From rforno at infowarrior.org Sat Aug 1 08:18:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 1 Aug 2015 09:18:43 -0400
Subject: [Infowarrior] - TPP stumbles
Message-ID:

Talks for Pacific Trade Deal Stumble
Jonathan Weisman
http://www.nytimes.com/2015/08/01/business/tpp-trade-talks-us-pacific-nations.html

LAHAINA, Hawaii — Trade negotiators from the United States and 11 other Pacific nations failed to reach final agreement on Friday, with difficult talks on the largest regional trade agreement ever deadlocking over protections for drug companies and access to agriculture markets on both sides of the Pacific.

Trade ministers, in a joint statement, said late Friday they had made "significant progress" and will return to their home countries to obtain high-level signoffs for a small number of final sticking points on the agreement, the Trans-Pacific Partnership, with bilateral talks reconvening soon.

"There are an enormous number of issues that one works through at these talks, narrowing differences, finding landing zones," said Michael B. Froman, the United States trade representative. "I am very impressed with the work that has been done. I am gratified by the progress that has been made."

Still, the breakdown is a setback for the Obama administration, which had promoted the talks here as the final round ahead of an accord that would bind 40 percent of the world's economy under a new set of rules for commerce. President Obama's trade push had been buoyed by Congress's narrow passage in June of so-called fast track trade negotiating powers, and American negotiators had hoped other countries could come together once Congress had given up the right to amend any final agreement.

In the end, a deal filled with 21st-century policies on Internet access, advanced pharmaceuticals and trade in clean energy foundered on issues that have bedeviled international trade for decades: access to dairy markets in Canada, sugar markets in the United States and rice markets in Japan.

"No, we will not be pushed out of this agreement," said a defiant New Zealand trade minister, Tim Groser, who held out for better access for his country, the largest exporter of dairy in the world.

Australia, Chile and New Zealand also continue to resist the push by the United States to protect the intellectual property of major pharmaceutical companies for as long as 12 years, shielding them from generic competition as they recoup the cost of developing next-generation biologic medicines.

"There's always been more than one issue," said Representative Sander Levin, Democrat of Michigan, who is here as an observer.

The trade ministers who gathered at the luxury hotels of Maui this week for talks that went deep into the night did have some successes. They reached agreement on broad environmental protections for some of the most sensitive, diverse and threatened ecosystems on Earth, closing one of the most contentious chapters of the Pacific accord. They also reached agreement on how to label exports with distinct "geographic indications," such as whether sparkling wine can be called champagne. And they agreed on a code of conduct and rules against conflicts of interest for arbitrators who would serve on extrajudicial tribunals to hear complaints from companies about whether their investments were unfairly damaged by government actions.

But the failure to complete the deal — eight years in the making — means the next round of negotiations will push the United States ratification fight into 2016, a presidential election year.

Most Republican candidates are very likely to back it, but a final agreement would force the Democratic front-runner Hillary Rodham Clinton to declare her position, which she has avoided. This week, she told reporters, "I did not work on T.P.P." as secretary of state, although she gave a 2012 speech in Australia declaring the accord "the gold standard in trade agreements."

The push for the Pacific deal has already split most Democrats from their president. Further delay raises the prospect that a deal sealed by President Obama might have to be ratified by his successor, just as George H. W. Bush's North American Free Trade Agreement was secured by Bill Clinton.

The failure of the Maui talks pointed to the extreme difficulty of reaching agreement with so many countries, each with its own political dynamics. Vietnam, Malaysia and New Zealand were willing to make significant concessions to gain access to United States markets. But with Canada's prime minister, Stephen Harper, fighting for his political life ahead of national elections in October, Canada would not budge on opening its poultry and dairy markets.

Chile, with a new, left-of-center government and existing free trade agreements with each of the countries in the Pacific deal, including the United States, saw no reason to compromise, especially on its demand for a short window of protection for United States pharmaceutical giants. Australia's delegation insisted that pharmaceutical market protections beyond five years would never get through Parliament, and the United States team was demanding 12.

Ildefonso Guajardo, Mexico's secretary of economy, was defiant on the hard line he took against the export of Japanese cars with any less than 65 percent of their parts from T.P.P. countries. "I am fighting for the interests of my country," he said.

The bright spot might have been the environmental negotiations. The completed environmental chapter would cover illegal wildlife trafficking, forestry management, overfishing and marine protection, and it could prove to be a landmark, setting a new floor for all future multilateral accords.

"As centers of biodiversity, T.P.P. countries cover environmentally sensitive regions from tundra to island ecosystems, and from the world's largest coral reefs to its largest rain forest," reads a summary of the environment chapter, obtained by The New York Times. "T.P.P.'s Environment chapter addresses these challenges in detail."

Under the agreement, the 12 countries — from Peru and its rain forest to Vietnam and the diverse Mekong Delta — must commit to obeying existing wildlife trafficking treaties and their own environmental laws. Environmentally destructive subsidies, such as cheap fuel to power illegal fishing vessels and governmental assistance for boat making in overfished waters, are banned. The chapter singles out the "long-term conservation of species at risk," such as sea turtles, sea birds and marine mammals and "iconic marine species such as whales and sharks."

Failure to comply would subject a signatory to the same government-to-government compliance procedures as any other issue covered by the trade agreement, potentially culminating in trade sanctions. United States negotiators hope that just the threat of economic sanctions will bolster relatively weak environmental ministries in countries like Peru, Malaysia and Vietnam.

Some environmental groups, and many Democrats in Congress, are very likely to be dissatisfied. They complain that agreeing to a series of "obligations" falls short of "requirements." The Sierra Club has complained that the United States has not pursued trade remedies against countries obliged to environmental enforcement under existing accords, such as the United States-Peru free trade deal.

But most major environmental groups remained circumspect, or cautiously optimistic, until they could read the details.

"Negotiators have accomplished much, but the hard work is far from over," said David McCauley, senior vice president for policy at the World Wildlife Fund. "Individual nations now must live up to their T.P.P. conservation obligations, including putting in place effective measures to ensure that they are responsible traders in wildlife and products provided by our forests and oceans."

The impact of the Pacific accord's environmental chapter could be broad, both for the nations in the deal and those outside. The 12 participating countries account for more than a quarter of the global seafood trade and about a quarter of the world's timber and pulp production. Five of the countries rank among the world's most biologically diverse countries. Some, like Vietnam and Malaysia, have long been on the watch list for illegal wildlife trafficking, such as the illicit trade in rhino horns. Japan has long been scrutinized for its treatment of whales and dolphins. The World Bank has estimated that as much as 80 percent of Peru's logging exports are harvested illegally.

Under the terms of the new accord, member countries would be required to strengthen port inspections and document checks, a provision that could expand the scope of the deal beyond the 12 countries. Illegal wildlife and timber harvests bound for countries like China go through ports of the 12 countries. And countries in the deal are required to take action if they discover contraband that has been harvested illegally, even if the product is not illegal in their country.

Negotiators say they substantially narrowed the number of outstanding issues. They vowed to keep the momentum going. But, as one non-United States official said, if talks go into hiatus for long, it could be easier for many of the countries to say no than yes.

Correction: August 1, 2015
An earlier version of this article misstated the position of Ildefonso Guajardo, Mexico's secretary of economy, on car exports. He was taking a hard line against the export of Japanese cars with any less than 65 percent of their parts from T.P.P. countries, not on Mexican car and truck exports.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Aug 1 08:18:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 1 Aug 2015 09:18:49 -0400
Subject: [Infowarrior] - U.S. Decides to Retaliate Against China's Hacking
Message-ID: <44B8886D-8658-41EE-86B5-527563B5292F@infowarrior.org>

U.S. Decides to Retaliate Against China's Hacking
David E. Sanger
http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html

The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict.

The decision came after the administration concluded that the hacking attack was so vast in scope and ambition that the usual practices for dealing with traditional espionage cases did not apply. But in a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States — to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries.

That does not mean a response will happen anytime soon — or be obvious when it does.
The White House could determine that the downsides of any meaningful, yet proportionate, retaliation outweigh the benefits, or will lead to retaliation on American firms or individuals doing work in China. President Obama, clearly seeking leverage, has asked his staff to come up with a more creative set of responses.

"One of the conclusions we've reached is that we need to be a bit more public about our responses, and one reason is deterrence," said one senior administration official involved in the debate, who spoke on the condition of anonymity to discuss internal White House plans. "We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response."

In public, Mr. Obama has said almost nothing, and officials are under strict instructions to avoid naming China as the source of the attack. While James R. Clapper Jr., the director of national intelligence, said last month that "you have to kind of salute the Chinese for what they did," he avoided repeating that accusation when pressed again in public last week.

