffic Safety Administration show.

That means researchers have to dig deeper, but because there's no centralized database listing all of the nation's red light cameras, researchers have found it difficult to isolate and study only intersections monitored by cameras on a national scale.

So the Insurance Institute researchers constructed a statistical projection model that counted deaths at every intersection in 14 cities that now have cameras at some intersections and sought to extrapolate what effect cameras would have had if they had been in place at all of them. Those results, expressed as an average annual rate of deaths per million residents, were then compared with data from an earlier five-year period (1992-96), when there were no cameras at all in those cities. As a control, they also ran the same comparisons for 48 control cities that don't have any cameras.

Under that model, the Insurance Institute found a 35 percent reduction in the rate of deaths in the camera cities, compared with 14 percent in the non-camera cities.

Advocates say that's proof that the cameras directly save lives. Opponents say it's not, contending that the study, and others like it, compared apples to oranges.

The Insurance Institute's inventive approach was about as sound and rigorous a way as could be conceived to construct a comparison that necessarily involved incomplete data. How incomplete? In a city like Chicago, the institute had to include data from all 2,900 signalized intersections -- fewer than 200 of which, or less than 7 percent -- actually had cameras throughout the study period.

None of that means the Insurance Institute's conclusion is wrong. But it also doesn't mean it's indisputably right --
and critics have been eager to dispute it, noting that the study didn't include Los Angeles, where the city audit found that the rate of accidents actually rose or held steady at half of the intersections that had cameras. And it couldn't account for major rises in death rates in two of the 14 camera cities it did study -- Raleigh, N.C. (a 99 percent increase) and Bakersfield, Calif. (a 55 percent increase).

Other safety factors could affect numbers

Opponents point to a variety of other factors that could also have contributed to the decline in deaths at intersections, both with and without cameras, over the past decade. Cars are sturdier today thanks to tougher federal safety standards, and they almost universally deploy air bags. Authorities have cracked down on enforcing seat-belt and DUI laws, and engineering advances in roadway design have made intersections safer.

In particular, several traffic flow studies indicate that tinkering with signal cycles -- lengthening the time a signal remains yellow, or ensuring all four signals are red for a time before anyone can proceed -- results in a drastic drop in red light violations, accidents and deaths -- in a few single-city studies, more than 90 percent. That's because drivers inclined to try to beat the light have more time to clear the intersection before traffic starts barreling through from the other direction, they suggest.

To further account for the Institute's differences, they argue that deploying cameras demonstrates that city officials were already concerned about intersection safety and probably aggressively pursued most or all of those strategies.

To boil it down: The studies conclusively establish a correlation between the use of cameras and a reduction in deaths at signalized intersections; even opponents of cameras acknowledge that. The arguments arise because of the statistical reality that a correlation -- the fact that two things happened at the same time --
doesn't necessarily mean that one of those things caused the other. That's why many camera proponents, like Blakey, advise that municipalities "do a basic engineering review ... before they go to photo enforcement as a solution."

Researchers deny conflict of interest

Beeber, meanwhile, suspects a profit motive also figures into the results of camera research, arguing that many of the studies are done by groups with links to interested parties.

He contended that the Insurance Institute for Highway Safety is "a lobbying group for the insurance industry," which he argued has an incentive to push cameras because they generate more violations on drivers' records. That lets insurance companies "jack up your rates, and many times it can be three or four times the rate that you were paying" previously, he said.

Lund, the institute's president, denied that, saying, "We aren't involved in the business of insurance." While the institute is funded by auto insurers, it's an independent nonprofit whose "mission is to look at ways to lessen the losses," he said. While it may be true that "the public health interest actually coincides with our insurance interests," that's no more than "a nice synergy, and I don't see any conflict in that whatsoever," he said.

Blakey also acknowledged that the Campaign to Stop Red Light Running was founded with funding from a manufacturer of red light cameras and that "after four years, we were able to get some of the other companies involved." But she said the group broke ranks with the companies three years ago because she was troubled by their direct management of individual cities' camera programs, an example of "vendor overreach" that she said could call into question the programs' credibility.

Today, the campaign is funded by individual donors "concerned about red light running and speeding who feel that something needs to be done about this problem," she said. "I have always maintained a great deal of independence," she said.
"I would never agree that we were a front group."

Gauging the 'fear of death'

In the absence of consistently reliable research and nationwide standards that make comparisons easier, the contention over red light cameras is "only going to get worse because they're starting to put these things in more places," Beeber said.

Notwithstanding all of the data on both sides, the rationale for the cameras is flawed at its heart, he argued. That's because they proceed from an assumption the people who run red lights do so intentionally and that they can therefore be stopped by stricter enforcement measures of any sort.

"The fallacy is someone looks at a red light and decides, 'Well, I'm just going to blow through that,'" he said. "If the fear of death isn't enough to stop you from running a red light, I don't know what will."

From rforno at infowarrior.org Fri Jun 24 13:26:59 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 24 Jun 2011 14:26:59 -0400
Subject: [Infowarrior] - Twitter plans bolder advertisements
Message-ID: <202A515B-9A47-42BA-A68E-2D602499CCD2@infowarrior.org>

June 23, 2011 6:40 pm
Twitter plans bolder advertisements
By Tim Bradshaw in Cannes
http://www.ft.com/intl/cms/s/2/dcd35ed2-9dbc-11e0-b30c-00144feabdc0.html

Twitter is looking at introducing advertisements among the short messages that users see in the most active part of the social networking service, according to people with direct knowledge of its plans.

The move comes as Twitter looks at a wider range of options to generate revenues from a service that has so far failed to make money from its audience as effectively as rivals such as Facebook.

The move to place "promoted tweets" in the main "stream" of tweets on the service is likely to be controversial with users who have seen only limited and unobtrusive marketing messages so far in Twitter's five-year history.
Other commercial options under discussion include deals and offers similar in style to rival Groupon, which aggregates consumer demand for time-limited specific offers. It is also looking at introducing enhanced profile pages for brands and media management tools, which could allow advertisers to pre-schedule 140-character posts.

Twitter executives, including Adam Bain, head of revenue, have been meeting with marketers and agencies on the fringes of the Cannes Lions event this week to discuss new ways of harnessing its 300m registered users for advertising.

Twitter introduced "promoted tweets", its first advertising products last year. Modelled on Google's search advertising system, promoted tweets appear when users type in relevant terms using Twitter's search facility. It also now offers "promoted trends", at the top of the list of the most popular topics of discussion on the site, and "promoted accounts" in a list of recommended users to follow.

Although some brands, such as Coca-Cola, have had success with these formats, Twitter is looking for something that can offer greater scale.

According to three people familiar with the situation, Twitter's plans under consideration would see "promoted tweets" appear in their main timeline, the main focus of the Twitter website. Twitter had tested such ads with a third-party mobile client, HootSuite.

Users could also see tweets from a brand they follow appear high up in their stream even though they were posted hours previously.

The introduction of a "QuickBar" in Twitter's iPhone software, which prominently displayed promoted trends in the timeline, prompted an uproar from users earlier this year, forcing Twitter to remove the feature. Twitter said in a blog post at the time that it would be "bold in the product decisions we make" and remove features if they did not "improve the user experience or serve our mission".
"We believe there are still significant benefits to increasing awareness of what's happening outside the home timeline," it wrote in March. "Evidence of the incredibly high usage metrics for the QuickBar support this."

Twitter said: "We are always talking with marketers about ways they could potentially get more out of Twitter. Some of these discussed concepts may materialise; others will not."

Twitter is expected to generate revenues of about $100m this year, compared with Enders Analysis' forecast of Facebook's $3.5bn from display advertising alone.

"Twitter are getting it together, slowly," said one agency executive familiar with the company's plans. The service's integration into Apple's next version of its iPhone mobile software is a "massive coup", the executive added. Another said: "They are going to get much more commercial."

From rforno at infowarrior.org Fri Jun 24 15:00:41 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 24 Jun 2011 16:00:41 -0400
Subject: [Infowarrior] - Spies, military looking for hacker-, backdoor-proof circuits
Message-ID: <12BE2F81-F356-4852-8701-5F0827FC99AF@infowarrior.org>

Spies, military looking for hacker-, backdoor-proof circuits
By Adam Rawnsley, wired.com | Published about 2 hours ago
http://arstechnica.com/tech-policy/news/2011/06/spies-military-looking-for-hacker--backdoor-proof-circuits.ars

In 2010, the US military had a problem. It had bought over 59,000 microchips destined for installation in everything from missile defense systems to gadgets that tell friend from foe. The chips turned out to be counterfeits from China, but it could have been even worse. Instead of crappy Chinese fakes being put into Navy weapons systems, the chips could have been hacked, able to shut off a missile in the event of war or lie around just waiting to malfunction.
The Intelligence Advanced Research Projects Agency, the spy community's way-out research arm, is looking to avoid a repeat. The Trusted Integrated Circuit program is IARPA's attempt to keep foreign adversaries from messing with our chips -- and check the circuits for backdoors once they've been made.

The US has been worried about its foreign-sourced chips in its supply chain for a while now. In a 2005 report, the Defense Science Board warned that the shift towards greater foreign circuit production posed the risk that "trojan horse" circuits could be unknowingly installed in critical military systems. Foreign adversaries could modify chips to fizzle out early, the report said, or add secret back doors that would place a kill switch in military systems.

The problem is that the United States isn't the only game in town anymore when it comes to building better chips. Foreign chip foundries -- companies that manufacture chips for third parties -- are churning out more advanced products and making regular chips cheaper and more quickly. American military and intelligence customers would love to take advantage of some of these developments, but they don't want to limit themselves to just US-made technology.

The Defense Science Board warned in its report that "trust cannot be added to integrated circuits after fabrication." IARPA disagrees. The agency is looking for ways to check out chips once they've been made, asking for ideas on how the US can verify that its foreign chips haven't been hacked in the production process.

Keep your suggestions original, though. IARPA's sister-shop, DARPA, has already done some work on chip verification. DARPA's TRUST program uses advanced imaging and X-rays to search for deviations from chips' designs. Its IRIS program aims to check out chips when the US doesn't have the full designs to compare them to.

One way IARPA would like to make chips from foreign foundries safe is by splitting up the manufacturing process.
Under this scenario, the front-end-of-line (FEOL) stage of manufacturing would take place at offshore foundries, while the back-end-of-line processing would finish up at a more secure US facility.

IARPA is also interested in hearing ideas on chip obfuscation. The idea is to hide the "intent of digital and analog functions and their associated building blocks" of an integrated circuit in the FEOL manufacturing stage. If potential adversaries can't reverse-engineer or understand how a circuit works, it'll be harder for them to modify it for malicious purposes.

What kinds of chips is IARPA interested in? One type mentioned in its announcement are microelectromechanical systems, super-small chips that can be used to make things like very tiny advanced sensors. These kinds of chips have all kinds of military applications, helping to make 10-gram cameras for use on micro air vehicles and fast-acting sensors that can detect bacteria and viruses.

Photo by John R. Southern

From rforno at infowarrior.org Fri Jun 24 15:17:58 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 24 Jun 2011 16:17:58 -0400
Subject: [Infowarrior] - RIP Peter "One More Thing..." Falk
Message-ID: <53B0405D-6924-4E83-9669-C43EB5D47179@infowarrior.org>

'Columbo' actor Peter Falk dies at 83
By Todd Leopold, CNN
June 24, 2011 4:02 p.m. EDT
http://www.cnn.com/2011/SHOWBIZ/celebrity.news.gossip/06/24/obit.falk/

(CNN) -- Actor Peter Falk, who rose to fame on a shambling manner and a rumpled raincoat as the TV detective Lt. Columbo, has died. He was 83.

Falk died peacefully at his Beverly Hills home Thursday evening, according to a statement released by his friend, attorney Larry Larson. The cause of death was not released.
Though he was a renowned movie and stage actor -- he earned two Oscar nominations in the early '60s and won an Obie (an off-Broadway honor) for his performance in Eugene O'Neill's "The Iceman Cometh" -- he is best remembered for the polite, raincoat-wearing, Peugeot-driving Los Angeles police detective who always wanted to know "just one more thing."

That line -- which usually meant that the seemingly absent-minded detective was about to outwit his perfect-crime-committing suspects -- became so popular that Falk used it as the title of his memoir.

The character, which originated with "Columbo" writers and producers William Link and Richard Levinson, was given a unique spin by the actor.

"Before we ever had a script or anything, I was attracted to the idea of playing a character that housed within himself two opposing traits," Falk told CNN's Larry King in 2005. "On the one hand (he was) a regular Joe, Joe Six-Pack, the neighbor like everybody else. But, at the same time, the greatest homicide detective in the world. Now that's a great combination, and you can do a lot with that combination."

Falk first played Columbo in a 1968 TV movie "Prescription: Murder" and revived it three years later when the character became a regular part of the "NBC Mystery Movie," a series that also included Dennis Weaver's "McCloud" and "McMillan & Wife" with Rock Hudson and Susan Saint James. "Columbo" was the most popular of the "Mystery Movie" offerings, so much so that Falk was rumored to earn more than $250,000 an episode in the late '70s.

But Falk, who also starred in the films "The In-Laws" (1979), "Wings of Desire" (1987), "The Princess Bride" (1987) and several by his friend John Cassavetes, generally remained unimpressed with himself.

"I just keep working," he said. "I've never worried about the grand concepts. My philosophy is that I just try to get through the day," he told The New York Times in a 1990 interview.
Peter Michael Falk was born in New York City on September 16, 1927, and raised in Ossining, New York. After military service, he earned a master's in public administration and went to work for the Connecticut State Budget Bureau in Hartford as an efficiency expert.

"I was doing exactly what I was born not to do," he wrote in his memoir.

However, Hartford had a small theater troupe, and Falk immediately joined, which led to participation in other companies. Within a couple years -- while still working as a civil servant -- he was set to play Richard III at a summer workshop in Westport when, he says, a statement from acting teacher Eva Le Gallienne changed his life.

As Le Gallienne upbraided him for his chronic lateness -- he had to drive 45 minutes from Hartford every week -- Falk confessed that he wasn't really an actor. "Well, you should be," Le Gallienne replied, and that was enough for Falk to quit his job.

Soon he was a regular presence on the New York stage, earning raves for his performance as the bartender in "The Iceman Cometh." (One of his jobs, he recalled, was keeping the other actors awake during the 4 1/2-hour play.)

His work there and on TV led to an interview with Columbia Pictures head Harry Cohn. Cohn was concerned about Falk's glass eye, the result of an operation Falk had had as a child, and wanted the actor to take a screen test. Falk said there was nothing to talk about and refused.

"Young man, for the same price I'll get an actor with two eyes," Cohn retorted, according to Falk's memoir.

Falk's film breakthrough came in 1960's "Murder, Inc." in which he played gangster Abe Reles. The performance earned him a best supporting actor Oscar nomination. He earned another Oscar nomination for his performance in the next year's "Pocketful of Miracles," director Frank Capra's last film.

Falk went back and forth between film, TV and the stage in the '60s.
He had the lead in the short-lived TV series "The Trials of O'Brien," cast as a lawyer, and played Joseph Stalin in the even more short-lived "The Passion of Josef D.," a Paddy Chayefsky play, on Broadway. He also appeared in the films "It's a Mad, Mad, Mad, Mad World" (1963), "The Great Race" (1965) and "Luv" (1967).

But it was "Columbo" that made Falk's name. The TV movie character, which succeeded a play and TV episode that included him, was originally offered to Bing Crosby, of all people. But "Der Bingle" turned it down allegedly because it would get in the way of his golf game, according to Tim Brooks' and Earle Marsh's Complete Directory to Prime Time Network and Cable Shows.

The series turned the standard mystery structure inside out. Instead of being revealed at the end, the criminal and the crime were shown in great detail in the show's opening scenes. It was then up to Columbo to stumble onto the scene and figure out whodunit -- something the audience already knew.

The series had a storied run, winning seven Emmys -- including four for Falk. Steven Spielberg, then unknown, directed the first episode, and stars included Robert Culp, Ray Milland, Robert Vaughn and Cassavetes.

On the big screen, Falk's roles included parts in Cassavetes' gritty, verite films, such as "A Woman Under the Influence" (1974), as well as broad comedies, most notably "The In-Laws" (1979). In the latter, he played a CIA agent who drags a new friend, a dentist played by Alan Arkin, into a plot that involves currency printing plates and a coup in an unnamed Latin American country.

Falk's choice of roles was often quirky and unusual. After the initial run of "Columbo" ended, he starred in "... All the Marbles" (1981) as the manager of female wrestlers; German director Wim Wenders' "Wings of Desire" as an existentially blocked version of himself; and "The Princess Bride" as a storytelling grandfather.

"Columbo" returned for a series of movies in 1989 and ran, sporadically, until 2003.
In recent years, Falk had periods of furious activity -- he had three credits in 1995 and four in 2000, according to the Internet Movie Database -- and relaxed almost-retirement.

In 2008, his daughter said he was suffering from Alzheimer's disease in a filing for conservatorship. Early that year, Falk had been found disoriented on a Beverly Hills street, and that summer he suffered a head injury in an auto accident.

The conservatorship was granted to his wife, Shera, in June 2009. A doctor who evaluated Falk testified that the condition had worsened since a series of dental operations in 2007 and a hip procedure in 2008, and that the actor couldn't remember "Columbo."

But Falk always wanted to move on to the next thing, anyway. Taking a tip from his friend Cassavetes, he refused to repeat himself -- one reason his characters, even the ones he played more than once, always seemed so fresh.

"If your mind is at work, we're in danger of reproducing another cliché," he once said. "If we can keep our minds out of it and our thoughts out of it, maybe we'll come up with something original."

Falk is survived by his wife of 34 years, Shera; and two daughters, Catherine and Jackie, whom he adopted during his first marriage, to Alyce Mayo.

From rforno at infowarrior.org Fri Jun 24 19:05:46 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 24 Jun 2011 20:05:46 -0400
Subject: [Infowarrior] - Economist on the dangers of ETFs, ETNs, and more
Message-ID:

(Some ETFs I feel are fine -- but the more exotic ones, or the ones back by 'funny math' certainly deserve more scrutiny, I think. -- rick)

Exchange-traded funds
A fast-growing industry is attracting more regulatory attention
Jun 24th 2010 | New York | from the print edition
http://www.economist.com/node/16438622/print

EVEN the best financial innovations have a nasty habit of spinning out of control.
No surprise, then, that regulatory antennae are twitching at the rapid growth of exchange-traded funds (ETFs), investment pools that are listed on stockmarkets. ETFs have plenty of attractions, giving retail investors a relatively cheap way to diversify their holdings. But their dangers are also becoming more apparent.

The sheer size of the industry is one cause of concern. At the end of May ETFs in America held around $792.6 billion in assets, according to Morningstar, a research firm. The worldwide total passed $1 trillion at the end of 2009. Morgan Stanley predicts the industry will grow by 20-30% in 2010. The market has rapidly evolved to meet demand for more exotic products, particularly in commodities, where many worry about the impact of the appetite for ETFs on prices (see Buttonwood).

ETFs also gained popularity because investors can trade them all day long, whereas a mutual fund can be liquidated only at the beginning and end of the trading day. Retail investors, who are thought to make up half the American ETF market, are probably better off holding on to investments rather than day-trading them. And the "flash crash" on May 6th demonstrated that it is not always easy to exit from ETFs. As liquidity disappeared that day, many ETFs traded down nearly to zero.

The events of May 6th may have been exceptional but a period of market volatility is not. That spells danger for investors in leveraged ETFs, which use debt to magnify the returns of the index they follow. Because these ETFs "reset" on a daily basis, they can easily stray from their targets. If an index worth $100 drops 10% one day and gains 10% the next, it is worth $99, a loss of $1. You might assume that a fund leveraged to deliver twice the returns of this index would be worth $98, a loss of $2. In fact, an ETF of this sort would be worth $80 on the first day and $96 on the second day, for a loss of $4. Whether retail investors understand this is not clear.
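The daily-reset arithmetic in the paragraph above, carried through as an added example that is not part of the Economist article: a short Go program that applies any sequence of daily index moves both to a plain index holding and to a fund that re-applies its leverage each day, and compares the result with the naive "leverage times the period's total change" figure. The function names and the sample return series are my own constructions; the first series reproduces the article's $100, -10%, +10% case.

```go
package main

import "fmt"

// SimulateDailyReset applies a sequence of daily index returns, expressed
// as fractions (-0.10 for a 10% fall), to a plain index holding and to a
// fund that resets its leverage every day. A daily-reset fund multiplies
// each day's percentage move by the leverage factor, so its final value
// depends on the whole path of moves, not only on where the index ends.
func SimulateDailyReset(start, leverage float64, dailyReturns []float64) (index, fund float64) {
	index, fund = start, start
	for _, r := range dailyReturns {
		index *= 1 + r
		fund *= 1 + leverage*r
	}
	return index, fund
}

// NaiveLeveredValue is the figure an investor might expect instead: the
// index's total change over the whole period multiplied by the leverage.
func NaiveLeveredValue(start, leverage, indexEnd float64) float64 {
	return start * (1 + leverage*(indexEnd-start)/start)
}

func main() {
	// Constructed sample: the article's two-day path, a 10% fall then a 10% rise.
	returns := []float64{-0.10, 0.10}
	index, fund := SimulateDailyReset(100, 2, returns)
	fmt.Printf("index: %.2f  2x daily-reset fund: %.2f  naive expectation: %.2f\n",
		index, fund, NaiveLeveredValue(100, 2, index))

	// Constructed sample: a choppy week where the index ends flat. The
	// daily-reset fund still loses ground, and more so at higher leverage.
	choppy := []float64{-0.05, 1.0 / 0.95 - 1, -0.05, 1.0 / 0.95 - 1, -0.05, 1.0 / 0.95 - 1}
	index, fund = SimulateDailyReset(100, 3, choppy)
	fmt.Printf("index: %.2f  3x daily-reset fund: %.2f\n", index, fund)
}
```

The second sample is the point the article makes about volatility: the index returns to its starting level, yet the daily-reset fund does not, because each day's loss is applied to a smaller base than the following day's gain.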
Similar concerns dog other types of ETFs which use derivatives to achieve their results. An ETF tracking the price of oil, for instance, might not buy oil itself, but may make a "swap" deal with another financial firm guaranteeing a payout if the price of oil goes up. These "synthetic" funds entail hidden counterparty risks. If the firm guaranteeing the results of this oil ETF goes bankrupt, for instance, investors might lose their money regardless of the oil price.

In late March the Securities and Exchange Commission (SEC) issued a moratorium on the creation of new ETFs that use derivatives. Among other things, the government says it wants to assess whether a fund's prospectus clearly conveys how it uses derivatives. Pressure is also mounting in Europe, where some have suggested banning retail investors from buying inverse funds, which are designed to benefit from falling prices, or leveraged products.

The SEC hopes to finish its review by the end of summer and says its goal is to craft a policy that will permit ETFs only limited use of derivatives. Otherwise the industry's explosive rise may end badly.

From rforno at infowarrior.org Sat Jun 25 08:53:21 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 25 Jun 2011 09:53:21 -0400
Subject: [Infowarrior] - AP source: KKR, Silver Lake near deal on Go Daddy
Message-ID:

(c/o dg)

AP source: KKR, Silver Lake near deal on Go Daddy
By RACHEL METZ, AP Technology Writer
Fri Jun 24, 8:16 pm ET
http://news.yahoo.com/s/ap/20110625/ap_on_hi_te/us_godaddy_sale/print

SAN FRANCISCO -- Go Daddy, the domain-name registration company known for its racy Super Bowl ads, is close to being bought by two private investment firms for up to $2.5 billion, according to a person close to the deal.

A deal is expected by Tuesday, said the person, who spoke on condition of anonymity because the transaction hasn't been publicly announced.

The deal is being led by Silver Lake Partners and KKR & Co., according to the person.
Silver Lake's investment portfolio includes a variety of tech companies, while KKR's spans a number of industries, including technology. Private-equity and venture capital firm Technology Crossover Ventures will be involved as a lesser partner.

The person said Go Daddy had been looking to sell itself.

The Go Daddy Group Inc. was founded in 1997 by Bob Parsons, who continues to serve as its CEO. The privately held company, which is based in Scottsdale, Ariz., manages more than 48 million domain names. It also sells Web hosting services, site-building tools and other website-related offerings.

The company's ads for its eponymous domain registration website, GoDaddy.com, are known for featuring scantily clad women including Danica Patrick, a race car driver who is sponsored by the company.

KKR's desire for Go Daddy was reported earlier by the New York Post.

From rforno at infowarrior.org Sat Jun 25 08:56:21 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 25 Jun 2011 09:56:21 -0400
Subject: [Infowarrior] - Singapore: A Stronger Net Security System Is Deployed
Message-ID: <0B69D355-9FA8-4C23-9A3F-4BE1E84A91FF@infowarrior.org>

(c/o jc)

June 24, 2011
A Stronger Net Security System Is Deployed
By JOHN MARKOFF
http://www.nytimes.com/2011/06/25/science/25trust.html

A small group of Internet security specialists gathered in Singapore this week to start up a global system to make e-mail and e-commerce more secure, end the proliferation of passwords and raise the bar significantly for Internet scam artists, spies and troublemakers.

"It won't matter where you are in the world or who you are in the world, you're going to be able to authenticate everyone and everything," said Dan Kaminsky, an independent network security researcher who is one of the engineers involved in the project.
The Singapore event included an elaborate technical ceremony to create and then securely store numerical keys that will be kept in three hardened data centers there, in Zurich and in San Jose, Calif. The keys and data centers are working parts of a technology known as Secure DNS, or DNSSEC. DNS refers to the Domain Name System, which is a directory that connects names to numerical Internet addresses.

Preliminary work on the security system had been going on for more than a year, but this was the first time the system went into operation, even though it is not quite complete. The three centers are fortresses made up of five layers of physical, electronic and cryptographic security, making it virtually impossible to tamper with the system. Four layers are active now. The fifth, a physical barrier, is being built inside the data center.

The technology is viewed by many computer security specialists as a ray of hope amid the recent cascade of data thefts, attacks, disruptions and scandals, including break-ins at Citibank, Sony, Lockheed Martin, RSA Security and elsewhere. It allows users to communicate via the Internet with high confidence that the identity of the person or organization they are communicating with is not being spoofed or forged.

Internet engineers like Mr. Kaminsky want to counteract three major deficiencies in today's Internet. There is no mechanism for ensuring trust, the quality of software is uneven, and it is difficult to track down bad actors.

One reason for these flaws is that from the 1960s through the 1980s the engineers who designed the network's underlying technology were concerned about reliable, rather than secure, communications. That is starting to change with the introduction of Secure DNS by governments and other organizations.

The event in Singapore capped a process that began more than a year ago and is expected to be complete after 300 so-called top-level domains have been digitally signed, around the end of the year.
Before the Singapore event, 70 countries had adopted the technology, and 14 more were added as part of the event. While large countries are generally doing the technical work to include their own domains in the system, the consortium of Internet security specialists is helping smaller countries and organizations with the process.

The United States government was initially divided over the technology. The Department of Homeland Security included the .gov domain early in 2009, while the Department of Commerce initially resisted including the .us domain because some large Internet corporations opposed the deployment of the technology, which is incompatible with some older security protocols.

Internet security specialists said the new security protocol would initially affect Web traffic and e-mail. Most users should be mostly protected by the end of the year, but the effectiveness for a user depends on the participation of the government, Internet providers and organizations and businesses visited online.

Eventually the system is expected to have a broad effect on all kinds of communications, including voice calls that travel over the Internet, known as voice-over-Internet protocol.

"In the very long term it will be voice-over-I.P. that will benefit the most," said Bill Woodcock, research director at the Packet Clearing House, a group based in Berkeley, Calif., that is assisting Icann, the Internet governance organization, in deploying Secure DNS. Secure DNS makes it possible to make phone calls over the Internet secure from eavesdropping and other kinds of snooping, he said.

Security specialists are hopeful that the new Secure DNS system will enable a global authentication scheme that will be more impenetrable and less expensive than an earlier system of commercial digital certificates that proved vulnerable in a series of prominent compromises.

The first notable case of a compromise of the digital certificates -- electronic documents that establish a user's credentials in business or other transactions on the Web -- occurred a decade ago when VeriSign, a prominent vendor of the certificates, mistakenly issued two of them to a person who falsely claimed to represent Microsoft.

Last year, the authors of the Stuxnet computer worm that was used to attack the Iranian uranium processing facility at Natanz were able to steal authentic digital certificates from Taiwanese technology companies. The certificates were used to help the worm evade digital defenses intended to block malware.

In March, Comodo, a firm that markets digital certificates, said it had been attacked by a hacker based in Iran who was trying to use the stolen documents to masquerade as companies like Google, Microsoft, Skype and Yahoo.

"At some point the trust gets diluted, and it's just not as good as it used to be," said Rick Lamb, the manager of Icann's Secure DNS program.

The deployment of Secure DNS will significantly lower the cost of adding a layer of security, making it more likely that services built on the technology will be widely available, according to computer network security specialists. It will also potentially serve as a foundation technology for an ambitious United States government effort begun this spring to create a system to ensure "trusted identities" in cyberspace.

From rforno at infowarrior.org Sat Jun 25 09:14:31 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 25 Jun 2011 10:14:31 -0400
Subject: [Infowarrior] - CORRECTION -- Re: Economist on the dangers of ETFs, ETNs, and more
In-Reply-To:
References:
Message-ID:

Sorry.....the original article I sent was from 2010 and not this week's Economist.
The article I meant to send can be found here:

Exchange-traded funds
Too much of a good thing
The risks created by complicating a simple idea
Jun 23rd 2011 | from the print edition
http://www.economist.com/node/18864254/print

Have a good weekend, and thx to JVB for pointing out the error.

- rick

From rforno at infowarrior.org Sat Jun 25 09:31:01 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 25 Jun 2011 10:31:01 -0400
Subject: [Infowarrior] - Google to End Health Records Service After It Fails to Attract Users
Message-ID:

June 24, 2011
Google to End Health Records Service After It Fails to Attract Users
By STEVE LOHR
https://www.nytimes.com/2011/06/25/technology/25health.html

Google is giving up on its vision of helping people live healthier lives with online personal health records.

When Google Health was introduced in 2008, Marissa Mayer, a Google executive, said it would be a "large ongoing initiative" that the company hoped would attract millions of regular users. But Google Health never really caught on.

In a posting on the company's blog on Friday, Aaron Brown, senior product manager for Google Health, wrote that the goal was to "translate our successful consumer-centered approach from other domains to health care and have a real impact on the day-to-day health experiences of millions of our users." Yet, after three years, Mr. Brown said, "Google Health is not having the broad impact we had hoped it would."

In the drive to apply information technology to health care, personalized health records are the element that relies most heavily on individual motivation and efforts. They are controlled by the consumer, and require individuals to put in, update and edit their health data. By contrast, the federal government has begun a five-year campaign to accelerate the adoption of electronic patient records by hospitals and doctors, with the incentive payments to physicians topping $40,000.
Personal health records, analysts say, are a new concept to most people, and early users have found them difficult to use.

"Personal health records have been a technology in search of a market," said Lynne A. Dunbrack, an analyst at IDC Health Insights, a research firm. In a survey earlier this year, IDC Health Insights found that 7 percent of consumers had tried online personal health records, and fewer than half of those continued to use them.

Google is by no means the only company to abandon the field of consumer health records. Revolution Health, for example, retired its personal health record service last year, citing few users. Suppliers of online personal health records include WebMD, Microsoft, RelayHealth and Dossia. But analysts note that what success these offerings have had has often been in partnership with insurers and health providers, while Dossia is an employer-sponsored personal health record.

Adam Bosworth, a former manager of Google Health, who left in 2007 before the service was introduced, said the service could not overcome the obstacle of requiring people to laboriously put in their own data. "In the end," Mr. Bosworth said, "it was an experiment that did not have a compelling consumer proposition."

The consumer technologies that catch on, he said, inform or entertain users, or enable social communication. Mr. Bosworth said he learned that in his own health information technology company, Keas. The business started in 2009, but switched its approach last November to focus on social games to encourage participation in wellness programs.

Technology companies have often underestimated the complexity of the health field, assuming that fresh ideas and new digital tools will bring quick results, said Dr. David J. Brailer, the national coordinator for health information technology in the Bush administration. When that does not happen, they pull back, Dr. Brailer said.

The Google experience, he said, fit that pattern, and the company had been pulling resources from Google Health for some time. "For a long while, everybody knew that Google Health was dead, except Google," said Dr. Brailer, who is the chief executive of Health Evolution Partners, an investment fund.

Google is also shutting down its PowerMeter service, which let consumers track their energy use.

From rforno at infowarrior.org Sat Jun 25 18:41:05 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 25 Jun 2011 19:41:05 -0400
Subject: [Infowarrior] - Humour: You're Welcome - Hacker Threat
Message-ID:

You're Welcome - Hacker Threat
John Hodgman does whatever it takes to keep the hackers happy so his Etsy storefront stays safe.
http://www.thedailyshow.com/watch/thu-june-23-2011/you-re-welcome---hacker-threat

From rforno at infowarrior.org Sat Jun 25 22:23:17 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 25 Jun 2011 23:23:17 -0400
Subject: [Infowarrior] - LulzSec disbanding
Message-ID:

Notorious Hacker Group LulzSec Just Announced That It's Finished
Joe Weisenthal | Jun. 25, 2011, 7:06 PM
http://www.businessinsider.com/lulzsec-finished-2011-6

LulzSec, the notorious hacker group that's been on a rampage, just announced that it's disbanding. This follows 50 days of chaos during which time it took down several websites (including CIA.gov at one point), exposed passwords, exposed documents of the Arizona penal system, and at one point threatened to hit Too Big To Fail banks.

Obviously, it's possible that the group will not abide by its promise to quit. Nobody knows. Regardless, already other affiliated hackers are promising to "sail the stormy seas for booty and Lulz" so it would clearly be a mistake to think some major turning point has been reached.

The below note was pubbed here, and tweeted from the @lulzsec account.
---

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we've been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others - vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It's what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn't that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we've gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don't stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it's time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind - we hope - inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow...

Lulz Security - our crew of six wishes you a happy 2011, and a shout-out to all of our battlefleet members and supporters across the globe

From rforno at infowarrior.org Sun Jun 26 14:36:48 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 26 Jun 2011 15:36:48 -0400
Subject: [Infowarrior] - Elderly woman asked to remove adult diaper during TSA search
Message-ID:

Elderly woman asked to remove adult diaper during TSA search
June 25, 2011 12:41:00 PM
LAUREN SAGE REINLIE / Florida Freedom Newspapers
http://www.newsherald.com/news/mother-94767-search-adult.html

A woman has filed a complaint with federal authorities over how her elderly mother was treated at Northwest Florida Regional Airport last weekend.

Jean Weber of Destin filed a complaint with the Department of Homeland Security after her 95-year-old mother was detained and extensively searched last Saturday while trying to board a plane to fly to Michigan to be with family members during the final stages of her battle with leukemia.

Her mother, who was in a wheelchair, was asked to remove an adult diaper in order to complete a pat-down search.

"It's something I couldn't imagine happening on American soil," Weber said Friday. "Here is my mother, 95 years old, 105 pounds, barely able to stand, and then this."
Sari Koshetz, a spokeswoman for the Transportation Security Administration in Miami, said she could not comment on specific cases to protect the privacy of those involved.

"The TSA works with passengers to resolve any security alarms in a respectful and sensitive manner," she said.

Weber's mother entered the airport's security checkpoint in a wheelchair because she was not stable enough to walk through, Weber said.

Wheelchairs trigger certain protocols, including pat-downs and possible swabbing for explosives, Koshetz said.

"During any part of the process, if there is an alarm, then we have to resolve that alarm," she said.

Weber said she did not know whether her mother had triggered an alarm during the 45 minutes they were detained.

She said her mother was first pulled aside into a glass-partitioned area and patted down. Then she was taken to another room to protect her privacy during a more extensive search, Weber said.

Weber said she sat outside the room during the search.

She said security personnel then came out and told her they would need for her mother to remove her Depends diaper because it was soiled and was impeding their search.

Weber wheeled her mother into a bathroom, removed her diaper and returned. Her mother did not have another clean diaper with her, Weber said.

Weber said she wished there were less invasive search methods for an elderly person who is unable to walk through security gates.

"I don't understand why they have to put them through that kind of procedure," she said.

Koshetz said the procedures are the same for everyone to ensure national security.

"TSA cannot exempt any group from screening because we know from intelligence that there are terrorists out there that would then exploit that vulnerability," she said.

Weber filed a complaint through Northwest Florida Regional's website. She said she received a response from a Homeland Security representative at the airport on Tuesday and spoke to that person on the phone Wednesday.

The representative told her that personnel had followed procedures during the search, Weber said.

"Then I thought, if you're just following rules and regulations, then the rules and regulations need to be changed," she said.

Weber said she plans to file additional complaints next week.

"I'm not one to make waves, but dadgummit, this is wrong. People need to know. Next time it could be you."

From rforno at infowarrior.org Sun Jun 26 21:05:09 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 26 Jun 2011 22:05:09 -0400
Subject: [Infowarrior] - U.S. to Provide Guidelines to Bolster Computer Security
Message-ID:

June 26, 2011
U.S. to Provide Guidelines to Bolster Computer Security
By RIVA RICHMOND
http://www.nytimes.com/2011/06/27/technology/27secure.html

The Homeland Security Department plans to unveil on Monday a new system of guidance intended to help make the software behind many services -- be they Web sites or power grids -- less susceptible to hacking.

The system includes an updated list of the top 25 programming errors that enable today's most serious hacks. To help make the list more useful, it adds new tools to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products.

The effort to improve software security has been three years in the making, according to Robert A. Martin, principal engineer at Mitre, a technology nonprofit that conducts federal research in systems engineering.

The Homeland Security Department's hope is that the program, which is voluntary, will make it easier for companies and agencies to better secure their corners of cyberspace and contribute to building safer global networks.

"We're going after root cause issues," said a senior department official, who declined to be named because the announcement of the new plans had not yet been made. "You can make your enterprise more resilient from the people who would attack you."
The top 25 list was created by the nonprofit SANS Institute and Mitre with the help of top software security experts in the United States and Europe, and it includes programming errors that have been used in a number of recent headline-grabbing hacking attacks.

For instance, No. 1 on the list is a programming mistake that allows so-called SQL-injection attacks on Web sites, which were successfully used by the hacker group LulzSec. That group was able to use the flaws to cause databases to spit out user names and passwords from Web sites, including one associated with the F.B.I.'s InfraGard program and NATO's online bookstore. The list also warns about the type of error that allowed hackers to steal several hundred thousand credit card numbers from a Citigroup site recently.

The guidance framework will include "vignettes" for industries like e-commerce, banking and manufacturing, and will highlight for them which programming errors are of greatest concern in the types of technologies they use.

Companies that make tools to test software for dangerous programming mistakes are already beginning to incorporate the frameworks into their products, said Alan Paller, head of research at SANS. And eventually there will be services that help businesses evaluate whether the software they're considering buying has stood up to scrutiny.

Avoiding common programming mistakes is vital to fending off today's worst attacks, he said. "This is the only way to get around 'zero days,'" he said, referring to attacks that make use of software vulnerabilities that are unknown and, therefore, cannot be fixed quickly with patches. "The only possible defense is to stop the error from being in the software in the first place."
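The No. 1 entry, the SQL-injection mistake, as an added example that is not from the article or from the SANS/Mitre list itself: a user-table lookup written the way the error creeps in, beside the parameterised version that removes the error class, both run against a constructed in-memory SQLite table so the difference in what each query hands back can be checked directly (the table rows and the "hash" strings are made up).

```python
"""CWE-89 (SQL injection), the top entry on the list discussed above:
the same lookup written with string formatting and with bound parameters.
The users table and its contents are constructed for this example."""
import sqlite3

# Constructed sample rows; the password_hash values are placeholders,
# not real digests.
SAMPLE_USERS = [
    ("alice", "placeholder-hash-alice"),
    ("bob", "placeholder-hash-bob"),
    ("carol", "placeholder-hash-carol"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The programming error: user input is spliced into the query text,
    so the input can change the query's structure, not just its data.
    This is the pattern that lets a database 'spit out' every row."""
    query = (
        "SELECT username, password_hash FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the query text is fixed at write time and the input is bound
    as a parameter, so whatever it contains is compared literally against
    the column and can never become part of the SQL."""
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on a benign name and on a tautology input and return
    the row counts, so the difference can be checked programmatically."""
    conn = make_db()
    benign = "alice"
    # Textbook input: closes the string literal and appends an always-true
    # condition, so the vulnerable WHERE clause matches every row.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "hardened_benign": len(lookup_hardened(conn, benign)),
        "hardened_tautology": len(lookup_hardened(conn, tautology)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable lookup returns all three rows for the tautology input while the parameterised one returns none, which is exactly the distinction Paller draws: the error is absent from the second version rather than filtered at the edge.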
From rforno at infowarrior.org Mon Jun 27 08:51:43 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Jun 2011 09:51:43 -0400
Subject: [Infowarrior] - Congress hears criticisms of WH cyber proposal
Message-ID: <15A7C698-079C-4CC7-BF29-EA5CD9B2E3DC@infowarrior.org>

Congress hears criticisms of WH cyber proposal
June 27, 2011 - 7:30am
By Jared Serbu
Reporter
Federal News Radio
http://www.federalnewsradio.com/?nid=35&sid=2438535

Experts from outside government criticized the White House's legislative proposal for cybersecurity Friday, saying the bill the administration has proposed could make the nation's critical infrastructure less secure.

The House Homeland Security Subcommittee on Cybersecurity invited testimony from witnesses outside government. The subcommittee is one of several Congressional panels tasked with developing information security policy during the current legislative session.

Melissa Hathaway, who served as President Barack Obama's acting cybersecurity chief during most of 2009, told the panel Congress should closely examine the effects of the administration's proposal on industry and invite private sector input. She said this is something the White House process, which produced the legislative proposal submitted to Congress earlier this year, appears not to have done.

"The administration's proposal had the opportunity to engage the private sector to inform the debate and the items within the proposal. But during the course of their review, they did not engage the private sector," she told the subcommittee. "That's why it's so important that this committee and other committees understand the second and third order effects of regulation and other market levers."

She said she was specifically worried about a confused definition of the role of the Department of Homeland Security in cyberspace and said Congress should discuss whether it should serve as a policy function, an operational function, or a regulatory function.

"The proposal attempts to establish a minimum standard of care and an audit and certification function similar to the Securities and Exchange Commission requirement for attestation of material risk. In my view, inserting DHS into a regulatory role in this context could dilute its operational and policy responsibilities and likely distract from the nation's security posture," she said.

Hathaway also said she worried about DHS being assigned broader roles and missions at a time when the department is still finding its sea legs in the cybersecurity arena.

Larry Clinton, president of the Internet Security Alliance, was far more blunt in his criticism of the administration proposal, calling it "anti-security." In particular, his group, which primarily represents the operators of privately owned critical infrastructure, worries about provisions in the bill which mandate that companies disclose data breaches in a timely manner.

The administration believes that increasing the transparency of breaches will provide incentives for industry to increase their cybersecurity in order to prevent embarrassing incidents. But Clinton said the proposal begs the question of what precisely a breach is and when a breach is actually a problem.

"There's currently an opinion -- in the press anyway -- that when you've been breached, that's a significant incident," he said. "In the modern world with modern attacks, virtually everybody gets breached. If you're going to have these advanced persistent threat guys come after you, they're going to get into your system. If you're going to make that the line, and then you're subject to some of these name-and-shame penalties, I think that would be a mistake."

Clinton said any legislation that would require companies to disclose all breaches is based on outdated thinking. The old model, he said, is based on the idea that companies and agencies can defend their network perimeters and keep attackers out.
Instead, he said, the focus should be on making sure networks can be defended from the inside and that any damage intruders do once they've penetrated a network can be mitigated.

"They go in your system and they hide. It's very difficult to find these guys," he said. "We should be providing incentives for companies to go and look for them. If a corporation knows that the harder they look, the more likely it is they'll be named and shamed for finding them, we've created exactly the wrong incentives. It would be much better if companies were proactively incented so that they wanted to go find these guys, because they would lower their liability, lower their insurance rates and have a better chance at federal contracts."

He said companies such as major defense contractors who have advanced intrusion detection systems would, in effect, be penalized, because they are more able to spot the slightest compromise to their networks. He said the message to the rest of industry under the administration's proposal would be to do everything they can to avoid spotting network intrusions, and therefore avoid having to report them.

The Homeland Security Committee is one of many on Capitol Hill that is currently considering pieces of legislation that would reform the government approach to cybersecurity. Besides the legislative text the White House submitted, a tally assembled by Hathaway puts the number of bills under active consideration at 10 on the Senate side alone. There are eight more in the House.

From rforno at infowarrior.org Mon Jun 27 09:39:38 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Jun 2011 10:39:38 -0400
Subject: [Infowarrior] - SCOTUS: Can't Ban Violent Video Game Sales
Message-ID:

Court: Calif. can't ban violent video game sales
By JESSE J. HOLLAND, Associated Press -- 7 mins ago
http://news.yahoo.com/s/ap/us_supreme_court_violent_video_games

WASHINGTON -- The Supreme Court says California cannot ban the rental or sale of violent video games to children.

The high court agreed Monday with a federal court's decision to throw out California's ban on the sale or rental of violent video games to minors. The 9th U.S. Circuit Court of Appeals in Sacramento said the law violated minors' rights under the First and Fourteenth amendments.

The law would have prohibited the sale or rental of violent games to anyone under 18. Retailers who violated the act would have been fined up to $1,000 for each infraction.

The court on a 7-2 vote said the law was unconstitutional.

More than 46 million American households have at least one video-game system, with the industry bringing in at least $18

From rforno at infowarrior.org Mon Jun 27 10:48:31 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Jun 2011 11:48:31 -0400
Subject: [Infowarrior] - Microsoft May Add Eavesdropping To Skype
Message-ID: <8D1E5CE5-D442-4DF1-8F75-F68EFF861565@infowarrior.org>

(c/o D)

Microsoft May Add Eavesdropping To Skype
Kurt Bakke in Products on June 26

The U.S. Patent and Trademark Office published a Microsoft patent application that reaches back to December 2009 and describes "recording agents" to legally intercept VoIP phone calls. The Legal Intercept patent application is one of Microsoft's more elaborate and detailed patent papers, which is comprehensive enough to make you think twice about the use of VoIP audio and video communications.

The document provides Microsoft's idea about the nature, positioning and feature set of recording agents that silently record the communication between two or more parties. The patent was filed well before Microsoft's acquisition of Skype and there is no reason to believe that the patent was filed with Skype as a Microsoft property in mind.
However, the patent mentions Skype explicitly as an example application for this technology and Microsoft may now have to answer questions in which way this patent applies to its new Skype entity and if the technology will become part of Skype. Legal intercept structure (RA= recording agent) In the patent descriptions, the company justifies such a feature with the fact that monitoring of calls has been around for a long time for traditional calls, but devices that were used for plain old telephone service (POTS) simply do not work with VoIP anymore. Recording agents are designed to take the place of those outdated devices, but are ? not surprisingly ? much more capable, can be placed in different locations and automate call interceptions. For example, Microsoft says that recording will be triggered by ?events?, or a ?sequence of events? ? for example when specific callers are involved. The patent does not mention an eavesdropping module that is integrated into the client software. However, it describes recordings agents that can be placed in a multitude of devices, including routers (see image, RA = recording agent). There is also the note of a recording agent software that represents ?a software module that logically and/or physically sits between the call server and the network.? According to Microsoft, the agent will have access ?to each communication sent to and from the call server,? which clearly refers to the general infrastructure of a VoIP service and network. Legal intercept process The patent lists the following process of a silently recorded call (we removed references to drawings in the description for easier reading): 1. A delivery endpoint is registered with a call server. For example, the intercept requestor may register an IP address/port for delivery of copies of recorded communications associated with a designated VoIP entity. 2. A request to monitor a selected VoIP entity is sent by the requestor to the call server. 
For example, the intercept requestor may request that the call server record communications for the VoIP entity. 3. An initiating entity negotiates candidate network paths with a media relay. For example, the VoIP entity may talk to a STUN, TURN, and/or other servers to determine what IP address/port of the VoIP entity is visible from the network. For example, if the VoIP entity is connected to a NAT, the NAT may translate IP addresses and port numbers. In STUN/TURN environments, the call gateway may act as a STUN and/or TURN server. The SDP parameters indicated previously are an example of what may result as the entity negotiates candidate communication points with a media relay. 4. The initiating entity sends an invite to the call server. The invite includes data regarding establishing a communication session between at least two entities via a switched packet network for a communication that includes audio. For example, the VoIP entity sends an invite (such as the SDP parameters mentioned previously) to the call server to communicate with a VoIP entity in the enterprise. 5. A copy of the invite is sent to the delivery point. For example, the call server may send a copy of the invite to the intercept requestor or another endpoint designated by the intercept requestor. 6. An invite with no local candidates is sent to the remote entity. For example, the call server sends an SDP with the local candidates deleted to the remote entity of the enterprise . Having no local candidates is synonymous with having ?no direct paths.? In STUN/TURN terminology, this means that the VoIP entity needs to employ a TURN server to communicate with the remote entity. 7. The remote entity responds to the invite by sending ?OK.? For example, the remote entity in the enterprise responds to the invite by sending an OK to the call server. 8. A copy of the OK is sent to the delivery point. 
For example, the call server sends a copy of the OK to the intercept requestor or another endpoint designated by the intercept requestor.

9. The OK is sent to the initiating entity. For example, the call server sends the OK to the VoIP entity.

10. The agent that will be recording the subsequent communication between the entities is configured so that it will create a copy of the communication. For example, the call server, the call gateway, or some other server may configure the router to create a copy of the communication to and from the VoIP entity. Note that the recorder may be configured to record a communication for an entity any time after a monitoring request for the entity is received.

11. The VoIP entity sends a packet to the media relay. For example, the VoIP entity may send a packet to the call gateway.

12. The packet passes to the recorder. For example, the packet may pass to the router.

13. The packet is sent to the remote entity. In addition, a copy of the packet is sent to the delivery point and/or stored for later sending to the delivery point or retrieval by a law enforcement agent. For example, the router sends the packet to the VoIP entity in the enterprise and sends a copy of the packet to the intercept requestor or another endpoint designated by the intercept requestor. This continues until the communication is terminated.

14. Upon termination, the delivery endpoint may be informed that the communication has terminated.

The patent clearly addresses the need of governments and law enforcement to record Internet calls. There is also a certain sense that especially closed networks are targeted with this technology, yet the clear notion that VoIP applications targeted by this patent "may include audio messages transmitted via gaming systems, instant messaging protocols that transmit audio, Skype and Skype-like applications, meeting software, video conferencing software, and the like"
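To make the 14-step flow concrete, here is a small model of the call server, the delivery point and the recording agent in the media path. This is an added example written for this digest, not code from the patent or from Microsoft; the entity names, the SDP candidate lines and the delivery endpoint are constructed, and the ICE candidate types used to tell "local" from relay candidates are an assumption about how the patent's "no direct paths" maps onto STUN/TURN terms.

```python
"""Model of the silently recorded call flow described in the patent write-up.

Added example, not the patent's or Microsoft's code. Entity names, SDP
candidate lines and the delivery endpoint below are constructed.
"""
from dataclasses import dataclass, field

# Assumption: in ICE terms, host and server-reflexive candidates describe
# direct paths; relay candidates go through the TURN server (the media relay).
DIRECT_TYPES = {"host", "srflx"}

# Constructed SDP fragment as the initiating entity might send it (step 4):
# two direct candidates plus one relay candidate obtained from the media relay.
SAMPLE_SDP = [
    "m=audio 5000 RTP/AVP 0",
    "a=candidate:1 1 UDP 2130706431 192.0.2.10 5000 typ host",
    "a=candidate:2 1 UDP 1694498815 198.51.100.7 6000 typ srflx",
    "a=candidate:3 1 UDP 16777215 203.0.113.5 7000 typ relay",
]


def candidate_type(line: str) -> str:
    """Return the 'typ' value of an a=candidate line."""
    fields = line.split()
    return fields[fields.index("typ") + 1]


def is_direct(line: str) -> bool:
    return line.startswith("a=candidate:") and candidate_type(line) in DIRECT_TYPES


def strip_local_candidates(sdp: list) -> list:
    """Step 6: delete the direct candidates so the call must go via the TURN relay."""
    return [line for line in sdp if not is_direct(line)]


def has_direct_path(sdp: list) -> bool:
    """True if the SDP still offers a path that bypasses the media relay."""
    return any(is_direct(line) for line in sdp)


@dataclass
class CallServer:
    endpoints: dict = field(default_factory=dict)   # requestor -> delivery (ip, port)
    monitored: dict = field(default_factory=dict)   # VoIP entity -> requestor
    recorders: set = field(default_factory=set)     # entities the router must copy
    delivered: list = field(default_factory=list)   # (delivery point, kind, payload)

    def register_delivery_endpoint(self, requestor, ip, port):     # step 1
        self.endpoints[requestor] = (ip, port)

    def request_monitor(self, requestor, entity):                  # step 2
        self.monitored[entity] = requestor

    def deliver(self, entity, kind, payload):
        """Send a copy to the delivery point registered for this entity."""
        requestor = self.monitored.get(entity)
        if requestor is not None:
            self.delivered.append((self.endpoints[requestor], kind, payload))

    def handle_invite(self, caller, sdp):                          # steps 4-6, 10
        if caller not in self.monitored:
            return list(sdp)                    # not monitored: forward as received
        self.deliver(caller, "INVITE", list(sdp))                  # step 5
        self.recorders.add(caller)              # step 10: configure the recorder
        return strip_local_candidates(sdp)                         # step 6

    def handle_ok(self, caller):                                   # steps 7-9
        self.deliver(caller, "OK", "OK")                           # step 8
        return "OK"                                                # step 9


class Router:
    """Recording agent sitting in the media path (steps 11-13)."""

    def __init__(self, server: CallServer):
        self.server = server
        self.forwarded = []

    def forward(self, sender, receiver, packet):
        self.forwarded.append((receiver, packet))                  # step 13: to remote
        if sender in self.server.recorders:
            self.server.deliver(sender, "RTP", packet)             # step 13: the copy


def run_call(server, router, caller, callee, sdp, packets):
    """Drive one call through server and router; return the SDP the callee received."""
    remote_sdp = server.handle_invite(caller, sdp)
    server.handle_ok(caller)
    for pkt in packets:
        router.forward(caller, callee, pkt)
    return remote_sdp


if __name__ == "__main__":
    srv = CallServer()
    srv.register_delivery_endpoint("requestor", "192.0.2.99", 9000)
    srv.request_monitor("requestor", "alice")
    rtr = Router(srv)
    seen = run_call(srv, rtr, "alice", "bob", SAMPLE_SDP, [b"rtp-1", b"rtp-2"])
    print("direct path offered to callee:", has_direct_path(seen))
    print("copies delivered:", [kind for _, kind, _ in srv.delivered])
```

The point for a privacy-minded reader is in the return value of `run_call`: the callee of a monitored entity only ever sees relay candidates, which is what forces the media through a path the recording agent can copy.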
may raise privacy concerns and surely the question of how Microsoft intends to use such a patent now that it owns Skype. So, Microsoft: Will Skype officially include eavesdropping capability in the future? A request for clarification we sent to Microsoft has remained unanswered so far.

From rforno at infowarrior.org Mon Jun 27 11:09:53 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Jun 2011 12:09:53 -0400
Subject: [Infowarrior] - Anonymous dumps DHS "Counter Cyberterrorism" courses
Message-ID: <3B684014-77A3-4A53-AD04-EDCE2C8BD20A@infowarrior.org>

Via Anonymous' twitter: Find the ISO for the CDI Sentinel Cyberterrorism Defense Program here: http://bit.ly/iLenW8 Info: http://bit.ly/jbp466 #AntiSec | Thanks!

More info @ the DHS "Cyberterrorism Defense Initiative Training" website -- http://www.cyberterrorismcenter.org/courses.html

"Cyberterrirusn Defense" ?? Really? Srsly? -- rick

From rforno at infowarrior.org Mon Jun 27 11:12:25 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Jun 2011 12:12:25 -0400
Subject: [Infowarrior] - Human Errors, Idiocy Fuel Hacking
Message-ID:

Human Errors, Idiocy Fuel Hacking
By Cliff Edwards, Olga Kharif and Michael Riley - Jun 27, 2011
http://www.bloomberg.com/news/print/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.html

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

"There's no device known to mankind that will prevent people from being idiots,"
said Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC)

The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders' ability to exploit people's vulnerabilities has tilted the odds in their favor and led to a spurt in cyber crimes.

In real-life intrusions, executives of EMC Corp.'s RSA Security, Intel Corp. (INTC) and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter. It's part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara, California-based computer security company.

Rule No. 1

Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department's computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.

"Rule No. 1 is, don't open suspicious links," Rasch said. "Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2."

A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department's National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.

Tactics such as spear-phishing -- sending a limited number of rigged e-mails to a select group of recipients -- rely on human weaknesses like trust, laziness or even hubris. That's what happened in March, when attackers used a clever ruse to exploit their discovery that RSA -- the company that provides network-access tokens using random secondary passwords -- was in a hiring campaign.
Organized Attack

Two small groups of employees received e-mails with attached Excel spreadsheets titled "2011 Recruitment Plan," the company said in April. The e-mails were caught by the junk-mail screen. Even so, one employee went into the folder, retrieved the file and opened it.

The spreadsheet contained an embedded Adobe Systems Inc. (ADBE) Flash file that exploited a bug, then unknown to San Jose, California-based Adobe, that allowed hackers to commandeer the employee's PC. RSA said information related to its two-factor SecurID authentication process was taken. Banks may be forced to pay $50 million to $100 million to distribute new RSA SecurID devices, according to Avivah Litan, a Gartner Inc. research analyst.

"The team that hacked us is very organized and had a lot of practice," Uri Rivner, head of new technologies at RSA Security, said at a June 17 conference in Spain. "I can compare them to the Navy Seals Team Six, which hit Osama Bin Laden."

The Federal Bureau of Investigation began warning in early 2009 about a rise in spear-phishing attacks. To succeed, they require the target to open a link presumably sent by someone they know or trust.

Whale Phishing

Total phishing attacks increased by 6.7 percent from June 2010 to May 2011, according to Symantec Corp. (SYMC)'s State of Spam & Phishing monthly report. The number of non-English phishing sites increased 18 percent month over month.

Spear-phishing is evolving into what Rasch calls whale phishing: Targeting senior-level executives whose computers may have access to far more sensitive information than rank-and-file workers. Technology executives are attractive targets because their positions give them access to a trove of information, and they tend to believe they're better protected from computer hackers than their employees, Rasch said.
Hackers research decision makers by browsing social networks, reading up on news about the company, and creating e-mails and links that appear to be genuine and come from people that the targets know.

"Flipping Burgers"

"Phishing is on a different trajectory than it's been in the past," said Malcolm Harkins, Intel's chief information-security officer. Intel was targeted a few years ago, when Chief Executive Officer Paul S. Otellini opened a hacker's e-mail that looked like it came from a federal circuit court in relation to legal proceedings.

Hackers have many motives, including making mischief, selling information for profit or stealing trade or military secrets. While many of the attacks seem sophisticated, the majority require little programming knowledge because people in the companies do the work for them, Rasch says.

"It beats flipping burgers for a lot of these guys," he said.

Their forays can be aided by workers who place their trust in digital communications despite warnings they should be more cautious.

Faux Vixen

In early 2010, security specialist Thomas Ryan created a fictional online-security analyst using pictures taken from a pornography-related website. Through e-mail and other online correspondence, he said he gained access to e-mail addresses and bank accounts, learned the location of secret military units based on soldiers' Facebook photos, and connections between people and organizations.

The fictional woman received private documents to review, speaking requests and job offers from Google Inc. (GOOG) and defense contractor Lockheed Martin Corp. (LMT), Ryan said.

Assets are also put at risk by people who use easy-to-crack passwords, and repeat them among Facebook, e-mail and bank accounts. When Daniel Amitay checked to see which passwords people were using in his iPhone app, Big Brother Camera Security, he found that many weren't secure. Out of 204,508 recorded passwords, the most common was "1234," followed by "0000" and "2580,"
the middle line of the numeric keypad.

CEO Resigns

"By knowing a bit of psychology, people can avoid security," Amitay said. "People choose things from memory, and they are making the job easier for someone who wants to steal their pass code."

In a February attack on Sacramento, California-based security firm HBGary and its sister, HBGary Federal, the hacker group Anonymous said it cracked the passwords of CEO Aaron Barr and Chief Operating Officer Ted Vera, and discovered they used the same passwords in e-mail accounts, LinkedIn, Twitter and elsewhere. Anonymous said it deleted "gigabytes of backups and research data" from company servers.

The group didn't stop there. Using the compromised personal e-mail account of HBGary owner Greg Hoglund, they asked for and were given the user name and password of a second HBGary Federal site, which had to be taken offline.

The HBGary attack tied back in an unusual way to January 2010 security breaches at Google, Adobe Systems Inc., Juniper Networks Inc. (JNPR), defense contractor Northrop Grumman Corp. (NOC) and Dow Chemical Co. (DOW)

Tracking Executives

Anonymous released HBGary's e-mails, which show that DuPont, Walt Disney Co. (DIS), Sony Corp. (6758) and Johnson & Johnson (JNJ) were also attacked by hackers somewhere in China, but decided not to disclose the intrusion. Barr resigned three weeks later, citing the distraction caused by the hack.

DuPont declined to comment after the HBGary incident, as did Sony and Johnson & Johnson. Disney didn't respond to requests for comment.

Lulz Security, known as LulzSec and made up of former members of Anonymous, announced June 25 it is disbanding after 50 days during which it claimed attacks on computers of the U.S. Senate, Public Broadcasting Service television network, and Central Intelligence Agency.

To better rebuff attacks targeting decision makers, Santa Clara, California-based Intel is deploying software to analyze employees' log-on patterns, Harkins said.
If a user logs on in New York an hour after logging on from a California web address, the system may limit or cut off access.

New Products

"That's the work we are doing right now," Harkins said, citing an increase in security spending. "It will take a couple of years."

A number of companies are now offering analytics and security products designed to combat social-engineered attacks. In February, Milpitas, California-based FireEye announced a system designed to stop spear-phishing. Its software can open an e-mail attachment or a link outside of the corporate network, run it to see if it's malicious, and report back on the scope of the planned attack, Ashar Aziz, FireEye's Chief Executive Officer, said in an interview.

"This is the deadliest sector of attack that exists today," he said. The company already provides the product to several governmental agencies, he said.

Another vendor, CertiVox, started selling a product last week that lets users safeguard their Web e-mails and online posts on Facebook or blogs. Through encryption, the messages are readable only to recipients picked by the sender. The company, with offices in San Francisco and London, is testing the software with large law firms in London, CEO Brian Spector said in an interview.

Trying to Keep Up

"The security industry is still stuck in infrastructure 1.0," Spector said. "As the Web 2.0 world started taking off, it wasn't keeping up."

Training may be the biggest key to stopping the attacks. Hudson Valley Credit Union in Poughkeepsie, New York, experienced a spear-phishing attack five years ago. Now, each of the company's more than 800 employees takes an annual online security training course, said John Brozycki, the credit union's information security officer. Each year, the course expands to include new schemes and provides a refresher on long-time problems like phishing.

"We hope that our defenses are able to handle it," Brozycki said.
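The log-on pattern check the article attributes to Intel (a New York log-on an hour after a California one) is what SOC teams usually call an impossible-travel rule. The following is an added example of that rule, written for this digest and not Intel's software; the log-on events, their coordinates and the 900 km/h plausibility ceiling are all constructed assumptions.

```python
"""Impossible-travel check over log-on events, in the spirit of the log-on
pattern analysis described above.

Added example, not Intel's system. The events, coordinates and the speed
ceiling are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed


@dataclass(frozen=True)
class Logon:
    user: str
    when: datetime
    city: str       # where the source address geolocates to
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(earlier: Logon, later: Logon) -> float:
    """Speed the user would have needed to travel between the two log-ons."""
    distance = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.when - earlier.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp from two places: impossible unless it is the same place.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, speed) for each consecutive per-user pair
    whose implied speed exceeds max_kmh. Events may arrive in any order."""
    flagged = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            speed = implied_speed_kmh(prev, ev)
            if speed > max_kmh:
                flagged.append((prev, ev, speed))
        last_seen[ev.user] = ev
    return flagged


# Constructed sample: alice's second log-on is the article's scenario
# (New York an hour after California); bob only moves within the Bay Area.
SAMPLE_EVENTS = [
    Logon("alice", datetime(2011, 6, 27, 9, 0), "Santa Clara", 37.35, -121.95),
    Logon("bob", datetime(2011, 6, 27, 9, 0), "Santa Clara", 37.35, -121.95),
    Logon("alice", datetime(2011, 6, 27, 10, 0), "New York", 40.71, -74.01),
    Logon("bob", datetime(2011, 6, 27, 10, 0), "San Francisco", 37.77, -122.42),
    Logon("alice", datetime(2011, 6, 27, 12, 0), "New York", 40.71, -74.01),
]

if __name__ == "__main__":
    for prev, cur, speed in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{cur.user}: {prev.city} -> {cur.city} implies {speed:.0f} km/h; "
              "limit or cut off access")
```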
To contact the reporters on this story: Cliff Edwards in San Francisco at cedwards28 at bloomberg.net; Olga Kharif in Portland at okharif at bloomberg.net; Michael Riley in Washington at michaelriley at bloomberg.net

To contact the editors responsible for this story: Anthony Palazzo at apalazzo at bloomberg.net; Tom Giles at tgiles5 at bloomberg.net; Michael Hytha at mhytha at bloomberg.net

From rforno at infowarrior.org Mon Jun 27 14:40:24 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Jun 2011 15:40:24 -0400
Subject: [Infowarrior] - New Documents Prove TSA "Mischaracterized" Safety Aspects Of Full Body Scanners
Message-ID: <34626863-4D4B-4B33-A3C5-496A83D8EA03@infowarrior.org>

New Documents Prove TSA "Mischaracterized" Safety Aspects Of Full Body Scanners
Steve Watson
Infowars.com
June 27, 2011
http://www.infowars.com/new-documents-prove-tsa-%E2%80%9Cmischaracterized%E2%80%9D-safety-aspects-of-full-body-scanners/

Newly released internal government documents, obtained via the Freedom Of Information Act, reveal that the TSA, and specifically the head of the Department of Homeland Security, "publicly mischaracterized" the findings of the National Institute of Standards and Technology, in stating that NIST had positively confirmed the safety of full body scanners in tests.

In the private email response, NIST stated that the Institute had not, in fact, tested full body scanners at all for safety, and that the Institute does not even undertake product testing.

The email (below) states that the director of NIST was "not looking for corrections", but wished to "offer clarification", that the agency "doesn't want any mischaracterization of their work continued."
At the time, Prisonplanet.com published a response article to Napolitano's claims, highlighting the fact that her statements regarding the safety of the scanners, as well as her claims that the pat down alternative was "discreet", were manifestly false. It is now clear that our concerns were shared by another government agency, in the form of NIST.

Another document obtained by EPIC even shows that, far from affirming their safety, NIST warned that airport screeners should avoid standing next to full body scanners in order to keep exposure to harmful radiation "as low as reasonably achievable."

It is not clear whether or not the information and advice was ever passed on to TSA workers. However, another document obtained by EPIC shows that a growing number of TSA workers diagnosed with cancers are voicing concern that the full body scanners and x-ray machines are indeed to blame for their illnesses.

The document also highlights the fact that the TSA has failed to issue employees with dosimeters, safety devices that would warn of radiation exposure, despite repeated requests from workers and their supervisors.

In an email sent by a TSA representative to employees at Boston's Logan Airport, workers are assured that their complaints are being listened to and that a request to issue the radiation monitoring devices had been sent to TSA headquarters.

"I understand that some TSO's who were diagnosed as having cancer have already left TSA employment but that BOS still has an alarmingly high number of cancer afflicted TSOs still working here." the email states.

"Despite TSA management's past assurances, many TSOs here do not feel safe from radiation threats that may go hand in hand with using x-ray screening technology, especially the newer [installed since TSA federalized airport security] technology..." the email continues.

In the same USA Today piece, Napolitano, or "Big Sis"
as she is now often referred to, also claimed that the Johns Hopkins University Applied Physics Laboratory had also independently affirmed the safety of the scanners.

However, yet another document obtained and released by EPIC now shows that a Johns Hopkins study actually revealed that radiation zones around body scanners could exceed the "General Public Dose Limit."

At the time we pointed out that Dr Michael Love, who runs an X-ray lab at the department of biophysics and biophysical chemistry at the Johns Hopkins school of medicine had publicly stated two days previously that "statistically someone is going to get skin cancer from these X-rays".

"...we have a situation at the airports where people are so eager to fly that they will risk their lives in this manner," Love said.

In addition, several other scientists have continued to speak out over the health hazards associated with the x-ray technology, noting that the body scanners are far from safe.

It is now even more clear that Napolitano's statements to the public regarding the body scanners were misleading at best, and at worst were outright lies.

EPIC is currently engaged in a lawsuit against the DHS to force full disclosure of body scanner radiation risks. A second EPIC lawsuit is seeking to suspend the use of full body scanners altogether. Both lawsuits are ongoing. The TSA previously refused to release internal reports on the safety of the body scanners.

----------

Steve Watson is the London based writer and editor for Alex Jones' Infowars.net, and Prisonplanet.com. He has a Masters Degree in International Relations from the School of Politics at The University of Nottingham in England.
From rforno at infowarrior.org Tue Jun 28 06:43:45 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Jun 2011 07:43:45 -0400
Subject: [Infowarrior] - Facebook bans KDE application, deletes user photos
Message-ID: <7C185E5B-814C-44A3-8F99-C8E956E59B40@infowarrior.org>

Facebook bans KDE application, deletes user photos
KDE users burned by Facebook
By Joe Brockmeier on Mon, 06/27/11 - 8:56pm.
http://www.networkworld.com/community/node/75598

KDE users have gotten a rather unpleasant surprise from Facebook: Not only is the site blocking KDE apps like Gwenview from uploading, the social media giant has also taken down photos uploaded with the KDE plugins. Yet another reason that users might think twice before depending on Facebook for photo storage.

I stumbled on this via, of course, Facebook. A friend of mine had posted that the "kipi" (KDE Plug-Ins) that handles uploading to Facebook had been banned. That's annoying, but not a major issue -- but the real issue is that the site has also apparently zapped photos already uploaded using KDE applications that depend on the plugin. I would point you to the bug, but apparently bugs.kde.org is unaccustomed to the amount of interest that the bug is receiving. (Maybe it's up by the time you read this, though.)

Thinking it might be a single user glitch or limited to one area, I decided to fire up Gwenview and try to upload a picture. No dice -- I got the "Facebook Call Failed: Invalid API key" error. I don't typically use Gwenview to upload photos, so I can't see any of my photos missing, but I'll take my friend's word for it.

It's popular for people to talk about hating Facebook or, for a smaller group, not using Facebook. I'm not going to go there -- I don't particularly trust Facebook, but I do use the site and (so far) find that the positives outweigh the negatives.
But this is an object lesson in why users should never depend on Facebook or assume that their data stored on the site will be there five minutes from now. (You also should not assume that anything stored on Facebook is private, but that's another conversation for another time.) While I use Facebook and other sites, I always keep local copies of photos or anything else that I share. What's a shame is that you have to assume that the conversations that accompany photos, etc., are ephemeral. Maybe they'll be there in six months, maybe they'll be gone in sixty seconds.

Whether Facebook will be able to revert the photos, or why the company mistakenly banned an innocent FOSS application from uploads and storage is almost beside the point. It's nothing new, and almost certainly won't be the last time that the site mistakenly blocks a legitimate app or fumbles user data. This is yet another argument for distributed, free software social media tools like GNU MediaGoblin.

Facebook's mission is not to carefully tend to its users' data. Facebook's users aren't even the company's customers -- it's all about the advertisers and companies it can sell marketing data to. Your comments, photos, profile, and time spent on Facebook's site are the company's product, not its business.

So I won't tell people "don't use Facebook" because that ship has already sailed unless the company commits a particularly heinous breach of user trust, or something more popular eclipses it. But I will say this: Use Facebook like you use any shared space. You never know who might be observing, and anything you leave behind might be gone five seconds after you turn your back.
From rforno at infowarrior.org Tue Jun 28 06:49:38 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Jun 2011 07:49:38 -0400
Subject: [Infowarrior] - Firefox update policy: the enterprise is wrong, not Mozilla
Message-ID:

Firefox update policy: the enterprise is wrong, not Mozilla
By Peter Bright | Published about 13 hours ago
http://arstechnica.com/business/news/2011/06/firefox-update-policy-the-enterprise-is-wrong-not-mozilla.ars/2

Three months ago, Mozilla released the long-awaited Firefox 4. Last week, the organization shipped the follow-up release: Firefox 5. Firefox 5 was the first version of the browser to be released using Mozilla's new Firefox product lifecycle, which would see a new version of the browser shipping every three months or so. The new policy has been publicized for some months, and so the release of Firefox 5 was not itself a big surprise.

What has caught many off-guard is the support, or lack thereof. With the release of Firefox 5, Firefox 4 -- though just three months old -- has been end-of-lifed. It won't receive any more updates, patches, or security fixes. Ever. And corporate customers are complaining.

The major problem is testing. Many corporations have in-house Web applications -- both custom and third-party -- that they access through their Web browsers, and before any new browser upgrade can be deployed to users, it must be tested to verify that it works correctly and doesn't cause any trouble with business-critical applications.

With Mozilla's new policy, this kind of testing and validation is essentially impossible: version 5 may contain critical security fixes not found in version 4, and with version 4 end-of-lifed, the only way to deploy those fixes is to upgrade to version 5. That may not be an issue this time around, but it's all but inevitable that the problem will crop up eventually.

Testing overhead

That makes things awkward for the companies who need to validate browser releases.
Rolling out security updates with minimal testing is, in theory, generally pretty safe, because security updates are narrow in scope, and because the risk of the alternative -- running a known-exploitable browser -- is worse than the risk of something breaking. With those security updates now inextricably linked to other, nonsecurity updates, some enterprise users are expressing the fear that their task is now impossible. The other updates included with the security fixes mean that each release is so large that it must be tested thoroughly, but the rapid release schedule means there's no time to do so.

This has some corporate users of the browser feeling very unhappy. Though the release itself came as little surprise, the consequences it would have for version 4 were not generally understood until it was too late. They didn't realize that they would no longer have access to security fixes for Firefox 4, and now have to test all over again for Firefox 5. And to make matters worse, future updates will probably come out even more frequently; a six week cycle is the goal.

These enterprise customers are plainly unhappy, and some commentators are suggesting that Mozilla is alienating its enterprise customers and in effect signing its own death warrant.

Flawed assumptions

But is this really the right response to take? We're not so sure that it is.

Let's be clear: the enterprise has never been Mozilla's number one priority. If it were, this pair of bugs wouldn't still be open more than half a decade after they were first filed. For enterprises, deployment and patch management using MSIs and configuration control using GPOs, are bread-and-butter stuff. They're a hallmark of enterprise readiness. Internet Explorer -- surely the king of enterprise browsers -- has this kind of support in spades. Chrome, too has some amount of enterprise support. I'm sure both of those bugs will be fixed eventually. The work will get done.
But enterprise users should take note: they're not the priority, and never have been. This should not be regarded as surprising.

But what of those organizations that use Firefox anyway? How are they going to cope now that they will have to do all this extra testing? The answer to that is: the same way they always have done.

The reality is that Firefox minor updates have never been restricted to pure security fixes. If organizations thought that they could get away with performing only minor testing of the 18 minor updates that Firefox 3.6 has received in just 15 months, they were mistaken. Firefox minor releases have long contained stability and compatibility updates. Sometimes there are even feature changes: 3.6.4 introduced a new system whereby plugins were run in a separate process, and 3.6.9 introduced support for new countermeasures against a certain type of security flaw.

These kinds of changes could absolutely cause compatibility issues with business sites and applications. For businesses that needed to perform extensive validation of the browser before deploying it, both of these updates would require new validation. And in both cases there was no way of avoiding the new features; there were few "pure security" updates made to 3.6. The implication that the new policy somehow changes something about the nature of Firefox updates -- and hence the testing burden -- just isn't true.

Combining security fixes with broader compatibility and stability fixes or new features is not unique to Firefox, either; Google does the same for Chrome, and even the latest security update to Internet Explorer 9 includes a minor nonsecurity update that resolves a bug with downloading files. The isolated pure security fix just isn't a feature of the Web browser landscape.
Meaningless numbers

Some have said that the testing problem is a result of Mozilla's decision to bump the major version number -- with the implication that their company's testing procedures are driven not by an assessment of what's actually changed but by a mere version number, as if the major version increasing meant that there must be major changes.

Mozilla could have chosen a better mechanism to distinguish between versions than a major version number bump -- for example, if they had used a date-based numbering scheme then it's likely that this (flawed) inference would no longer be made. But it didn't, and the result is that an increase of the major version number doesn't necessarily imply major changes under the hood.

Mozilla certainly isn't the first to do this. The next version of the Linux kernel will be version 3.0, from the current 2.6.39.2, but this major version update doesn't denote major changes. It might just as well have been version 2.6.40, or 2.8, or something else entirely; it was simply the preference of Linus Torvalds that the major version should, after many years, be increased.

Nor is Mozilla the first major open source project to use a time-based release model instead of a feature-driven one. The Ubuntu Linux distribution has made twice-annual releases, with major version numbers that increment accordingly, since its inception. The user community understands this and responds accordingly.

The corporate response to this change in numbering policy should be trivial: base testing on what has changed rather than what the number is. Any other policy has never been consistent with the way the browser is actually updated. At worst, the new update policy is simply highlighting flaws in existing corporate practices.

The Web is the victim

The backlash against the new policy shows a lack of understanding both of Mozilla's priorities and the way it has updated its browser for many years.
The new policy doesn't really change the testing implications, and if Firefox was good enough for corporate environments before, it's still good enough today.

But the complaints do more than show a lack of understanding of Firefox: they show a lack of understanding of the Web itself.

The Web is a shared medium. It's used for both private and public sites, and the ability to access these sites is dependent on Web browsers understanding a common set of protocols and file formats (many corporate intranet sites may not in fact be accessible from the Internet itself, but the browsers used to access these sites generally have to live in both worlds).

Shared media of all kinds suffer a problem in that the experience of the medium is often constrained by the worst system using that medium. Fire up an 802.11b Wi-Fi device on an 802.11g network, and you'll tend to make the connection slower for everyone: the network drops back to the slower speed to allow the older device to work. TV broadcasters still have to waste valuable bandwidth transmitting a standard definition picture alongside high def, because many TV sets can only use the standard broadcast.

And so it is with the Web. A not-insignificant number of sites have to avoid using HTML, CSS, and JavaScript techniques developed over the last five years, because they have to cater to browsers like Internet Explorer 6 or 7. As the numbers using these browsers drop, sites can slowly adopt newer technology, but this is a slow and painful process.

If developers could be sure that only Internet Explorer 9, Firefox 5, and Chrome 13 were in use on the Internet, they would be able to make substantial savings in development and testing, and would have a wealth of additional features available to use. But they can't assume that, and so they have to avoid desirable features or waste time working around their absence. And a major reason -- not the only reason, but a substantial one -- is corporate users.
Corporate users who can't update their browsers because of some persnickety internal application they have to use, but who then go and use that same browser on the public Internet. By unleashing these obsolete browsers on the world at large, these corporate users make the Web worse for everyone. Web developers have to target the lowest common denominator, and the corporations are making that lowest common denominator that much lower.

The need for speed

In and of itself, this might not be so bad if the Web were a stable, mature platform, one undergoing only minor, incremental improvements. But it isn't; though there was a period in the mid-2000s where W3C, the organization with oversight of Web specifications like HTML and CSS, had rather lost its direction, since 2007 the development of a whole range of specifications under the HTML5 banner has been vigorous. This work on the specifications has been matched with similar advances in browsers.

This in turn has motivated the rapid release schedules of both Chrome and Firefox; instead of sitting on the implementation of some new feature for eighteen months, waiting for the next "significant" release, both Google and Mozilla have decided that it's better to ship features when they're ready. The state of the art of Web browsers is today moving forward at a pace not seen since the late 1990s. It would be nice if Web applications could have the freedom to match that progress.

The result is a vast yawning chasm between the very best browsers used with the Web -- Firefox 5, Chrome 13 -- and the very worst -- Internet Explorer 6, Internet Explorer 7. And the result of that is that developers have to make the public Web worse for everybody to accommodate these wretched antique browsers. Progress is severely retarded by corporate foot-dragging.
The path Mozilla has taken, the path that enriches the experience of the Web and of Web users, is absolutely the right one for the medium as a whole, and in practice, the negative consequences for corporate customers are not as great as they make out.

Corporate headaches

That doesn't mean that the corporate world has it easy. Companies bought in to the promise of the Web -- an easy development platform that would allow robust, rapid deployment of internal applications, without the overheads of managing the thick client applications written in tools such as Visual Basic, the applications that prior to the advent of the Web and the office intranet defined line-of-business software. And for a time, particularly in the post-2001 age of Internet Explorer 6-induced stagnation, it worked out very well for them. That was the only browser that mattered, and since it never changed, it meant that their applications never had to change either.

And so mistakes were made. Some of the mistakes were the same mistakes that existed for conventional applications: disbanding development teams, so programs become orphaned, with nobody around who understands their source code, and letting support and maintenance contracts for third-party software lapse, on the basis that the current version works fine, so who needs to upgrade? Some of the mistakes were new: building applications that were specifically dependent on quirks and unique features of Internet Explorer 6. But even this was understandable; Internet Explorer's market lead looked, for a time, to be unassailable, so where was the harm?

These decisions are now coming back to bite those same companies who bought into the Web concept. These companies never expected the Web, and the browsers that people depend on, to change so rapidly, and they don't have the processes to cope.
Balancing the demands of the public, rapidly developed, exciting, and innovative Web, with the needs of the private, stable, line-of-business Web, is a tough problem, and no browser really bridges the gap between the two worlds. Firefox and Chrome have made the public Web their priority. Each iteration of their browser should be better than the last, and it should be rare that internal applications get broken (at least if those internal applications are sensibly written and developed), but for organizations that need to be able to validate and verify specific browser versions, they're not a good fit.

Internet Explorer, in contrast, has swung very much in the other direction. Microsoft's commitment to support its browser versions for as much as ten years allows corporate customers to settle on a version and ignore everything newer, but this comes at the expense of the public Web. This happens directly (Internet Explorer 9 just isn't as fully featured as Firefox 5 or Chrome 12, so even the latest version of Microsoft's browser is behind the times) and indirectly (because these legacy browsers contaminate and retard the public Web).

Beyond that, they're also, arguably, bad for the companies themselves. A company that today needs an Internet Explorer 6-dependent application is in a tough spot. Internet Explorer 6 isn't available on current operating systems, and with each passing day, developer knowledge of such an application will decrease. That IE 6 dependence has to be broken some day, and the longer these companies wait, the harder, more expensive, and more disruptive that change will be.

Neither position is ideal, but indications are that it's the Mozilla and Google strategy that is currying more favor with users. Internet Explorer still has the market share lead, but that share is declining with each passing month. Firefox's share is holding steady, and Chrome's is growing month on month.
If the trends of the past year or so continue, Microsoft's browser will lose its majority market share by the end of the year. It'll still retain a plurality share, but it's clear that Redmond's influence on the Web is waning. Internet Explorer's plodding progress just isn't the right approach if you want to win over users. Though some are suggesting that the new policy is some great opportunity for Internet Explorer to regain some market share, this seems improbable. Organizations that could cope with Firefox before can cope with it now; nothing has changed in that sense.

Back to the desktop?

So what can enterprises do? Longer term, writing Web applications that are sympathetic to the demands placed on the Web is probably the route to take, and that means writing applications that target standards, not browsers. This isn't as simple as it ought to be, as there are still plenty of discrepancies between different browser families, but applications written in this way will be subject to much less disruption from upgrades than applications that depend on quirks.

In the meantime, one technique may be to use different browsers for the intranet and the public Web. Microsoft, for example, has facilities within its MDOP management pack to denote certain URLs, such as those for intranet sites, as requiring a legacy version of Internet Explorer. When this is enabled, you can use Internet Explorer 9 for normal browsing, but the system will switch to legacy Internet Explorer, running within a virtual machine, whenever you attempt to use a legacy intranet site. This doesn't solve the problem entirely -- those legacy sites need to be updated eventually -- but it can ease the pain. Restricting the legacy browser to intranet sites also somewhat alleviates the need for security fixes for that browser, by greatly reducing its exposure to hostile code.
It's not impossible to see Mozilla offer a similar facility; for example, one release per year could be considered a "long-term" release, and receive security fixes for a period of, say, 12 months. The model here would be similar to that used in the Ubuntu LTS releases: every fourth Ubuntu version is given long-term support, receiving security fixes for an extended period (three years on the desktop, five on the server). Of course, Mozilla itself need not do this work: as an open source project, third parties step in to fill this role, if they believe the enterprise customers are genuinely there. Canonical (the organization that develops Ubuntu) and Red Hat would both be obvious candidates for such a role, as both do such work already for other software packages.

Ultimately, perhaps companies need to re-evaluate their use of the Web itself. If a company really does need to perform extensive validation and verification of its software, perhaps using a browser to deliver that software just isn't appropriate. There are platforms that have a slower pace of evolution, stabler APIs, greater resistance to feature regressions, and long-term support: they're called operating systems. If long-term stability is what you want, perhaps a desktop application is what you need.

From rforno at infowarrior.org Tue Jun 28 07:54:26 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Jun 2011 08:54:26 -0400
Subject: [Infowarrior] - Federal Study of Power Grid Might Disrupt The Nation's Clocks
Message-ID: <3B0D18FD-E643-47F0-AC4D-DCDC5D1B37A9@infowarrior.org>

Federal Study of Power Grid Might Disrupt The Nation's Clocks
By Rebecca Boyle
Posted 06.27.2011 at 4:40 pm
http://www.popsci.com/technology/article/2011-06/federal-study-save-electricity-might-disrupt-nations-clocks#

[Image caption: Power Lines, Wikimedia Commons]

Soon, when you sleep through your Monday morning alarm, it may be Uncle Sam's fault.
Federal officials are considering an experiment on the nation's electrical grid that could interrupt the way your appliances tell time -- from your bedside alarm to your automatic coffeemaker.

Once they're programmed, electrically powered clocks tell time based on the rate of the electric current that feeds them, as an Associated Press story explains. Electrical utilities keep the current's frequency stable in part to keep clocks precise, the AP says. But utilities could save energy and money by allowing for greater frequency variation, so the Federal Energy Regulatory Commission is considering allowing the change.

Joe McClelland, head of electric reliability for FERC, wondered whether anyone really uses the grid to tell time. "Let's see if anyone complains if we eliminate it," he said.

Renewable energy is one primary reason FERC cares about frequency variation. Power sources like wind and solar energy will ramp up and drop off with great variability, inducing spikes and valleys in the energy flowing through the nation's electrical grid. Adjusting for those differences is expensive, and can be wasteful, according to FERC. Forgetting about it would just be easier -- unless all the nation's clocks are suddenly off.

With a more variable current, wall clocks and appliance clocks, like the one that's programmed to brew your coffee every morning, will become less accurate every second, a phenomenon that can get much worse over time. One trade group that has studied the potential effects says East Coast clocks could run 20 minutes fast over a year, and timepieces on the West Coast would be off by about 8 minutes.

Officials from FERC said they are tentatively planning to test a more variable frequency in mid-July, AP said. It's a good thing we have ridiculously accurate atomic clocks to keep us all on track.
From rforno at infowarrior.org Tue Jun 28 08:06:44 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Jun 2011 09:06:44 -0400
Subject: [Infowarrior] - DARPA chief Regina Dugan: 'Failure is okay for us'
Message-ID: <5D542298-A7AF-43C5-86B8-DBBF967997BF@infowarrior.org>

(The WSJ interview video is @ http://allthingsd.com/20110627/darpas-regina-dugan-takes-it-to-mach-20-the-full-d9-interview-video/)

DARPA chief Regina Dugan: 'Failure is okay for us'
By Emi Kolawole
http://www.washingtonpost.com/blogs/innovations/post/darpa-chief-regina-dugan-failure-is-okay-for-us/2011/06/27/AGJxHnnH_blog.html?hpid=z13

Last week, President Obama announced a new government and advanced-manufacturing industry partnership to spur high-tech innovation. Before his speech, he was briefed on a new combat support vehicle developed by the Defense Advanced Research Projects Agency (DARPA). Among those briefing the president? DARPA Director Regina Dugan.

To know about DARPA and Dugan is to know about military innovation, except the agency is so tightly wrapped in a blanket of secrecy that it's difficult to figure out exactly what it does until well after it's done it -- take the agency's role in the creation of the Internet, for example.

Dugan, the 19th (and first female) director of DARPA, came to the agency after co-founding Dugan Ventures, which in turn founded RedXDefense in 2005. RedXDefense was created to produce solutions for combating explosive threats. Dugan's involvement in both companies created friction in 2010, when RedXDefense won a $1.7 million contract from DARPA and Wired reported that the firm also owed Dugan $250,000. Dugan recused herself from any business dealings with RedXDefense, and DARPA Deputy Director Kaigham "Ken" Gabriel told the Los Angeles Times: "Honestly, this is something that is prevalent. . . . We just know how to deal with it. It's not that big of a deal, frankly."
The Times also reported that no law exists preventing a sitting DARPA chief from divesting in companies that receive defense contracts before assuming their post.

That aside, the full interview from the Wall Street Journal's "All Things D" was posted Monday morning. Dugan discusses some of the latest developments at DARPA and the role the agency plays in some of the nation's most significant inventions.

"We have a singular mission. Our singular mission is the prevention and creation of strategic surprise," Dugan says. Asked what those surprises were, Dugan responds predictably, "Well, they wouldn't be surprises if I told you, now, would they?"

Dugan touches briefly on her past in the public and private sector as well as the challenges DARPA faces in terms of working with the corporate and educational communities. The interview is relatively long, clocking in at just over 30 minutes. But it's a worthwhile watch for anyone interested in what DARPA is up to and the critical role it plays in domestic innovation.

From rforno at infowarrior.org Tue Jun 28 08:09:10 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Jun 2011 09:09:10 -0400
Subject: [Infowarrior] - Capcom tries to kill used video game sales with the one-save game
Message-ID: <94726119-675D-4247-AA3A-FDE82198AC98@infowarrior.org>

Capcom tries to kill used video game sales with the one-save game
http://dvice.com/archives/2011/06/capcom-tries-to.php

Buying used video games is great for gamers who don't want to pay full price for the latest hits. You know who doesn't like used video games? Game publishers. In a very sad twist, Capcom's fighting back against the second-hand game market with a game that can only support one save file -- for life.

It's been confirmed that Resident Evil: Mercenaries 3D for the Nintendo 3DS is a game that, once finished, cannot be reset for complete replay. According to both the U.S. and U.K. game's instruction manual, "saved data on this software cannot be reset."
Basically what Capcom has done is make Mercenaries 3D a one-time play affair. Once you've unlocked all the goodies and played the entire game, you will not be able to erase the game's save data and start fresh as if it were a new copy. Consider this: lending Mercenaries 3D to a friend or a little brother or sister will be worthless, because they'll only be able to continue playing the game with your saved settings rather than create their own.

We get that game publishers don't make any money off sales from used video games, but killing off the ability to hit the reset button is just taking things too far. It's like saying Upperdeck is entitled to a cut of my autographed Michael Jordan basketball card I sold at a garage sale for $10,000 some 25 years after I bought it.

While it can be argued that used video game sales are actually more damaging than piracy, it's still a lowball move for Capcom to make, especially with a franchise as large and significant as the Resident Evil series. Will other publishers follow in Capcom's footsteps to take a stand against the lucrative market of used video games? We really hope this isn't a sign of things to come.

From rforno at infowarrior.org Tue Jun 28 15:04:28 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Jun 2011 16:04:28 -0400
Subject: [Infowarrior] - John The Ripper Expedites Password Auditing
Message-ID: <991412F3-AAE0-46B7-89B1-36A334CB2573@infowarrior.org>

John The Ripper Expedites Password Auditing
By Sean Michael Kerner
June 27, 2011
http://www.esecurityplanet.com/features/print.php/3936466

Chances are that if you've tested password security in the last decade, you have heard of John the Ripper. John the Ripper is an open source password cracker that is used by security researchers to help audit, crack and test password security. The core project is sponsored by security vendor Openwall, led by developers Alexander Peslyak and Roman Rusakov.
Thanks to funding from security vendor Rapid7, leaders of the open source Metasploit project, Peslyak and Rusakov were able to expand John the Ripper with improved performance and capabilities for testing and cracking password hashes.

"John the Ripper is a tool I have used since the mid-90s; the team behind it has dedicated a large portion of their time to the open source community and improving the security of open source software in general," HD Moore, Metasploit chief architect and Rapid7 CSO, told InternetNews.com. "This was an opportunity for Rapid7 to give something back and benefit the security community as a whole in the process."

Moore explained that Rapid7 provided funding to Openwall for the research; this made it possible for Peslyak and Rusakov to spend time that would have otherwise been allocated to commercial work.

The specific improvements that have been made deal with performance gains for cracking Data Encryption Standard (DES) based password hashes. According to Openwall, the DES improvements have led to a 17 percent performance boost for cracking password hashes.

According to Moore, the DES improvements are available in the John the Ripper 1.7.8 release under an open source license. He added that he fully expects these improvements to be incorporated by other password testing tools.

Overall, Moore noted that John the Ripper is an amazing piece of software for many reasons. The speed of the cryptographic implementations has always been impressive even as the number of hash types continues to grow. John the Ripper has also become much better at using distributed resources and multiple processor cores.

"John is seeing some competition from the GPGPU tools, but these tools are often not open source, and are definitely not as flexible as what John provides for free," Moore said.

While the new update's key addition is to password cracking, Moore noted that the tool also has an incredible backend for password transformations and word list generation.
"Quite a few tools use John the Ripper as a way to permute a word into similar possibilities (hacker -> h4ck3r -> h4ck3r123) and simply feed its output into their own offline or live password cracking engines," Moore said. "The rules engine built into the tool provides an incredible amount of flexibility with a level of performance that a typical scripting language will be hard pressed to match." Rapid7 is the lead commercial sponsor behind the open source Metasploit project and sells the commercial Metasploit Pro and Express editions. Moore noted that the Metasploit Framework has often been a tool that was used alongside John, but the two have never been fully integrated. "Now that the Metasploit Framework has a central database for storing collected password hashes, we would like to do more direct integration with John and offline password cracking tools in general," Moore said. "We are still sorting out the best way to deliver this, but our community has been asking for better integration for years and we plan to deliver." A possible integration could come in Metasploit Pro, where Moore said he is considering the use of John as a way to quickly enumerate weak hashes in collected data. Moore explained that such an integration would make password relay attacks easier when weak credentials are found and allow collected hashes to be cracked and tested against services that do not allow pass-the-hash style attacks. "This is a long way from wrapping a GUI around John and selling it. We have no plans to go that direction and are more than happy with how Openwall manages John the Ripper's commercial options," Moore said. "Any commercial use by Rapid7 of the John the Ripper software would be in full accordance with the open source license and spirit." Moving forward, Moore said that Rapid7 will continue to support the John the Ripper project and they look forward to more integration with Rapid7 products. 
"We believe that John the Ripper is a critical piece of the open source security ecosystem and it will continue to raise the bar," Moore said. Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals. From rforno at infowarrior.org Wed Jun 29 17:04:50 2011 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 29 Jun 2011 18:04:50 -0400 Subject: [Infowarrior] - Summary: ZDNet's USA PATRIOT Act series Message-ID: <3606BFAA-6F9A-4381-B2F9-788C641CABB9@infowarrior.org> Summary: ZDNet's USA PATRIOT Act series By Zack Whittaker | April 27, 2011, 8:00am PDT Summary ZDNet?s USA PATRIOT Act series: A summary of four extensively detailed posts, of how the Act can access data held outside the United States. This executive summary recaps a series of posts and a year?s worth of research on how the USA PATRIOT ACT impacts cross-border clouds, and considers whether data is safe from the risk of interception or unwarranted searches by U.S. authorities; even European protected data. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States. < -- > http://www.zdnet.com/blog/igeneration/summary-zdnets-usa-patriot-act-series/9233 From rforno at infowarrior.org Wed Jun 29 17:30:07 2011 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 29 Jun 2011 18:30:07 -0400 Subject: [Infowarrior] - Myspace to be sold for $35 million Message-ID: <6CC4C724-2A94-44EB-9832-9DAF55FA7EBD@infowarrior.org> (c/o JH) Myspace to be sold for $35 million Los Angeles Times | June 29, 2011 | 11:27 a.m. Myspace, formerly the dominant online social network, will be sold to Irvine-based Specific Media for $35 million in cash and stock, a person familiar with the matter said. News Corp., which acquired Myspace in 2005 for $580 million, plans to retain a small stake in company. 
More soon at http://www.latimes.com.

From rforno at infowarrior.org Thu Jun 30 07:02:45 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jun 2011 08:02:45 -0400
Subject: [Infowarrior] - RIP Robert Morris
Message-ID: <1EA8B779-078B-443E-9816-EE3D09A3A0AB@infowarrior.org>

Robert Morris, Pioneer in Computer Security, Dies at 78
By JOHN MARKOFF
Published: June 29, 2011
https://www.nytimes.com/2011/06/30/technology/30morris.html?_r=1

Robert Morris, a cryptographer who helped develop the Unix computer operating system, which controls an increasing number of the world's computers and touches almost every aspect of modern life, died on Sunday in Lebanon, N.H. He was 78.

The cause was complications of dementia, his wife, Anne Farlow Morris, said.

Known as an original thinker in the computer science world, Mr. Morris also played an important clandestine role in planning what was probably the nation's first cyberwar: the electronic attacks on Saddam Hussein's government in the months leading up to the Persian Gulf war of 1991. Although details are still classified, the attacks, along with laser-guided bombs, are believed to have largely destroyed Iraq's military command and control capability before the war began.

Begun as a research effort at AT&T's Bell Laboratories in the 1960s, Unix became one of the world's leading operating systems, along with Microsoft's Windows. Variations of the original Unix software, for example, now provide the foundation for Apple's iPhone iOS and Macintosh OSX as well as Google's Android operating systems.

As chief scientist of the National Security Agency's National Computer Security Center, Mr. Morris gained unwanted national attention in 1988 after his son, Robert Tappan Morris, a graduate student in computer science at Cornell University, wrote a computer worm -- a software program -- that was able to propel itself through the Internet, then a brand-new entity.
Although it was intended to hide in the network as a bit of Kilroy-was-here digital graffiti, the program, because of a design error, spread wildly out of control, jamming more than 10 percent of the roughly 50,000 computers that made up the network at the time.

After realizing his error, the younger Mr. Morris fled to his parents' home in Arnold, Md., before turning himself in to the Federal Bureau of Investigation. He was convicted under an early federal computer crime law, sentenced to probation and ordered to pay a $10,000 fine and perform community service. He later received a computer science doctorate at Harvard University and is now a member of the Massachusetts Institute of Technology computer science faculty.

Robert Morris was born in Boston on July 25, 1932, the son of Walter W. Morris, a salesman, and Helen Kelly Morris. He earned a bachelor's degree in mathematics and a master's in applied mathematics from Harvard.

At Bell Laboratories he initially worked on the design of specialized software tools known as compilers, which convert programmers' instructions into machine-readable language that can be directly executed by computers.

Beginning in 1970, he worked with the Unix research group at Bell Laboratories, where he was a major contributor in both the numerical functions of the operating system and its security capabilities, including the password system and encryption functions.

His interest in computer security deepened in the late 1970s as he continued to explore cryptography, the study and practice of protecting information by converting it into code. With another researcher, he began working on an academic paper that unraveled an early German encryption device. Before the paper could be published, however, he received an unexpected call from the National Security Agency.
The agency invited him to visit, and when he met with officials, they asked him not to publish the paper because of what it might reveal about the vulnerabilities of modern cryptographic systems. He complied, and in 1986 went to work for the agency in protecting government computers and in projects involving electronic surveillance and online warfare.

Although little is known about his classified work for the government, Mr. Morris told a reporter that on occasion he would help the F.B.I. by decoding encrypted evidence.

In 1994, he retired to Etna, N.H., where he was living at his death.

In addition to his wife and his son Robert, of Cambridge, Mass., Mr. Morris is survived by a daughter, Meredith Morris, of Washington; another son, Benjamin, of Chester, N.J.; and two grandchildren.

From rforno at infowarrior.org Thu Jun 30 08:10:32 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jun 2011 09:10:32 -0400
Subject: [Infowarrior] - OT: You can't make this stuff up
Message-ID:

North Korea to Head U.N. Conference on Disarmament
http://www.weeklystandard.com/blogs/north-korea-head-un-conference-disarmament_575920.html

What's next? Greece to head the UN's Conference on Global Financial Stability? *headdesk*

I don't agree often with stuff found in The Kristol Rag, but they're right: the UN is embarrassing itself again.

-- rick

From rforno at infowarrior.org Thu Jun 30 09:31:22 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jun 2011 10:31:22 -0400
Subject: [Infowarrior] - TSA Fail. part whatever
Message-ID: <34583383-A59C-4872-AFF5-273C6D6AA3C0@infowarrior.org>

Authorities Investigate Security Breach At JFK Airport After Man Flies To Los Angeles Without Ticket Or ID
http://newyork.cbslocal.com/2011/06/30/authorities-investigate-security-breach-at-jfk-airport-after-man-flies-to-los-angeles-without-ticket/

.. and TSA's response? "He was screened." Another win for security theater.
*headdesk*

From rforno at infowarrior.org Thu Jun 30 12:57:03 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jun 2011 13:57:03 -0400
Subject: [Infowarrior] - FBI Probes Massive Botnet Computer Infection
Message-ID:

FBI Probes Massive Botnet Computer Infection
By Michael Riley - Jun 30, 2011
http://www.bloomberg.com/news/print/2011-06-30/fbi-probes-botnet-infecting-millions-of-computers.html

International law enforcement agencies are investigating what may be the largest documented botnet, a network of tens of millions of hijacked computers used to steal banking information, according to a security firm aiding the investigation.

The botnet, called Metulji, Slovenian for butterfly, is linked to the theft of hundreds of thousands of dollars by a criminal gang based in Eastern Europe, including two people arrested last month in a joint operation in which the FBI joined in, said Karim Hijazi, chief executive officer of Wilmington, Delaware-based Unveillance LLC. Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation, wasn't immediately available for comment.

The Metulji botnet is at least twice as extensive as any known predecessor and uses a potent new form of spyware that has infected computers in 172 countries, evading anti-virus software, Hijazi said. Botnets, which are based on computer worms that give criminals remote command of the computers they infect, have helped fuel an expanding crime wave that cyber-security company McAfee Inc. estimates costs $1 trillion a year.

"It's a live botnet that is probably stealing information and facilitating ill-gotten gains to bad guys right now," Hijazi, 35, said. He said some members of the gang have been traced to the city of Banja Luka in Bosnia and Herzegovina.

Still in Control

Hijazi said there are indications that other members of the gang are still in control of the botnet, and he estimated that losses will eventually rise to millions of dollars. "This is far from over," Hijazi said.
Along with a Spanish firm, Panda Security, Unveillance analyzed the Metulji computer worm and found it's a more sophisticated version of the virus behind the Mariposa botnet, previously known as the largest, which was dismantled by international law enforcement agencies last year.

The June arrests of two men in Slovenia resulted from their use of real names and addresses when they registered domains used to control the Metulji botnet, Hijazi said. More arrests may be imminent.

The alleged author of the computer worm behind the Mariposa botnet, who may have also created the Metulji software, was arrested last year in Slovenia. At the time, police seized records of people he sold his software to, data that Hijazi said could now lead authorities to other members of the Metulji gang.

"That may be the key to finding any others who are still out there," Hijazi said.

To contact the reporter on this story: Michael Riley in Washington at michaelriley at bloomberg.net.
To contact the editor responsible for this story: Michael Hytha at mhytha at bloomberg.net

From rforno at infowarrior.org Thu Jun 30 14:17:57 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jun 2011 15:17:57 -0400
Subject: [Infowarrior] - As the Internet evolves, is there a place for spam?
Message-ID: <03FACDEF-F865-468A-A55B-3AF230401320@infowarrior.org>

As the Internet evolves, is there a place for spam?
Spam volumes are down dramatically, but the scourge of the Internet is smarter and more dangerous than ever
http://www.itworld.com/security/178991/internet-evolves-there-place-spam
June 30, 2011, 10:30 AM
By Robert McMillan

[Image caption: Robert Soloway, whom federal prosecutors dubbed the Spam King in 2007. He says that if he were starting out today, he would not get into spamming. The spam filters are just too good. Image: IDG News Service]

In the late 1990s Robert Soloway made $20,000 a day as a spammer. He drove fancy cars. He wore Armani clothes.
He was, by all accounts, one of the most successful spammers on the planet. But if he were starting out today, he'd find some other line of work. In 2011, spamming just won't pay the bills.

"It's not something financially feasible for anyone to even consider," said Soloway, who was released from the Federal Correctional Institution in Sheridan, Oregon a few months ago, after serving almost four years in prison for spamming.

For a time, his business was good. He spammed people to advertise his company, Newport Internet Marketing, which in turn offered a full range of spamming services for the unscrupulous marketer. $195, for example, would buy a 15-day spam run targeting 2 million addresses. Those with more cash could pay $495 and the Spam King, as federal prosecutors called him, would hit 20 million in-boxes.

But Soloway now says that even before federal agents arrested him four years ago, spam was a losing proposition. In 2007, "when I had 10 years of experience and knew every possible way to send out spam," he was still losing money, he said. His problem? Spam filters had become too good.

In 1997 Soloway was making his $20,000 a day with just one Earthlink account and a single mail server. Ten years later, he had hundreds, perhaps thousands of accounts, computers and Internet domains which he used to play an increasingly complex game of cat-and-mouse with the anti-spam crusaders trying to shut him down. When he finally stopped, he was making just $20 per day. "That should tell you how effective the anti-spam community has become," he said.

With each passing year, the reports of criminal activity on the Internet seem to get more disturbing. Distributed denial of service attacks knock entire nations offline; criminal gangs make off with hundreds of millions of dollars using stolen bank card data; a nation's nuclear ambitions are thwarted by a new type of computer worm. But lately a ray of light has cut through all the gloom.
Spam -- the Internet's original sin -- dropped for the first time ever at the end of 2010. In September, Cisco Systems' IronPort group was tracking 300 billion spam messages per day. By April, the volume had shrunk to 34 billion per day, a remarkable decline. "The largest spam-sending botnets are being shut down and a lot of the big pharmaceutical spam has disappeared," said Nilesh Bhandari, a product manager with Cisco. Spam watchers say a handful of high-profile arrests at the end of 2010 put a dent in the business, but there may be a bigger issue: E-mail spamming, at least in its traditional form, may not be as profitable as it once was. "You don't see a lot of new blood coming to the table," said Joe Stewart, a researcher with Dell's SecureWorks group. Every year or two Stewart takes a look at the top spamming botnets on the Internet. He analyzes spam messages and tracks down the networks of hacked computers responsible for sending them out. This year, the news was that there was no news. Stewart didn't find any new spam botnets. "Everything that is spamming today is pretty much what was spamming two years ago," he said in February when he released his latest report. There was a brief, halcyon day when the Internet, or rather its precursor, the Arpanet, was spam-free. But then a Digital Equipment Corporation marketer named Gary Thuerk decided to let a few hundred Arpanet users know about his new DecSystem-20 mainframes, and it was downhill from there.
When consumers flocked to the Internet in the mid 1990s -- Soloway's glory days -- the open online culture provided a breeding ground for fraudsters, and soon the vast majority of all messages on the Internet were unsolicited commercial email. Until recently, spammers were in an ugly war of attrition. As spam filters got better and better, spammers bumped up the volume of messages they pumped out. If a fraction of one percent of a million messages gets through, that's not profitable. Make that a billion messages and the money starts to add up. But it now seems as though this war of escalation has subsided; not because the spammers have given up, but because the game is changing. U.S.-based spammers have all but disappeared, scared off by prison sentences handed down to the likes of Soloway under the 2004 CAN-SPAM Act. Even overseas there has been progress. In the past year a series of spam-spewing botnets -- Waledac, Pushdo, and most recently Rustock -- have been taken offline thanks to the efforts of law enforcement and private security researchers. And in October 2010, an affiliate marketing website called Spammit closed its doors. It was used by spammers pushing online pharmaceuticals, and was a major source of income for many spammers. That's taken a big dent out of spam, but the nature of the business has evolved. Once a source of irritating commercial marketing messages, unsolicited mass emails are increasingly being used by scammers and criminal hackers to ply their trade. No longer is spam just a way to sell pornography or cheap pills. Spam messages are being used to install malicious software, and for a targeted form of spamming called spearphishing that has become a particularly effective hacker technique. A spearphishing attack opened the door to RSA Security and helped hackers to compromise the security of RSA's SecurID tokens. Spammers may be getting more crafty, too.
"There has been a decline in what we're getting in our traps, but what we're seeing that's out there is smarter spam," said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. Warner helped set up a massive database at the university that vacuums up as many as a million spam messages per day. Take Feb. 14, for example, Valentine's Day. Instead of the usual Viagra or Rolex spam, Warner saw a flood of messages advertising a legitimate florist -- FTD. That's a more targeted form of spam than what his team would typically have seen a couple of years ago. And the spammers were directing people to a legitimate Web site -- FTD Flowers -- making their money from Web marketing referral fees. If the spammers succeeded in reminding just a few absent-minded spouses to order flowers, they could make money. Another example of smart spam? Those strange emails that come from friends, telling you to visit an online pharmacy or watch a video. Criminals break into Hotmail or Gmail accounts and send messages to every one of the victims' mail contacts before anyone realizes. This type of spam -- sent between two people who know each other -- is much more likely to evade filters. Scammers have taken this game to Facebook, YouTube, and Twitter too. Sometimes they send @messages to their targets. Other times they hack into an account and use it to send out their messages. That's what happened last week to "Shaun of the Dead" actor Simon Pegg's Twitter account. It was used to spam out a Trojan horse program disguised as a screensaver to his 1.2 million followers. The hunt for new ways to pump out unwanted messages is a natural evolution. Old-fashioned e-mail isn't the ubiquitous connector it once was. According to the Pew Center for Internet Life, young Internet users shy away from e-mail, preferring texts and instant messages.
Pew's December 2010 Generations report on Internet usage found that 70-year-olds are now more likely to use email than teenagers. In an effort to reach these younger Internet users, scammers have turned to search engines too, poisoning search results by gaming Google or Bing. "People are spending more time on Web properties than they were four or five years ago," said Paul Judge, chief research officer at security appliance vendor Barracuda Networks. The result is that search engine results are becoming cluttered with blatantly commercial or useless pages, in much the same way that email boxes were flooded when spam first spiked about a decade ago. Scammers know how search engines work, and they work hard to get their dodgy pages to pop up near the top of search results. They bombard online forums with links to their pages or hack into websites to add links -- all in an effort to boost their Google ranking. For less than $100, crooked marketers can automatically add 10,000 links -- typically from the comments section of blogs -- to whatever webpage they want. This can quickly push a webpage to the top of Google or Bing's results. This doesn't only lead to bad Web-searching. Sometimes it means that people get hacked. In fact, the number of malicious Web pages that use search engine optimization tricks to lure visitors nearly doubled between June and December last year, Judge said. Even spammy Web pages that aren't malicious, the ones slapped together with stolen or low-quality content, are becoming a problem. Earlier this year Google was forced to acknowledge a "slight uptick" in spam pages, and said it was trying new tricks to exclude unwanted pages from its results. Spam is morphing. So while the spam boom that kicked off in the late 1990s may finally be abating, that doesn't mean unwanted mass emails are going away.
It's still an effective way for scammers to quickly and cheaply connect with millions of people they don't know, and convince them to buy something they don't need or to go to a Web site they should really avoid. On Monday, Cisco's IronPort group tracked more than 45 billion spam messages. That means spam accounted for 86% of all the email on the Internet that day. In a recent report, Symantec pegged spam at 73% of all email. But both companies agree that it's at its lowest levels in years. Robert Soloway believes spam will never die, so long as email is free. But the barriers to entry are getting higher. According to the former Spam King, people will try it out, then once they realize how hard it is to make it big, most will move on to something else. But those who have found a way to make money will be around for a long time, said Dell's Stewart. They may be dinosaurs, but "they're dinosaurs that are still making money," he said. "I don't think they're going to quit." From rforno at infowarrior.org Thu Jun 30 14:21:29 2011 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Jun 2011 15:21:29 -0400 Subject: [Infowarrior] - Wikileaks spoofs 'Priceless' ad Message-ID: <985003CD-8E0A-4409-9EFA-BEEEABC8426D@infowarrior.org> Wonder how long before Mastercard starts complaining (again) about trademark infringement??? --rick Wikileaks Spoofs Mastercard Ad In Video Plea For Donations http://gizmodo.com/5817049/wikileaks-spoofs-mastercard-ad-in-video-plea-for-donations From rforno at infowarrior.org Thu Jun 30 14:27:35 2011 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Jun 2011 15:27:35 -0400 Subject: [Infowarrior] - Twitter Is Under Federal Investigation Message-ID: <6E53254D-2F9B-4AB1-9C0B-5B36696CE259@infowarrior.org> (I wondered when this would happen for exactly the reasons mentioned in the article. -- rick) Twitter Is Under Federal Investigation Nicholas Carlson and Dan Frommer | Jun. 
30, 2011, 2:30 PM http://www.businessinsider.com/the-ftc-is-investigating-the-way-twitter-is-handling-its-platform-2011-6 The Federal Trade Commission is actively investigating Twitter and the way it deals with the companies building applications and services for its platform, we've learned. In spring 2010, Twitter started making noises that it planned to provide users "official" versions of services that, until then, had typically been provided by third parties: ads, photo-sharing, URL shortening and mobile apps. Over the following year, Twitter followed up on its promise. It acquired third-party Twitter clients such as Tweetie and TweetDeck, blessing them as "official" Twitter apps. Twitter also redesigned Twitter.com so that third-party video and photo-hosting sites no longer linked to off-Twitter sites, but kept users on Twitter. Twitter also banned third-party ad services. Meanwhile, serial entrepreneur Bill Gross -- best known for inventing search advertising -- launched a company called TweetUp. The initial plan was some kind of Twitter ad network. Later, Gross started buying Twitter apps. Eventually, his company got funding from Accel with the idea that the money would be used to buy TweetDeck. It sort of looked like Gross might be planning to launch a Twitter competitor -- or at least string his Twitter clients into their own monetized network. But then Twitter got aggressive with Gross -- first by shutting down several of its apps for a week or so, and then by stepping in and acquiring TweetDeck for itself. We reached out to people at Twitter. They did not respond. The FTC declined to comment. A representative from Gross's company tells us: "We have been contacted by the FTC and are in the process of responding to their requests." Another app-maker says: "Our lawyer has advised us not to talk about this particular topic."
Today, we learned that Twitter will soon create a site to "offer up as much information as possible to developers and partners." The news seems related. Twitter settled with the FTC in March over allegations of privacy violations. From rforno at infowarrior.org Thu Jun 30 15:05:44 2011 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Jun 2011 16:05:44 -0400 Subject: [Infowarrior] - China's army develops 'online war game' Message-ID: <56A25422-390D-49A4-90B5-D82AEA661609@infowarrior.org> China's army develops 'online war game' Jun 29, Technology/Internet http://pda.physorg.com/news/2011-06-china-army-online-war-game.html After setting up its own cyber-warfare team, China's military has now developed its first online war game aimed at improving combat skills and battle awareness, state press said on Wednesday. "Glorious Mission" is a first-person shooter game that sends players on solo or team missions armed with high-tech weapons, the China Daily reported. Weapons used in the game are part of the actual arsenal of China's People's Liberation Army, it added. The final version of the game, which took nearly three years to develop and test, was launched on June 20. "I think it is possible the game will be made open online for Chinese military fans to download and play," an unnamed PLA press officer was quoted as saying. China has the world's biggest online population at more than 477 million users, according to official data. The launch of the game comes after the military announced earlier this year that it had set up an elite Internet security task force to fend off cyber attacks.
Despite numerous allegations from around the world pointing at China as a source of cyber attacks, the state press, citing military officials, denied that the elite task force was set up as a "hacker army". (c) 2011 AFP