From rforno at infowarrior.org Wed Apr 1 06:59:48 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Apr 2015 07:59:48 -0400
Subject: [Infowarrior] - After Snowden, The NSA Faces Recruitment Challenge
Message-ID: <3A70E56A-B5F4-4508-97FC-D8E40B5A4D64@infowarrior.org>

(Not surprising to see at all. --rick)

After Snowden, The NSA Faces Recruitment Challenge
March 31, 2015 4:58 AM ET
Geoff Brumfiel
Morning Edition
http://www.npr.org/2015/03/31/395829446/after-snowden-the-nsa-faces-recruitment-challenge

Daniel Swann is exactly the type of person the National Security Agency would love to have working for it. The 22-year-old is a fourth-year concurrent bachelor's-master's student at Johns Hopkins University with a bright future in cybersecurity. And growing up in Annapolis, Md., not far from the NSA's headquarters, Swann thought he might work at the agency, which intercepts phone calls, emails and other so-called "signals intelligence" from U.S. adversaries.

"When I was a senior in high school I thought I would end up working for a defense contractor or the NSA itself," Swann says.

Then, in 2013, NSA contractor Edward Snowden leaked a treasure-trove of top-secret documents. They showed that the agency's programs to collect intelligence were far more sweeping than Americans realized. After Snowden's revelations, Swann's thinking changed. The NSA's tactics, which include retaining data from American citizens, raise too many questions in his mind: "I can't see myself working there," he says, "partially because of these moral reasons."

This year, the NSA needs to find 1,600 recruits. Hundreds of them must come from highly specialized fields like computer science and mathematics. So far, it says, the agency has been successful. But with its popularity down, and pay from wealthy Silicon Valley companies way up, agency officials concede that recruitment is a worry.
If enough students follow Daniel Swann, then one of the world's most powerful spy agencies could lose its edge.

People Power Makes The Difference

Contrary to popular belief, the NSA's black buildings aren't simply filled with code-cracking supercomputers. "There's no such thing as a computer that can break any code," says Neal Ziring, a technical lead in the agency's information assurance directorate. "People like to think there's some magic bullet here, and there isn't. It's all hard work."

Hard work done by a lot of people. Nationwide, the NSA employs roughly 35,000. And each year it must find recruits to keep it at the cutting edge of code-making and code-breaking. It gets those recruits from hundreds of colleges and universities nationwide, including Johns Hopkins University.

Matthew Green, a professor of computer science at Hopkins, says the number of such students the school turns out each year can vary. "Sometimes it's a half-a-dozen," he says. "Sometimes it's just one or two."

Green says the Snowden leaks have changed academia's views of the agency. "Before the Snowden leaks we looked at the NSA as being a spy agency, and they did what they were supposed to do," he says. "But we've learned that they've been collecting this incredible amount of information. And they're not shy about doing whatever they have to do to get access to that information."

Green says he doesn't feel as friendly toward the NSA as he once did. It's important that people learn about the Snowden documents, he says, and he teaches about them to students like Swann. Swann says Green's class helped shape his thinking on whether to work for the NSA.

Someone like Daniel Swann is a fairly rare commodity. Hopkins is a big university, but its Information Security Institute will produce just 31 master's this year.
Of those, only five are U.S. citizens – a requirement to work at the NSA. With similarly small numbers at other schools, how many Daniel Swanns are rejecting the agency because of the Snowden leaks?

"Well that's kind of a tricky question," says Ziring, the NSA computer scientist. Ziring also helps lead academic outreach for the agency. "When I've been out on campuses and talking to students," he says, "there are some of them ... that puts them off or they have doubts."

On the other hand, Ziring says, the Snowden leaks have sparked other students' interest. "[They say], 'I actually know some of what you do now, and that's really cool and I want to come do that,'" he says.

Corporations Willing To Pay Top Dollar

But Ziring says there's a much bigger problem: "I was at a Dartmouth career fair a few months ago," he says, "and our table was right across from Facebook. And we are looking for some of the same things that they are."

Ever since the Snowden leaks, cybersecurity has been hot in Silicon Valley. In part that's because the industry no longer trusts the government as much as it once did. Companies want to develop their own security, and they're willing to pay top dollar to get the same people the NSA is trying to recruit.

Students like Swann. Last summer Microsoft paid him $7,000 a month to work as an intern. The company even rented him a car. "It was actually really nice," Swann says. "It was a Subaru Legacy."

Ziring says the agency can't compete on money, so he tries to sell it in other ways: "You know we have good health benefits, and we're government, right? So we have a huge scope of insurance to choose from," he says. Things like work-life balance and continuing education do attract some people.

Alyssa is a mathematician in her mid-20s who has been working at the NSA for just under two years. (She and the NSA won't tell NPR her last name because her work is classified.)
Alyssa joined the agency right as the Snowden documents were being made public, and she wrestled with whether it was the right thing to do. Her mom wanted her to go for the big bucks, instead. "She actually held a grudge for a long time that I wasn't getting a higher paying job," Alyssa says.

But Alyssa chose the NSA anyway. And she's glad she did. "I absolutely love what I'm doing now," she says. Which is classified, so she won't say anything more about it – except that it's the kind of stuff she can't work on anywhere else.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Apr 1 10:14:24 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Apr 2015 11:14:24 -0400
Subject: [Infowarrior] - POTUS issues cyber-sanctions order
Message-ID: <14A8A7BD-41D2-4A70-BADD-1221EFF87BC3@infowarrior.org>

Executive Order -- "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities"
https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 2 14:56:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Apr 2015 15:56:37 -0400
Subject: [Infowarrior] - Android Security State of the Union 2014
Message-ID:

Android Security State of the Union 2014
Posted: Thursday, April 2, 2015
Posted by Adrian Ludwig, Lead Engineer for Android Security
http://googleonlinesecurity.blogspot.nl/2015/04/android-security-state-of-union-2014.html

We're committed to making Android a safe ecosystem for users and developers. That's why we built Android the way we did – with multiple layers of security in the platform itself and in the services Google provides.
In addition to traditional protections like encryption and application sandboxes, these layers use both automated and manual review systems to keep the ecosystem safe from malware, phishing scams, fraud, and spam every day. Android offers an application-focused platform security model rooted in a strong application sandbox. We also use data to improve security in near real time through a combination of reliable products and trusted services, like Google Play, and Verify Apps. And, because we are an open platform, third-party research and reports help make us stronger and users safer.

But, every now and then we like to check in to see how we're doing. So, we've been working hard on a report that analyzes billions (!) of data points gathered every day during 2014 and provides comprehensive and in-depth insight into security of the Android ecosystem. We hope this will help us share our approaches and data-driven decisions with the security community in order to keep users safer and avoid risk.

It's lengthy, so if you've only got a minute, we pulled out a few of the key findings here:

- Over 1 billion devices are protected with Google Play which conducts 200 million security scans of devices per day.
- Fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014. Fewer than 0.15% of devices that only install from Google Play had a PHA installed.
- The overall worldwide rate of Potentially Harmful Application (PHA) installs decreased by nearly 50% between Q1 and Q4 2014.
- SafetyNet checks over 400 million connections per day for potential SSL issues.
- Android and Android partners responded to 79 externally reported security issues, and over 25,000 applications in Google Play were updated following security notifications from Google Play.

We want to ensure that Android is a safe place, and this report has helped us take a look at how we did in the past year, and what we can still improve on.
In 2015, we have already announced that we are being even more proactive in reviewing applications for all types of policy violations within Google Play. Outside of Google Play, we have also increased our efforts to enhance protections for specific higher-risk devices and regions.

As always, we appreciate feedback on our report and suggestions for how we can improve Android. Contact us at security at android.com.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 2 15:56:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Apr 2015 16:56:13 -0400
Subject: [Infowarrior] - DHS renews quest for access to national license-plate tracking system
Message-ID:

DHS renews quest for access to national license-plate tracking system
By Ellen Nakashima
April 2 at 4:42 PM
http://www.washingtonpost.com/world/national-security/dhs-renews-quest-for-access-to-national-license-plate-tracking-system/2015/04/02/4d79385a-d8a1-11e4-8103-fa84725dbf9d_story.html

The Department of Homeland Security is seeking bids from companies able to provide law enforcement officials with access to a national license-plate tracking system – a year after canceling a similar solicitation over privacy issues.

The reversal comes after officials said they had determined they could address concerns raised by civil liberties advocates and lawmakers about the prospect of the department gaining widespread access, without warrants, to a system that holds billions of records that reveal drivers' whereabouts.

In a privacy impact assessment issued Thursday, DHS clarifies it is not seeking to build a national database or contribute data to an existing system. Instead, it is seeking bids from companies that already gather the data to say how much they would charge to grant access to law enforcement officers at the Immigration and Customs Enforcement Agency.
Officials said they also want to impose limits on ICE personnel's access and use of the data.

"These restrictions will provide essential privacy and civil liberty protections, while enhancing our agents' and officers' ability to locate and apprehend suspects who could pose a threat to national security and public safety," DHS spokeswoman Marsha Catron said in a statement. The solicitation will be posted publicly Thursday.

Privacy advocates who reviewed a copy of the privacy assessment said it fell short.

"If this goes forward, DHS will have warrantless access to location information going back at least five years about virtually every adult driver in the U.S., and sometimes, to their image as well," said Gregory T. Nojeim, senior counsel for the Center for Democracy & Technology.

Commercial license-plate tracking systems are already used by the FBI and Drug Enforcement Administration, as well as some local and state law enforcement agencies. Law enforcement groups say that the fears of misuse are overblown.

But news of the DHS solicitation triggered a public firestorm last year, leading Homeland Security Secretary Jeh Johnson to cancel it and order a review of the privacy concerns raised by advocates and lawmakers. Over the following months, ICE and DHS privacy officials developed policies aimed at increasing "the public's trust in our ability to use the data responsibly," according to a senior DHS privacy officer. DHS is the first federal agency, officials said, to issue a privacy assessment on such a solicitation.

Commercial license-plate-tracking systems can include a variety of data. Images of plate numbers are generally captured by high-speed cameras that are mounted on cars or in fixed locations and photograph the tags of vehicles crossing their paths. Some systems also capture images of the drivers and passengers.
The largest commercial database is owned by Vigilant Solutions, which as of last fall had more than 2.5 billion records, and grows by 2.7 million records a day. DHS officials say Vigilant's database, which some field offices have had access to on a subscription basis, has proven valuable in solving years-old cases.

Privacy advocates, however, are concerned about the potential for abuse and note that commercial data banks generally do not have limits on how long that data is retained.

ICE said it will restrict agents' access to the data to the number of years corresponding to the relevant statute of limitations for any crime being investigated. For civil immigration cases, where there is no statute of limitations, the agency is adopting a five-year limit, officials said.

ICE officers and agents will also be required to enter the type of crime associated with the query to gain access, and there will be random audits to ensure that no one is using the database to look up information on personal associates. They may search for only a particular number. ICE queries will not be shared with other agencies, unless they are working on a joint investigation, a senior DHS official said.

ICE personnel will also be able to put numbers of interest on an "alert list," enabling them to be notified almost instantly when a plate is spotted.

Ginger McCall, director of the Electronic Privacy Information Center's Open Government Project, said the new safeguards were not "meaningful." She called the data retention requirements "exceedingly vague" and said tracking people through alert lists without a warrant is troubling. The senior privacy officer said current case law does not require the government to seek a warrant for such data.

"This is a step in the right direction, but it's not nearly strong enough given the particular acute privacy and civil liberties issues implicated by locational data," McCall said.

Ellen Nakashima is a national security reporter for The Washington Post.
She focuses on issues relating to intelligence, technology and civil liberties.

Comments:

samyosemite (4:52 PM EDT): Selling SAFETY to steal your FREEDOM. The NAZIS and STALIN would have loved this technology. It makes rounding up people SO much easier.

CMDPrompt (4:52 PM EDT): No. Hell no. You have got to be freaking kidding me.

Call it like I see it (4:47 PM EDT): Just another Unconstitutional search and usurpation of States rights. Anyone who believes that the limitation of employee access will last is another candidate to buy swamp land.

Kevin Stowell (4:42 PM EDT): Watch it! I have a truck and I know how to drive it! Live in fear!

bartjohnson (4:41 PM EDT): What an absurdity it is to suggest that these measures are being done to "protect us," while simultaneously ignoring our laughably porous borders and importing millions more criminal illegals.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Apr 3 16:25:44 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 3 Apr 2015 17:25:44 -0400
Subject: [Infowarrior] - FBI stage-manages another 'terror bust'
Message-ID:

https://firstlook.org/theintercept/2015/04/03/alleged-isis-inspired-plotters-provided-bomb-making-manual-informant/

INFORMANT PROVIDED BOMB-MAKING MANUAL TO ALLEGED "ISIS-INSPIRED" PLOTTERS

In what has been widely described in the media as the breakup of an "ISIS-inspired" plot, on April 2 the Department of Justice announced that Noelle Velentzas, 28, and Asia Siddiqui, 31, both of New York, had been arrested and charged with conspiracy to use a weapon of mass destruction. The defendants "plotted to wreak terror by creating explosive devices"
for use in New York City and sought "bomb-making instructions and materials" for an attack, the Justice Department statement said.

Like other recent sensational "terror plots," however, the criminal complaint unsealed yesterday demonstrates the key role of an undercover law enforcement informant in both formulating and facilitating the alleged plot. It doesn't appear that Velentzas or Siddiqui actually planned or attempted to bomb any target, nor is there any evidence of discussions about how to create a bomb before the introduction of the informant into their lives. It was only after the informant provided the pair with a copy of The Anarchist Cookbook – a manual with instructions on how to create an explosive device – that their amateurish efforts gained any traction.

< - >

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Apr 4 08:19:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 4 Apr 2015 09:19:33 -0400
Subject: [Infowarrior] - Report: Al Qaeda to formally disband this year
Message-ID:

Al Qaeda to formally disband this year
Posted on April 2, 2015 by Philip Ingram
http://securitymiddleeast.com/2015/04/02/al-qaeda-to-formally-disband-this-year/

In an unprecedented insight into the future of Al Qaeda, 5 Dimensions consultants based in Dubai, with direct access to information inside the command structures of Al Qaeda, have released an assessment of their future based on actual discussions between key decision makers. One key finding is "Al Qaeda to formally disband this year".

Sources within Ahrar al-Sham in Syria stated that Jabhat al-Nusra (al-Qaeda's branch in Syria) informed Ahrar al-Sham and other allies in Syria of its intentions to break away from al-Qaeda in an "organized" and pre-planned manner, as al-Qaeda itself will announce its own disbandment this year. They stated that their allies in Jabhat al-Nusra have told them that AQ leader Ayman al-Zawahiri will relinquish his authority – or what is left of it –
over AQ branches globally and absolve them of their allegiance to him.

The move is in response to the rising power of Islamic State in Iraq, Syria, Egypt, Libya and Nigeria as well as new IS incursion into Yemen. AQ and Zawahiri can no longer offer any meaningful leadership, and the trend between the two strongest and largest AQ branches (al-Nusra and AQAP) is that the association with AQ is no longer an asset when it comes to local conflicts in Syria and Yemen; instead it is a hindrance and a liability. While Zawahiri and AQ central command have been ineffective and sidelined since the start of 2014 and with the rise of the IS, nevertheless they provided a moral and legitimate voice for al-Nusra and AQAP in the face of IS expansion.

The immediate implication for such a move (once it happens) is that al-Nusra would be free to establish wider alliances within Syria and open the door again for its plans for an Islamic Emirate in northern Syria after Idlib was taken with the help of Ahrar al-Sham. The move will also help AQAP to abandon the al-Qaeda name and adopt once and for all the new name of "Ansar al-Sharia". Both groups possess their own funding mechanism and have been (for several years) free financially from al-Qaeda Central Command. Nonetheless dissolving al-Qaeda will be seen as the end of an era and the beginning of a new chapter for both al-Nusra and AQAP (Ansar al-Sharia). AQIM were already dissolving and merging with other regional groups across the Sahara/North African region, therefore there will be limited strategic or logistical impact from this announcement.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Sat Apr 4 08:19:39 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 4 Apr 2015 09:19:39 -0400
Subject: [Infowarrior] - USPTO Demands EFF Censor Its Comments On Patentable Subject Matter
Message-ID:

USPTO Demands EFF Censor Its Comments On Patentable Subject Matter
https://www.techdirt.com/articles/20150403/14555030543/uspto-demands-eff-censor-comments-patentable-subject-matter.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Apr 5 17:47:25 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 5 Apr 2015 18:47:25 -0400
Subject: [Infowarrior] - Horace Edwards (finally) withdraws Snowden lawsuit
Message-ID: <7B25F937-1E2A-4B13-AE03-BE017624EAAE@infowarrior.org>

About time this moronic frivolous lawsuit, counter-suit, and re-suit, and his ongoing, baseless whinging was dropped...

Horace Edwards Dismisses Snowden et al Complaint
http://cryptome.org/2015/04/edwards-045.pdf

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Apr 6 08:27:21 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Apr 2015 09:27:21 -0400
Subject: [Infowarrior] - Sling TV user caps & subscriber detail revealed
Message-ID:

(Disclosure: I was one of the first to sign up for Sling, having cut my cable last year. For the things I use it for, I am pretty pleased with it. --rick)

TV Networks Put Subscriber Caps on Skinny Bundles and Streaming Video Services
http://adage.com/article/media/tv-programmers-put-subscriber-caps-skinny-bundles/297887/

Thinking about joining the ranks of cable cord-cutters and signing up for Sling TV? Better act fast.

The companies whose channels are included in Dish Network's new online-TV service are putting caps on the number of people who can subscribe. If the limits are exceeded, content companies may have the right to pull their shows and movies, said Geetha Ranganathan, an analyst at Bloomberg Intelligence.
Subscriber caps are a way for the media industry to cope with an increase in viewers shunning traditional pay-TV packages with their hundreds of channels -- many never watched. Programmers like Walt Disney Co. and Time Warner can't ignore the rise of online options, yet don't want these cable alternatives growing too fast. Cable companies pay fees to programmers based on their subscribers. If large swaths drop pay-TV plans for Sling TV or Apple's planned service, it would mean less money for cable operators and certain programmers alike.

"They want it to be a complementary product and not a competing product that cannibalizes their core business," Ms. Ranganathan said. "They don't want it to become too popular."

Programmers want the skinny bundles to help them reach the estimated 10 million or so broadband subscribers who don't opt to buy pricey pay-TV packages, while making sure those less-costly plans don't encourage people to cut the cord with cable and satellite operators.

Not just streaming services capped

"It's still early stages," said Amy Yong, an analyst with Macquarie Group. "They're all testing the market."

Subscriber limits aren't new. Cable companies that offer similar low-priced packages with a dozen or so channels are often restricted to sign up no more than 10% of their customers to such plans, said Rich Fickle, CEO of the National Cable Television Cooperative in Lenexa, Kansas. That way, programmers can ensure their channels on pricier tiers have a large enough audience to maintain advertiser interest, he said.

Sling TV, introduced in February, offers about 20 channels for $20, including Time Warner's CNN and TBS, as well as ESPN, Disney Channel and AMC, and provides sports and entertainment series such as "Monday Night Football" and "The Walking Dead." Apple plans to debut a service this year with about 25 channels, according to people with knowledge of the matter. Verizon Communications, the largest U.S.
wireless carrier, also intends to enter the web-based streaming market with a slimmed-down package.

So far, Sling TV has signed up at least 100,000 subscribers, the technology site Re/Code reported last month. By comparison, online video-subscription service Netflix has more than 57 million members worldwide, with more than 39 million in the U.S. Danielle Johnson, a spokeswoman for Englewood, Colorado-based Dish, declined to comment on the number of people who have signed up for Sling or whether the service has subscriber limits.

Limited content

Skinny bundles could have trouble gaining traction because their content is limited or their price is too high to attract a large number of pay-TV subscribers, Todd Juenger, a media analyst at Sanford C. Bernstein & Co. in New York, said in a March 26 note to clients. But industry executives still want to make sure they don't get too popular and cite subscriber caps as a reason why the traditional pay-TV bundle is safe.

"Sling is by its agreements with the content owners itself limited to be sold to people that don't have cable, with a limit of 2 million subscribers," Discovery CEO David Zaslav said at a media conference last month. "I don't see à la carte or different bundles really having much of an impact here in the U.S." None of Discovery's channels is currently in Sling TV's lineup.

'Constructive' strategy

Agreements that use subscriber caps are "a constructive way to make an offering to a given part of the market that does not undermine the other part of the market," Time Warner CEO Jeff Bewkes said at a media conference last year.

But as the lower-cost packages increase in popularity, it will put pressure on cable networks and pay-TV distributors to reassess those limits, said Mr. Fickle, whose group negotiates programming contracts on behalf of 900 smaller cable-TV providers. "It's going to grow, it has to," Fickle said. "Current programming agreements have problems in adapting to that."
~ Bloomberg News ~

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Apr 6 08:51:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Apr 2015 09:51:34 -0400
Subject: [Infowarrior] - John Oliver interviews Edward Snowden
Message-ID: <5798F0E1-77CD-442F-A459-6124AD55ADC5@infowarrior.org>

John Oliver interviews Edward Snowden
http://boingboing.net/2015/04/06/john-oliver-interviews-edward.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Apr 6 19:01:24 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Apr 2015 20:01:24 -0400
Subject: [Infowarrior] - Court mulls revealing secret government plan to cut cell phone service
Message-ID: <40CE848A-AAFC-4BB0-8565-55D916954C7A@infowarrior.org>

Court mulls revealing secret government plan to cut cell phone service
Feds: SOP 303 mobile-phone kill-switch policy would endanger public if disclosed.
by David Kravets - Apr 6, 2015 2:27pm EDT
http://arstechnica.com/tech-policy/2015/04/court-mulls-revealing-secret-government-plan-to-cut-cell-phone-service/

A federal appeals court is asking the Obama administration to explain why the government should be allowed to keep secret its plan to shutter mobile phone service during "critical emergencies."

The Department of Homeland Security came up with the plan – known as Standing Operating Procedure 303 – after cellular phones were used to detonate explosives targeting a London public transportation system. SOP 303 is a powerful tool in the digital age, and it spells out a "unified voluntary process for the orderly shut-down and restoration of wireless services during critical emergencies such as the threat of radio-activated improvised explosive devices."

The US Court of Appeals for the Federal Circuit in February sided (PDF) with the government and ruled that the policy did not need to be disclosed under a Freedom of Information Act request from the Electronic Privacy Information Center.
The court agreed with the government's citation of a FOIA exemption that precludes disclosure if doing so "could reasonably be expected to endanger the life or physical safety of any individual."

EPIC asked the court to revisit its ruling, arguing that the decision, "if left in place, would create an untethered 'national security' exemption" in FOIA law. On Friday, the court ordered (PDF) the government to respond – a move that suggests the appellate court might rehear the case.

EPIC originally asked for the document in 2011 in the wake of the shutdown of mobile phone service in the San Francisco Bay Area subway system during a protest. The government withheld the information, EPIC sued and won, but the government then appealed and prevailed.

In its petition for rehearing, EPIC argued that the appellate court's decision "created a catch-all provision that would allow federal agencies to routinely withhold records subject to disclosure where the agency merely asserts a speculative security risk."

Under the direction of the so-called National Security Telecommunications Advisory Committee, SOP 303 allows for the shutting down of wireless networks "within a localized area, such as a tunnel or bridge, and within an entire metropolitan area." There have been no publicly disclosed instances when SOP 303 has been invoked, but the telecoms have agreed to shutter service when SOP 303 is invoked. Local governments, however, have the power to shutter wireless service regardless of SOP 303.

The last known time mobile phone service was cut by a government agency was the San Francisco example from 2011. That's when the Bay Area Rapid Transit System took heat for disabling service to quell a protest in four downtown San Francisco stations. The three-hour outage was done after BART cut service without the assistance of the telcos.
In the aftermath, BART produced a new policy that said service could only be cut off when "there is strong evidence of imminent unlawful activity that threatens the safety of district passengers, employees, and other members of the public."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Apr 6 19:19:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Apr 2015 20:19:50 -0400
Subject: [Infowarrior] - DHS Seeks Increase in Domestic HUMINT Collection
Message-ID: <2C7D788B-84F3-4092-AED8-6CDE7D7CF3C3@infowarrior.org>

DHS Seeks Increase in Domestic HUMINT Collection
http://fas.org/blogs/secrecy/2015/04/dhs-humint/
http://fas.org/?post_type=secrecy&p=30279

The Department of Homeland Security aims to increase its domestic human intelligence collection activity this year, the Department recently told Congress.

In a question for the record from a September 2014 congressional hearing, Rep. Paul C. Broun (R-GA) asked: "Do we currently have enough human intelligence capacity – both here in the homeland and overseas – to counter the threats posed by state and non-state actors alike?"

The Department replied, in a response published in the full hearing volume last month (at p. 64):

"DHS is working on increasing its human intelligence-gathering capabilities at home and anticipates increasing its field collector/reporter personnel by 50 percent, from 19 to approximately 30, during the coming year."

"We are also training Intelligence Officers in State and major urban area fusion centers to do intelligence reporting. This will increase the human intelligence capability by an additional 50–60 personnel."

The projected increase in DHS HUMINT collection activity was not specifically mentioned in the Department's FY 2015 budget request.

Human intelligence collection in this context does not necessarily mean that the Department is running spies under cover.
According to a 2009 report from the Congressional Research Service (footnote 38), "For purposes of DHS intelligence collection, HUMINT is used to refer to overt collection of information and intelligence from human sources. DHS does not, generally, engage in covert or clandestine HUMINT." In any case, "The DHS Intelligence Enterprise has increased intelligence reporting, producing over 3,000 reports in fiscal year 2014," DHS also told Rep. Broun. A June 2014 report from the Government Accountability Office found fault with some of that reporting, which is generated by the DHS Office of Intelligence and Analysis (I&A). "I&A customers had mixed views on the extent to which its analytic products and services are useful," GAO found. See DHS Intelligence Analysis: Additional Actions Needed to Address Analytic Priorities and Workforce Challenges, GAO report GAO-14-397, June 2014. DHS concurred with the resulting GAO recommendations. -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Apr 7 14:28:12 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 7 Apr 2015 15:28:12 -0400 Subject: [Infowarrior] - Warner & Rightscorp: Copyright Trolling Is Protected By The First Amendment Message-ID: <5CA39D6F-E7A3-4566-9857-A897DEA91C0B@infowarrior.org> Warner Bros. And Rightscorp Argue That Copyright Trolling Is Protected By The First Amendment from the that's-one-way-to-look-at-it dept Is the process of copyright trolling protected by the First Amendment? That appears to be the claim that both Rightscorp and Warner Bros. are making in response to a class action lawsuit filed against them. < - > https://www.techdirt.com/articles/20150406/18122330569/warner-bros-rightscorp-argue-that-copyright-trolling-is-protected-first-amendment.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Apr 7 16:59:11 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 7 Apr 2015 17:59:11 -0400 Subject: [Infowarrior] - U.S.
secretly tracked billions of calls for decades Message-ID: <911A852A-CDCB-4089-88DF-404364275E0C@infowarrior.org> U.S. secretly tracked billions of calls for decades Brad Heath, USA TODAY 5:51 p.m. EDT April 7, 2015 WASHINGTON - The U.S. government started keeping secret records of Americans' international telephone calls nearly a decade before the Sept. 11 terrorist attacks, harvesting billions of calls in a program that provided a blueprint for the far broader National Security Agency surveillance that followed. For more than two decades, the Justice Department and the Drug Enforcement Administration amassed logs of virtually all telephone calls from the USA to as many as 116 countries linked to drug trafficking, current and former officials involved with the operation said. The targeted countries changed over time but included Canada, Mexico and most of Central and South America. Federal investigators used the call records to track drug cartels' distribution networks in the USA, allowing agents to detect previously unknown trafficking rings and money handlers. They also used the records to help rule out foreign ties to the bombing in 1995 of a federal building in Oklahoma City and to identify U.S. suspects in a wide range of other investigations. The Justice Department revealed in January that the DEA had collected data about calls to "designated foreign countries." But the history and vast scale of that operation have not been disclosed until now. The now-discontinued operation, carried out by the DEA's intelligence arm, was the government's first known effort to gather data on Americans in bulk, sweeping up records of telephone calls made by millions of U.S. citizens regardless of whether they were suspected of a crime. It was a model for the massive phone surveillance system the NSA launched to identify terrorists after the Sept. 11 attacks.
That dragnet drew sharp criticism that the government had intruded too deeply into Americans' privacy after former NSA contractor Edward Snowden leaked it to the news media two years ago. < - > http://www.usatoday.com/story/news/2015/04/07/dea-bulk-telephone-surveillance-operation/70808616/ -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Apr 7 17:00:40 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 7 Apr 2015 18:00:40 -0400 Subject: [Infowarrior] - Erie County Sheriff Records Reveal Invasive Use of "Stingray" Technology Message-ID: <9DD31ED1-BC82-432D-8F4B-E22E8CEA1C85@infowarrior.org> Erie County Sheriff Records Reveal Invasive Use of "Stingray" Technology http://www.nyclu.org/news/erie-county-sheriff-records-reveal-invasive-use-of-stingray-technology April 7, 2015 - The New York Civil Liberties Union released today records it received from the Erie County Sheriff's Office on its use of "stingrays," devices that can track and record New Yorkers' locations via their cell phones. The records showed that of the 47 times the Sheriff's Office used stingrays in the past four years, it apparently only once obtained a court order, contradicting the sheriff's own remarks. "These records confirm some of the very worst fears about local law enforcement's use of this expensive and intrusive surveillance equipment," said NYCLU Staff Attorney Mariko Hirose. "Not only did the Sheriff's Office promise the FBI breathtaking secrecy to keep information about stingrays as hidden as possible, it implemented almost no privacy protections for the Erie County residents it is sworn to protect and serve." Stingrays can collect information on all cell phones in a given area as well as precisely track particular phones, locating people within their own home, at a doctor's office, at a political protest or in a church.
In March, a Supreme Court Justice ruled that the Sheriff's Office must disclose information about stingrays after the NYCLU sued the office for failing to follow the law and respond to public information requests about how it uses the devices. The court ordered disclosure of all existing records requested by the NYCLU, including purchase orders, a letter from the stingrays' manufacturer, a confidentiality agreement between the Sheriff's Office and the FBI, a procedural manual and summary reports of instances in which the device was used. The records reveal that:
- The Sheriff's Office used stingrays at least 47 times between May 1, 2010 and October 3, 2014, including assisting other law enforcement departments like the Monroe County Sheriff's Office.
- The office apparently obtained a court order prior to using the device only once in those 47 circumstances, contradicting the sheriff's statements to a local reporter and the legislature that this device is being used subject to "judicial review." In the one case a court order was obtained, in October 2014, the sheriff did not obtain a warrant but a lower level court order called a "pen register" order.
- Its confidentiality agreement with the FBI requires the Sheriff's Office to maintain almost total secrecy over stingray records, including in court filings and when responding to court orders, unless the Sheriff's Office receives the written consent of the FBI.
- Its confidentiality agreement with the FBI also instructs the Sheriff's Office that the FBI may request it to dismiss criminal prosecutions rather than risk compromising the secrecy of how stingrays are used.
"Stingrays are an advanced surveillance technology that can sweep up very private information, including information on innocent people," said NYCLU Western Region Director John Curr III.
"If the FBI can command the Sheriff's Office to dismiss criminal cases to protect its secret stingrays, it is not clear how the $350,000 we are spending on stingray equipment is keeping the people of Buffalo safer." -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Apr 8 08:41:21 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 8 Apr 2015 09:41:21 -0400 Subject: [Infowarrior] - US Navy going to cyberwar Message-ID: <4F5EB3D2-40B8-415F-8AEC-0C5FF32AD6A8@infowarrior.org> I think the Navy's got a new song..... "Packets Away, my friends, Packets Away! Blow through the bad guys de-fenses, we click okay-ay-ay-ay. Through our leet hacking work, energy drinks all around Until we see that 404, here's wishing that our bandwidth stays so sound." (lyrics (c) me.) Navy preps to launch offensive cyberattacks By Elise Viebeck - 04/07/15 04:17 PM EDT http://thehill.com/policy/cybersecurity/238117-navy-will-prepare-to-launch-offensive-cyberattacks The Navy will prepare to launch offensive cyberattacks under a new, soon-to-be-released cyber strategy, a top official said Tuesday. Kevin Cooley, executive director and command information officer for Fleet Cyber Command/10th Fleet, suggested that the service is gearing up for the possibility that the White House will order offensive cyberattacks. "You don't win a knife fight without swinging a knife," Cooley said at a C4ISR & Networks conference in Arlington, Va., on Tuesday. "We're spending time making sure we're ready to execute should those options be considered appropriate by national command authority to do that." U.S. corporate executives, security researchers and lawmakers have expressed a desire for the United States to go on offense against its adversaries online. Intelligence agencies are already engaged in some offensive cyber activities, but not to the satisfaction of the business community, which is under constant attack from China, Russia and other countries.
Cooley said the Navy will prepare for cyber offense orders in addition to four other key initiatives, including developing the service's cyber forces. He called cyberspace a "warfare domain." "Just like in other warfare domains we have the capability to be tactically offensive and tactically defensive [and] strategically offensive and strategically defensive," he said, according to C4ISR & Networks, which reported his comments. "Being open about that capability is an important part of transparency that we acknowledge in any other form of warfare." -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Apr 10 15:24:38 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 10 Apr 2015 16:24:38 -0400 Subject: [Infowarrior] - MS response to USG overseas data search warrant idea Message-ID: <401E0482-B397-491C-AFF9-69EFF9B79124@infowarrior.org> Our legal challenge to a US government search warrant Posted April 9, 2015 by Brad Smith General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft Last evening, we filed our reply brief in our ongoing legal challenge to the U.S. government's attempt to force us to turn over a customer's email stored in our Irish data center. As we stated in our brief, we believe the law is on the side of privacy in this case. We were gratified by the large number of organizations and individuals that filed amicus briefs in this case in December. They include leading technology and media companies, expert computer scientists, and trade associations and advocacy organizations that together represent millions of members on both sides of the Atlantic. As we said then, this case involves a broad policy issue that is important to the future of cloud computing. In a nutshell, this case is about how we best protect privacy, ensure that governments keep people safe, and respect national sovereignty while preserving the global nature of the internet.
While there are many areas where we disagree with the government, we both agree that outdated electronic privacy laws need to be modernized. The statute in this case, the Electronic Communications Privacy Act, is almost 30 years old. That's an eternity in the era of information technology. In the U.S. we believe there is an important debate to be held about the best way to reform the law and our international relationships, and there are critical policy considerations on both sides. Law enforcement needs to be able to do its job, but it needs to do it in a way that respects fundamental rights, including the personal privacy of people around the world and the sovereignty of other nations. We hope the U.S. government will work with Congress and with other governments to reform the laws, rather than simply seek to reinterpret them, which risks happening in this case. < - > http://blogs.microsoft.com/on-the-issues/2015/04/09/our-legal-challenge-to-a-us-government-search-warrant/ -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Apr 10 18:04:24 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 10 Apr 2015 19:04:24 -0400 Subject: [Infowarrior] - As encryption spreads, U.S. grapples with clash between privacy, security Message-ID: <55A80E1C-33B5-4C28-B647-09D13237055B@infowarrior.org> As encryption spreads, U.S. grapples with clash between privacy, security By Ellen Nakashima and Barton Gellman April 10 at 4:47 PM For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee U.S. government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers? Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, said Adm. Michael S.
Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it? "I don't want a back door," said Rogers, the director of the nation's top electronic spy agency, during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. "I want a front door. And I want the front door to have multiple locks. Big locks." < - > http://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html -- It's better to burn out than fade away. From rforno at infowarrior.org Sun Apr 12 16:15:00 2015 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 12 Apr 2015 17:15:00 -0400 Subject: [Infowarrior] - CEO: Why We Will Not Be Registering easyDNS.SUCKS Message-ID: <9AC36E7E-DBE1-4790-893A-CCC2E8083CE8@infowarrior.org> Why We Will Not Be Registering easyDNS.SUCKS April 10, 2015 Mark Jeftovic http://blog.easydns.org/2015/04/10/why-we-will-not-be-registering-easydns-sucks/ -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Apr 13 08:45:19 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Apr 2015 09:45:19 -0400 Subject: [Infowarrior] - Teen Changes Wallpaper On Teacher's Computer; Gets Charged With A Felony Message-ID: "Even though some might say this is just a teenage prank, who knows what this teenager might have done," -- Sheriff Nocco .....because, future evil hax0rs must be taught a lesson, right? *bangs head* Teen Changes Wallpaper On Teacher's Computer; Gets Charged With A Felony https://www.techdirt.com/articles/20150410/18473230615/teen-changes-wallpaper-teachers-computer-gets-charged-with-felony-sheriffs-office.shtml -- It's better to burn out than fade away.
From rforno at infowarrior.org Mon Apr 13 19:08:41 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Apr 2015 20:08:41 -0400 Subject: [Infowarrior] - (Almost) All of CSI:Cyber's Cringeworthy Tech Buzzwords in One Video Message-ID: <312BCB0F-F258-4703-9C6D-FF65FBE05A8D@infowarrior.org> CSI:Cyber is Gizmodo's new favorite terrible tech-tinged procedural that may or may not be written by people who have never actually seen a computer. It's great! This compilation of buzzwords from the fourth and fifth episodes of this season is a nonsense cacophony. I've watched every single episode of this show so far, but seeing all of the tech talk mashed together is like a concentrated dose of the show's corny, corny charm. I like to imagine James van der Beek and Shad Moss getting together on rainy Saturday afternoons to run through their scripts, laughing and clinking ceramic mugs at their good fortune and silly show. "Even the malware has malware." < - > http://gizmodo.com/almost-all-of-csi-cybers-cringeworthy-tech-buzzwords-1697600169 -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Apr 13 19:10:40 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Apr 2015 20:10:40 -0400 Subject: [Infowarrior] - FBI Insisted That 'Terrorist' Guy It Arrested Last Week Was No Threat At All Message-ID: <4D6141B0-172C-4C95-B841-D72BC62D4A2E@infowarrior.org> One Year Ago, FBI Insisted That 'Terrorist' Guy It Arrested Last Week Was No Threat At All https://www.techdirt.com/articles/20150410/18091630614/one-year-ago-fbi-insisted-that-terrorist-guy-it-arrested-last-week-was-no-threat-all.shtml Last week, we wrote about the FBI arresting John Booker, who was involved in yet another of the FBI's own plots.
At the beginning of our post (and the criminal complaint) against Booker, we noted how a year ago Booker had tried to join the army, and had then been denied after posting stuff to his Facebook page about how he was going to "wage jihad" and planned to die. It was noted that the FBI visited him at that time, and we found it odd that if he was such a threat, why wasn't he arrested then. Instead, it appears that months later, the FBI got together and concocted a ridiculous plot for Booker to join, in which the FBI itself did all the planning. What he hadn't realized was that when the incident happened last year with Booker and his Facebook page, there was actually news coverage about it, with the FBI actually saying that they had investigated and Booker was no threat at all: < - > It appears that Booker only became a real threat... once two FBI informants showed up and created the plot for him. -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Apr 14 07:50:11 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 14 Apr 2015 08:50:11 -0400 Subject: [Infowarrior] - FBI establishes "international corruption squads" Message-ID: <9F3932DE-BE43-469F-9986-70602344D9DF@infowarrior.org> Good idea. Hopefully it will be more than just expanding their thematic repertoire of stage-managed and informant-manipulated "busts" to ensure the agency can generate headlines. --rick http://www.fbi.gov/news/stories/2015/march/fbi-establishes-international-corruption-squads/fbi-establishes-international-corruption-squads < - > The FBI, in conjunction with the Department of Justice's (DOJ) Fraud Section, recently announced another weapon in the battle against foreign bribery and kleptocracy-related criminal activity: the establishment of three dedicated international corruption squads, based in New York City, Los Angeles, and Washington, D.C.
Special Agent George McEachern, who heads up our International Corruption Unit at FBI Headquarters, explains that the squads were created to address the national and international implications of corruption. "The FCPA allows us to target the supply side of corruption: the entities giving the bribes," he said. "Kleptocracy cases allow us to address the demand side: the corrupt officials and their illicit financial assets. By placing both threats under one squad, we anticipate that an investigation into one of these criminal activities could potentially generate an investigation into the other." Corruption cases in general are tough to investigate because much of the actual criminal activity is hidden from view. But international corruption cases are even tougher because the criminal activity usually takes place outside of the U.S. However, members of these three squads (agents, analysts, and other professional staff) have a great deal of experience investigating white-collar crimes and, in particular, following the money trail in these crimes. And they'll have at their disposal a number of investigative tools the Bureau uses so successfully in other areas, like financial analysis, court-authorized wiretaps, undercover operations, informants, and sources. < - > -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Apr 14 12:13:08 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 14 Apr 2015 13:13:08 -0400 Subject: [Infowarrior] - NYT OpEd: Don't Keep the TPP Talks Secret Message-ID: <420AFE1E-BAA2-427A-86AF-7FB8F973C0E9@infowarrior.org> Don't Keep the Trans-Pacific Partnership Talks Secret By MARGOT E. KAMINSKI APRIL 14, 2015 http://www.nytimes.com/2015/04/14/opinion/dont-keep-trade-talks-secret.html COLUMBUS, Ohio - WHEN WikiLeaks recently released a chapter of the Trans-Pacific Partnership Agreement, critics and proponents of the deal resumed wrestling over its complicated contents.
But a cover page of the leaked document points to a different problem: It announces that the draft text is classified by the United States government. Even if current negotiations over the trade agreement end with no deal, the draft chapter will still remain classified for four years as national security information. The initial version of an agreement projected by the government to affect millions of Americans will remain a secret until long after meaningful public debate is possible. National security secrecy may be appropriate to protect us from our enemies; it should not be used to protect our politicians from us. For an administration that paints itself as dedicated to transparency and public input, the insistence on extensive secrecy in trade is disappointing and disingenuous. And the secrecy of trade negotiations does not just hide information from the public. It creates a funnel where powerful interests congregate, absent the checks, balances and necessary hurdles of the democratic process. Free-trade agreements are not just about imports, tariffs or overseas jobs. Agreements bring complex national regulatory systems together, such as intellectual property law, with implications for free speech, privacy and public health. The level of secrecy employed by the Office of the United States Trade Representative is not typical of how most international agreements are negotiated. It's not even how our negotiating partners say they want to operate. Yet it is the way that the Obama administration handles trade deals, from a failed anti-counterfeiting agreement more than two years ago to the TPP today. The trade representative's office keeps trade documents secret as national security information, claiming that negotiating documents, including work produced by United States officials, are "foreign government information."
The justification for secrecy in trade is that negotiations are like a poker game: Negotiators don't want to reveal their hand too soon, or get pressured by concerned domestic constituencies. But the trade representative's office takes this logic too far. After being forced to turn over documents in a 2002 lawsuit, it began regularly classifying trade documents. Now the office uses classification to invoke the national security exemption to open government law. Yale Law School's Media Freedom and Information Access Clinic is challenging this behavior in a lawsuit. (I submitted testimony in the case.) The peculiarity of this secretive approach is becoming more apparent as our foreign negotiating partners push toward transparency in trade. The European Union now voluntarily releases its side of trade negotiations in an effort to be as transparent as possible; New Zealand officials pressed for greater transparency in previous trade negotiations with the United States. Secrecy has real costs. Because the negotiating process combines a general shield from the public with privileged access for industry advisers, the substance of American free trade agreements does not represent truly national interests. It represents the interests of those members of industry who sit on the office's Industry Trade Advisory Committees, which have regular access to negotiating information. One justification for keeping trade negotiations in the executive branch is that it can keep lobbyists at bay. But the current system brings those entities inside, using classification to keep out citizens and competitors. Perhaps in response to these sorts of criticisms in 2014, the Obama administration announced the creation of a new public interest advisory committee. But that committee would be given less direct access than industry groups, and couldn't discuss some issues with the public. Secrecy also delegitimizes trade agreements: The process has been internationally criticized as undemocratic.
The European Parliament, for example, rejected the Anti-Counterfeiting Trade Agreement in large part over legitimacy concerns. In some of our trading partner countries, citizens have objected to trade agreements by calling them undemocratic. And they rightly fear that the American commitment to these agreements is weak because the United States public might rebel once the texts are released. Congress is soon likely to consider whether to authorize an up-or-down vote on a trade deal, with what's known as "fast track" legislation. Free trade now involves dozens of areas with complex subject matter, and the agency responsible for negotiating it often fails to tap key expertise. The discussion over the trade negotiating authority is not a question of which is better: the executive branch or the legislative branch. It's a question of whose input we're getting on decisions that reach far beyond trade, into questions on the price of generic drugs or whether websites will have to monitor users online. As it considers fast track here, Congress must address the secrecy, and the views of the privileged advisers, that shaped the agreement. Otherwise, "fast" will be little more than a euphemism for "avoid the public, and benefit the fortunate few." Margot E. Kaminski is an assistant professor of law at Ohio State University and a fellow of the Information Society Project at Yale Law School. A version of this op-ed appears in print on April 14, 2015, on page A23 of the New York edition with the headline: Don't Keep Trade Talks Secret. -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Apr 14 12:32:55 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 14 Apr 2015 13:32:55 -0400 Subject: [Infowarrior] - No Fly List: Govt Offers New Redress Procedures Message-ID: <2708B49E-A9D7-4C76-A334-F28E211B20C7@infowarrior.org> No Fly List: Govt Offers New Redress Procedures http://fas.org/blogs/secrecy/2015/04/no-fly-redress/ Posted on Apr.14, 2015 in transportation security by Steven Aftergood The government will no longer refuse to confirm or deny that persons who are prevented from boarding commercial aircraft have been placed on the "No Fly List," and such persons will have new opportunities to challenge the denial of boarding, the Department of Justice announced yesterday in a court filing. Until now, the Government refused to acknowledge whether or not an individual traveler had been placed on the No Fly List and, if so, what the basis for such a designation was. That is no longer the case, the new court filing said: "Under the previous redress procedures, individuals who had submitted inquiries to DHS TRIP [the Department of Homeland Security Traveler Redress Inquiry Program] generally received a letter responding to their inquiry that neither confirmed nor denied their No Fly status." "Under the newly revised procedures, a U.S. person who purchases a ticket, is denied boarding at the airport, subsequently applies for redress through DHS TRIP about the denial of boarding, and is on the No Fly List after a redress review, will now receive a letter providing his or her status on the No Fly List and the option to receive and/or submit additional information." If the individual traveler chooses to pursue the matter, DHS "will provide a second, more detailed response.
This second letter will identify the specific criterion under which the individual has been placed on the No Fly List and will include an unclassified summary of information supporting the individual's No Fly List status, to the extent feasible, consistent with the national security and law enforcement interests at stake." The new redress procedures were developed in response to legal challenges to the No Fly List procedures, which argued that the procedures were constitutionally deficient or otherwise improper. The notice of the new procedures was filed yesterday in the pending lawsuit Gulet Mohamed v. Eric H. Holder, Jr., which is one of the ongoing lawsuits over the No Fly List. "A number of travelers who dispute any connection to terrorism have alleged that they have been denied boarding on commercial aircraft," a recent Congressional Research Service report noted. "A denial of entry can occur, for example, when a person's name and/or date of birth correspond or are similar to the identity of someone in the government's watchlist database." The CRS report, which predates the newly announced procedures, reviewed many of the legal issues involved. See The No Fly List: Procedural Due Process and Hurdles to Litigation, April 2, 2015. Update: DHS TRIP has received and processed more than 185,000 redress requests and inquiries (regarding enhanced screening, delays, or denials of boarding) since 2007, DHS told the House Homeland Security Committee in a September 2014 hearing. Update 2: A similar notice regarding changes in the No Fly List redress procedures was filed in several other pending lawsuits, including Latif v. Holder, in which a court found the previous process unconstitutional.
In its filing in that case, the Justice Department added: "The Government will be closely monitoring the initial implementation of these newly revised procedures on an interagency basis, and will, as circumstances warrant, consider whether further revisions to the process are necessary. The revised procedures will be discussed in more depth in Defendants' upcoming summary judgment briefing." -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Apr 14 18:09:04 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 14 Apr 2015 19:09:04 -0400 Subject: [Infowarrior] - Pentagon: US Cyber Reserve Is in the Works Message-ID: <6B6172EC-7ACF-4270-A21A-BEC95265A00C@infowarrior.org> Pentagon: US Cyber Reserve Is in the Works By Aliya Sternstein 3:08 PM ET http://www.nextgov.com/cybersecurity/2015/04/pentagon-us-cyber-reserve-works/110113/ The Pentagon is prepared to draft thousands of private sector and National Guard cyber pros in the event of a network emergency affecting American lives, a top U.S. military official said Tuesday. The "surge forces" will be trained by the Defense Department and help defend the energy sector, telecommunications and other so-called critical infrastructure, Defense Principal Cyber Adviser Eric Rosenbach said in remarks prepared for a Senate Armed Forces subcommittee hearing. "Up to 2,000 Reserve and National Guard personnel will also support the Cyber Mission Force," which is part of the department's offensive and defensive Cyber Command, he added. The Pentagon is bringing in security reinforcements, as it contends with a cyber workforce shortage and growing Internet threat. Each military service "has developed reserve component integration strategies" that harness active duty cyber know-how "and leverage the Reserve and National Guard strengths from the private sector," Rosenbach said in his written testimony for Tuesday's hearing.
Military and civilian agencies currently are competing with the private sector for scarce cyber talent. Lawmakers and advisory councils have long recommended the federal government institute a civilian cyber militia to aid agencies during crises. On Monday, the Partnership for Public Service issued a similar call to arms. The federal workforce advocacy group urged the government to establish a civilian Cyber Reserve Training Corps, modeled on the military's ROTC program, to provide education and workforce development. More than 100 foreign intelligence agencies "continually attempt" to infiltrate U.S. military networks, and "some incursions -- by both state and nonstate entities -- have succeeded," Rosenbach said. Defense also is finalizing a new defensewide cyber strategy that builds upon the first-ever strategy released in 2011, he said. DOD, as a whole, is looking to hire 3,000 cyber whizzes by Dec. 31. Cyber Command is slated to be at full capacity in fiscal 2018, with 6,200 military and civilian personnel. The force is currently about half-staffed. The department is talking to industry members about incentives and career pathways to bring more cyber expertise into the military, Rosenbach testified. He singled out North Korea's alleged attack on Sony Pictures Entertainment as an example of how threat actors are targeting American companies. Calling the incident "the most destructive cyberattack against the United States to date," he accused North Korea of destroying systems and exposing sensitive data. Rosenbach also asserted the country "threatened physical violence in retaliation for releasing a film of which the regime disapproves." -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Apr 14 18:54:42 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 14 Apr 2015 19:54:42 -0400 Subject: [Infowarrior] - Microsoft Takes Pirated Windows NT 4.0 Source Code Offline Message-ID: <544566EE-1D82-49D1-ABE9-5DD32C01E929@infowarrior.org>

Microsoft Takes Pirated Windows NT 4.0 Source Code Offline http://torrentfreak.com/microsoft-takes-pirated-windows-nt-4-0-source-code-offline-150415/

From rforno at infowarrior.org Wed Apr 15 08:32:36 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 15 Apr 2015 09:32:36 -0400 Subject: [Infowarrior] - Schneier: Metal Detectors at Sports Stadiums Message-ID: <44C937E1-0C02-4B40-B6DC-34B49B395B74@infowarrior.org>

The TLDR extract: "In reality, this is CYA security, and it's pervasive in post-9/11 America. It no longer matters if a security measure makes sense, if it's cost-effective or if it mitigates any actual threats. All that matters is that you took the threat seriously, so if something happens you won't be blamed for inaction. It's security, all right -- security for the careers of those in charge."

Metal Detectors at Sports Stadiums https://www.schneier.com/blog/archives/2015/04/metal_detectors.html

Fans attending Major League Baseball games are being greeted in a new way this year: with metal detectors at the ballparks. Touted as a counterterrorism measure, they're nothing of the sort. They're pure security theater: They look good without doing anything to make us safer. We're stuck with them because of a combination of buck passing, CYA thinking, and fear. As a security measure, the new devices are laughable. The ballpark metal detectors are much more lax than the ones at an airport checkpoint. They aren't very sensitive -- people with phones and keys in their pockets are sailing through -- and there are no X-ray machines. Bags get the same cursory search they've gotten for years.
And fans wanting to avoid the detectors can opt for a "light pat-down search" instead. There's no evidence that this new measure makes anyone safer. A halfway competent ticketholder would have no trouble sneaking a gun into the stadium. For that matter, a bomb exploded at a crowded checkpoint would be no less deadly than one exploded in the stands. These measures will, at best, be effective at stopping the random baseball fan who's carrying a gun or knife into the stadium. That may be a good idea, but unless there's been a recent spate of fan shootings and stabbings at baseball games -- and there hasn't -- this is a whole lot of time and money being spent to combat an imaginary threat. But imaginary threats are the only ones baseball executives have to stop this season; there's been no specific terrorist threat or actual intelligence to be concerned about. MLB executives forced this change on ballparks based on unspecified discussions with the Department of Homeland Security after the Boston Marathon bombing in 2013. Because, you know, that was also a sporting event. This system of vague consultations and equally vague threats ensure that no one organization can be seen as responsible for the change. MLB can claim that the league and teams "work closely" with DHS. DHS can claim that it was MLB's initiative. And both can safely relax because if something happens, at least they did something. It's an attitude I've seen before: "Something must be done. This is something. Therefore, we must do it." Never mind if the something makes any sense or not. In reality, this is CYA security, and it's pervasive in post-9/11 America. It no longer matters if a security measure makes sense, if it's cost-effective or if it mitigates any actual threats. All that matters is that you took the threat seriously, so if something happens you won't be blamed for inaction. It's security, all right -- security for the careers of those in charge. 
I'm not saying that these officials care only about their jobs and not at all about preventing terrorism, only that their priorities are skewed. They imagine vague threats, and come up with correspondingly vague security measures intended to address them. They experience none of the costs. They're not the ones who have to deal with the long lines and confusion at the gates. They're not the ones who have to arrive early to avoid the messes the new policies have caused around the league. And if fans spend more money at the concession stands because they've arrived an hour early and have had the food and drinks they tried to bring along confiscated, so much the better, from the team owners' point of view. I can hear the objections to this as I write. You don't know these measures won't be effective! What if something happens? Don't we have to do everything possible to protect ourselves against terrorism? That's worst-case thinking, and it's dangerous. It leads to bad decisions, bad design and bad security. A better approach is to realistically assess the threats, judge security measures on their effectiveness and take their costs into account. And the result of that calm, rational look will be the realization that there will always be places where we pack ourselves densely together, and that we should spend less time trying to secure those places and more time finding terrorist plots before they can be carried out. So far, fans have been exasperated but mostly accepting of these new security measures. And this is precisely the problem -- most of us don't care all that much. Our options are to put up with these measures, or stay home. Going to a baseball game is not a political act, and metal detectors aren't worth a boycott. But there's an undercurrent of fear as well. If it's in the name of security, we'll accept it. As long as our leaders are scared of the terrorists, they're going to continue the security theater. 
And we're similarly going to accept whatever measures are forced upon us in the name of security. We're going to accept the National Security Agency's surveillance of every American, airport security procedures that make no sense and metal detectors at baseball and football stadiums. We're going to continue to waste money overreacting to irrational fears. We no longer need the terrorists. We're now so good at terrorizing ourselves. This essay previously appeared in the Washington Post.

From rforno at infowarrior.org Wed Apr 15 08:32:44 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 15 Apr 2015 09:32:44 -0400 Subject: [Infowarrior] - UK: Top cop's title/salary is a secret Message-ID:

UK Government Refuses To Reveal Job Title Or Salary Of Top Law Enforcement Officer Because Terrorism https://www.techdirt.com/articles/20150412/09182130624/uk-government-refuses-to-reveal-job-title-salary-top-law-enforcement-officer-because-terrorism.shtml

From rforno at infowarrior.org Wed Apr 15 10:46:35 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 15 Apr 2015 11:46:35 -0400 Subject: [Infowarrior] - Documentary about FBI's use of 'informants' in terror raids Message-ID: <96C626B5-6338-43F2-9C5D-85D3C1C8C3DA@infowarrior.org>

The FBI Informant Who Mounted a Sting Operation Against the FBI https://firstlook.org/theintercept/2015/04/15/fbi-informant-stung-fbi/
From rforno at infowarrior.org Wed Apr 15 14:01:38 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 15 Apr 2015 15:01:38 -0400 Subject: [Infowarrior] - TSA Agents Outwitted By Cory Doctorow's Unlocked, 'TSA-Safe' Suitcase Message-ID: <9E285A87-C66B-4876-8A9A-D9FE56C21CEF@infowarrior.org>

https://www.techdirt.com/articles/20150414/10471430654/tsa-agents-outwitted-cory-doctorows-unlocked-tsa-safe-suitcase.shtml

< - >

The TSA will never have to pay for broken luggage. Because terrorism. I miss the good old days when this sort of behavior was only displayed by baggage handlers searching for valuables/setting distance records in amateur luggage-tossing competitions. At least then you could find someone to hold accountable for the damage sustained. The TSA, however, is above even the most minimal level of accountability. If its employees are outsmarted by a "TSA-safe" lock, it's your fault for not ensuring your checked luggage was already open and dumping its contents all over the conveyor belts by the time it reached the TSA's elite group of suitcase-battering counterterrorists. This entire situation (especially the TSA's "response") clearly shows that Doctorow is the guilty party here. If he truly loved America, he'd have prepared for this eventuality... or at least just taken back the taped-together remains of his $1000 suitcase and shed a tear of gratitude for all the hard work the TSA did to ensure his flight didn't get blown up/hijacked.

From rforno at infowarrior.org Wed Apr 15 18:55:53 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 15 Apr 2015 19:55:53 -0400 Subject: [Infowarrior] - VA decertifies voting machine w/guessable passwds & no updates in a decade Message-ID: <009C7EA3-108D-41E5-8675-C1A07165575F@infowarrior.org>

(c/o AJR)

Meet the e-voting machine so easy to hack, it will take your breath away Virginia decertifies device that used weak passwords and wasn't updated in 10 years.
by Dan Goodin - Apr 15, 2015 2:55pm EDT

Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts. The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of "admin," "abcde," and "shoup" to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections. The weak passwords -- which are hard-coded and can't be changed -- were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with wired equivalent privacy, an algorithm so weak that it takes as little as 10 minutes for attackers to break a network's encryption key. The shortcomings of WEP have been so well-known that it was banished in 2004 by the IEEE, the world's largest association of technical professionals. What's more, the WINVote runs a version of Windows XP Embedded that hasn't received a security patch since 2004, making it vulnerable to scores of known exploits that completely hijack the underlying machine. Making matters worse, the machine uses no firewall and exposes several important Internet ports. "Because the WINVote devices use insecure security protocols, weak passwords, and unpatched software, the WINVote devices operate with a high level of risk," researchers with the Virginia Information Technologies Agency wrote in Tuesday's report.
"The security testing by VITA proved that the vulnerabilities on the WINVote devices can allow a malicious party to compromise the confidentiality and integrity of Voting data."

< - >

http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/

From rforno at infowarrior.org Thu Apr 16 07:25:23 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Apr 2015 08:25:23 -0400 Subject: [Infowarrior] - Credential Hijacking Vulnerability Impacts All Versions of Windows Message-ID: <70742A52-B6DD-4E54-B664-63902321EA65@infowarrior.org>

(c/o JC)

"Re-Direct to SMB" Vulnerability Allows Attackers to Gain Access to Login Credentials

Researchers from security firm Cylance have disclosed a security flaw which impacts all versions of Windows, including the upcoming Windows 10, as well as products from major software makers such as Adobe, Apple, Oracle, and Symantec. Attackers can exploit the "Re-Direct to SMB" vulnerability to redirect Windows users to malicious SMB-based servers and steal encrypted login credentials, Brian Wallace, a researcher with the Cylance SPEAR team, told SecurityWeek. http://www.securityweek.com/credential-hijacking-vulnerability-impacts-all-versions-windows-cylance

From rforno at infowarrior.org Thu Apr 16 11:33:39 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Apr 2015 12:33:39 -0400 Subject: [Infowarrior] - Technologists oppose CISA/information sharing bills Message-ID: <4412FE93-3055-428D-9067-E4205D8EAAEC@infowarrior.org>

(I am a signatory.
--rick)

Technologists oppose CISA/information sharing bills By Jennifer Granick on April 16, 2015 at 9:21 am

Today we sent a letter to lawmakers expressing security experts' opposition to the Cybersecurity Information Sharing Act (CISA) as well as two other pending bills that purport to be about security information sharing, the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity Protection Advancement Act of 2015. These experts agree that the information sharing bills unnecessarily waive privacy rights because they focus on sharing information beyond that needed for cybersecurity. The letter seeks to educate law makers about the kind of information that experts need to secure systems, and that, because it generally does not contain private data, privacy law is not a serious obstacle to sharing. The letter includes an example threat signature to illustrate that point. We can share cybersecurity information without waiving privacy law. Otherwise, what Congress will be doing is weakening privacy law and increasing government surveillance at time when the public agrees that stronger privacy and civil liberties protections are needed. The letter is attached. http://cyberlaw.stanford.edu/blog/2015/04/technologists-oppose-cisainformation-sharing-bills

From rforno at infowarrior.org Thu Apr 16 11:39:02 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Apr 2015 12:39:02 -0400 Subject: [Infowarrior] - Abolish the TSA Message-ID: <8AF53F7B-48BD-48FE-B848-FA8CF2F89FE1@infowarrior.org>

Abolish the TSA It's time government employees stopped fondling airline passengers and taking their stuff. By CJ Ciaramella April 16 at 6:00 AM CJ Ciaramella is a reporter at the Washington Free Beacon and a contributor to Vice. http://www.washingtonpost.com/posteverything/wp/2015/04/16/abolish-the-tsa/

If the past 10 years have taught us anything, it's that, one way or another, the TSA is going to get at your crotch.
The latest data point comes from Denver, courtesy of CBS4: A CBS4 investigation has learned that two Transportation Security Administration screeners at Denver International Airport have been fired after they were discovered manipulating passenger screening systems to allow a male TSA employee to fondle the genital areas of attractive male passengers. Apparently, the two screeners, one male and the other female, worked out a system. The female screener operating the body scanner would misidentify attractive men as women on the scanner, so that the machine would flag the extra, uh, bulk in their groin area, which then initiated a pat-down from her partner in lechery. I once had a similar experience at a TSA checkpoint. I had thoroughly emptied my pockets, but the body scanner nevertheless detected an object in my pants. Fortunately, my TSA agent did not appear to take any pleasure in the business and went about his duty with grim professionalism. At the time, I was merely annoyed at the inconvenience, not to mention the poor performance of the taxpayer-funded $170,000 millimeter wave scanner that I had assumed was able to tell the difference between a brick of C-4 and genitals. It turns out those scanners have never stopped a terrorist, but maybe one day the TSA screeners will inadvertently catch a cute jihadist. It's a sign of just how resigned we've become to the TSA's existence that most of the men getting felt up probably shrugged it off and thought, "Well, that's the TSA for you." We've become desensitized to being scanned and prodded and told our toothpaste is too large and must therefore be confiscated in the name of national security. TSA's expansion of its PreCheck program and an announcement that it would stop searching black women's hair for weapons are what pass for progress. This is a raw deal.
The federal government heaped a mountain of farcical security measures on the American public after 9/11, and now we're supposed to give them a thumbs up for no longer taking nude photos of us and stealing pregnant ladies' insulin. Mind you, this is an agency that regularly employs kleptos and perverts, an agency that handed out security badges to criminals and on at least one occasion a dog. It does not hire the best and brightest, and those with any critical faculties understand that their job -- confiscating snow globes and nail clippers -- is a bad joke. "Once, in 2008, I had to confiscate a bottle of alcohol from a group of Marines coming home from Afghanistan," former TSA screener Jason Harrington wrote in Politico Magazine. "It was celebration champagne intended for one of the men in the group -- a young, decorated soldier. He was in a wheelchair, both legs lost to an I.E.D., and it fell to me to tell this kid who would never walk again that his homecoming champagne had to be taken away in the name of national security." And yet the agency keeps finding new and innovative ways to expand its mission and waste money in the process. Since 2007, the TSA has deployed Visible Intermodal Prevention and Response (VIPR) squads. These roving VIPR teams, apparently named by an '80s action movie screenwriter, protect such homeland locations as bus stations, music festivals, trolleys, ports and rodeos. The program's budget rose from $30 million in 2009 to more than $100 million by 2011, a pace that could be more accurately described as mission-jog than mission-creep. Since 2007, the TSA has also spent more than $900 million on a behavior detection program that has never been independently verified by researchers to be effective. But it was hard to learn more about the program, since TSA kept the particulars of how it worked a closely guarded secret. (National security, naturally.)
It was only until someone leaked documents to The Intercept that the public learned what the TSA was on the lookout for. It turns out TSA behavior detection officers are trained to detect such suspicious actions as "exaggerated yawning," "excessive complaints about the screening process," and "face pale from recent shaving of beard," among other signs. The TSA also likes to try to hide how incompetent it is, but it's bad at that, too. The agency has repeatedly over-classified reports to hide embarrassing failures from both congressional investigators and the Department of Homeland Security Inspector General. Several federal air marshal whistleblowers have also come forward corroborating these reports. The agency's proposed 2016 budget requests $7.35 billion in funding, a slight increase over the previous year but down from $7.8 billion in 2012. Things are moving in the right direction, but after a decade of security theater, how much longer should we be expected to tolerate it? One way to speed up the process would be to go back to private screeners, like all airports in the U.S. used before 9/11 and many airports in Europe still use. U.S. airports are currently allowed to opt-out of using TSA screeners, and since a pilot program began in the early 2000s, the number of airports that have joined the TSA's screening partnership program has risen from five to 21. Private screeners are more flexible, arguably more efficient according to TSA-haters in Congress, and certainly easier to oversee on an airport-by-airport basis than TSA's unionized workforce of roughly 50,000 screeners. Of course, privatized screeners are still under federal oversight and rules, which means the pat-downs and shoe-removal would continue, but at least TSA could focus more time on improving and streamlining its security procedures and less on catching employees filching laptops from passengers. The end goal, obviously, should be to abolish the TSA.
Barring that, let's at least roll back the absurd security regulations to something that comports with reality -- you know, the place where the bottle of booze in your carry-on isn't a national security threat -- and reduce the agency to a small group of inspectors with clipboards who make sure that rules are being followed. The current, bloated TSA is a malignant lump on the federal bureaucracy, an embarrassing but persistent leftover of our post-9/11 mindset. Plagued by low morale and poor performance, the TSA will become harder to dislodge every year it remains in existence. As a wise prophet from Nazareth once said, "if your right hand causes you to stumble, cut it off and throw it away." Considering where the TSA's hands have been lately, it's about time we lopped it off from the body politic.

From rforno at infowarrior.org Thu Apr 16 13:39:58 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Apr 2015 14:39:58 -0400 Subject: [Infowarrior] - WikiLeaks publishes Sony Archives Message-ID:

https://wikileaks.org/sony/press/

Today, 16 April 2015, WikiLeaks publishes an analysis and search system for The Sony Archives: 30,287 documents from Sony Pictures Entertainment (SPE) and 173,132 emails, to and from more than 2,200 SPE email addresses. SPE is a US subsidiary of the Japanese multinational technology and media corporation Sony, handling their film and TV production and distribution operations. It is a multi-billion dollar US business running many popular networks, TV shows and film franchises such as Spider-Man, Men in Black and Resident Evil. In November 2014 the White House alleged that North Korea's intelligence services had obtained and distributed a version of the archive in revenge for SPE's pending release of The Interview, a film depicting a future overthrow of the North Korean government and the assassination of its leader, Kim Jong-un.
Whilst some stories came out at the time, the original archives, which were not searchable, were removed before the public and journalists were able to do more than scratch the surface. Now published in a fully searchable format The Sony Archives offer a rare insight into the inner workings of a large, secretive multinational corporation. The work publicly known from Sony is to produce entertainment; however, The Sony Archives show that behind the scenes this is an influential corporation, with ties to the White House (there are almost 100 US government email addresses in the archive), with an ability to impact laws and policies, and with connections to the US military-industrial complex. WikiLeaks editor-in-chief Julian Assange said: "This archive shows the inner workings of an influential multinational corporation. It is newsworthy and at the centre of a geo-political conflict. It belongs in the public domain. WikiLeaks will ensure it stays there." Sony is a member of the MPAA and a strong lobbyist on issues around internet policy, piracy, trade agreements and copyright issues. The emails show the back and forth on lobbying and political efforts, not only with the MPAA but with politicians directly. In November 2013 WikiLeaks published a secret draft of the Trans-Pacific Partnership (TPP) IP Chapter. The Sony Archives show SPE's internal reactions, including discussing the impact with Michael Froman, the US Trade Representative. It also references the case against Megaupload and the extradition of its founder Kim DotCom from New Zealand as part of SPE's war on piracy. The connections and alignments between Sony Pictures Entertainment and the US Democratic Party are detailed through the archives, including SPE's CEO Lynton attending dinner with President Obama at Martha's Vineyard and Sony employees being part of fundraising dinners for the Democratic Party. 
There are emails setting up a collective within the corporation to get around the 5,000 USD limit on corporate campaign donations to give 50,000 USD to get the Democratic New York Governor Andrew Cuomo elected as "Thanks to Governor Cuomo, we have a great production incentive environment in NY and a strong piracy advocate that's actually done more than talk about our problems." Sony Pictures Entertainment CEO Michael Lynton is on the board of trustees of RAND Corporation, an organisation specialising in research and development for the United States military and intelligence sector. The Sony Archives show the flow of contacts and information between these two major US industries, whether it is RAND wanting to invite George Clooney and Kevin Spacey to events, or Lynton offering contact to Valerie Jarrett (a close advisor to Obama) or RAND desiring a partnership with IMAX for digital archiving. With this close tie to the military-industrial complex it is no surprise that Sony reached out to RAND for advice regarding its North Korea film The Interview. RAND provided an analyst specialised in North Korea and suggested Sony reach out to the State Department and the NSA regarding North Korea's complaints about the upcoming film. The Sony documents also show Sony being in possession of a brochure for an NSA-evaluated online cloud security set-up called INTEGRITY. The archives also detail SPE's development of its own films and collecting "intelligence" on rival pictures, for example documents in the archive reveal the budget breakdown for Oliver Stone's rival picture Snowden, which is currently in production. The budget reveals the rights spend: 700,000 USD to the Guardian's Luke Harding, 600,000 USD to Oliver Stone for his work on the script and 1,000,000 USD to Snowden's Russian lawyer Anatoly Kucherena. WikiLeaks has a commitment to preserving the historical archive.
This means ensuring archives that have made it to the public domain remain there regardless of legal or political pressure, and in a way that is accessible and useable to the public. WikiLeaks' publication of The Sony Archives will ensure this database remains accessible to the public for years to come.

From rforno at infowarrior.org Thu Apr 16 14:50:38 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Apr 2015 15:50:38 -0400 Subject: [Infowarrior] - Senators Reach Deal On Massive Free Trade Bill No One Has Seen Message-ID: <88291446-ED7A-4F3A-A635-3D992EF5AB1B@infowarrior.org>

Is anyone else reminded of how the 'Patriot' act got passed? Rush it through w/o reading it. Back then, it was "because, terrorism!" Now? Rush it through w/o significant hearings because it's a huge international deal years in the making that's "good for the economy." More disturbingly, TPP is a *free trade* deal. Why, then, was it classified for national security? In the absence of other viable reasons, I can only surmise it's been classified to keep critics, both public and legislative, from "interfering" with deliberations until it was too late for them to meaningfully make a difference. --rick

Senators Reach Deal On Massive Free Trade Bill No One Has Seen http://www.huffingtonpost.com/2015/04/16/fast-track-trade_n_7078804.html

Congress' tax committees announced an agreement Thursday to speed through a bill to give President Barack Obama the fast-track authority that he will need to push mammoth new trade deals through Congress. While a deal had been believed to be in the works, news that it was actually done came as a surprise to even members of the House Ways and Means Committee and the Senate Finance Committee, which called a hearing on the pact with less than 12 hours' notice.
< -- >

Brown also expressed frustration that one of his staffers with a proper security clearance was not allowed to look at the emerging TPP deal unless Brown was also present. "Staff can get access to DoD documents, often to Iran sanctions documents, to CIA briefings, but we can't get access to Trans-Pacific Partnership texts," Brown said. He noted that this made it impossible for his staffer to stay up to speed while Brown was away in Ohio for two weeks. Froman countered that he had already made it much easier for lawmakers to look at documents by making them available on Capitol Hill, instead of only at the U.S. Trade Representative offices, and by no longer hiding what the foreign negotiators were saying in the talks.

From rforno at infowarrior.org Fri Apr 17 06:02:43 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 17 Apr 2015 07:02:43 -0400 Subject: [Infowarrior] - Bloomberg Terminals Suffer Widespread Failures Message-ID: <019C0233-74F3-4D49-A6E6-D6E1B9C97397@infowarrior.org>

Bloomberg Terminals Suffer Widespread Failures By CHAD BRAY and NEIL GOUGH APRIL 17, 2015 http://www.nytimes.com/2015/04/18/business/dealbook/bloomberg-terminals-outage.html

LONDON -- Bloomberg LP's data terminals experienced failures on Friday that appeared to stretch from Hong Kong to London. The terminals, known as Bloomberg Professional, are the company's signature product, connecting trading floors with its chat function and providing market data and news. Bankers and traders in Europe and Asia said that the terminals went down Friday morning in Europe, about an hour before the end of the Asian trading day. Some banks were reporting that their terminals appeared to be coming back online in London by midmorning on Friday. The company, in a statement on its website around noon in Europe, said, "We are currently restoring service to those customers who were affected by today's network issue and are investigating the cause."
CNBC.com reported that a Bloomberg representative said that the terminals were unavailable worldwide. The terminals are used by more than 315,000 financial professionals around the world, according to Bloomberg, and they provide a vast majority of the company's revenue. Last year, Michael R. Bloomberg returned to the company he founded after serving three terms as the mayor of New York City. Many larger banks and financial companies have a variety of backup systems as well as alternative data suppliers, such as products from Thomson Reuters, in place to avoid a major disruption. One sales trader, based in Geneva, who spoke on the condition of anonymity because his company did not authorize him to give interviews, said the issues there started around 9 a.m. The trader's company has a few dozen Bloomberg terminals and uses them mainly for buying and selling exchange-traded funds and credit and for research. None of the firm's terminals were able to connect for at least 90 minutes. When asked what problems the failures created, the trader said: "Problems? Simple: No prices. Nothing. So you can't do anything at all." The trader said that simply switching to a Thomson Reuters terminal was not an option for some. "People are used to going through 'Berg, and so it's confusing for a lot of us who never use Reuters," he said. When asked what he would do for the rest of the day if the Bloomberg terminal did not return, the trader replied: "Read research and drink coffee. Do it old school." In Hong Kong, bankers reported that their terminals crashed not long after 3 p.m., well before the 4 p.m. close of trading on the local stock exchange. "This is sort of a big deal," said one Hong Kong banker, whose company's policy did not authorize him to speak publicly. "What I miss is the instant Bloomberg chats, which I rate higher than trading or data feeds. The fact is, Bloomberg connects 100 percent of the Street, and all that human intelligence is what makes markets hum."
Another employee of a Hong Kong financial firm said that traders had resorted to using "old-fashioned emails" to communicate.

By 9:30 a.m. in London, some banks were reporting that their terminals were back online.

Chad Bray reported from London, and Neil Gough from Hong Kong.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Apr 17 11:52:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Apr 2015 12:52:36 -0400
Subject: [Infowarrior] - Friday Fun: Stormtrooper complaint letter
Message-ID: <5FC4F182-C378-437D-9158-EE29832F6F7E@infowarrior.org>

The force awakens? A stormtrooper complains about yet another helmet redesign.
By Alexandra Petri
April 16 at 7:12 PM
http://www.washingtonpost.com/blogs/compost/wp/2015/04/16/the-force-awakens-a-stormtrooper-complains-about-yet-another-helmet-redesign/

Dear Chancellor Palpatine Emperor Palpatine Lord Vader Whoever Is In Charge Of These Things Now,

For many years I have served the Republic/Empire/Whatever We Have Now, faithfully and to the best of my ability. Yes, I am a stormtrooper, and I am at the end of my rope.

I have written you before to complain about the uniforms - first during the Clone Wars, when the tactical disadvantages they created were fairly obvious, then again during the fight against the Rebellion, when exactly the same issues continued to present themselves. I am writing to you again now, hoping against hope. Sometimes these letters just feel like dropping my concerns down a chute into the vacuum of space.

I see there's been another redesign made to our uniforms. I can't understand the rationale behind this.

The first time I wrote to you, there was still hope in my heart. The Republic, I felt, would listen to the concerns of its fighting men. The uniforms were, after all, just a first run, and if they failed at their mission of protecting fighters and offering them visibility and mobility, it surely was not from any sort of wanton malice. Now I am not so sure.
I am hoping this works despite all experience to the contrary, just as you did when you built that second, larger Death Star.

Just to recap, in case you somehow missed my previous letters, the problems with our uniforms are as follows:

1) Visibility. Visibility, visibility, visibility. You cannot see a thing in these helmets. I cannot stress this enough. Imperial marksmanship has long been the laughingstock of the galaxy. But it's not that we are poor marksmen. It's these force-forsaken helmets. Why must we fight every battle with a giant bucket on our heads out of which we cannot see? Is it pride? I appreciate your vote of confidence in our fighting ability, the assumption that we could theoretically defeat whatever rebel scum we confronted with the equivalent of one arm tied behind our backs. That is a wonderful thought, and I don't mean to diminish it in any way. Possibly someone in authority feels that it is more glorious if we win all our victories while severely, severely handicapped by our equipment, but at a certain point you get tired of seeing 100% of your friends die.

2) Difficulty distinguishing friends from foes. Not only can't we see, but once the helmets are on, we can't tell who anyone is. I know that we are supposed to be indistinguishable as a fighting force, and I cannot deny that we look terrifically imposing on parade. But this does create the real possibility that someone who was not one of us might put one of these helmets on and move among us, undetected. This just seems like an unnecessary risk in the service of a unified aesthetic, like putting an exhaust port that led to the main reactor of the Death Star conveniently at the end of a long trench. I would think I was being paranoid about this possibility if the first Death Star had not LITERALLY been invaded from within and a valuable prisoner stolen by a team of rebels doing just this.
We could not even single the intruders out because they appeared baffled and had poorer-than-usual marksmanship. That just describes everyone who is forced to put one of these force-forsaken buckets on his head.

3) Lack of protection. The armor doesn't work. What is the point of wearing armor like this if all you have to do is sort of loosely hit somewhere in our general vicinity and we drop like flies? I don't understand it. It's heavy. It limits our movements. We cannot swim in it. Why would we wear it if it offered no tactical advantages whatever? Because it looks nice? It does look nice, but at a certain point, we have to stop worrying about looking nice and think about fighting a war. Imagine how well we would do if our casualties were a mere 50% in each engagement, instead of something approaching 90%.

4) Camouflage. It doesn't. Unless we are fighting in snow, which we seldom are, and then I get the feeling that if we camouflage it is by accident. Otherwise, you can always see us from miles away because even if we have specialized armor to be scout troops on a forest moon, it is still bright white with black trim. I know what a compelling look that is, but you know what would be more compelling? ANY CAMOUFLAGE WHATSOEVER SO MY FRIENDS DIDN'T ALL DIE.

5) Unresponsiveness of Senior Leadership. I have written about this before. I have written many letters and even got my friends to sign a petition. But nothing has resulted. We have had two armor redesigns, now, and NEITHER OF THEM has addressed ANY of the issues I mentioned.

I don't want to insult our designers in any way. They have a vision, and I respect that. I wish I had a vision, but I cannot see a thing out of my helmet.

Look, I understand that the eyes-without-a-face look is menacing and has always been a key motif in our design vocabulary. I understand that one of the things the Empire has always had going for it is a clear aesthetic. White, black and red. I respect that. It's dynamic.
I would gladly hire an Imperial decorator for my living space, because we really know how to commit to a theme.

The first time I wrote a letter like this, shortly afterward, there was indeed a helmet redesign. I was excited until I tried mine on and, in fact, the visibility was worse than it had been before. With what goal were these helmets redesigned? Is this a fashion statement? What IS it? At this point I'm not even angry. I just don't understand. You just sort of changed the design to make it look less - angular? I guess?

And now there's yet another redesign, and still no better outcome. This new design doesn't make anything better, either. It's just got more black trim on the face. The eye holes are the same and the visibility seems the same. And all the problems that I mentioned above REMAIN THE SAME.

I'm beginning to lose hope. Please, do something about this. I appreciate your aesthetic evolution and experimentation, but this isn't a music video. All my friends are dead.

Sincerely,
TK-424

Alexandra Petri writes the ComPost blog, offering a lighter take on the news and opinions of the day.

From rforno at infowarrior.org Fri Apr 17 18:39:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Apr 2015 19:39:18 -0400
Subject: [Infowarrior] - DOJ Said Leaning Against Comcast Deal
Message-ID: <12E6A6EE-5957-494A-922B-9945B57BBEDD@infowarrior.org>

U.S. Antitrust Lawyers Said Leaning Against Comcast Deal
by David McLaughlin and Todd Shields
1:56 PM EDT April 17, 2015

Staff attorneys at the U.S. Justice Department's antitrust division are nearing a recommendation to block Comcast Corp.'s bid to buy Time Warner Cable Inc., according to people familiar with the matter.

Attorneys who are investigating Comcast's $45.2 billion proposal to create a nationwide cable giant are leaning against the merger out of concern that consumers would be harmed and could submit their review as soon as next week, said the people.
The division's senior officials will then decide whether to file a federal lawsuit seeking to block the tie-up.

Comcast shares dropped 2.1 percent to $58.42 in New York, while Time Warner Cable fell 5.4 percent to $149.61. The spread between the current prices and the offer price widened to $18.35 from $13.35 yesterday, indicating investors are more pessimistic about the deal winning regulatory approval.

A rejection of the deal would be a blow to Comcast, which has sought to gain valuable cable assets in major U.S. cities including New York and Los Angeles, where Time Warner Cable is dominant. Expanding Comcast's broadband Internet and video footprint would help it better compete with satellite, Web and telecommunications competitors that have taken hundreds of thousands of TV subscribers from the Philadelphia-based company in recent years.

< - >

http://www.bloomberg.com/news/articles/2015-04-17/u-s-antitrust-lawyers-said-to-be-leaning-against-comcast-merger

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Apr 18 16:20:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 18 Apr 2015 17:20:51 -0400
Subject: [Infowarrior] - FBI can't cut Internet and pose as cable guy to search property, judge says
Message-ID: <73B78134-6B09-4309-A373-A0AE850DD452@infowarrior.org>

FBI can't cut Internet and pose as cable guy to search property, judge says
"This is a monumental ruling protecting Americans' privacy in the modern age."
by David Kravets - Apr 18, 2015 12:50pm EDT
http://arstechnica.com/tech-policy/2015/04/fbi-cant-cut-internet-and-pose-as-cable-guy-to-search-property-judge-says/

A federal judge issued a stern rebuke Friday to the Federal Bureau of Investigation's method for breaking up an illegal online betting ring. The Las Vegas court frowned on the FBI's ruse of disconnecting Internet access to $25,000-per-night villas at Caesar's Palace Hotel and Casino.
FBI agents posed as the cable guy and secretly searched the premises. The government claimed the search was legal because the suspects invited the agents into the room to fix the Internet.

US District Judge Andrew P. Gordon wasn't buying it. He ruled that if the government could get away with such tactics like those they used to nab gambling kingpin Paul Phua and some of his associates, then the government would have carte blanche power to search just about any property.

"Permitting the government to create the need for the occupant to invite a third party into his or her home would effectively allow the government to conduct warrantless searches of the vast majority of residents and hotel rooms in America," Gordon wrote in throwing out evidence the agents collected. "Authorities would need only to disrupt phone, Internet, cable, or other 'non-essential' service and then pose as technicians to gain warrantless entry to the vast majority of homes, hotel rooms, and similarly protected premises across America."

The government had urged the court to uphold the search, arguing that it employs "ruses every day in its undercover operations." (PDF) The government noted that US judges have previously upheld government ruses to gain access into dwellings. In 1966, the Supreme Court authorized an agent to pose as a drug buyer to get consent to go inside a house. In 1980, an agent posing as a drug dealer's chauffeur was upheld. Seven years later, agents posed as real estate investors to access a bedroom and closet of a suspect. And in 1989, an agent posed as a UPS delivery man to get inside a drug house, the government argued.

But operatives posing as gas company or water district workers seeking permission to enter the premises to check for leaks were deemed illegal searches. That's because the occupants provided "involuntary" consent to enter because they were duped into believing a life-threatening emergency was afoot, Phua's defense pointed out.
In the Phua case, the FBI and a Nevada gaming official clandestinely filmed the rooms while building a case that ultimately accused Phua, his son, and others of running a World Cup soccer bookmaking ring where "hundreds of millions of dollars in illegal bets" were taking place.

The investigation started last summer when Caesars Palace staff got suspicious that the men were ordering a substantial amount of electronic gear and Internet connections.

The seven other defendants reached plea deals, but Phua challenged the search on constitutional grounds. The court's decision likely ends the case against the 50-year-old Malaysian.

Thomas Goldstein, one of Phua's lawyers and one of the nation's top Supreme Court litigators who runs the SCOTUSblog, chided what he described as "the government's misconduct."

"This is a monumental ruling protecting Americans' privacy in the modern age," he said in a statement.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Apr 18 17:40:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 18 Apr 2015 18:40:36 -0400
Subject: [Infowarrior] - Congress cannot be taken seriously on cybersecurity
Message-ID: <2B36A0AE-5CE6-4678-9FDA-53BAD3288747@infowarrior.org>

Congress cannot be taken seriously on cybersecurity
Trevor Timm @trevortimm
Saturday 18 April 2015 07.30 EDT
http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-taken-seriously-on-cybersecurity

Members of Congress - most of whom can't secure their own websites, and some of whom don't even use email - are trying to force a dangerous "cybersecurity" bill down the public's throat. Everyone's privacy is in the hands of people who, by all indications, have no idea what they're talking about.

Leaders are expected to bring its much-maligned series of "cybersecurity"
bills to the floor sometime in the next couple weeks - bills that we know will do little to help cybersecurity but a lot to help intelligence agencies like the NSA vacuum up even more of Americans' personal information. The bills' authors deny that privacy is even an issue, but why we're trusting Congress at all on this legislation, given their lack of basic knowledge on the subject, is the question everyone should be asking.

Just look at Congress' own cybersecurity practices. None of the members of the Senate's Intelligence Committee - the most influential cybersecurity oversight body in Congress - have websites that use HTTPS encryption, which is increasingly becoming the standard for websites that want to provide basic security protections for the people who visit them (Google and others have had it for years). It's such a vital tool that the executive branch recently promised to move all its websites over to HTTPS within two years - many of its agencies, though not all, have already made the switch. But there's not even a hint that Congress is attempting to do the same. (The website of the Senate Intelligence Committee, which is in charge of cybersecurity oversight on the Senate side, also looks like it was designed in 1996.)

An overlooked but important Politico article published in January examined Congress' own cybersecurity practices when it comes to defending their networks. Reporter Tal Kopan quoted several Congressional staffers saying Congress barely does anything to protect itself from cyberattacks, despite being a juicy target for foreign intelligence agencies. "Few could remember any kind of IT security training, and if they did, it wasn't taken seriously", Kopan reported.

And how many Congressional staffers and their bosses protect their emails or phone calls with encryption? ACLU's Chief technologist Chris Soghoian told me yesterday that using any sort of encryption tools "is the exception rather than the norm."
He said: "Most members of Congress and most congressional staff use unencrypted email and unencrypted telephones. Their communications are undoubtedly targeted by foreign intelligence services, just as the NSA targets the communications of foreign political leaders and their staff."

Not exactly encouraging. Consider the qualifications of the members who are in charge of cybersecurity oversight and who are leading the push for these invasive new laws. The man in charge of the subcommittee on cybersecurity and the NSA in the House, Representative Lynn Westmoreland, has a background in construction and is best known for trying to pass a Ten Commandments law (while only being able to name three of them). His actual expertise in cybersecurity is anyone's guess, besides having an NSA facility in his district.

It gets worse. The Congressman who oversees the appropriation of billions of dollars in cybersecurity funding for the Department of Homeland Security, Representative John Carter, said this about cybersecurity and encryption recently: "I don't know anything about this stuff". Yes, that is an exact quote.

And of course there's Senator John McCain, who has been one of the loudest voices pushing several invasive "cybersecurity" spying bills and wants control of cybersecurity oversight to be placed under his Armed Services committee. McCain, who doesn't even use email, has been consistently demanding more cybersecurity powers, but maybe he should try to fix his own cybersecurity problems first before moving on to everyone else's. This is the security error message I got when trying to access his website on Thursday and Friday:

The only thing McCain seems to know a lot about when it comes to cybersecurity is hyperbole. He declared the Sony hack an "act of war" and called the voluntary, slight delay in the release of The Interview "the greatest blow to free speech that I've seen in my lifetime probably."
He also claimed that Sony's negligent security practices were somehow Obama's fault, though he doesn't seem to mind that Sony's approach to security (termed "a complete joke" by one former employee) was so lax that they're now being sued.

Congress never really bothered to ask actual security experts whether these bills really make sense. Earlier this week, 65 actual security professionals and academics signed a letter slamming these "info-sharing" bills as both unnecessary and dangerous.

Congress doesn't have to be completely ignorant about technology issues. They used to have a whole office which would give them all the expert advice they asked for. It was called the Office of Technology Assessment and it gave Congress nonpartisan advice on technical matters. Newt Gingrich killed it when he became speaker of the House of Representatives in the mid-1990s. As Vox's Timothy Lee explained, when Representative Rush Holt, a member of Congress who knew a thing or two (he was a nuclear physicist), tried to revive it, his plan was voted down almost 2-1.

So there you have it: Congress has intentionally chosen to stay ignorant of technical issues. When they try to reassure you about the bills that are coming up for vote not being about increasing surveillance, just remember: most of them have no idea what they're talking about.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Apr 19 09:22:04 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Apr 2015 10:22:04 -0400
Subject: [Infowarrior] - Infosec's Alternative Subculture on Display at Security BSides
Message-ID: 

Infosec's Alternative Subculture on Display at Security BSides
By Stephen Lynch
April 16, 2015
https://blog.opendns.com/2015/04/16/infosecs-alternative-security-bsides/

Next week, thousands of people will attend RSA Conference, the biggest information security event in the world.
But at OpenDNS's offices in San Francisco's SoMA neighborhood, an alternative event will be taking place, one that is growing in popularity among security professionals, eschews the flashiness of larger trade shows, and focuses on providing alternative viewpoints and practical methodology.

Taking place from Sunday to Monday, April 19 and 20, the Sixth Annual Security BSides San Francisco conference will feature a diversity in community-curated workshops and sessions seldom seen at larger security conferences. The show's agenda ranges from workshops on reverse engineering Android apps to talks about media's perception of the infosec community. On Sunday, a talk about analyzing malicious domains runs alongside "How to Sell Security Without Selling Your Soul," a discussion of how to attract and retain good people in the industry.

"BSides is the punk rock event of the security industry," said Banasidhe, one of the core organizers of BSidesSF and executive producer of BSides Las Vegas. "Volunteers are putting in so much of their own free will and their own heart into the event. No one is doing it for the money. No one is doing it for the fame. It comes from the community, for the community."

Unlike big budget conferences like RSA and Blackhat, BSides relies heavily on the infosec community for sponsorship and support. BSides San Francisco will be almost entirely staffed by volunteers, and the BSides Las Vegas is still accepting community donations for its August event.

While two of the biggest events - BSides San Francisco and BSides Las Vegas - are both scheduled so they benefit from the large crowds attending established security conferences like RSA, smaller satellite un-conferences abound. The Security BSides organization bills itself more as a framework for building events for and by members of the information security community.
With a roster of more than 60 BSides conferences listed on the main website, BSides counts cities from Algiers to Warsaw as past event locations. According to Banasidhe, the fact that the events have taken place on every continent except for Antarctica shows how much untapped demand there is for access to security education.

"In the case of Las Vegas and San Francisco, we're providing alternatives for people who, for example, might be unemployed or students," said Banasidhe. "It's an extra couple of days of infosec training in an arena that allows them to learn without breaking the bank. BSides allows them to do it in their own backyards."

OpenDNS Security Labs Researcher Kevin Bottomley agrees. "The event is almost free, which is nice. You meet really cool people, and not just those in the information security," he said. "You could meet people from HR or someone who is interested in learning more about the security industry. It could be an IT guy whose company has gotten phished in the past, and he may want to be more knowledgeable of it and find ways to fight it."

Bottomley, who is giving his own talk at BSides SF on the evolution of modern phishing campaigns, also points to the different and varied topics at BSides as another reason to attend the conference. "There was some pretty cool physical security stuff at BSides a couple years ago, which is something you don't see at more mainstream events. At BSides, I always like to check out the Lockpick Village and see how fast I can tear through all of their locks."

But more than just novelty, Bottomley says that the diversity of BSides provides him with a much-needed perspective by showcasing other aspects of the infosec community than the ones he focuses on for his day-to-day work. "BSides is good for networking, good for meeting people from other companies," he said. "It gives me a chance to see what other people are doing, what they're presenting on.
Usually you focus on one narrow aspect of security for most months or years at a time. This is an opportunity to listen to what other people have to say."

BSides SF is happening April 19 & 20 in San Francisco. For more information, visit http://www.securitybsides.com/w/page/90944586/BSidesSF2015

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Apr 19 09:27:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Apr 2015 10:27:43 -0400
Subject: [Infowarrior] - Army may create cyber career field for civilians
Message-ID: 

Army may create cyber career field for civilians
April 15, 2015
By David Vergun
http://www.army.mil/article/146485/Army_may_create_cyber_career_field_for_civilians/

WASHINGTON (April 15, 2015) -- To better manage personnel, "the Army created the Cyber Branch 17 [for Soldiers] and is exploring the possibility of creating a cyber career field for Army civilians," Lt. Gen. Edward C. Cardon told senators.

Cardon, commander of U.S. Army Cyber Command, or ARCYBER, testified before the Senate Armed Services subcommittee on emerging threats and capabilities during a hearing on "Military Cyber Programs and Posture," April 14.

Establishing a cyber career management field for civilians may be easier than recruiting enough of them to fill it, and then retaining that talent, he said.

Recruiting and retaining Army civilian cyber talent "is challenging," he said, "given internal federal employment constraints regarding compensation and a comparatively slow hiring process."

Current efforts to attract and retain top civilian talent include "extensive marketing efforts, and leveraging existing programs and initiatives run by the National Security Agency, Office of Personnel Management, and National Science Foundation," he said.
Also, he said that the "targeted and enhanced use of recruiting, relocation and retention bonuses, and repayment of student loans will improve efforts to attract, develop and retain an effective cyber civilian workforce. These authorities exist but require consistent and predictable, long-term funding."

His last comment about predictable funding was an apparent reference to the congressional use of continuing resolutions, the possibility of renewed sequestration and other unknowns like overseas contingency operations, compensation reform and other factors.

Within the Army's $126.5 billion fiscal year 2016 budget now in lawmakers' hands, $1.02 billion of that is for cyber, including $90 million to build out the new Cyber Center of Excellence operations headquarters on Fort Gordon, Georgia, he said.

Cardon did not give a breakdown in the number of civilians, enlisted and officers the Army would need as cyber grows. Instead, he lumped them together in one number. "After a detailed study, the Army determined it needs 3,806 military and civilian personnel with core cyber skills," he said.

CYBER'S UNIFORMED SIDE

Filling the cyber ranks with Soldiers seems to be going much better, Cardon told lawmakers. "We just started using six-year enlistments. We're having no trouble filling that. We're working through developing the best model to retain them."

Furthermore, the Cyber Center of Excellence, or CoE, in collaboration with ARCYBER and other stakeholders, is working to implement a cyber career management field for enlisted personnel "that will encompass accessions, career management, and retention this fiscal year."

He said that the Army recently approved special-duty assignment pay, assignment incentive pay, and bonuses for Soldiers serving in operational cyber assignments.
Another carrot the Army recently offered, he said, is expansion of cyber educational programs, including training with industry, fellowships, civilian graduate education, and utilization of inter-service education programs including the Air Force Institute of Technology and the Naval Postgraduate School. "We are confident these will serve as additional incentives to retain the best personnel for this highly technical field."

Guard and Reserve retention initiatives include bonuses for Soldiers transitioning into cyber from the active side, he said. There will also be accession bonuses for commissioned and warrant officers going into Reserve-component cyber.

CYBER TEAMS FORMING

As of today, 25 of 41 Cyber Mission Force teams "are on mission now and we expect to have all 41 on mission by the end of fiscal year 2016," Cardon told lawmakers. "We're employing the teams as they reach initial operating capability."

He said that the Army is also building 21 additional Army Reserve and National Guard Cyber Protection Teams. Those teams will be employed with combatant commanders as part of the joint cyber effort, he said.

Air Force Lt. Gen. James K. McLaughlin, deputy commander of U.S. Cyber Command, then described where that joint effort is headed capability-wise:

There will be a total of 133 cyber teams from all the services, McLaughlin said. "We're halfway through fielding those teams." They should all be stood up by the end of FY16, unless sequestration returns.

Besides defending the Department of Defense's own networks and the U.S. homeland, Cyber Command will have a role to play in protecting allies as well as the U.S. private sector, he added.

U.S. A 'GLASS HOUSE'

In describing U.S. vulnerability to cyber attacks, particularly the civilian sector, Eric Rosenbach, principal cyber advisor to the defense secretary, told senators that the United States is like a "glass house."
He warned lawmakers that although the United States has a robust and growing cyber offensive capability, it is not wise to overuse that capability when attacked because it could provoke rogue nations to demonstrate their own offensive cyber capabilities. Back-and-forth attacks would most certainly ensue and escalate, to the detriment of the United States.

Rather, Rosenbach advocated an interagency approach. For example, when Sony Pictures Entertainment was attacked by North Korea in November, the U.S. response was led by the Treasury Department, which imposed additional economic sanctions. U.S. Cyber Command was in on that planning, along with other agencies. That is an example of an effective but restrained response, he said, advocating looking at each attack from a cost-benefit analysis perspective.

A senator then told Rosenbach that he thought it might be a good idea, should the United States go to war, to take out the enemy's air defenses through a cyber attack on their electrical grid. Rosenbach replied that he would discuss the matter with them in the closed session, which followed.

DEFENSE CONTRACTORS VULNERABLE

"We know that a lot of the defense contractors have been penetrated and intellectual property pulled out, so we're trying to use new contracting mechanisms" to limit that from happening, Rosenbach said, adding that for them and the rest of private industry, creating effective cyber defenses represents a "significant investment."

Although the private sector is especially vulnerable to cyber attacks, Rosenbach said DOD is not invulnerable. For instance, he told lawmakers that U.S. Transportation Command "has been penetrated by some adversaries, the Chinese in particular, who know that by going to the supply chain they may be able to hit us at a weaker point."

CLOSING COMMENTS

Cardon stressed to the senators that cyber security is every Soldier's business.
"We're exposing all officers to cyber security because this has to become part of the foundational education that we expect them to have," he said.

"This is a competitive space, so, we're never really going to be done in this space," he said, regarding the future of cyber space efforts. "This is going to have to be something that we just constantly assess on a regular basis."

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Apr 19 09:30:24 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Apr 2015 10:30:24 -0400
Subject: [Infowarrior] - Another reason not to trust the FBI
Message-ID: <3EAC48DC-9098-4296-A880-BAA974A0EC80@infowarrior.org>

FBI overstated forensic hair matches in nearly all trials before 2000
By Spencer S. Hsu
April 18 at 5:44 PM

The Justice Department and FBI have formally acknowledged that nearly every examiner in an elite FBI forensic unit gave flawed testimony in almost all trials in which they offered evidence against criminal defendants over more than a two-decade period before 2000.

Of 28 examiners with the FBI Laboratory's microscopic hair comparison unit, 26 overstated forensic matches in ways that favored prosecutors in more than 95 percent of the 268 trials reviewed so far, according to the National Association of Criminal Defense Lawyers (NACDL) and the Innocence Project, which are assisting the government with the country's largest post-conviction review of questioned forensic evidence.

The cases include those of 32 defendants sentenced to death. Of those, 14 have been executed or died in prison, the groups said under an agreement with the government to release results after the review of the first 200 convictions.

The FBI errors alone do not mean there was not other evidence of a convict's guilt. Defendants and federal and state prosecutors in 46 states and the District are being notified to determine whether there are grounds for appeals. Four defendants were previously exonerated.
The admissions mark a watershed in one of the country's largest forensic scandals, highlighting the failure of the nation's courts for decades to keep bogus scientific information from juries, legal analysts said. The question now, they said, is how state authorities and the courts will respond to findings that confirm long-suspected problems with subjective, pattern-based forensic techniques - like hair and bite-mark comparisons - that have contributed to wrongful convictions in more than one-quarter of 329 DNA-exoneration cases since 1989.

< - >

http://www.washingtonpost.com/local/crime/fbi-overstated-forensic-hair-matches-in-nearly-all-criminal-trials-for-decades/2015/04/18/39c8d8c6-e515-11e4-b510-962fcfabc310_story.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Apr 19 13:56:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Apr 2015 14:56:22 -0400
Subject: [Infowarrior] - Secret Files Reveal the Structure of Islamic State
Message-ID: <307D633F-E225-45E1-A5D4-23EF3E8CC78E@infowarrior.org>

Excellent reporting from Der Spiegel. --rick

Secret Files Reveal the Structure of Islamic State
http://www.spiegel.de/international/world/islamic-state-files-show-structure-of-islamist-terror-group-a-1029274.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Apr 20 12:57:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Apr 2015 13:57:09 -0400
Subject: [Infowarrior] - MPAA Pirated Clips From Google Commercials To Make Its Own MPAA Propaganda Videos
Message-ID: <07E8B589-FF44-42B7-80B3-19BCCE71DFF0@infowarrior.org>

MPAA Pirated Clips From Google Commercials To Make Its Own MPAA Propaganda Videos
https://www.techdirt.com/articles/20150419/23371230725/mpaa-pirated-clips-google-commercials-to-make-own-mpaa-propaganda-videos.shtml

--
It's better to burn out than fade away.
From rforno at infowarrior.org Mon Apr 20 13:22:14 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Apr 2015 14:22:14 -0400
Subject: [Infowarrior] - Saving a Plane That Saves Lives
Message-ID: <70BBA489-85FD-4C55-B358-1BBEEAE7BDDF@infowarrior.org>

Saving a Plane That Saves Lives
By MARTHA McSALLY
APRIL 20, 2015
http://www.nytimes.com/2015/04/20/opinion/saving-a-plane-that-saves-lives.html?_r=0

WASHINGTON - WHEN American troops find themselves fighting for their lives, there is no better sound than an A-10, a plane officially nicknamed the Thunderbolt II but known affectionately by the troops as the Warthog, firing its enormous 30-millimeter gun at the enemy. It might not be pretty, but the A-10 is our most capable close air-support aircraft, and its arrival on the battlefield signals survival for our troops and annihilation for our enemies.

Yet over the last two years, the Obama administration and the Air Force leadership have been working overtime to mothball our entire A-10 fleet, 13 years ahead of schedule. They claim that other, newer planes can do the same job, that it's too slow and vulnerable and that it's too expensive. I appreciate the budget pressures that the Pentagon faces these days. But those arguments have serious flaws - and if we retire the A-10 before a replacement is developed, American troops will die.

Before running for office, I was an A-10 squadron commander with 325 combat hours. During my time in uniform and since coming to the House and taking up the fight to keep the plane, I have heard countless stories from American soldiers about how the A-10 saved their lives.

In 2008, Marine Master Sgt. Richard Wells and his team were on patrol in Afghanistan when they were ambushed. "It was the first time in my life that I thought to myself, 'This is it, we're going to die, we're not going to make it out of this,'" he recalled in a recent interview.
The Marines were severely outnumbered, cornered, and in close combat with dozens of insurgents. Because of the poor weather, fast-moving fighters above the clouds were unable to identify the targets or get close enough to engage. Soon two Marines were seriously wounded, and the enemy was 50 feet away.

Suddenly two A-10s descended below a heavy layer of clouds. The planes are extremely maneuverable and designed to fly close to the ground. Coming within 400 feet of the mountains, they made nearly a dozen gun passes each, giving Sergeant Wells's team cover to run to safety. Without the A-10 and the exceptional training and bravery of its pilots, six Marines would have died that day.

True, other planes and drones can do close air support. But every close-air-support scenario is different, and every platform brings strengths and weaknesses to the fight. The A-10 has unique strengths for the most complex and dangerous such missions. It can loiter over the battlefield for long periods without refueling. It can maneuver in difficult terrain at low altitudes, fly slowly enough to visually identify enemy and friendly forces and survive direct hits. And it's one of our most lethal aircraft, especially against moving targets, with its 1,174 rounds of ammunition, missiles, rockets and bombs.

Not only is the A-10 best equipped for close air support, but it is crucial to leading combat search and rescue missions of downed pilots. After the barbaric murder of a captured Jordanian F-16 pilot by ISIS, these capabilities are more important than ever - indeed, A-10s are on round-the-clock alert during American missions against ISIS.

The A-10 was designed as a Cold War tank killer, and its cannon is the only one in the Air Force that can fire armor-piercing depleted-uranium 30-millimeter bullets. In a recent hearing, I asked the general in charge of our forces in South Korea what the loss of the A-10 would mean for our anti-armor capabilities. It would leave a major gap, he conceded.
Critics knock the age of our A-10 fleet; the last one was delivered in 1984. But with maintenance and upgrades - we just spent $1 billion on improvements to the A-10 fleet - age by itself isn't a reason to retire the plane. And it's far from the oldest plane in our fleet: Those same critics celebrate the B-52, the youngest of which is almost 53 years old and won't be retired until 2040.

Those trying to retire the A-10 also claim it isn't "survivable" - an amazing claim, given the long list of stories about the plane's ability to take fire and still fly. In 2003, Capt. Kim Campbell was flying over Baghdad when her A-10 was hit by a surface-to-air missile, punching a large hole in the plane and knocking out its hydraulics. Most planes would have been destroyed; Captain Campbell switched into a mode only available in the A-10 - manual reversion, where you fly the aircraft by brute force, manually pulling on cables when you move the control stick - and flew home safely.

Last year the Air Force said it needed to close A-10 squadrons to free up maintenance personnel. Arguing to scrap a lifesaving workhorse like the A-10 to solve a staffing challenge, while maintaining 15 different musical bands, makes one question the Air Force's priorities.

Despite all those changing arguments, Air Force leadership told me during a hearing in March that the A-10 decision is simply about money. And yet the A-10 has the lowest per-flight-hour cost of any aircraft.

The A-10 remains in high demand: Warthogs are deployed to the Middle East, where they have been inciting fear in the ranks of Islamist terrorists since their deployment in September, and Romania, where 12 A-10s from the squadron I commanded train with our allies in the face of increased Russian aggression. Yet the administration and the Pentagon persist.

Recently, Air Force leaders said the fight to save the A-10 was "emotional." Of course it is. Just ask the families of Master Sergeant Wells and his men.
The A-10 has supporters because we know it works - and that the American military can't afford to retire it.

Martha McSally, a Republican representative from Arizona, is a retired Air Force colonel.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Apr 20 14:56:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Apr 2015 15:56:49 -0400
Subject: [Infowarrior] - Another case dropped to protect Stingrays
Message-ID:

Prosecutors drop robbery case to preserve stingray secrecy in St. Louis
A pistol-whipped victim, who required 18 stitches, is "shocked" at the outcome.
by Cyrus Farivar - Apr 20, 2015 8:00am EDT
http://arstechnica.com/tech-policy/2015/04/prosecutors-drop-robbery-case-to-preserve-stingray-secrecy-in-st-louis/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Apr 20 19:27:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Apr 2015 20:27:50 -0400
Subject: [Infowarrior] - Internet Security Marketing: Buyer Beware
Message-ID: <89A6AB7B-48C1-4F15-B49F-602F5F26B280@infowarrior.org>

(X-posted. And I agree with Paul's comments, too. --rick)

Internet Security Marketing: Buyer Beware
Apr 20, 2015 9:00 AM PDT
By Paul Vixie
http://www.circleid.com/posts/20150420_internet_security_marketing_buyer_beware/

Co-authored by Frode Hommedal, a Senior Cyber Security Specialist for Telenor Security and Paul Vixie, CEO of Farsight Security.

As security breaches increasingly make headlines, thousands of Internet security companies are chasing tens of billions of dollars in potential revenue. While we, the authors, are employees of Internet security companies and are happy for the opportunity to sell more products and services, we are alarmed at the kind of subversive untruths that vendor "spin doctors" are using to draw well-intentioned customers to their doors. Constructive criticism is sometimes necessarily harsh, and some might find the following just that, harsh.
But we think it's important that organizations take a "buyers beware" approach to securing their business.

Attack Maps

Anything that can be communicated graphically, especially if there's color animation involved, will sell better. Buyers, being human, are visual creatures, and they inevitably feel greater, although misplaced, understanding when value propositions are presented in pictorial form. Because quarter-on-quarter and same-quarter-next-year revenue growth is the main indicator of commercial health, there's an understandable tendency to show potential customers an "attack map."

In an "attack map", the world is shown in some form, and attacks are depicted (with color animation) as some kind of missile, launched from a country of origin, landing on a victim. What could be simpler? Your business is under attack from state-sponsored criminals, or just plain old "foreigners", and your prospective vendor appears to be able to track these attacks as easily as NORAD can track incoming ballistic missiles. The marketing message is: If you buy from us, we will tell you where the attacks are coming from, so that you can defend yourself. Or, even better, if you buy from us, we can defend you in real-time, using our cool tool.

We don't disagree with the underlying messages - there are a lot of attacks and a lot of attackers, and, if your company is online, you're a potential victim. You may need to outsource the specialized skill of knowing where attacks are currently coming from, and you may even need to buy a better firewall that can respond to real-time telemetry so as to deflect or repel targeted attacks that have no signature in any traditional sense of the word "signature". Yet "attack maps" lead to grave misunderstandings, such as:

* "In the Cloud, everything is crystal clear, look here, we instantly see where attacks are coming from." Except that we don't! Most of the time we have absolutely no clue as to where an attack is really originating from.

* "In the Cloud, we can neatly distinguish benign user behavior from attack behavior." Except, we can't! This is actually one of the really hard problems of information security.

* "In the Cloud, we have instant knowledge and visibility when an attack occurs." Except, we don't! We really don't! The latest statistics say it usually takes around 200 days to discover an espionage intrusion.

Most "attack maps" don't show actual "attacks." Instead, they are populated by event data - beautifully animated yet unfiltered, unverified, non-prioritized event data that, while visually compelling, is worthless from a security perspective. Yet organizations will show these "maps" to decision makers, who, at best, will be mildly jazzed but ignore it - but, in the worse and more common case, will make decisions based on this garbage, either prioritizing resources or spending where they aren't needed against where they are needed, or learning a false sense of security, or, just as likely, a false sense of insecurity. The only beneficiaries from the resulting wrong-think will be shareholders and employees of the garbage-spewing security vendor, and of course, the bad guys, who as it turns out will have even less to worry about as they go about their work attacking us all.

Real attacks are so fuzzy and so numerous that no human can possibly follow them. If someone shows you color animation and claims that it offers any kind of clarity or indeed any kind of human understanding, then you should treat this as a "rigged demo" and ask why they are insulting you in this way.

Threat group attribution

A few years ago Mandiant released the APT1 group report, which garnered front-page news coverage. As a result, many security companies have made threat group attribution their most important marketing tool. While there is some good work being done on attribution, it is extremely difficult to do and then most organizations have difficulty using the data to better protect their networks.
The other issue, to quote Jeffrey Carr, is accountability and liability. When security vendors misidentify or get the information wrong about a particular threat group, there are no real consequences. Since there is very little anyone can do to actually disprove attribution, vendors see little risk in offering this data to their customers. Like with attack maps, threat group attribution can be more of a distraction than useful information and could cause you to spend your resources where you shouldn't.

Threat Intel

There is some genuinely good threat intelligence available in the market and we as security professionals need to listen and learn. Yet much of what is currently being marketed as threat intelligence plainly is not. Instead, it is weak, technical threat indicators and, although these can be useful in the right hands, these artifacts are not "intelligence".

This wrong-think term sends the following message: The answer is right there. We just buy this service, and we should have a pretty good idea of what's going on and what we need to worry about. But when a feed is just weak threat indicators, like IP addresses and domain names, you aren't really getting any wiser. To use this information properly, you need a security infrastructure that can digest it. Then, and more importantly, you need people capable of vetting, verifying and prioritizing it all. To quote Sean Mason: You simply do not dump all indicators into production.

Even within a security company that is a vendor of security services, it can be hard to convince the leadership team that we (a) do not have, yet (b) really do need, a clear picture of our own threat landscape. And if we can't bridge what we know about our own infrastructure and assets, with an idea of what our threat landscape is, all of the "threat intelligence" in the world won't do much good when the pushing and shoving inevitably starts.
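The "do not dump all indicators into production" point is easier to see in code. The Python below is an added example, not code from the CircleID post, its authors or any vendor's product: it runs a constructed indicator feed through a minimal vetting pass that drops malformed and non-routable entries, suppresses anything on an assumed allowlist of the organisation's own infrastructure, merges the same indicator reported by several sources, and promotes to production only what is corroborated by at least two sources at an assumed confidence threshold; everything else is parked for an analyst. The feed records, source names, allowlist and policy constants are all constructed for the example.

```python
"""Vetting a raw indicator feed before anything reaches production.

Added example; not code from the CircleID post, its authors or any vendor.
The feed, the allowlist and the promotion policy are all constructed.
"""
import ipaddress
import re

# Constructed sample feed, one record per line: type,value,source,confidence
RAW_FEED = """\
ip,203.0.113.45,vendor-a,80
ip,203.0.113.45,vendor-b,60
ip,10.0.0.5,vendor-a,90
ip,198.51.100.10,vendor-b,70
ip,999.1.1.1,vendor-c,95
domain,example.net,vendor-a,50
domain,EXAMPLE.NET,vendor-c,40
domain,cdn.example.com,vendor-b,85
domain,login-verify.example.org,vendor-c,95
domain,bad..label,vendor-c,90
this line is malformed
"""

# Assumed: infrastructure the organisation itself depends on. Blocking it on
# a vendor's say-so would cause an outage, so it is never deployed unreviewed.
ALLOWLIST = {"198.51.100.10", "cdn.example.com"}

# Assumed promotion policy: production only when at least MIN_SOURCES
# independent sources agree and the best confidence reaches the threshold.
MIN_SOURCES = 2
PRODUCTION_THRESHOLD = 75

# Address space that cannot be an external attacker as seen from the Internet.
# RFC 5737 documentation ranges are deliberately not listed so the constructed
# sample above stays offline-safe.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Hostname syntax: dotted letter-digit-hyphen labels, letters-only top level.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def validate(kind, value):
    """Return (normalised_value, None) for a usable indicator, else (None, reason)."""
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None, "not a valid IP address"
        if (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified or any(addr in net for net in NON_ROUTABLE)):
            return None, "not globally routable"
        return str(addr), None
    if kind == "domain":
        name = value.lower().rstrip(".")
        if not DOMAIN_RE.match(name):
            return None, "not a valid hostname"
        return name, None
    return None, "unknown indicator type"


def triage_feed(raw=RAW_FEED, allowlist=ALLOWLIST):
    """Sort a raw feed into production, review and rejected buckets."""
    merged = {}    # (kind, value) -> {"sources": set, "confidence": int}
    rejected = []  # (value, reason), kept so the analyst can audit the drops
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not parts[3].isdigit():
            rejected.append((line, "malformed record"))
            continue
        kind, value, source, confidence = parts[0].lower(), parts[1], parts[2], int(parts[3])
        norm, reason = validate(kind, value)
        if reason:
            rejected.append((value, reason))
            continue
        if norm in allowlist:
            rejected.append((norm, "allowlisted: known-good infrastructure"))
            continue
        # The same indicator from several sources becomes one entry with merged provenance.
        entry = merged.setdefault((kind, norm), {"sources": set(), "confidence": 0})
        entry["sources"].add(source)
        entry["confidence"] = max(entry["confidence"], confidence)

    production, review = {}, {}
    for key, entry in merged.items():
        corroborated = len(entry["sources"]) >= MIN_SOURCES
        if corroborated and entry["confidence"] >= PRODUCTION_THRESHOLD:
            production[key] = entry
        else:
            review[key] = entry
    return {"production": production, "review": review, "rejected": rejected}


if __name__ == "__main__":
    result = triage_feed()
    for bucket in ("production", "review"):
        for (kind, value), entry in result[bucket].items():
            print(f"{bucket:10} {kind}:{value} sources={sorted(entry['sources'])}"
                  f" confidence={entry['confidence']}")
    for value, reason in result["rejected"]:
        print(f"rejected   {value}: {reason}")
```

On the constructed feed only the IP reported by two vendors reaches production; the single-source domain with the highest confidence still lands in the review queue, and the vendor entries that name the organisation's own resolver and CDN are dropped with a reason rather than silently blocked. The routability list is a policy choice, not a property of the feed, which is the reason it sits in the consumer and not in the vendor's data.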
Security solutions

Just as "data" is being sold as "intelligence", a lot of security technologies are being sold as "security solutions" rather than what they for the most part are, namely very narrowly focused appliances that as a best case can be part of your broader security effort. Unfortunately, too many of these appliances do not easily integrate with other appliances or with the rest of your security portfolio, or with your policies and procedures. Instead, they are created to work and be operated as completely stand-alone devices.

This really is not what we need. To quote Alex Stamos, we need platforms. Reusable platforms that easily integrate with whatever else we decide to put into our security effort.

The weaknesses exploited by bad guys may appear to be on the perimeter of a victim's network, or in the components of a victim's infrastructure, but in fact the weaknesses we mostly see are in the culture of organizations and in the psychology of the staff and especially of the leadership, and no "security solution" wrapped in a black box can fix that. The users who are wowed by "attack maps" are probably also clicking on "get rich quick" schemes in their e-mail. The buyers of magical security boxes they don't understand based on the promise of permanent safety are probably not applying vendor patches to their infrastructure, and that infrastructure is likely to be made up of other magical boxes that nobody quite understands.

Don't let a vendor get away with hand-waving, proprietary solutions, or opaque assurances. If you don't understand how it works - really understand it, mind you! - or you don't see how it will integrate with the rest of your security effort, don't buy it.

Wishes for 2015

We live in an elbow of human history where our militaries, police and governments cannot protect us from common attacks, because those attacks are not physical, and those attacks occur in a part of reality that has no borders.
Military, police and government forces are very good at defending borders, which is why attackers have changed their tactics so as to make borders irrelevant. So now every connected organization and individual has to defend themselves from a world-wide set of attackers, which is unprecedented in the last thousand years during which "nations" mattered more. This situation will change, because it's too inefficient to last. But meanwhile we have to stop playing "cops and robbers" and pretending that all of us are potential targets of nation-states, or pretending that any of our security vendors are like NORAD.

Perhaps if a few decision makers can be convinced that they've been mesmerized by color animation that has no real meaning, by threat "intelligence" that isn't, by security "solutions" that aren't, then 2015 could be a much-needed turning point in the history of Internet security.

There are no silver bullets in Internet security - no way to kill the monster in a way that it stays dead. We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what's coming next. But rest assured that there is no end game - we put one bad guy in prison for every hundred or so new bad guys who come into the field each month. There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we.

What would do more good for most organizations than increased Internet security spending is a tough-love school out in the mountains where the leadership team learns what actual threats feel like and what kind of team work and planning it takes to build a secure environment. Security does not come from locks or weapons or cameras - rather, it comes from attitude and awareness and positioning.
Safety when walking from a restaurant to your car in a dangerous inner-city neighborhood doesn't depend on martial arts as much as posture, situational awareness, inner calm, self-honesty, and certainty of purpose. Safety on the Internet is no different.

By Paul Vixie, CEO, Farsight Security. More blog posts from Paul Vixie can also be read here.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Apr 21 11:21:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Apr 2015 12:21:34 -0400
Subject: [Infowarrior] - Fwd: Is Adobe punishing users who prefer manual updates?
References:
Message-ID:

Begin forwarded message:

> From: Chris
>
> I can't see any reason to delay the update notification for users who prefer to be notified to update their systems. Seems insane to delay a security update for that long.
>
> --Chris
>
> From https://helpx.adobe.com/flash-player/release-note/fp_17_air_17_release_notes.html
>
> April 14, 2015
>
> In today's scheduled release, we've updated Flash Player and AIR with important bug fixes and security updates.
>
> Current Flash Player users that have enrolled in the "Allow Adobe to install updates (recommended)" update mechanism will be automatically updated over the next 24 hours. No additional work is required on your part.
>
> Users that have selected "Notify me to install updates" will receive an update notification dialog within 7 days from today. Please note that Windows users will need to restart their system or log out and in to activate the update notification dialog.
From rforno at infowarrior.org Tue Apr 21 12:16:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Apr 2015 13:16:12 -0400
Subject: [Infowarrior] - Major Record Labels Use Lawsuit Against MP3Skull To Try To Backdoor In SOPA
Message-ID: <747A8641-6BD2-401D-9906-AD71572C02B0@infowarrior.org>

Major Record Labels Use Lawsuit Against MP3Skull To Try To Backdoor In SOPA
https://www.techdirt.com/articles/20150421/00181730734/major-record-labels-use-lawsuit-against-mp3skull-to-try-to-backdoor-sopa.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Apr 21 15:18:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Apr 2015 16:18:51 -0400
Subject: [Infowarrior] - DHS to set up cyber security office in Silicon Valley
Message-ID: <378250D0-A94E-48CF-86B5-785B562AB7C7@infowarrior.org>

U.S. Homeland Security to set up cyber security office in Silicon Valley
By Bill Rigby | Reuters - 1 hour 15 minutes ago
https://ca.news.yahoo.com/dhs-set-cybersecurity-office-silicon-valley-181422929.html

SAN FRANCISCO (Reuters) - The U.S. Department of Homeland Security is in the final stages of planning to set up a satellite office in California's Silicon Valley, aiming to build relationships with the technology industry and scout for talent there, the department's secretary said on Tuesday.

The move would be unprecedented and signals the intent of government to smooth relationships with tech companies in the wake of damaging revelations over digital surveillance by former National Security Agency contractor Edward Snowden.

"We want to strengthen critical relationships in Silicon Valley and ensure the government and the private sector benefits from each other's research and development," said U.S. Secretary of Homeland Security Jeh Johnson at a presentation at the RSA conference on computer security in San Francisco.

"We want to convince some of the talented workforce here in Silicon Valley to come to Washington.
The new U.S. Digital Service provides the option for talent to flow and rotate between private industry and our government teams," he said.

U.S. tech companies such as Microsoft Corp, Google Inc and Facebook Inc have had an uneasy relationship with the U.S. government and its security agencies since Snowden's revelations, aligning themselves publicly with their customers' right to privacy over the government's desire for more effective surveillance of potential threats.

Johnson exhorted the tech industry to dial back its push for greater encryption on Tuesday, saying that it made it harder for government agencies to detect criminal activity.

"The current course we are on, towards deeper and deeper encryption, in response to the demands of the marketplace, is one that presents real challenges to those in law enforcement and national security," said Johnson. "Encryption is making it harder for your government to find criminal activity... We need your help to find the solution."

(Reporting by Bill Rigby; Editing by Diane Craft)

From rforno at infowarrior.org Tue Apr 21 19:01:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Apr 2015 20:01:15 -0400
Subject: [Infowarrior] - White House backs House cybersecurity bills
Message-ID:

(X-posted)

(Once again, a display of politicians' one-sided logic - "something must be done, this is something we can get done, therefore we must do it regardless of any concerns expressed by others.")

White House backs House cybersecurity bills
By Cory Bennett - 04/21/15 05:34 PM EDT
http://thehill.com/policy/cybersecurity/239592-white-house-supports-house-cyber-bills-with-reservations

The White House on Tuesday publicly supported two major cybersecurity bills set to be voted on by the House later this week. The measures would increase the exchange of hacking data between the government and private sector.
Companies would receive liability protections when sharing data with civilian federal agencies, such as the Department of Homeland Security (DHS) or Treasury Department.

In two Statements of Administration Policy, the White House offered support for the bills even as it expressed some reservations. Its chief concern is liability protections for companies that it warned might go too far.

"Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks," the White House said.

The administration said overly broad liability protections in both bills could "remove incentives for companies to protect their customers' personal information and may weaken cybersecurity writ large."

Both cybersecurity bills are expected to be approved by the House with more than 300 votes, but the White House support could help efforts in the Senate. The White House insisted it believes the two chambers can work together on "a reasonable solution that strikes an appropriate balance."

In January, the White House offered its own legislative cyber info-sharing proposal that would funnel all cyber info-sharing through the Department of Homeland Security (DHS). Such an approach is more palatable to privacy advocates, who believe the DHS is better suited to scrub personal information from the cyber data before it goes to the rest of the government.

"This approach will help protect privacy, provide for appropriate transparency, and be more effective operationally," the White House said.

Privacy advocates - who oppose both bills - maintain the House measures would allow the federal government to freely share sensitive data on Americans between agencies, and use it for a broad range of criminal investigations and surveillance efforts.

"This sharing must be governed by certain narrow use limitations - an essential part of overlapping privacy and civil liberties protections that also rely on transparent oversight," the White House said.

Backers of the bills point to language limiting the data to cybersecurity uses. The White House would like to see that language strengthened.

"The administration would seek to clarify that information shared with the federal government can be used for investigating, prosecuting, disrupting, or otherwise responding to appropriate crimes," it said.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Apr 22 07:25:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Apr 2015 08:25:33 -0400
Subject: [Infowarrior] - Poor, poor, DC government
Message-ID: <2CC731BA-5F2A-4674-B61C-7E46C70AE8F7@infowarrior.org>

Note the chart. I guess MPD is in full-on panic mode with only one solution: add more cameras around town, say every 50-100 yards or so. Because that'll fix the budget shortfall, for sure! --rick

Speeding up, slowing down, is there a method to madness of D.C. drivers?
http://www.washingtonpost.com/local/trafficandcommuting/speeding-up-slowing-down-is-there-a-method-to-madness-of-dc-drivers/2015/04/21/daf00330-e83c-11e4-9767-6276fc9b0ada_story.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Apr 22 07:27:08 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Apr 2015 08:27:08 -0400
Subject: [Infowarrior] - McConnell bill to extend NSA surveillance to 2020
Message-ID: <4A5CBB20-AF2C-4228-9F05-D701695BBAF5@infowarrior.org>

McConnell introduces bill to extend NSA surveillance
By Ellen Nakashima
April 22 at 7:07 AM
http://www.washingtonpost.com/world/national-security/mcconnell-introduces-bill-to-extend-nsa-surveillance/2015/04/21/fa4b66aa-e89d-11e4-aae1-d642717d8afa_story.html

Senate Majority Leader Mitch McConnell introduced a bill Tuesday night to extend through 2020 a controversial surveillance authority under the Patriot Act.
The move comes as a bipartisan group of lawmakers in both chambers is preparing legislation to scale back the government's spying powers under Section 215 of the Patriot Act. It puts McConnell (R-Ky.) and Senate Intelligence Committee Chairman Richard Burr (R-N.C.), the bill's co-sponsor, squarely on the side of advocates of the National Security Agency's continued ability to collect millions of Americans' phone records each day in the hunt for clues of terrorist activity.

That NSA program was revealed publicly almost two years ago by a former agency contractor, Edward Snowden. The disclosure touched off a global debate over the proper scope of surveillance by U.S. spy agencies and led President Obama to call for an end to the NSA's collection of the records.

In filing the bill, McConnell and Burr invoked a Senate rule that enabled them to bypass the traditional committee vetting process and take the bill straight to the floor. No date has been set for such consideration.

The move provoked a swift response from Sen. Patrick J. Leahy (Vt.), the ranking Democrat on the Judiciary Committee, who has been working with other panel members on legislation to end the government's mass collection of phone and other records for national security purposes.

"Despite overwhelming consensus that the bulk collection of Americans' phone records under Section 215 of the USA Patriot Act must end, Senate Republican leaders are proposing to extend that authority without change," he said in a statement Tuesday night. "This tone deaf attempt to pave the way for five and a half more years of unchecked surveillance will not succeed. I will oppose any reauthorization of Section 215 that does not contain meaningful reforms."

A bipartisan group of lawmakers on the House Judiciary Committee has been working with Leahy and his colleagues to craft a new version of the Freedom Act, legislation to end bulk record collection that failed to pass the Senate last year.
They may introduce their bill Wednesday. The current Section 215 authority expires on June 1. It is far from certain that supporters of a ?clean? reauthorization have the votes to prevail. Some veteran Hill aides say such a prospect is highly unlikely ? especially in the House ? given the number of libertarians who have been highly critical of government surveillance powers. Indeed, McConnell?s move puts him at odds with the candidate he has endorsed for president, Sen. Rand Paul, a fellow Kentucky Republican, who pledged to end the NSA program ? which he called ?unconstitutional surveillance? ? if elected. Under the program, the NSA gathers from U.S. phone companies phone data, including numbers dialed, call times and dates, but not the content. Following the outcry over the program, the Obama administration added some additional protections such as requiring a judge to approve each phone number before the agency can run a search on it in its database. Paul Kane contributed to this report. Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties. -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Apr 22 07:27:35 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 22 Apr 2015 08:27:35 -0400 Subject: [Infowarrior] - McConnell bill to extend NSA surveillance to 2020 Message-ID: McConnell introduces bill to extend NSA surveillance By Ellen Nakashima April 22 at 7:07 AM http://www.washingtonpost.com/world/national-security/mcconnell-introduces-bill-to-extend-nsa-surveillance/2015/04/21/fa4b66aa-e89d-11e4-aae1-d642717d8afa_story.html Senate Majority Leader Mitch McConnell introduced a bill Tuesday night to extend through 2020 a controversial surveillance authority under the Patriot Act. 
-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Apr 22 11:05:42 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 22 Apr 2015 12:05:42 -0400 Subject: [Infowarrior] - Your Tractor is Copyrighted Message-ID:

(c/o Dan)

We Can't Let John Deere Destroy the Very Idea of Ownership | Kyle Wiens | Business | 04.21.15 | 9:00 am http://www.wired.com/2015/04/dmca-ownership-john-deere/

-- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Apr 22 16:49:07 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 22 Apr 2015 17:49:07 -0400 Subject: [Infowarrior] - House Passes Controversial Cybersecurity Information-Sharing Bill Message-ID: <9EA6E5CB-CDE8-45F3-A478-1F47777248DF@infowarrior.org>

House Passes Controversial Cybersecurity Information-Sharing Bill Posted 55 minutes ago by Cat Zakrzewski http://techcrunch.com/2015/04/22/house-passes-controversial-cybersecurity-information-sharing-bill/?ncid=rss

The House of Representatives today passed The Protecting Cyber Networks Act on a 307-116 bipartisan vote. The bill aims to remove legal barriers so that American companies can share threat information with one another to defend against hacks, such as those that have recently plagued Sony and Target. The bills have broad support from the White House and industry groups, including some in tech.

Privacy advocates have criticized information sharing bills as surveillance bills by another name. They worry that sharing cyber threat information with the government will give surveillance agencies even more access to citizens' personal information.

But supporters of the bill say that this legislation has been amended to address those concerns, with more provisions than the Cybersecurity Information Sharing Act (CISA) bill that passed the House last year. The Protecting Cyber Networks Act requires two scrubs of personal information from the shared threat information, one by private sector companies and one by the government. They also argue that this bill has stricter provisions that would regulate how the government can use that information. There is no direct sharing with the National Security Agency allowed.

Although the bill has stronger privacy provisions than CISA, that does not mean it's perfect. Despite amendments, there are still concerns that broad interpretation of the bill could allow government agencies to abuse the information they gather through the bill.
CISA never made it to the Senate floor because of such worries last year.

The political climate around cybersecurity has changed since CISA failed last year. Since CISA was considered last year, Sony was hacked, the State Department and White House were breached and health insurance records were compromised at Anthem. In the past, Congress overlooked the issue of cybersecurity because it faced no public pressure to address it. But after these high profile hacks, it has backed itself into a corner where it has no option but to pass legislation that will address them. Rather than having a more robust debate about the potential abuses this bill could have, Congress had no choice but to pass the bill. The Sony hack was the final straw that made it clear the government had not done enough to address this issue. As we prepare for Congress to revisit surveillance reform, we can only hope this is not the PATRIOT Act all over again.

It seems both proponents of the bill and the privacy advocates have a strong case when it comes to this bill. It provides a stronger defense for Americans' civil liberties than past legislation, but only time will tell if those protections go far enough and if this information sharing will effectively thwart future hacks.

The Senate has advanced a similar bill out of the Intelligence Committee. The House will consider another cybersecurity bill, the National Cybersecurity Protection Advancement Act, tomorrow.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Apr 22 17:04:40 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 22 Apr 2015 18:04:40 -0400 Subject: [Infowarrior] - How to Detect Sneaky NSA 'Quantum Insert' Attacks Message-ID:

How to Detect Sneaky NSA 'Quantum Insert' Attacks | Kim Zetter | Security | 04.22.15 | 12:40 pm

Among all of the NSA hacking operations exposed by whistleblower Edward Snowden over the last two years, one in particular has stood out for its sophistication and stealthiness. Known as Quantum Insert, the man-on-the-side hacking technique has been used to great effect since 2005 by the NSA and its partner spy agency, Britain's GCHQ, to hack into high-value, hard-to-reach systems and implant malware.

Quantum Insert is useful for getting at machines that can't be reached through phishing attacks. It works by hijacking a browser as it's trying to access web pages and forcing it to visit a malicious web page, rather than the page the target intended to visit. The attackers can then surreptitiously download malware onto the target's machine from the rogue web page.

Quantum Insert has been used to hack the machines of terrorist suspects in the Middle East, but it was also used in a controversial GCHQ/NSA operation against employees of the Belgian telecom Belgacom and against workers at OPEC, the Organization of Petroleum Exporting Countries. The "highly successful" technique allowed the NSA to place 300 malicious implants on computers around the world in 2010, according to the spy agency's own internal documents—all while remaining undetected.

But now security researchers with Fox-IT in the Netherlands, who helped investigate that hack against Belgacom, have found a way to detect Quantum Insert attacks using common intrusion detection tools such as Snort, Bro and Suricata. The detection focuses on identifying anomalies in the data packets that get sent to a victim's browser client when the browser attempts to access web pages. The researchers, who plan to discuss their findings at the RSA Conference in San Francisco today, have written a blog post describing the technical details and are releasing custom patches for Snort to help detect Quantum Insert attacks.
< - >

http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 23 08:58:01 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 23 Apr 2015 09:58:01 -0400 Subject: [Infowarrior] - DOD releases new cyber strategy Message-ID: <1102A5FB-0DDB-4194-A25A-F8AC70B5ADDC@infowarrior.org>

Defense Secretary unveils new Pentagon cyberstrategy http://www.washingtonpost.com/world/national-security/defense-secretary-unveils-pentagon-cyberstrategy/2015/04/22/959ffcd0-e90a-11e4-aae1-d642717d8afa_story.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 23 14:42:36 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 23 Apr 2015 15:42:36 -0400 Subject: [Infowarrior] - Comcast Plans to Drop Time Warner Cable Deal Message-ID: <28C165FF-F95A-4BDC-8CED-E7760D6A2819@infowarrior.org>

Comcast Plans to Drop Time Warner Cable Deal by Alex Sherman 3:00 PM EDT April 23, 2015 http://www.bloomberg.com/news/articles/2015-04-23/comcast-said-planning-to-withdraw-offer-for-time-warner-cable

Comcast Corp. is planning to walk away from its proposed $45 billion takeover of Time Warner Cable Inc., people with knowledge of the matter said, after regulators planned to oppose the deal. Comcast is planning to make a final decision on its plans Thursday, and an announcement on the deal's fate may come as soon as Friday, said one of the people, who asked not to be named discussing private information.

This week, U.S. Federal Communications Commission staff joined lawyers at the Justice Department in opposing the planned transaction. FCC officials told the two biggest U.S. cable companies on Wednesday that they are leaning toward concluding the merger doesn't help consumers, a person with knowledge of the matter said.
An FCC hearing can take months to complete and effectively kill a deal by dragging out the approval process beyond the companies' time frame for completion. Justice Department staff is also leaning against the deal, Bloomberg reported last week.

Comcast shares rose 2.2 percent to $60.06 at 3:07 p.m. in New York, while Time Warner Cable climbed 0.5 percent. Sena Fitzmaurice, a spokeswoman for Comcast, declined to comment.

While the DOJ has to present a case in court to block the deal, an FCC hearing referral could prove to be the bigger obstacle to Comcast's bid to expand its cable and Internet footprint. The last time the FCC staff proposed sending a merger to a hearing was over AT&T Inc.'s bid to buy T-Mobile USA Inc. in 2011, prompting the companies to drop the deal. The Justice Department had already brought a lawsuit seeking to block the merger.

Comcast representatives came away from the FCC meeting with the impression the deal was in trouble, according to a person familiar with the matter.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 23 18:19:25 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 23 Apr 2015 19:19:25 -0400 Subject: [Infowarrior] - Bypassing OS X Security Tools is Trivial, Researcher Says Message-ID: <139B7E38-6FE6-4372-8B38-C148E1C70083@infowarrior.org>

Bypassing OS X Security Tools is Trivial, Researcher Says by Dennis Fisher April 23, 2015, 2:35 pm https://threatpost.com/bypassing-os-x-security-tools-is-trivial-researcher-says/112410

SAN FRANCISCO—For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all.
Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.

"Gatekeeper doesn't verify any extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle."

Backing up Gatekeeper is XProtect, Apple's anti-malware system for OS X. Malware isn't a massive problem for OSX, but there definitely are some well-known families out there, with more being created all the time, Wardle said. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.

"It's trivial to bypass XProtect," he said.

OS X also now includes a sandbox, which Wardle said is well-designed, but there are a number of known kernel-level OS X vulnerabilities that can bypass the sandbox, as well. Google's Project Zero has discovered and published several such bugs, and Wardle said using any one of them gets him the ability to bypass the sandbox.

"While the core sandbox technology is strong, there are plenty of bugs that can bypass it," he said.

One of the other key security technologies in OS X is the use of code signing. However, it's not much of a task to get around that requirement, Wardle said.
"The code signing just checks for a signature and if it's not there, it doesn't do anything and lets the app run," he said. "I can unsign a signed app and the loader has no way to stop it from running."

Starting with OSX Mavericks, all of the code that runs in the kernel has to be signed. But the mechanism that checks for the signature is flawed, too, Wardle said.

"The check for this runs in user mode, which is a huge security fail because the attacker would be in user mode," he said. "He could just modify a kernel extension or load unsigned ones."

On the whole, the security tools in OS X don't present much of a challenge for attackers right now, Wardle said.

"If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Apr 24 07:35:50 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Apr 2015 08:35:50 -0400 Subject: [Infowarrior] - Crash Boys Message-ID: <1BFA600F-989B-441F-BA07-B67B612A2DAF@infowarrior.org>

Crash Boys Apr 24, 2015 5:00 AM EDT By Michael Lewis http://www.bloombergview.com/articles/2015-04-24/michael-lewis-has-questions-about-flash-crash

The first question that arises from the Commodity Futures Trading Commission's case against Navinder Singh Sarao is: Why did it take them five years to bring it? A guy living with his parents next to London's Heathrow Airport enters a lot of big, phony orders to sell U.S. stock market futures; the market promptly collapses on May 6, 2010; it takes five years for the army of U.S. financial regulators to work out that there might be some connection between the two events. It makes no sense.

Trading on Speed

A bunch of news reports have suggested that the CFTC didn't have the information available to it to make the case.
After the flash crash, the commission focused exclusively on trades that had occurred that day, rather than orders designed not to trade -- at least until some mysterious whistle-blower came forward to explain how the futures market actually worked. But this can't be true. Immediately after the flash crash, Eric Hunsader, founder of the Chicago-based market data company Nanex, which has access to all stock and futures market orders, detected lots of socially dubious trading activity that May day: high-frequency trading firms sending 5,000 quotes per second in a single stock without ever intending to trade that stock, for instance. On June 18, 2010, Nanex published a report of its findings. The following Wednesday, June 23, the website Zero Hedge posted the Nanex report. Two days later the CFTC's chief economist, Andrei Kirilenko, e-mailed Hunsader.

"He invited me out to D.C. and I talked with everyone there (and I mean everyone -- including a commissioner)," Hunsader says. "The CFTC then flew out a programmer to our offices where we showed him how to work with our data. Took all of a day. We sent him back with our flash crash data, and that was pretty much the last we heard about that project."

In October 2010, Hunsader was still poring over data from the flash crash. "Between October 7 and October 14, I noticed Sarao's spoofing," he says. Hunsader assumed it to be the work of an algorithm of some large high-frequency trading firm -- as this sort of deception had become common practice for big HFT firms. He told the CFTC about it in a phone call -- but that they hadn't discovered it already for themselves surprised him. "It's important to know the CFTC had our data, and the ability to use it in August 2010," Hunsader says. "We were focused on stocks (the CFTC does futures), so they should have seen it right away."

Which raises another obvious question: If you are going to sit on this information for five years, why not sit on it forever?
The people at the CFTC who decided to come forth, five years after the fact, with this new and improved explanation for the flash crash, must have known they would be creating a controversy with themselves at the center of it. It's actually sort of brave of them. They've been ridiculed in the news media and will no doubt soon be hauled before various congressional committees. They'll have annoyed their colleagues at the Securities and Exchange Commission, who now look like even greater fools than they did before, for not bothering to mention in their report on the crash the various nefarious activities of algorithmic traders, and instead offering up as the primary cause of the crash a stupid mistake made by a money manager in Kansas. The authors of the SEC report either consciously ignored or did not bother to acquire from the CFTC a lot of accessible, and damning, information about what was happening in the U.S. stock markets the day of the flash crash. The world will now want to know why they did this. (And why we should not instantly listen to Paul Volcker and fold these two regulators into one.)

But it's unfair to dwell too long on the regulators. Financial regulators, like editorial writers, are at best the markets' last line of defense; they are less inclined to join any battle than they are to wander in afterward and shoot the wounded. Traders who seek to manipulate the U.S. stock market are meant to encounter resistance from the market itself. During the flash crash, Navinder Sarao apparently used Jon Corzine's now defunct MF Global to place orders and clear trades. Why didn't MF Global see what he was up to, or at least call him to ask him about it? There's now a big business on Wall Street of firms renting out their HFT infrastructure to prop shops. Does that business depend on the brokers paying no attention to what their customers are doing?
Do the big Wall Street firms that rent out their technology bear any responsibility for what their customers do with the weapons they've been given? For that matter, why don't U.S. securities exchanges assume any responsibility for what happens on them? Sarao's manipulative orders were placed on the Chicago Mercantile Exchange. Why didn't the CME notice what was going on? Or did they notice, and simply not care, as the behavior was standard practice for their high-frequency trading clients?

Then there is the biggest question of all: How can a guy working from his parents' house in suburban England whose only actionable orders were to BUY stock market futures cause such a sensational collapse in U.S. stocks? On the day of the flash crash, Sarao never actually sold stocks. He was trying to trick the market into falling so that he could buy in more cheaply. But whom did he fool with his trick? Whose algorithms were so easily gamed that they responded to phony sell orders by creating a crash? Stupidity isn't a crime. Still, it would be interesting to know who, at this particular poker table, on this particular day, was the fool.

It would also be interesting to know how it occurred to Sarao that his trick might work. There's a fabulous yet-to-be-told story here, about a smart kid in the U.K. who somehow figures out that the machines that execute the stock market trades of others might be gamed -- and so he games them. One day while he is busy trying to trick the U.S. stock market into falling, the market collapses, more sensationally than it has ever collapsed. And instead of digging some hole in Hounslow in which he might hide for a decade or so, or fleeing to Anguilla, where he has squirreled away his profits, he stays in his parents' home and keeps right on spoofing the U.S. stock market -- and then is shocked when people turn up to accuse him of wrongdoing. He's not some kind of exception to the standard operating procedure in finance. He's a parody of it.
To contact the author on this story: Michael Lewis at mlewis1 at bloomberg.net To contact the editor on this story: Martin Schenker at mschenker at bloomberg.net

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Apr 24 07:55:56 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Apr 2015 08:55:56 -0400 Subject: [Infowarrior] - Comcast Confirms End of Deal With Time Warner Cable Message-ID: <63414951-FC3B-4A12-815A-6DC6FA7BEFC1@infowarrior.org>

(Translation: Washington actually agreed w/opponents and said "together is NOT better". -rick)

Comcast Confirms End of Deal With Time Warner Cable By EMILY STEEL APRIL 24, 2015 http://www.nytimes.com/2015/04/25/business/media/comcast-time-warner-cable-deal.html

Comcast confirmed Friday that it had called off its $45 billion takeover of Time Warner Cable, aborting its plans to create a truly national cable company with unprecedented control over the future of the country's television and broadband markets.

The deal would have brought together the country's two largest cable operators at a time when the Internet acts as the ultimate gateway for information and entertainment, and when vast technology changes revolutionize how people watch and pay for television. Combined, the companies would have controlled as much as 57 percent of the nation's broadband market and just under 30 percent of pay television service. That threshold appeared to be too much for federal regulators, who had signaled that they were leaning toward blocking the deal.

"Today, we move on," Brian L. Roberts, Comcast's chief executive, said in a statement. "Of course, we would have liked to bring our great products to new cities, but we structured this deal so that if the government didn't agree, we could walk away." He said that Comcast is "a unique company with strong momentum" and that it had delivered solid operating results during the period that it was trying for the takeover.
"I couldn't be more proud of this company and I am truly excited for what's next," he said.

Robert D. Marcus, chief executive of Time Warner Cable, said in a statement that the company has been "laser-focused" throughout the deal process on improving the company's operations and was confident that it would deliver value to shareholders. "We have always believed that Time Warner Cable is a one-of-a-kind asset," he said. "We are strong and getting stronger." Time Warner Cable is scheduled to announce earnings next week, when analysts expect the company to reveal more details about its plans for the future.

Comcast and Time Warner Cable did not include a breakup fee in the deal.

Announced with much fanfare in February 2014, the transaction faced intense scrutiny by government regulators, who feared that the deal harmed competition and was not in the public interest. It also set off loud criticism from lawmakers, consumers, public advocacy groups and media and technology companies.

Mr. Roberts of Comcast had pitched the deal as an attempt to create a "world-class blue-chip company committed to innovation" that would lead to cutting-edge video services and faster Internet speeds. But concerns grew that the transaction would place too much power over the future of the country's entertainment and communications infrastructure in the hands of one company. Comcast also owns the entertainment group NBCUniversal, which it acquired in 2011.

With a national platform, Comcast would have been able to build a stronger rival to streaming services like Netflix that threaten the traditional television business. It also could have thwarted television networks' attempts at creating their own streaming services by forcing them to hold back programming. At the same time, the company would have wielded more power over the broadband networks that those services need.
Critics said customers would end up paying more for declining service and that the company would stave off competition and innovation in the online video business. Others said the deal would result in a lack of independent and diverse voices in television. The company also was scrutinized for failing to live up to commitments it had made in previous deals, like the NBCUniversal transaction.

"It shows that even big cable has to listen to the American people who spoke loudly and clearly on this and who understood how important this was to keep the communications infrastructure free and open, and protect it from gatekeeping," said Michael Copps, a former Democratic member of the Federal Communications Commission and an adviser to the Common Cause public interest group.

Comcast officials this week met with officials from the Federal Communications Commission and the Justice Department, who signaled that they were leaning against the merger.

The collapse of the deal effectively put an end to a series of other transactions that would have reshaped the media industry. Charter Communications, the regional cable operator, will no longer acquire some of the Time Warner Cable markets that Comcast was planning to divest. Charter's $10.4 billion deal for Bright House Networks also was contingent on Comcast's purchase of Time Warner Cable.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Apr 24 11:57:18 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Apr 2015 12:57:18 -0400 Subject: [Infowarrior] - The Word That Cannot Be Uttered (It's Drones) Message-ID:

The Word That Cannot Be Uttered (It's Drones)

This is what happens when there is no accountability.
President Obama has chosen to operate his drone war in such unprecedented, absurd and arguably illegal secrecy that even in a rare burst of compelled transparency yesterday, neither he nor his press secretary could actually bring themselves to say the word "drone." Over and over again, Obama called the drone strike that killed two al Qaeda hostages a "counterterrorism operation."

< - >

https://firstlook.org/theintercept/unofficial-sources/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Apr 24 11:57:23 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Apr 2015 12:57:23 -0400 Subject: [Infowarrior] - The Key War on Terror Propaganda Tool: Only Western Victims Are Acknowledged Message-ID: <8A168646-D4E6-4F35-BC48-EFDF6395960F@infowarrior.org>

The Key War on Terror Propaganda Tool: Only Western Victims Are Acknowledged By Glenn Greenwald @ggreenwald Today at 11:08 AM

In all the years I've been writing about Obama's drone killings, yesterday featured by far the most widespread critical discussion in U.S. establishment journalism circles. This long-suppressed but crucial fact about drones was actually trumpeted as the lead headline on the front page of The New York Times yesterday:

The reason for the unusually intense, largely critical coverage of drone killings yesterday is obvious: the victims of this strike were Western and non-Muslim, and therefore were seen as actually human.

< - >

https://firstlook.org/theintercept/2015/04/24/central-war-terror-propaganda-tool-western-victims-acknowledged/

-- It's better to burn out than fade away.
From rforno at infowarrior.org Sat Apr 25 09:14:55 2015 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 25 Apr 2015 10:14:55 -0400 Subject: [Infowarrior] - Declassified Report Shows Doubts About Value of N.S.A.'s Warrantless Spying Message-ID: <757183FE-0B01-4A83-BAF0-441638DACBBA@infowarrior.org>

Declassified Report Shows Doubts About Value of N.S.A.'s Warrantless Spying By CHARLIE SAVAGE APRIL 24, 2015 http://www.nytimes.com/2015/04/25/us/politics/value-of-nsa-warrantless-spying-is-doubted-in-declassified-reports.html

WASHINGTON — The secrecy surrounding the National Security Agency's post-9/11 warrantless surveillance and bulk data collection program hampered its effectiveness, and many members of the intelligence community later struggled to identify any specific terrorist attacks it thwarted, a newly declassified document shows.

The document is a lengthy report on a once secret N.S.A. program code-named Stellarwind. The report was a joint project in 2009 by inspectors general for five intelligence and law enforcement agencies, and it was withheld from the public at the time, although a short, unclassified version was made public. The government released a redacted version of the full report to The New York Times on Friday evening in response to a Freedom of Information Act lawsuit.

Shortly after the terrorist attacks on Sept. 11, 2001, President George W. Bush secretly told the N.S.A. that it could wiretap Americans' international phone calls and collect bulk data about their phone calls and emails without obeying the Foreign Intelligence Surveillance Act. Over time, Stellarwind's legal basis evolved, and pieces of it emerged into public view, starting with an article in The Times about warrantless wiretapping in 2005.

The report amounts to a detailed history of the program. While significant parts remain classified, it includes some new information.
For example, it explains how the Bush administration came to tell the chief judge of the Foreign Intelligence Surveillance Court at the time of the Sept. 11 attacks, Royce C. Lamberth, about the program's existence in early 2002. James A. Baker, then the Justice Department's top intelligence lawyer, had not been told about the program. But he came across "strange, unattributed" language in an application for an ordinary surveillance warrant and figured it out, then insisted on telling Judge Lamberth. Mr. Baker is now the general counsel to the F.B.I.

It also says that Mr. Baker developed procedures to make sure that warrant applications using information from Stellarwind went only to the judges who knew about the program: first Judge Lamberth and then his successor, Judge Colleen Kollar-Kotelly. The White House would not let Judge Kollar-Kotelly keep a copy of a letter written by a Justice Department lawyer, John C. Yoo, explaining the claimed legal basis of the program, and it rejected a request by Attorney General John Ashcroft to tell his deputy, Larry Thompson, about the program.

The report said that the secrecy surrounding the program made it less useful. Very few working-level C.I.A. analysts were told about it. After the warrantless wiretapping part became public, Congress legalized it in 2007; the report said this should have happened earlier to remove "the substantial restrictions placed on F.B.I. agents' and analysts' access to and use of program-derived information due to the highly classified status" of Stellarwind.

In 2003, after Mr. Yoo left the government, other Justice Department officials read his secret memo approving the program — most of which has not been made public — and concluded that it was flawed. Among other things, the report said, Mr. Yoo's reasoning was premised on the assumption that the surveillance act, which requires warrants for national security wiretaps, did not expressly apply to wartime situations.
His memo did not mention that a provision of that law explains how it applies in war: The warrant rule is suspended for the first 15 days of a war.

The report has new details about a dramatic episode in March 2004, when several Justice Department officials confronted Alberto R. Gonzales, the White House counsel at the time, in the hospital room of Mr. Ashcroft over the legality of the program. The officials included Mr. Thompson's successor as deputy attorney general, James B. Comey, who is now the F.B.I. director, and the new head of the office where Mr. Yoo had worked, Jack Goldsmith.

The showdown prompted Mr. Bush to make two or three changes to Stellarwind, the report said. But while the report gives a blow-by-blow account of the bureaucratic fight, it censors an explanation of the substance of the legal dispute and Mr. Bush's changes. Last year, the Obama administration released a redacted version of a memo that Mr. Goldsmith later wrote about Stellarwind and similarly censored important details.

Nevertheless, it is public knowledge, because of documents leaked by the former intelligence contractor Edward J. Snowden, that one part of the dispute concerned the legality of the component of Stellarwind that collected bulk records about Americans' emails. Mr. Snowden's disclosures included a working draft version of the N.S.A. inspector general's contribution to this report, roughly 50 pages long. The final document - with many passages redacted as still classified - was part of Friday's release.

Another part of the newly disclosed report provides an explanation for a change in F.B.I. rules during the Bush administration. Previously, F.B.I. agents had only two types of cases: "preliminary" and "full" investigations. But the Bush administration created a third, lower-level type called an "assessment." This development, it turns out, was a result of Stellarwind. F.B.I.
agents were asked to scrutinize phone numbers deemed suspicious because of information from the program. But the agents were not told why the numbers had been deemed suspicious, only "not to use the information in legal or judicial proceedings." That made some agents uncomfortable, and it was not clear how such mysterious leads fit into their rules for investigations. The Justice Department created the new type of investigation, initially called a "threat assessment," which could be opened with lower-grade tips. Agents now use them tens of thousands of times a year.

But little came of the Stellarwind tips. In 2004, the F.B.I. looked at a sampling of all the tips to see how many had made a "significant contribution" to identifying a terrorist, deporting a terrorism suspect, or developing a confidential informant about terrorists. Just 1.2 percent of the tips from 2001 to 2004 had made such a contribution. Two years later, the F.B.I. reviewed all the leads from the warrantless wiretapping part of Stellarwind between August 2004 and January 2006. None had proved useful. Still, the report includes several redacted paragraphs describing "success" cases.

A version of this article appears in print on April 25, 2015, on page A12 of the New York edition with the headline: Declassified Report Shows Doubts About Value of N.S.A.'s Warrantless Spying.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Mon Apr 27 10:31:57 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 27 Apr 2015 11:31:57 -0400 Subject: [Infowarrior] - Obama goes Kafka on TPP Message-ID: <85DD6930-0666-4A7A-93E7-56C9791C96C0@infowarrior.org>

President Obama Demands Critics Tell Him What's Wrong With TPP; Of Course We Can't Do That Because He Won't Show Us The Agreement
from the most-transparent-administration-in-history dept

President Obama is apparently quite annoyed by the fact that his own party is basically pushing against his "big trade deals" (that are not really about trade). Senator Elizabeth Warren has been pretty aggressive in trashing the TPP agreement, highlighting the fact that the agreement is still secret (other than the bits leaked by Wikileaks). In response, President Obama came out swinging against the critics of TPP arguing that "they don't know what they're talking about." He insists that it's unfair to compare TPP to NAFTA because they're different deals:

"You need to tell me what's wrong with this trade agreement, not one that was passed 25 years ago."

Well, Mr. President, I would love to do that, but I can't because you and your USTR haven't released the damn text. It takes an insane lack of self-awareness for the guy who once declared his administration "the most transparent in history" to demand people tell him what's wrong with his trade agreement, when that agreement is kept entirely secret.

< - >

https://www.techdirt.com/articles/20150424/14443230784/president-obama-demands-critics-tell-him-whats-wrong-with-tpp-course-we-cant-do-that-because-he-wont-show-us-agreement.shtml

-- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Apr 28 06:44:33 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Apr 2015 07:44:33 -0400 Subject: [Infowarrior] - Encrypting Your Laptop Like You Mean It Message-ID: <4D2B222E-8BA8-4D66-A481-2A0A17F289F7@infowarrior.org>

Encrypting Your Laptop Like You Mean It
By Micah Lee @micahflee
https://firstlook.org/theintercept/2015/04/27/encrypting-laptop-like-mean/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Apr 28 14:22:15 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Apr 2015 15:22:15 -0400 Subject: [Infowarrior] - Facebook's login system is being hijacked by China's Great Firewall Message-ID: <74C8385C-E01C-4CB7-8B80-8A148A757B4D@infowarrior.org>

Facebook's login system is being hijacked by China's Great Firewall
By Russell Brandom on April 28, 2015 12:34 pm
http://www.theverge.com/2015/4/28/8508117/facebook-connect-great-firewall-great-cannon-censorship

For the last three days, China's Great Firewall has been intercepting the Javascript module from Facebook's login feature, Facebook Connect, which allows third-party sites to authorize users through their Facebook login. First reported on Sunday, the attack causes sites using Facebook Connect to redirect to a third-party page. Readers have confirmed to The Verge that the redirection attack is still under way, and sites using Facebook Connect are automatically redirecting when accessed without a VPN or a Javascript blocker. Local media in Beijing has also reported on the problem. Facebook did not immediately respond to a request for comment.

Facebook Connect communicates login information from Facebook, allowing a Facebook login to extend to third party sites through a Javascript applet. The applet is enabled on thousands of sites across the web, including The Verge.
On Sunday, the Great Firewall started intercepting that applet in transit and replacing it with a new single-line redirection code from two third-party sites. The result is that, for non-VPN users in China, any page with a Facebook Connect button has been redirecting to two sites: wpkg.org or ptraveler.com, an open-source software project and a personal travel blog respectively. It's unclear why the Chinese government would want to send users to these sites, although ptraveler.com seems to have been brought down by the flood of traffic.

It's not the first time China has performed this kind of traffic interception. In March, a similar redirection was used to perform a denial-of-service attack on GitHub, apparently in retaliation for dissident content posted through the service. Since the new code is injected as content passes through China's national web filters, there's little doubt that the Chinese government is responsible for the attacks. The research group Citizen Lab has named the capability "The Great Cannon," a play on the Great Firewall censorship filter.

It's difficult to say why Facebook Connect is being targeted, since the net effect for most users is simply to redirect the browser to an unrelated homepage. Facebook itself is officially blocked in China, although the block has been relaxed in recent years. Some have speculated that an injection attack like this could be used to spoof a Facebook login, but if such an attack is being carried out, it's likely targeted to only a handful of users and effectively invisible on the network scale. It's likely both sites have seen a huge uptick in traffic, but there's no clear reason why these sites would be targets for the Great Cannon, or why Facebook would be the conduit for that attack.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Apr 28 14:22:45 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Apr 2015 15:22:45 -0400 Subject: [Infowarrior] - Fwd: when robots collude References: <20150428162916.5626F2281D8@palinka.tinho.net> Message-ID: <0F9CEA64-43C1-4767-BA65-C50F010F2D0B@infowarrior.org>

> Begin forwarded message:
>
> From: dan
> Subject: referral: when robots collude
> Date: April 28, 2015 at 12:29:16 PM EDT
>
> WHEN ROBOTS COLLUDE: Computers are adopting a legally questionable means
> to crush the competition
> http://uk.businessinsider.com/robots-colluding-to-manipulate-markets-2015-4
>

From rforno at infowarrior.org Tue Apr 28 14:47:57 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Apr 2015 15:47:57 -0400 Subject: [Infowarrior] - Security Experts Hack Teleoperated Surgical Robot Message-ID: <8D489EE9-B514-44AC-8F97-5EB8848A1989@infowarrior.org>

Security Experts Hack Teleoperated Surgical Robot
The first hijacking of a medical telerobot raises important questions over the security of remote surgery, say computer security experts.
http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-surgical-robot/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Apr 28 17:40:59 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Apr 2015 18:40:59 -0400 Subject: [Infowarrior] - Tom Cotton's Push To Expand Patriot Act On Surveillance Message-ID: <843577A0-F739-4914-9814-0C8D0CC2E9D5@infowarrior.org>

Tom Cotton's Push To Expand Patriot Act On Surveillance
http://crooksandliars.com/2015/04/tom-cottons-push-expand-patriot-act

< - >

"The latest fight concerns three expiring provisions of the Patriot Act. Senate Minority Leader Mitch McConnell (R-Ky.) and Sen. Richard Burr (R-N.C.), who chairs the Select Committee on Intelligence, offered a bill this week that would extend the provisions for five-and-a-half years.
The bill would cover the bulk collection of phone records under the Patriot Act's 215 program, which generated enormous controversy when it was revealed by leaker Edward Snowden. The bill also would prolong two other measures: A so-called "lone wolf" provision that allows the government to surveil potential terrorists who aren't directly connected to terrorist cells; and a section that allows the feds to use roving wiretaps to monitor suspects who rapidly change location or communication device."

< - >

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 30 09:01:42 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Apr 2015 10:01:42 -0400 Subject: [Infowarrior] - Update on IANA Transition & Negotiations with ICANN Message-ID:

[Ianaplan] Update on IANA Transition & Negotiations with ICANN
From: Andrew Sullivan
To: ianaplan at ietf.org
Date: Thu, 30 Apr 2015 12:57:53 +0100
List-id: IANA Plan

Dear colleagues,

This is an update to the community on the current discussion between the IETF and ICANN regarding the annual SLA or Supplemental Agreement. Each year, the IETF (via the IAOC) and ICANN specify a supplemental agreement to our Memorandum of Understanding, in order to ensure that any gaps or identified operational issues are addressed.

As you are aware, inspired by the request from the IANA Stewardship Transition Coordination Group (ICG), last year we formed the IANAPLAN working group and achieved IETF consensus on the state of affairs with IANA registries published under the direction of the IETF. That consensus is captured in draft-ietf-ianaplan-icg-response-09, which was transmitted to the ICG. In that document the community sought to have some facts acknowledged as part of any IANA transition plan:

o The protocol parameters registries are in the public domain. It is the preference of the IETF community that all relevant parties acknowledge that fact as part of the transition.
o It is possible in the future that the operation of the protocol parameters registries may be transitioned from ICANN to subsequent operator(s). It is the preference of the IETF community that, as part of the NTIA transition, ICANN acknowledge that it will carry out the obligations established under C.7.3 and I.61 of the current IANA functions contract between ICANN and the NTIA [NTIA-Contract] to achieve a smooth transition to subsequent operator(s), should the need arise. Furthermore, in the event of a transition it is the expectation of the IETF community that ICANN, the IETF, and subsequent operator(s) will work together to minimize disruption in the use of the protocol parameters registries or other resources currently located at iana.org.

Understanding this consensus, the IETF leadership have been negotiating with ICANN to include text to satisfy these points in our annual Service Level Agreement. After some iterations, we arrived at text that we think captures the IETF consensus, but ICANN has informed us that they are unable to agree to that text right now. ICANN told us that, in their opinion, agreeing to that text now would possibly put them in breach of their existing agreement with the NTIA.

It is our view that the substance of the statements above is already part of our agreement with ICANN, and that we are merely elaborating details of that existing agreement. We expect that as we continue towards the orderly winding down of NTIA's involvement in the IANA processes, our existing arrangements will be preserved, in keeping with IETF consensus. We will of course continue to assess the situation, agreements, and next steps, as well as developments in other operational communities.

We think that the existing agreement between ICANN and the IETF makes good sense, and is good for the Internet. The IETF has stated very strongly that it supports that existing agreement.
That strong support is a necessary condition for success, and we shall not waver in our commitment to the IETF's continued responsible stewardship of the protocol parameters registries.

We note that the IETF community remains very satisfied with ICANN's current level of performance. The existing supplemental agreement, from last year, continues until it is replaced.

We welcome your thoughts about this situation. We will continue to use the IANAPLAN mailing list for these discussions.

Best regards,

Jari Arkko IETF Chair
Tobias Gondrom IAOC Chair
Andrew Sullivan IAB Chair

-- Andrew Sullivan ajs at anvilwalrusden.com

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 30 10:29:14 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Apr 2015 11:29:14 -0400 Subject: [Infowarrior] - NASA's Messenger probe is giving up on life this afternoon Message-ID: <413E3BF0-7289-43C4-A353-5A8361E47AA2@infowarrior.org>

(Impact details: http://messenger.jhuapl.edu/gallery/sciencePhotos/image.php?gallery_id=2&image_id=1602)

NASA's Messenger probe is giving up on life this afternoon
by Kevin Roose
NASA
April 30, 2015 9:38 AM
http://fusion.net/story/128495/nasas-messenger-probe-is-giving-up-on-life-this-afternoon/

Sometimes, you just can't make it to Friday.

Around 3:30 p.m. EDT this afternoon, NASA's Messenger spacecraft, a $446 million probe that was launched in 2004 to study Mercury's geology and atmosphere, is expected to crash into the planet, ending a successful four-year orbit.

"Following this last maneuver, we will finally declare the spacecraft out of propellant, as this maneuver will deplete nearly all of our remaining helium gas," Daniel O'Shaughnessy, a mission systems engineer, said in a NASA press release. "At that point, the spacecraft will no longer be capable of fighting the downward push of the sun's gravity."
Messenger (which stands for "MErcury Surface, Space ENvironment, GEochemistry, and Ranging") was launched in 2004 and began orbiting Mercury in 2011. It has since circled the planet more than 4,000 times, and sent back more than 270,000 photos and 10 terabytes of data about Mercury's surface, magnetic fields, and atmospheric composition. The probe weighs about 1,000 pounds, and is expected to leave a 50-foot-wide crater when it crash-lands near Mercury's North Pole after running out of fuel.

Not much was known about Mercury in 2004, when Messenger was launched. Since then, it has discovered lots of important facts about the planet, including the existence of enormous patches of subterranean ice in Mercury's polar regions that could help tell us how water and other organic compounds made it from the outer solar system to Earth. The probe's camera has also produced iconic images like this:

NASA scientists, for their part, seem to be keeping it together emotionally. "While spacecraft operations will end, we are celebrating MESSENGER as more than a successful mission," said John Grunsfeld, associate administrator for the Science Mission Directorate at NASA. "It's the beginning of a longer journey to analyze the data that reveals all the scientific mysteries of Mercury."

If spacecraft snuff film is your thing, you can watch a webcast of the crash at SLOOH. And if not, the Messenger's Twitter account will be capturing the bittersweet action:

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 30 14:08:41 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Apr 2015 15:08:41 -0400 Subject: [Infowarrior] - Humor: Nick Fury has tech problems Message-ID:

Technology in the Avengers movies always seems to work flawlessly. But what if it didn't? In "The Avengers: Age of Technical Difficulties," Nick Fury has to deal with failing technology.
http://www.cnet.com/news/watch-nick-fury-get-beat-by-technology-in-avengers-parody

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Apr 30 17:38:17 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Apr 2015 18:38:17 -0400 Subject: [Infowarrior] - Is the threat of cyberattack hyped? Message-ID:

Is the threat of cyberattack hyped?
By JOSH GERSTEIN
4/30/15 11:04 AM EDT
http://www.politico.com/blogs/under-the-radar/2015/04/is-the-threat-of-cyberattack-hyped-206385.html

Two former high-ranking U.S. officials presented different perspectives Wednesday on the current risk of a serious or catastrophic cyberattack against the U.S.

Former National Security Agency Director Keith Alexander said the danger of such attacks is growing. He laid out scenarios where a bad actor might take down the power grid and mount a cyberattack on the financial sector at the same time, causing a high degree of panic, confusion and economic damage.

"The use of cyber, both for criminal activity and for nation-state, has had a significant rise in the last seven, eight years. ... We see this only picking up," Alexander said at a discussion in Washington organized by the Aspen Security Forum.

He said he was optimistic that Congress may be on the verge of passing long-debated cybersecurity legislation intended to facilitate information-sharing between industry and government. "We've told them it's a crisis," Alexander said of the message he's delivered to lawmakers. Director of National Intelligence James Clapper has also put cyber atop his annual list of threats to U.S. security.

However, speaking to the same group, former National Counterterrorism Center Director Matt Olsen said that while the greatest risk of a devastating cyberattack remains in the future, more conventional forms of terrorism are a greater danger right now.

"The threat from terrorism is our No.
1 threat and remains that and is becoming more complicated," said Olsen, a former federal prosecutor. He described cyber danger as an "emerging" threat on the upswing but an area where the capabilities of U.S. foes are still developing.

Olsen also suggested that while groups like the Islamic State of Iraq and the Levant had "seized our attention" with videotaped beheadings and other atrocities, he still sees the Al Qaeda offshoot in Yemen, Al Qaeda of the Arabian Peninsula, as the greatest threat for an attack on the U.S. But he acknowledged that the emergence of smaller militant groups in places like Syria and Libya is complicating the government's efforts to keep tabs on the problem.

"Some [groups] are focused on us and attacking us. Some are focused on regional goals, but they may soon turn their attention to the U.S." said Olsen, who's partnered with Alexander on a cybersecurity venture. "It's also become more complicated because of the geographic spread. ... The strategy is hard."

In light of President Barack Obama's acknowledgement last week that American and Italian aid workers were killed in a U.S. operation in Pakistan said to involve a drone strike, Olsen was asked to describe how the government decides to OK such attacks. He said he helped draft the policy Obama outlined in 2013 requiring that drone strikes be authorized only where an effort to capture a targeted militant is not feasible and where the threat of attack is imminent.

"One of these questions that I think is really hard and that we've spent a lot of time on is this idea of what's an imminent threat," said Olsen. "It might mean something - less demanding in the context of a group like Al Qaeda as opposed to how you might in your everyday life think about imminent. The way we talk about it in these operations is: Is there anything more that has to happen for this group to be able to carry out an attack?
And have they done what they need to do and we may not have another opportunity to deal with it, to do something that would stop them from carrying out an attack? And that's the way we talk about: Do they pose an imminent threat?"

Olsen described the judgment on feasibility of capture as a "common-sense" one and said it did not involve political considerations about the country involved. However, White House press secretary Josh Earnest said last week that questions about the reaction of local residents to U.S. troops factored into such decisions. The explanation led to the possible conclusion that the 2011 U.S. raid in which Osama bin Laden was killed in Abbottabad, Pakistan, was, in fact, not "feasible" under the current standards.

Some tense moments at the session came when journalist and author Jim Bamford asked Alexander about testimony he gave to a House panel in 2012, assuring Rep. Hank Johnson (D-Ga.) that the NSA wasn't vacuuming up the communications of Americans. "Does the NSA routinely intercept American citizens' emails?" Johnson had asked. "No," the then-NSA director said.

Bamford said NSA leaker Edward Snowden concluded that Alexander's testimony was not true. According to Bamford, Snowden cited a desire to rebut it as one of the reasons he decided to copy data he had access to about the agency's surveillance efforts and share it with journalists.

Johnson "did ask a series of questions on this, and I answered those, I think, exactly correct," Alexander said. "We went back over the record and ensured, with our legal folks, that I answered those exactly correct."

Critics have said Alexander's answers ignored the fact that information on Americans' phone calls is routinely collected by the NSA's phone metadata program and the content of communications of Americans is regularly picked up as the agency pulls in Internet and email data from foreigners' accounts. Alexander emphasized that the phone program doesn't collect content of phone calls.
He also said his answers were accurate because the surveillance conducted in the U.S. and revealed by Snowden takes place under legal authorities considered part of the Foreign Intelligence Surveillance Act.

"But your answer was simply, 'No,'" Bamford replied. "You didn't explain all those things."

"I don't buy that. I really don't buy that," Alexander insisted. (The whole Johnson-Alexander 2012 exchange is here.)

Alexander also said that Snowden needed to take only two documents to reveal the phone metadata and PRISM programs but took more than a million, revealing a wide array of more traditional U.S. intelligence-gathering efforts that the former NSA chief said raise no civil liberties concerns for the American public.

Alexander said that while he has no proof, he still believes Snowden may have been connected to the Russian intelligence service or another U.S. adversary. "Something doesn't look right to me," the ex-NSA chief said.

The discussion Wednesday was billed as a preview of the annual Aspen Security Forum, set to take place in Colorado in July.

CORRECTION (Thursday, 11:56 A.M.): The initial version of this post indicated inaccurately that bin Laden was captured in the 2011 raid.

-- It's better to burn out than fade away.