But over recent days, both Mr. Clapper and Adm. Michael S. Rogers, director of the National Security Agency and commander of the military's Cyber Command, have hinted at the internal debate by noting that unless the United States finds a way to respond to the attacks, they are bound to escalate. Mr. Clapper predicted that the number and sophistication of hacking aimed at the United States would worsen "until such time as we create both the substance and psychology of deterrence."

Admiral Rogers made clear in a public presentation to the meeting of the Aspen Security Forum last week that he had advised President Obama to strike back against North Korea for the earlier attack on Sony Pictures Entertainment. Since then, evidence that hackers associated with the Chinese government were responsible for the Office of Personnel Management theft has been gathered by personnel under Admiral Rogers's command, officials said.

Admiral Rogers stressed the need for "creating costs" for attackers responsible for the intrusion, although he acknowledged that it differed in important ways from the Sony case. In the Sony attack, the theft of emails was secondary to the destruction of much of the company's computer systems, part of an effort to intimidate the studio to keep it from releasing a comedy that portrayed the assassination of Kim Jong-un, the North Korean leader.

According to officials involved in the internal debates over responses to the personnel office attack, Mr. Obama's aides explored applying economic sanctions against China, based on the precedent of sanctions the president approved against North Korea in January.

"The analogy simply didn't work," said one senior economic official, who spoke on the condition of anonymity to discuss internal White House deliberations. North Korea is so isolated that there was no risk it could retaliate in kind. But in considering sanctions against China, officials from the Commerce Department and the Treasury offered a long list of countersanctions the Chinese could impose against American firms that are already struggling to deal with China.

The Justice Department is exploring legal action against Chinese individuals and organizations believed responsible for the personnel office theft, much as it did last summer when five officers of the People's Liberation Army, part of the Chinese military, were indicted on a charge of the theft of intellectual property from American companies. While Justice officials say that earlier action was a breakthrough, others characterize the punishment as only symbolic: Unless they visit the United States or a friendly nation, none of them are likely to ever see the inside of an American courtroom.

"Criminal charges appear to be unlikely in the case of the O.P.M. breach," a study of the Office of Personnel Management breach published by the Congressional Research Service two weeks ago concluded. "As a matter of policy, the United States has sought to distinguish between cyber intrusions to collect data for national security purposes — to which the United States deems counterintelligence to be an appropriate response — and cyber intrusions to steal data for commercial purposes, to which the United States deems a criminal justice response to be appropriate."

There is another risk in criminal prosecution: Intelligence officials say that any legal case could result in exposing American intelligence operations inside China — including the placement of thousands of implants in Chinese computer networks to warn of impending attacks.

Other options discussed inside the administration include retaliatory operations, perhaps designed to steal or reveal to the public information as valuable to the Chinese government as the security-clearance files on government employees were to Washington.

One of the most innovative actions discussed inside the intelligence agencies, according to two officials familiar with the debate, involves finding a way to breach the so-called great firewall, the complex network of censorship and control that the Chinese government keeps in place to suppress dissent inside the country. The idea would be to demonstrate to the Chinese leadership that the one thing they value most — keeping absolute control over the country's political dialogue — could be at risk if they do not moderate attacks on the United States.

But any counterattack could lead to a cycle of escalation just as the United States hopes to discuss with Chinese leaders new rules of the road limiting cyberoperations. A similar initiative to get the Chinese leadership to discuss those rules, proposed by Mr. Obama when he met the Chinese leader at Sunnylands in California in 2013, has made little progress.

The United States has been cautious about using cyberweapons or even discussing it. A new Pentagon strategy, introduced by the secretary of Defense, Ashton B. Carter, in the spring, explicitly discussed retaliation but left vague what kind of cases the United States viewed as so critical that they would prompt that type of retaliation.

In response to the Office of Personnel Management attack, White House officials on Friday announced the results of a 30-day "cybersecurity sprint" that began in early June after the federal personnel office disclosed the gigantic theft of data. Tony Scott, the government's chief information officer, who ordered the review, said in a blog post that agencies had significantly ramped up their use of strong authentication procedures, especially for users who required access to sensitive parts of networks. By the end of the 30th day, officials said that more than half of the nation's largest agencies, including the Departments of Transportation, Veterans Affairs and the Interior, now required strong authentication for almost 95 percent of their privileged users.

For Mr. Obama, responding to the theft at the Office of Personnel Management is complicated because it was not destructive, nor did it involve stealing intellectual property. Instead, the goal was espionage, on a scale that no one imagined before.

"This is one of those cases where you have to ask, 'Does the size of the operation change the nature of it?'" one senior intelligence official said. "Clearly, it does."
From rforno at infowarrior.org Sat Aug 1 08:18:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 1 Aug 2015 09:18:53 -0400
Subject: [Infowarrior] - America classifies way too much information---and we are all less safe for it
Message-ID: <3FE5EBBB-42EC-4A88-A037-686301A8380E@infowarrior.org>

America classifies way too much information---and we are all less safe for it
By Tom Blanton
July 31 at 8:06 PM
Tom Blanton is director of the National Security Archive at George Washington University.
https://www.washingtonpost.com/opinions/the-united-states-is-not-safer-when-its-citizens-are-left-in-the-dark/2015/07/31/641b53fa-36e2-11e5-b673-1df005a0fb28_story.html

Warning: If you hold a security clearance, reading this column could expose you to information that potentially violates your security agreement. Reading this column will certainly expose you to information that is currently classified by some securocrats, though not by others.

The inspectors general of the State Department and the intelligence community have made a security referral to the Justice Department regarding Hillary Clinton's e-mails on the grounds that some of them were "potentially classified." So is this column. Watch out: Your clearance is at stake.

Let me get the suspense over with. Here's a classified fact: We, the United States, based medium-range ballistic missiles carrying nuclear warheads in Turkey in 1962, which angered Soviet leader Nikita Khrushchev so much that he put his own into Cuba.

Wait: I've read all about that. It's been declassified, hasn't it? Well, yes. Except — in the immortal words of John F. Kennedy — "there's always some son of a bitch who doesn't get the word." The word is the Cold War is over, yet Cold War secrecy rules still control the government's information systems. The Defense Department still can't bring itself to declassify nukes in Turkey, and Italy, and the 50 or so other countries where we idiotically stationed them during the Cold War.

Here at the National Security Archive, in our "Dubious Secrets" series, we have published hundreds of U.S. government documents that one office or official considers declassified, while another insists must stay secret. Whom do you listen to? We have two versions of the same page of White House e-mail, addressed to then-deputy national security adviser Colin Powell, with the top and bottom blacked out from one review, and the middle blacked out from another, 10 days later. Turns out it was the same reviewer both times. So goes the highly subjective process of classification.

But let's talk about Clinton. Thank goodness she used a private e-mail server when she was secretary of state. If she had used the State Department system, practically none of her e-mail would survive. That's how bad State's electronic archiving was then. Instead, the State Department has 30,000 of her messages, and history is becoming much the wiser. Her critics, not so much.

Now, the same folks who clamored to see those messages seem to want to lock them up in classified vaults. Foolishness. They intend to redact the e-mails, thus putting red flags right on messages that circulated for years in unclassified form, thus highlighting the secrets they contain, if there really are any. Keeping the e-mails unclassified would actually be the best way to protect anything sensitive — through obscurity.

There were significant efficiency gains for our national security when the secretary of state ran her main e-mail account in unclassified form. No artificial barriers to information sharing. A bright line against including truly classified documents. A standing rebuke to the massive overclassification all around her.

I've seen a couple-million pages of documents that were classified when the government put them on paper or computer screens. I can say from experience that few deserved such consideration.

There are real secrets. This is where I diverge from the Julian Assanges and the Chelsea Mannings of the world. I don't want the designs of binary chemical warheads getting out, nor the identities of any brave Iranian or Chinese voices who talk to our embassies or CIA stations. The bottom lines of our diplomats in negotiations, I think we should keep to ourselves until such time as the deals are done.

But the real secrets make up only a fraction of the classified universe, and no secret deserves immortality. In fact, essential to the whole idea of democratic government is that secret deals with dictators will come out eventually, not least to deter the worst deals from being made.

WikiLeaks produced hysteria in Washington with its large-scale release of U.S. diplomatic cables in 2010. The House Judiciary Committee asked me to talk about whether lawmakers should amend the Espionage Act to prosecute those guys. Bad idea, I said. I predicted that there would be little damage to real national security because most classified cables can be published within a few years with no harm done.

I showed Congress the estimates over the years of how much gets classified that doesn't deserve to be. Ronald Reagan's executive secretary for the National Security Council, Rodney B. McDaniel, said 90 percent. Thomas H. Kean, the Republican head of the 9/11 Commission, said 75 percent of what he saw that was classified should not have been.

In fact, the congressional inquiry into 9/11 concluded that secrecy had kept the American people — our best allies in the fight against terrorism — from engaging with the threat they faced. The only responders with enough information to disrupt any of the Sept. 11 attacks were the passengers on United Flight 93, who heard through their cellphones what was happening on other planes and attempted to retake control of their own, saving who knows how many lives in the process.

The best defense of an open society is open information. We are not safer in the dark.
Those inspectors general poring over Clinton's e-mails need to get back to their transparency and accountability jobs, where they should focus on opening — not closing — the files that will empower a free citizenry to protect our country and ourselves, and hold our leaders to account.

From rforno at infowarrior.org Sun Aug 2 13:51:23 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 2 Aug 2015 14:51:23 -0400
Subject: [Infowarrior] - Germany pauses treason investigation into Netzpolitik.org journalists
Message-ID: <4B17FE50-8DC0-41D3-9E58-D00AF50C99E8@infowarrior.org>

Germany pauses treason investigation into Netzpolitik.org journalists
Thousands take to the Berlin streets in support of the site and press freedom.
by Glyn Moody - Aug 2, 2015 1:40pm EDT
http://arstechnica.com/tech-policy/2015/08/germany-pauses-treason-investigation-into-netzpolitik-org-journalists/

The investigation of two journalists on the German digital rights news site Netzpolitik.org for alleged treason was halted Friday by Germany's prosecutor general, Harald Range, following widespread protests by the media and politicians. The Guardian reports that Range said he was pausing inquiries "for the good of press and media freedom" and that he would "await the results of an internal investigation into whether the journalists from the news platform netzpolitik.org had quoted from a classified intelligence report before deciding how to proceed."

The head of German intelligence services, Hans-Georg Maassen, still defended the idea of bringing criminal charges against the site's writers. He told the German weekly Bild am Sonntag "to continue the fight against extremism and terrorism — it was necessary to guard against the publication of documents classified as confidential or secret."

As Ars reported last Thursday, Netzpolitik.org published two leaked documents earlier this year detailing plans to expand surveillance of social networks by the Federal Office for the Protection of the Constitution, of which Maassen is president. Initially, the investigation was believed to be into whoever was responsible for the leaks, but the search was widened last week to include two Netzpolitik.org journalists: Markus Beckedahl, the site's editor-in-chief, and Andre Meister.

News that the journalists were under investigation for treason drew widespread condemnation from dozens of leading German newspapers and radio stations. Correctiv.org re-published the leaked documents and then reported itself to Germany's prosecutor general on the grounds that it was as guilty as the Netzpolitik.org team and should therefore be investigated as well.

The Guardian noted that several German politicians have weighed in on the affair. The leading Green MP Renate Künast called the investigation a "humiliation to the rule of law," accusing Range of targeting the two journalists while ignoring the "massive spying and eavesdropping [conducted] by the NSA in Germany." The latter is still a sensitive subject among the German public.

On Saturday, thousands marched in Berlin to demonstrate their support for the Netzpolitik.org journalists and press freedom.

From rforno at infowarrior.org Mon Aug 3 11:33:02 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 3 Aug 2015 12:33:02 -0400
Subject: [Infowarrior] - Reporter Who Exposed ECHELON Finds Vindication in Snowden Archive
Message-ID: <983EE704-64A8-4A2A-B0DD-A2C170FB9C62@infowarrior.org>

After 27 Years, Reporter Who Exposed ECHELON Finds Vindication in Snowden Archive
https://firstlook.org/theintercept/2015/08/03/17-years-reporter-exposed-echelon-finds-vindication-snowden-archive/
From rforno at infowarrior.org Mon Aug 3 14:44:58 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 3 Aug 2015 15:44:58 -0400 Subject: [Infowarrior] - DHS Highlights Privacy Concerns In Senate Cybersecurity Bill Message-ID: <205BD052-0B7F-4AC7-899C-40CF441D3298@infowarrior.org> Department Of Homeland Security Highlights Privacy Concerns In Senate Cybersecurity Bill http://techcrunch.com/2015/08/03/department-of-homeland-security-highlights-privacy-concerns-in-senate-cybersecurity-bill -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Aug 3 14:48:50 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 3 Aug 2015 15:48:50 -0400 Subject: [Infowarrior] - ICANN posts proposal to end US oversight of Internet Message-ID: ICANN posts proposal to end US oversight of Internet AFP ? 2 hours 29 minutes ago https://in.news.yahoo.com/icann-posts-proposal-end-us-171818173.html The overseers of the Internet on Monday published a keenly anticipated proposal to step out from under US oversight. Under the plan, nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) would create a separate legal entity that would be contracted to handle key technical functions of the online address system. A "Customer Standing Committee" would monitor performance of what would essentially be an ICANN subsidiary, and a review process involving stake-holders would be put in place. ICANN would remain based in Southern California, and any major structural or operational changes to the foundation of the Internet's addressing system would require approval of the nonprofit organization's board of directors. The 199 page proposal was posted online at icann.org, where a note said that a public comment period would end on September 8. 
ICANN president Fadi Chehade said last month that the end of the US role is now set for mid-2016, with the transition pushed back by a year to allow time for input from the Internet community and review by the US government and Congress. ICANN will become an independent entity without US government oversight for the Internet's domain and address system, Chehade said, noting that the transition is likely to take place between July and September 2016. "We will further empower the community to ensure the accountability of ICANN as an institution," Chehade said in an interview with AFP in Washington. "By making this independent and neutral we are enhancing the longevity of this model." Chehade said governments around the world appear to be coming around to accepting the existing "multistakeholder" model that allows for all groups of Internet users and interested parties to participate, instead of a "multilateral" model led by governments. The US government in March 2014 outlined its plan to step away from its oversight role and fully privatize the functions of ICANN. Chehade noted that the transition away from US government oversight has been in planning since ICANN -- a nonprofit corporation under contract to the US government -- was created in 1998. -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Aug 3 17:16:55 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 3 Aug 2015 18:16:55 -0400 Subject: [Infowarrior] - CISA sponsors reach deal to help speed Senate passage Message-ID: <591E1CAE-F430-4A42-8440-E1796BFC81E6@infowarrior.org> Cyber bill sponsors reach deal to help speed Senate passage By Cory Bennett - 08/03/15 05:11 PM EDT http://thehill.com/policy/cybersecurity/250134-cyber-bill-backers-reach-initial-deal-to-help-speed-passage The bipartisan co-sponsors of a major cybersecurity bill reached a preliminary deal on amendments that could help speed the measure through the Senate before August recess. Sens. 
Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), the top two lawmakers on the Senate Intelligence Committee, are backing the Cybersecurity Information Sharing Act (CISA). Their bill would boost the exchange of data on hackers between companies and the government. Supporters, including industry groups and a bipartisan group of lawmakers, argue this exchange is necessary to better understand and thwart potential cyberattacks. But privacy advocates argue the bill simply shuttles more private data on American citizens to government intelligence agencies, empowering surveillance programs. In response, privacy-minded Senators, led by Sens. Ron Wyden (D-Ore.) and Patrick Leahy (D-Vt.), have been angling to significantly alter the bill. But Burr and Feinstein on Friday started circulating a managers? amendment, obtained by The Hill, that would address some ? but not all ? of the privacy concerns that have stalled the bill since March. The deal could help usher CISA through the upper chamber in the last moments before the Senate breaks for a month. Senate Majority Leader Mitch McConnell (R-Ky.) last week vowed to act on CISA before leaving town. But even the bill?s supporters have expressed doubt that lawmakers have enough floor time to wade through all the desired amendments, absent a major deal that limits the add-ons that could be offered. Multiple Senate offices, including Feinstein?s, confirmed the document's authenticity. But several aides cautioned that the text was not necessarily final and that it didn?t indicate a broader deal had been struck on all desired changes. Still, the managers? amendment could be a first step toward that broader deal. Several Senate offices hoping to change CISA indicated the pact was a positive sign, even if it falls short of what they ultimately want. The changes would restrict how the government can share and use the data it would collect under CISA. 
Civil liberties groups and technologists argue the current bill would allow the National Security Agency (NSA) to use CISA data to snoop on people for numerous reasons unrelated to cyber crime. The amendment would strike "serious violent felonies" from the list of approved uses in an attempt to mitigate that fear. It would also add clarifying language to ensure information collected through CISA could only be shared within the government for "cybersecurity purposes."

CISA contains provisions requiring "real-time" sharing once an agency has received cyber threat data. Privacy advocates have chafed at this portion of the bill.

"This is a very significant privacy change, and it has been another top bipartisan and privacy group concern," said a summary of the amendment being circulated.

The amendment also directly addresses one of Leahy's top worries: that private sector information shared would be exempt from Freedom of Information Act (FOIA) requirements. The CISA edit "eliminates the creation of a new exemption in the Freedom of Information Act specific to cyber information," the summary said.

Still, the language fails to address some of the major issues driving opposition to the bill. It would not, for example, eliminate all direct sharing between the private sector and government intelligence agencies. This has been a sticking point for the White House, which has long argued all data swaps should go through the Department of Homeland Security (DHS). The administration and privacy advocates believe the DHS, as a civilian agency, is best suited to scrub personal data and control the flow of cyber threat information within the government.

The managers' amendment only "clarifies the types of cyber information sharing that are permitted to occur outside the 'DHS portal' created by the bill," according to the summary.

Sen. Mark Warner (D-Va.) is also hoping to attach language that would give the Department of Homeland Security (DHS) more cyber authorities.
The amendment does not touch on his efforts.

Access, a digital privacy group that has been working with Wyden to continue stalling the bill, said the Burr-Feinstein agreement won't bring privacy advocates around.

"Changes under the managers' amendment won't stop the government from instantly passing along information to intelligence agencies," said Nathan White, Access senior legislative manager. "Law enforcement can still use information to prosecute whistleblowers under the Espionage Act."

Norma Krayem, a lobbyist who has been involved in the recent CISA debates, thinks the Senate still has a ways to go.

"The tipping point on proceeding on cybersecurity could actually come from the administration supporting action in the Senate," explained Krayem, who co-chairs the Data Protection and Cybersecurity division at law firm Holland & Knight. "However, it still depends on three basic factors," she added. "Whether or not substantial changes are made in the underlying bill; if a sufficient amount of amendments are allowed to address privacy concerns and ultimately, are there 60 votes to move forward? It's like the 'known unknowns.'"

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Aug 4 07:06:11 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 4 Aug 2015 08:06:11 -0400
Subject: [Infowarrior] - Microsoft Launches Special 'Scott McNealy' Edition Of Windows
Message-ID:

Microsoft Launches Special 'Scott McNealy' Edition Of Windows
https://www.techdirt.com/articles/20150802/07341031825/microsoft-launches-special-scott-mcnealy-edition-windows.shtml

-- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Aug 4 07:06:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 4 Aug 2015 08:06:41 -0400
Subject: [Infowarrior] - Smartphone's battery life can be used to invade your privacy
Message-ID: <5C8B2C1C-0C06-4518-982C-D1BEA21A55B4@infowarrior.org>

(c/o AJR)

How your smartphone's battery life can be used to invade your privacy
http://www.theguardian.com/technology/2015/aug/03/privacy-smartphones-battery-life

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Aug 4 13:00:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 4 Aug 2015 14:00:15 -0400
Subject: [Infowarrior] - Anti-Whistleblower 'Ag-Gag' Law Ruled Unconstitutional
Message-ID:

Anti-Whistleblower 'Ag-Gag' Law Ruled Unconstitutional
https://www.techdirt.com/articles/20150803/17565031843/anti-whistleblower-ag-gag-law-ruled-unconstitutional.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Aug 4 18:17:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 4 Aug 2015 19:17:07 -0400
Subject: [Infowarrior] - Google and AT&T have been dragged into the wiretapping allegations against Apple
Message-ID: <01D53685-F626-424C-89EC-57DF83473355@infowarrior.org>

Google and AT&T have been dragged into the wiretapping allegations against Apple
Jim Edwards - Aug. 4, 2015, 11:53 AM

Google and AT&T have both filed motions in a US federal lawsuit that alleges Apple wire-tapped users who ditched their iPhones for Android phones. Apple denies the claims.....

Read more: http://www.businessinsider.com/google-and-att-have-been-dragged-into-the-wiretapping-lawsuit-against-apple-2015-8?op=1#ixzz3htJY0w5f

-- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Aug 5 08:13:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 09:13:34 -0400
Subject: [Infowarrior] - A chat with Black Hat's unconventional keynote speaker
Message-ID: <5F555171-7284-4804-98C5-F06062CA3EC7@infowarrior.org>

(Jennifer rocks, is a solid voice of reason on civil liberties issues, and I'm thankful to know her both before and during my time at the Stanford CIS. --rick)

A chat with Black Hat's unconventional keynote speaker
by Violet Blue | @violetblue | 17 hours ago
http://www.engadget.com/2015/08/04/a-chat-with-black-hats-unconventional-keynote-speaker/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 08:50:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 09:50:55 -0400
Subject: [Infowarrior] - Why DHS opposes CISA (hint: not for privacy concerns)
Message-ID:

Want To Know Why DHS Is Opposing CISA? Because It's All A Surveillance Turf War
https://www.techdirt.com/articles/20150804/11491231848/want-to-know-why-dhs-is-opposing-cisa-because-all-surveillance-turf-war.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 08:51:24 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 09:51:24 -0400
Subject: [Infowarrior] - China to Set Up 'Security Offices' Inside Internet Companies
Message-ID: <814185C7-A51D-42BD-BC11-84B67BB60846@infowarrior.org>

China to Set Up 'Security Offices' Inside Internet Companies
by Lulu Yilun Chen
August 4, 2015 - 11:41 PM EDT; updated on August 5, 2015 - 3:23 AM EDT
http://www.bloomberg.com/news/articles/2015-08-05/china-to-set-up-security-offices-inside-internet-companies

China plans to set up "network security offices" staffed by police inside major Internet companies, a move to strengthen the government's grip on the world's largest population of Web users.
The Ministry of Public Security will add police officers at "critical" companies to help boost defenses against cyber-attacks and fight criminal activity, the state-run Xinhua News Agency reported, citing a ministry conference. The initiative is also intended to safeguard users' information, Xinhua said without naming specific companies or websites. The country's largest Internet companies include Alibaba Group Holding Ltd., Tencent Holdings Ltd. and Baidu Inc.

China's government has long controlled Web content, blocking pornography, dissident websites and any other information it deems a threat to the ruling Communist Party. It is planning to build a national cyber safety net as part of a sweeping security bill being considered by the top lawmaking body. The draft bill, now seeking public feedback, will enable national and local governments to cut Internet access in cases of major public-security incidents, according to a statement on its website. For example, China blocked some instant-messaging services in the western province of Xinjiang last year because of social unrest, Caixin reported, citing a government notice.

"It's probably part of this cybersecurity paranoia that seems to be gripping China," said Doug Young, author of "The Party Line: How the Media Dictates Public Opinion in Modern China." "Having the watchdog sit in their office would be a constant reminder that the government is watching them."

'Purifying Cyberspace'

Alibaba works with the government to combat criminal activity on the Internet and protect its customers, the Hangzhou-based company said in an e-mail. Baidu said in an e-mail it was checking the Xinhua report, while a Tencent representative didn't respond to calls and e-mails seeking comment.

President Xi Jinping designated "representatives of new media" as a key focus for the ruling party's outreach in May, according to Xinhua. China had 668 million Internet users at the end of June, according to a government research institute.
Technology leaders should "demonstrate positive energy in purifying cyberspace," Xi said at the end of the party's first national United Front conference, Xinhua reported. He called for regular contact with representatives of new media to build support for the party's agenda.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 10:27:23 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 11:27:23 -0400
Subject: [Infowarrior] - Pennsylvania embraces pre-crime for sentencing
Message-ID: <947FF6E9-05A9-462B-8D86-E15493F2ED27@infowarrior.org>

Should Prison Sentences Be Based On Crimes That Haven't Been Committed Yet?
http://fivethirtyeight.com/features/prison-reform-risk-assessment/?ex_cid=538twitter

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 10:32:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 11:32:15 -0400
Subject: [Infowarrior] - TPP leak shows hideous US desires for IP enforcement
Message-ID: <2C11FDBE-6AA1-4CDD-B124-D576E54402C8@infowarrior.org>

TPP Leaks Shows US Stands Firm That Companies Should Be Free To Abuse Patents & Copyrights
https://www.techdirt.com/articles/20150805/00144231854/tpp-leaks-shows-us-stands-firm-that-companies-should-be-free-to-abuse-patents-copyrights.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 18:11:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 19:11:28 -0400
Subject: [Infowarrior] - We're heading Straight for AOL 2.0
Message-ID: <333238DC-D9B6-4805-9706-7000E165BD4B@infowarrior.org>

We're heading Straight for AOL 2.0
August 5, 2015
http://jacquesmattheij.com/aol-20

Before "HTTP", whenever a new kind of application was invented (say "file sharing", or "address book" or "messaging") someone would sit down with a bunch of others and would discuss this problem at some length.
Then they'd draft up a document describing the problem they intended to solve and the protocol layer they came up with to address this problem. That document would then be sent out to various parties that might have an interest in using this protocol who then would supply their feedback and as a result of that a more complete version of the original document would be released. And so on until the resulting protocol was considered mature enough for implementation.

This process, centered around documents called 'RFC's, is what got us IP (the internet protocol), TCP (the transport control protocol), HTTP (the world wide web), SMTP (email), the DNS (the domain name system), FTP (the file transfer protocol) and many other extremely useful building blocks for the modern internet. The implementation of these protocols and their integration into applications was then left to the rest of the world, the standards body had - beyond maybe a reference implementation - no interest in that stage of the proceedings and certainly no commercial interest. Protocols came, were adopted and eventually replaced, either by something better or they died due to a lack of adoption.

And then something strange and for the most part unexpected happened. Where before all of the protocols were layered on top of the Transport Control Protocol (or UDP in some cases), or TCP in computer programmer lingo, a protocol was invented that was so successful that it in turn became a transport layer all by itself (not without associated problems). The reason for this is that instead of delivering software to the end users which then implemented this protocol using executables for the various platforms, HTTP allowed delivery of both the visual part of the application (the user interface) and (eventually) the rest of the client portion of the application in one go.
The existence of firewalls (which block off a lot of the ports otherwise accessible for peer-to-peer and client-server computing) further accelerated this to the point where instead of drafting RFCs for publicly available and open protocols companies now deliver one half of their application and some custom protocol over HTTP and never mind inter-operability with other services or playing nice.

The end result of all that is that we're rapidly moving from an internet where computers are "peers" (equals) to one where there are consumers and "data owners", silos of end user data that work as hard as they can to stop you from communicating with other, similar silos.

Imagine an internet where every other protocol except for the most closely related to "plumbing" ones (TCP/IP/UDP/DNS) are no longer open but closed. That may sound far-fetched but even though the number of RFCs is still growing the last RFC with an article in the Wikipedia list of RFCs is the iCalendar Specification (RFC 5545) and it dates from 2009. Since then there has been a lot of movement on the web application front but none of those has resulted in an open protocol for more than one vendor (or open source projects) to implement. One explanation is that we now have all the protocols that we need, another is that more and more protocols are layered on top of HTTP in a much more proprietary manner.

This is a dangerous development, the end-game of which is an internet that is about as closed as it could get by removing all the interoperability and replacing it with custom and incompatible protocols over HTTP, maybe with the occasional server talking to another server in the background. Email will probably be the last to go, when the last user of it finally gives up and moves to gmail so they can continue to communicate with their contacts or maybe they give up entirely.
RSS (an open content syndication protocol on top of HTTP, which I think is a nice way to illustrate that it is possible to use HTTP as a layer and play nice at the same time) is already an endangered species, XMPP support is slowly but surely being removed (just imagine a phone system where every number you call to may require a different telephone), NNTP has been "mostly dead" for years (though it still has some use the real replacement of usenet for discussion purposes appears to be Reddit and mailing lists) and so on.

The only protocols that are developed nowadays that are open are typically related to plumbing (moving bits of data around), not application level protocols which determine how a whole class of applications around a similar theme can talk to each other.

The biggest internet players count users as their users, not users in general. Interoperability is a detriment to such plays for dominance. So there are clear financial incentives to move away from a more open and decentralized internet to one that is much more centralized. Facebook would like its users to see Facebook as "the internet" and Google wouldn't mind it if their users did the same thing and so on. It's their users after all.

But users are not to be owned by any one company and the whole power of the internet and the world wide web is that it's peer to peer, in principle all computers connected to it are each others equals, servers one moment, clients the next. If the current trend persists we're heading straight for AOL 2.0, only now with a slick user interface, a couple more features and more users. I personally had higher hopes for the world wide web when it launched. Wouldn't it be ironic if it turned out that the end-run the WWW did around AOL because the WWW was open and inclusive ended up with different players simply re-implementing the AOL we already had and that we got rid of because it was not the full internet.
So, if you're going to design a webapp and you wish to help revert this trend (assuming that is still possible): Please open up your protocols, commit to keeping them open and publish a specification. And please never do what twitter did (start open, then close as soon as you gain traction).

Posted by Jacques Mattheij August 5, 2015

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 18:13:24 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 19:13:24 -0400
Subject: [Infowarrior] - Warrant required for mobile phone location tracking, US appeals court rules
Message-ID:

Warrant required for mobile phone location tracking, US appeals court rules
Fed's position would "convert an individual's cell phone into a tracking device."
by David Kravets - Aug 5, 2015 5:30pm EDT
http://arstechnica.com/tech-policy/2015/08/warrant-required-for-mobile-phone-location-tracking-us-appeals-court-rules/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 18:29:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 19:29:45 -0400
Subject: [Infowarrior] - Senate Punts on Cybersecurity Bill
Message-ID:

Few if any national issues, emergencies, or topics warrant Congresscritters working over a scheduled recess. After all, money. /sarc

Senate Punts on Cybersecurity Bill
http://www.nationaljournal.com/tech/senate-cybersecurity-bill-still-in-limbo-20150805

Senate Majority Leader Mitch McConnell withdrew the cyberinformation-sharing bill from consideration, leaving the Senate to take it up again in September.
By Kaveh Waddell
August 5, 2015

Senators are heading home for the August recess without voting on the cybersecurity bill. Lawmakers worked for days on an agreement about which amendments to include on the cyber bill, but Senate leaders pulled the plug at the last minute on a vote scheduled first for 10:30 a.m., then for 2 p.m. Then they decided to skip town.
Under the deal senators struck Wednesday afternoon, the cyber bill will come up again in September after recess, and 21 Democratic and Republican amendments will receive votes.

The bill - put forward by the top members of the Senate Intelligence Committee, Sens. Richard Burr and Dianne Feinstein - would offer incentives to the private sector to share information about cyberthreats with the government. Supporters, including senators from both parties and many in the private sector, say the information sharing legislation would make for stronger cyberdefenses against hackers. But privacy advocates in and out of the Senate have raised flags about the bill's treatment of Americans' sensitive information, saying it will violate personal privacy, and security experts have questioned the bill's effectiveness.

Several Republican senators said Wednesday that negotiators discussed timing for both the cyber bill and the Iran deal, which will be the first topic that the Senate takes up when it returns from the August recess. When the cyber bill does come up, 21 amendments - 10 GOP and 11 Democratic - will also get a vote.

Democrats weren't happy that nothing got done over the last week. "We've spent now, on two different bills, what, how many weeks debating abortion? We've got to debate some real things like cybersecurity, and have real amendments, not pretend amendments," said Sen. Patrick Leahy Wednesday morning.

Senators from both sides of the aisle have called for changes to the Cyber Information Sharing Act and have put forward dozens of proposals. The amendments included offerings from the Senate's privacy advocates - Democrats Leahy and Ron Wyden, and Republicans Rand Paul and Mike Lee - as well as efforts to increase the cybersecurity of federal agencies from Sens. Mark Warner and Ron Johnson. But not all the proposed amendments were on-topic.
Paul proposed three changes that have nothing to do with cybersecurity: one to allow the government to audit the Fed, another about immigration policy, and a third that would allow servicemen and servicewomen to carry weapons onto military bases. Paul's unrelated amendments were among the bigger hurdles that the Republican caucus had to deal with in reaching an agreement amongst themselves, a GOP Senate aide said Wednesday.

Earlier Wednesday, Feinstein spoke on the Senate floor about more than a dozen "privacy-information improvements" she and Burr made to the bill, recited a list of cyberattacks that affected millions of Americans in the past year, and named some of the bill's supporters in the private sector. "I make these remarks in hopes that it can clear the air somewhat and when a cloture vote does come at 2 o'clock, that we have the votes to proceed," Feinstein said.

The Senate got a late start on the cyber bill this week in part because Senate Majority Leader Mitch McConnell prioritized a vote on defunding Planned Parenthood. After senators voted not to move forward on that measure, McConnell filed cloture on CISA. The earliest the Senate was allowed to vote to move forward on CISA was Wednesday morning.

Sarah Mimms and Alex Rogers contributed to this article.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 19:47:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 20:47:50 -0400
Subject: [Infowarrior] - OT: The New Devil's Dictionary
Message-ID:

So....very......true!

The New Devil's Dictionary
http://www.theverge.com/a/new-devils-dictionary

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 5 20:30:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 5 Aug 2015 21:30:45 -0400
Subject: [Infowarrior] - China's 'official' response to US cyberwar policy (Xinhua)
Message-ID:

Op-Ed: U.S.
should think twice before retaliating against China over unfounded hacking charges English.news.cn | 2015-08-03 15:09:28 | Editor: huaxia http://news.xinhuanet.com/english/2015-08/03/c_134475713.htm WASHINGTON, Aug. 2 (Xinhua) -- The United States is on the brink of making another grave mistake under the name of protecting cyber security, as it is reportedly considering retaliatory measures against China for unfounded hacking accusations. Senior U.S. government and intelligence officials were quoted by a U.S. newspaper as saying Friday that President Barack Obama's administration has determined to retaliate against China for its alleged theft of personnel information of more than 20 million Americans from the database of the Office of Personnel Management (OPM), but the forms and specific measures of the retaliation have not been decided. The report added that Obama has allegedly ordered his staff to come up with "a more creative set of responses," while a U.S. official hinted that the United States will employ "a full range of tools to tailor a response." The decision came amid a growing chorus in the United States demonizing China as the culprit behind the massive breach of the OPM computer networks. As witnessed by most past similar cases, the U.S. government, Congress and media once again called for punishing China for this after a top U.S. intelligence official indirectly pointed a finger at China. Obviously, cyber security has become another tool for Washington to exert pressure on China and another barrier that restrains the further development of China-U.S. relations. Washington will be blamed for any adverse effects this might have on its ties with China, as all the U.S. accusations against China were made without providing concrete evidence. The U.S. government was also self-contradictory for declining to directly name China as the attacker on the one hand, while deciding to target China for retaliation on the other. 
By repeatedly blaming China for hacking into its government computers, Washington apparently tries to portray Beijing as the No. 1 bad guy in cyber space, but this is doomed to fail because the United States is the most powerful country with the most advanced cyber technologies. As exposed by former U.S. defense contractor Edward Snowden, the U.S. government has been notoriously and blatantly engaged in worldwide surveillance operations against numerous other countries. To divert criticism against its relentless espionage activities, it portrays itself as a victim of cyber attacks. By heating up the issue of the OPM hacking, Washington perhaps also aims to pressure China to restore the bilateral cyber work group which was suspended last year after Washington sued five Chinese military officers on so-called charges of commercial espionage despite strong protests from China. China has repeatedly stated that it is against all forms of cyber attacks and will crack down on them, as it has long been a major victim of such illegal activities, many of which originated from the United States. China has also called for conducting cooperation with the U.S. side and any other country to protect cyber security and its peaceful order. Just like protecting its territorial sovereignty and integrity, China is strongly determined to protect the safety of its cyber space and reserves all rights to counter any outside threats and intrusions. It will meet any form of political or economic retaliation with corresponding countermeasures. The United States, which made a mistake last year with its false charges against the Chinese officers, should not repeat the mistake by taking retaliatory measures against China over the OPM incident. If it stubbornly implements retaliatory measures against China in cyber space, it will be known for being a cyber bully and will have to shoulder responsibility for escalating confrontation and disrupting the peaceful order in the cyber space. 
-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Aug 6 09:44:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 6 Aug 2015 10:44:18 -0400
Subject: [Infowarrior] - OPM won a cybersecurity award. For 'most epic FAIL.'
Message-ID:

OPM won a cybersecurity award. For 'most epic FAIL.'
By Andrea Peterson
August 6 at 8:51 AM
https://www.washingtonpost.com/news/the-switch/wp/2015/08/06/opm-won-a-cybersecurity-award-for-most-epic-fail/

LAS VEGAS -- The Office of Personnel Management won a cybersecurity award Wednesday night. But it was for "most epic FAIL."

The government agency was "honored" at The Pwnies, a comedic awards show held at the Black Hat USA cybersecurity conference, for breaches that exposed the personal information of tens of millions of current and former federal workers, including the fingerprints of more than a million people who applied for government background checks.

The Pwnie Awards gets its name from the hacker slang "pwn" for "owning" or taking over something. It comes complete with trophies in the form of golden "My Little Pony"-style toys.

"These people have let you down not only as an industry, but as personal human beings," said security researcher Chris Valasek in his description of the category OPM won during the event. "It's the equivalent of your parents saying they're not angry at you, they're just disappointed."

No one from the agency appeared to accept the award.

OPM was also nominated for "epic 0wnage," but lost to controversial commercial surveillance vendor Hacking Team -- which had its inner-workings exposed last month after a cyberattack. Morgan Marquis-Boire, the director of Security at First Look Media and a researcher who worked on reports that tied the Italian company to governments with questionable human rights records before the leaks, jokingly accepted the award on Hacking Team's behalf.
This was the 9th consecutive year of the Pwnies in Las Vegas and nominees competed in ten categories, including ones honoring researchers who discovered the best security vulnerability. There was also a best song category that features -- what else -- sick beats about cybersecurity.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 7 07:26:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 7 Aug 2015 08:26:29 -0400
Subject: [Infowarrior] - Waiting for Android's inevitable security Armageddon
Message-ID:

Waiting for Android's inevitable security Armageddon
Editorial: Android's update strategy doesn't scale, and that's recipe for disaster.
by Ron Amadeo - Aug 6, 2015 4:00pm EDT
http://arstechnica.com/gadgets/2015/08/waiting-for-androids-inevitable-security-armageddon/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 7 09:33:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 7 Aug 2015 10:33:37 -0400
Subject: [Infowarrior] - News Corp DMCA's itself last night
Message-ID: <4F5553ED-1B13-42D1-AD85-B812D96F37DA@infowarrior.org>

Another bit of copyright awesome.....

News Corp. Makes Copyright Claim Over News Corp's Live Video Stream Of The GOP Debate
https://www.techdirt.com/articles/20150806/19510931877/news-corp-makes-copyright-claim-over-news-corps-live-video-stream-gop-debate.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 7 12:03:06 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 7 Aug 2015 13:03:06 -0400
Subject: [Infowarrior] - FBI: When It Comes To @ISIS Terror, Retweets = Endorsements
Message-ID: <3A98BB36-7320-452E-96C2-51EE4A64D847@infowarrior.org>

FBI: When It Comes To @ISIS Terror, Retweets = Endorsements
Ryan J.
Reilly Justice Reporter, The Huffington Post Posted: 08/07/2015 07:58 AM EDT | Edited: 2 hours ago http://www.huffingtonpost.com/entry/twitter-terrorism-fbi_55b7e25de4b0224d8834466e?5r110pb9 WASHINGTON -- The FBI's best informant has played a role in dozens of terrorism cases over the past several years and provided endless intelligence on extremists across the United States. The informant is young, rich, well-connected, easily distracted and really into reality television. The informant's name? Twitter. The social network is an "extraordinarily effective way to sell shoes, or vacations, or terrorism," and it puts propaganda in the pocket of kids and those with troubled minds, FBI Director James Comey said recently. "It's buzz, buzz, buzz, buzz, buzz. It's the constant feed ... the devil on your shoulder all day long, saying, 'Kill, kill, kill.'" FBI agents have cited suspects' tweets in a slew of recent terrorism cases. Federal prosecutors have charged several Twitter users who allegedly support the Islamic State with lying to federal agents about their Twitter activity. In other cases, the FBI has pointed to Twitter activity -- including retweets -- as probable cause for terrorism charges. In one case, a 17-year-old pleaded guilty to providing "material support" to a designated foreign terrorist organization by tweeting out links. Law enforcement officials are ramping up their monitoring of Twitter. The company received 2,879 information requests from federal, state and local law enforcement authorities within the U.S. in 2014 -- a 66 percent increase from the 1,735 it received in 2013, according to its transparency report. Overall, there was a 72 percent jump in the number of accounts affected by such requests in the second half of 2014. The requests could be seeking additional user information, IP addresses and even the content of direct messages sent through the network. 
Twitter's report does not specify how many requests came from the federal government in particular. But it's notable that FBI agents investigating terrorism are likely based in some of the locations with the highest number of Twitter requests in the second half of 2014. There were 195 requests made in Virginia, 170 requests out of New York state, and 125 requests that originated in the nation's capital.

Among the recent terrorism cases that pointed to Twitter, the feds brought criminal charges against Ali Shukri Amin, a 17-year-old from Virginia who operated the Twitter account @AmreekiWitness, simply for sending certain tweets. The government -- which in press releases alternatively referred to Amin as a "Manassas Man" and a "Virginia Teen" -- focused on Amin's tweets about ways to use Bitcoin to financially support the Islamic State, also known as ISIL and ISIS.

Amin has pleaded guilty and, in a statement of facts, agreed that he had operated the Twitter account, which "boasted over 4,000 followers," as a "pro-ISIL platform during the course of over 7,000 'tweets.'"

After the teen pleaded guilty in June, Dana Boente, the top federal prosecutor in the Eastern District of Virginia, said the case "demonstrated that those who use social media as a tool to provide support and resources to ISIL will be identified and prosecuted with no less vigilance than those who travel to take up arms with ISIL."

Hamza Ahmed, 19, was indicted earlier this year for lying to federal agents about his travel plans and about how well he knew someone who had traveled to Syria. While Ahmed said he knew the person only "vaguely" from high school, the FBI pointed to a series of tweets between the pair in which Ahmed said, "Lol my bro I love you."

Bilal Abood, 37, was arrested in May and charged with making a false statement to the FBI, in part about his Twitter activity. A review of his computer revealed that he "had been on the internet viewing ISIS atrocities such as beheadings and using his twitter account to tweet and retweet information" on Abu Bakr al-Baghdadi, the leader of the Islamic State, and had reportedly used his Twitter account to "pledge obedience" to Baghdadi, according to the indictment. Abood allegedly denied pledging obedience. An affidavit from an FBI agent said that particular post "was retweeted by others."

Arafat Nagi, a 44-year-old from Lackawanna, New York, arrested last week, made statements to federal law enforcement that were "inconsistent with his statements on the Twitter account that has been linked to him," according to an affidavit from an FBI agent. One tweet from April 2014, the agent wrote, demonstrates that Nagi was "promoting ISIL and their cause on Twitter."

Agents also did an extensive review of Nagi's Twitter account, noting that 140 of the 278 Twitter handles he followed "featured profile pictures of ISIL flags, photos of al-Baghdadi or Osama bin Laden, photos of weapons or of individuals in military fatigues, photos of recent beheadings or other images which could reasonably be described as violent or terrorism-related in nature." Of Nagi's own 412 followers, the FBI said, approximately 187 "showed images that could reasonably be described as violent or terrorism-related in nature."

Keonna Thomas, a 30-year-old from Philadelphia who went by @YoungLioness on Twitter, was charged in April with attempting to provide material support for the Islamic State. In an affidavit in support of probable cause, an FBI agent pointed to tweets that Thomas "re-posted on Twitter" supporting the militant group.

Comey, the FBI director, maintains that Americans still have protection against the government going after them for simple speech because the feds know they'll have to prove beyond a reasonable doubt that a suspect purposefully engaged in illegal conduct.
"Knowing it was wrong, you provided material support for a terrorist organization or some other offense," Comey said, explaining how the FBI sees these suspects in response to Huffington Post questions during a meeting with reporters last month. "That is the bulwark against prosecuting someone for having an idea or having an interest. You have to manifest a criminal intent to further the aims prohibited by the statute."

Asked if reposting materials alone would cross the line, Comey said the answer would be different based on the individual circumstances.

"It would depend upon what your mental state is in doing it," the FBI director said. "I can imagine an academic sharing something with someone as part of research would have a very different mental intent than someone who is sharing that in order to try and get others to join an organization or engage in an act of violence. So it's hard to answer in the abstract like that."

But Comey said it was "pretty darn clear" where the line was.

"The government is required to prove beyond a reasonable doubt that you acted with a criminal intent to violate the statute. That is how we know people don't stumble, fall into, accidentally end up with a criminal violation," Comey said. "We're required to prove you knew what you were doing, you knew it was wrong, and you did it anyway. That's why I'm a big, big believer that that's a very important burden on the government."

That may sound cautious in theory, but Lee Rowland wants to be sure the government isn't sweeping too broadly in practice. The senior staff attorney for the American Civil Liberties Union's Speech, Privacy & Technology Project said that pure speech, even unpopular speech, should be protected.

"The First Amendment prohibits the government from making it a crime to engage in speech, including hearing or agreeing with controversial or unpopular ideas," Rowland said. "So if someone is being charged with a crime simply for retweeting the content of a terrorist group, that would violate the First Amendment, full stop."

"Of course there's also the question of intent there: repeating speech is not automatically an endorsement. ... There are viral anti-terrorism activists who have reposted or retweeted speech or images by ISIS, for example, to highlight the group's cruelty," said Rowland. "So a RT alone is certainly not an endorsement and in many situations may be a criticism of the original speaker, and that's particularly true with terrorism, because I believe many people may believe terrorism is self-evidently immoral."

Robert Chesney, a law professor at the University of Texas at Austin, said he suspects the government may, in fact, resist bringing cases that are purely about social media activity.

"If you're the prosecutor, it's all well and good to say we're going to prosecute, as material support, a retweet or what have you, but nobody wants to go into court with that as the entire basis -- or even the grand jury with that as the whole basis," Chesney said. "Any good investigator would say, all right, now we have a person of interest. Let's make sure we get that person in contact with the cooperating witness or confidential informant. Then we'll get them talking much more substantively and we'll flesh this out."

Chesney compared deciding when to intervene with a person tweeting extremist views to the "old 'Minority Report' problem," a reference to the short story and movie in which people got busted pre-crime.

"The positive way to spin that story is that they're not going after people just for dumb retweets, that they get in there and they find out through a cooperator what the person is really focused on, how serious they are. And if it turns out to be something big, the case is brought on that basis," Chesney said. "The negative way to describe it is that it's entrapment, that these are people who do these dumb things and then they get led down the treacherous path."

He suggested prosecutions based on tweets might be viewed differently depending on whether the ultimate target is what Americans see as a "domestic" cause -- say, an ultra-conservative anti-government group or a radical environmental organization -- or a "foreign" cause -- like Islamic terrorism. It's "clearly true," Chesney said, that people will be more concerned about law enforcement efforts "that are perceived as involving homegrown or domestic institutions or individuals, versus that which is perceived as 'the other' or foreign." Charging someone for social media activity alone might not be as politically viable in the former situation.

"RTs do not equal endorsements, I think should go without saying," Chesney said. "But it gets interesting if you're retweeting really nasty beheading videos and stuff," he added. "Really, that's not endorsement? What does it mean to retweet something?"

CORRECTION: An earlier version of this story mistakenly stated that Nagi is from Texas. He is from New York.

From rforno at infowarrior.org Sun Aug 9 14:07:11 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 9 Aug 2015 15:07:11 -0400
Subject: [Infowarrior] - Netscape IPO 20-year anniversary
Message-ID:

Netscape IPO 20-year anniversary: Read Fortune's 2005 oral history of the birth of the web

http://fortune.com/2015/08/09/remembering-netscape/
From rforno at infowarrior.org Sun Aug 9 20:34:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 9 Aug 2015 21:34:53 -0400
Subject: [Infowarrior] - Even more DMCA idiocy
Message-ID: <98116ECA-9A8D-4DF3-BF8E-4288715823AB@infowarrior.org>

(c/o Dan)

http://arstechnica.com/tech-policy/2015/08/dmca-takedown-laser-brings-down-vimeo-videos-with-pixels-in-title/

DMCA takedown laser brings down Vimeo videos with "Pixels" in title

Most videos existed well before Columbia Pictures' awful film of same name.

by Sam Machkovech - Aug 9, 2015 1:10pm PDT

The Internet didn't really need another reason to hate July's critically panned Columbia Pictures film Pixels, but it got one in the form of a sketchy DMCA takedown. The request comes from a copyright troll, and it's directed at a number of videos hosted on Vimeo.

TorrentFreak got the scoop on Saturday by discovering a successful takedown request filed by Entura International, an "anti-piracy" organization acting on Columbia Pictures' behalf. Entura targeted films that had nothing to do with the Adam Sandler film, with the exception of having the word "Pixels" in their titles.

One of those takedowns hit a 2006 short film titled Pixels, and its creators, the filmmaking group NeMe, took to Vimeo's support forums to express their disdain. They noted that the DMCA takedown request counted as a "strike one," in spite of allegedly not violating any of Columbia Pictures' copyrights. It forced the short film's creators to provide "an assortment of statements."

Most of the other films noted in the Chilling Effects report had nothing to do with the Sandler film, with the ironic exception of a trailer for the film in question. Additionally, TorrentFreak reported that the film's source material, a two-minute CGI film in which video game icons came to life, had received a takedown. As of press time, that video had been restored to Vimeo.

Vimeo's forum moderators encouraged NeMe and other affected filmmakers to file a counter DMCA notice, but as of press time, most affected films remain down due to an apparent automatic compliance with the DMCA request.

From rforno at infowarrior.org Mon Aug 10 09:10:39 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 10 Aug 2015 10:10:39 -0400
Subject: [Infowarrior] - The Pentagon's Dangerous Views on the Wartime Press
Message-ID:

The Pentagon's Dangerous Views on the Wartime Press

The Editorial Board

http://www.nytimes.com/2015/08/10/opinion/the-pentagons-dangerous-views-on-the-wartime-press.html?_r=0

The Defense Department earlier this summer released a comprehensive manual outlining its interpretation of the law of war. The 1,176-page document, the first of its kind, includes guidelines on the treatment of journalists covering armed conflicts that would make their work more dangerous, cumbersome and subject to censorship. Those should be repealed immediately.

Journalists, the manual says, are generally regarded as civilians, but may in some instances be deemed "unprivileged belligerents," a legal term that applies to fighters that are afforded fewer protections than the declared combatants in a war. In some instances, the document says, "the relaying of information (such as providing information of immediate use in combat operations) could constitute taking a direct part in hostilities."

The manual warns that "Reporting on military operations can be very similar to collecting intelligence or even spying," so it calls on journalists to "act openly and with the permission of relevant authorities." It says that governments "may need to censor journalists' work or take other security measures so that journalists do not reveal sensitive information to the enemy."
Allowing this document to stand as guidance for commanders, government lawyers and officials of other nations would do severe damage to press freedoms. Authoritarian leaders around the world could point to it to show that their despotic treatment of journalists -- including Americans -- is broadly in line with the standards set by the United States government.

One senior Pentagon official, who was asked to explain when a journalist might be deemed an "unprivileged belligerent," pointed to the assassination of the Afghan military commander Ahmad Shah Massoud in September 2001. That example is preposterous because Mr. Massoud was killed by assassins who posed as television journalists and hid explosives in a camera. They were not, in fact, journalists.

The manual's argument that some reporting activities could be construed as taking part in hostilities is ludicrous. That vaguely worded standard could be abused by military officers to censor or even target journalists.

Equally bizarre is the document's suggestion that reporters covering wars should operate only with the permission of "relevant authorities" or risk being regarded as spies. To cover recent wars, including the civil war in Libya in 2011 and the war in Syria, reporters have had to sneak across borders, at great personal risk, to gather information. For the Pentagon to conflate espionage with journalism feeds into the propaganda of authoritarian governments. Egypt, for instance, has tried to discredit the work of Western journalists by falsely insinuating that many of them are spies.

Even more disturbing is the document's broad assertion that journalists' work may need to be censored lest it reveal sensitive information to the enemy. This unqualified statement seems to contravene American constitutional and case law, and offers other countries that routinely censor the press a handy reference point.

Of the 61 journalists killed last year, 59 percent died covering wars, according to the Committee to Protect Journalists, which published a critical analysis on the Pentagon's new manual.

In earlier documents on the law of armed conflict, the American military has offered more sensible guidance on the treatment of journalists. A guidebook published in 2012 by the United States Army Judge Advocate General's Legal Center and School says that journalists should be protected as civilians "provided they take no action adversely affecting their status as civilians."

A spokesman for the National Security Council declined to say whether White House officials contributed to or signed off on the manual. Astonishingly, the official pointed to a line in the preface, which says it does not necessarily reflect the views of the "U.S. government as a whole." That inane disclaimer won't stop commanders from pointing to the manual when they might find it convenient to silence the press. The White House should call on Secretary of Defense Ashton Carter to revise this section, which so clearly runs contrary to American law and principles.

From rforno at infowarrior.org Mon Aug 10 09:12:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 10 Aug 2015 10:12:37 -0400
Subject: [Infowarrior] - HTC Doesn't Protect Fingerprint Data
Message-ID: <3BF72676-F68A-4F5B-86D5-C0E1903E9689@infowarrior.org>

HTC Doesn't Protect Fingerprint Data

http://it.slashdot.org/story/15/08/10/1258243/htc-doesnt-protect-fingerprint-data

Biometric authentication is becoming commonplace -- fingerprint scanners have been used on laptops for years, and now they're becoming commonplace on phones, as well. As more devices require your fingerprint to unlock, it becomes more important for each of them to guard that data. It's significant, then, that researchers from FireEye were able to easily grab fingerprint data off several recent phones.
The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access. "Any unprivileged processes or apps can steal users' fingerprints by reading this file." According to the research they presented at Black Hat (PDF), it would also be simple for hackers who have remotely compromised the device to upload their own fingerprints to grant themselves physical access.

From rforno at infowarrior.org Mon Aug 10 12:32:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 10 Aug 2015 13:32:53 -0400
Subject: [Infowarrior] - Judge in HP case trolls HP brilliantly
Message-ID: <8F0807C8-B0AA-4052-B076-372EF4533289@infowarrior.org>

Judge Trolls Lawyers Without Saying Anything At All

http://abovethelaw.com/2015/08/judge-trolls-lawyers-without-saying-anything-at-all/

Judge Charles Breyer proves that a redaction can be worth a thousand words........

From rforno at infowarrior.org Mon Aug 10 16:03:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 10 Aug 2015 17:03:22 -0400
Subject: [Infowarrior] - Google Creates New Company Called Alphabet, Restructures Stock
Message-ID: <7DCCB3E1-DDA6-458B-965D-5C4F28F8BF9A@infowarrior.org>

Google Creates New Company Called Alphabet, Restructures Stock

Brian Womack
August 10, 2015 -- 4:49 PM EDT

http://www.bloomberg.com/news/articles/2015-08-10/google-to-adopt-new-holding-structure-under-name-alphabet-

Google Inc. is changing its corporate structure to separate its search, YouTube and other Web companies from its research and investment divisions. The shares rose in late trading.

Alphabet will be the name of what will effectively be a new holding company, the Web company said in a blog post Monday. It will include Google Inc. and Calico, a separate unit that includes Google Ventures, Google Capital, Google X and other subsidiaries.

Larry Page will be Alphabet's chief executive officer, while co-founder Sergey Brin will be president. Ruth Porat will be chief financial officer. Sundar Pichai, Page's deputy, will be promoted to become CEO of Google Inc., which generates the bulk of Google's $60 billion in annual revenue.

Google is adopting this structure in order to make clearer the difference between its main business and longer-term endeavors, as Page and Brin take on more strategic roles, while leaving operational management to trusted deputies.

"We've long believed that over time companies tend to get comfortable doing the same thing, just making incremental changes," Page wrote in the post. "Our company is operating well today, but we think we can make it cleaner and more accountable."

Shares of Google fell less than 1 percent to $663.14 at Monday's close in New York. The stock is up 25 percent this year, with much of the gains coming after the company reported quarterly results last month.

From rforno at infowarrior.org Tue Aug 11 08:16:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 11 Aug 2015 09:16:46 -0400
Subject: [Infowarrior] - No-fly list uses 'predictive assessments' instead of hard evidence, US admits
Message-ID:

No-fly list uses 'predictive assessments' instead of hard evidence, US admits

In May filing, Justice Department and FBI officials admit stopping US and other citizens from travelling is based on what the government believes they might do

Spencer Ackerman in New York
@attackerman
Monday 10 August 2015 12.51 EDT
Last modified on Monday 10 August 2015 13.07 EDT

http://www.theguardian.com/us-news/2015/aug/10/us-no-fly-list-predictive-assessments

The Obama administration's no-fly lists and broader watchlisting system is based on predicting crimes rather than relying on records of demonstrated offenses, the government has been forced to admit in court.
In a little-noticed filing before an Oregon federal judge, the US Justice Department and the FBI conceded that stopping US and other citizens from travelling on airplanes is a matter of "predictive assessments about potential threats", the government asserted in May.

"By its very nature, identifying individuals who 'may be a threat to civil aviation or national security' is a predictive judgment intended to prevent future acts of terrorism in an uncertain context," Justice Department officials Benjamin C Mizer and Anthony J Coppolino told the court on 28 May. "Judgments concerning such potential threats to aviation and national security call upon the unique prerogatives of the Executive in assessing such threats."

It is believed to be the government's most direct acknowledgement to date that people are not allowed to fly because of what the government believes they might do and not what they have already done. The Justice Department said it must meet a standard of "reasonable suspicion" that a blacklisted individual poses a threat, a step below probable cause.

The declaration comes in a longstanding case, brought by the American Civil Liberties Union (ACLU), arguing that the government does not provide significant steps for someone caught in the "predictive assessments" to get off the blacklists. On Friday, the ACLU asked Judge Anna Brown to conduct her own review of the error rate in the government's prediction modeling -- a process the ACLU likens to the "pre-crime" of Philip K Dick's science fiction.

"I believe this is the first case in which a court is being asked to review the basis for the government's predictive model for blacklisting people who have never even been charged, let alone convicted, of a violent crime," said ACLU attorney Hina Shamsi.

In March, as a result of the lawsuit, the Department of Homeland Security began informing people of their inclusion on a flight blacklist and permitting them to file a "redress inquiry". The resulting non-adversarial process has the government perform "careful consideration" of its reasons for blacklisting, with the Transportation Security Agency director as final arbiter. The ACLU considers the new process insufficient.

But the Obama administration is seeking to block the release of further information about how the predictions are made, for the same reason it opposes providing greater information for challenging watchlist inclusion: damage to national security.

"If the Government were required to provide full notice of its reasons for placing an individual on the No Fly List and to turn over all evidence (both incriminating and exculpatory) supporting the No Fly determination, the No Fly redress process would place highly sensitive national security information directly in the hands of terrorist organizations and other adversaries," the assistant director of the FBI's counterterrorism division, Michael Steinbach, wrote in a declaration to Brown.

Terrorist organizations would have "every incentive" to manipulate the Department of Homeland Security's procedures for challenging no-fly list inclusion, Steinbach argued, "in order to discover whether they or their members are subject to investigation or intelligence operations, what sources and methods the Government employs to obtain information or what type of intelligence information is sufficient to trigger an investigation in the first place".

Joined by Clayton Grigg of the FBI's terrorist screening center, Steinbach asserted that "mere guesses or 'hunches', or the reporting of suspicious activity alone, are not sufficient to establish reasonable suspicion".

On Friday, the ACLU told Brown that the administration's predictive assessments pose an "extremely high risk of error".

Marc Sageman, a former CIA counterterrorism analyst and current academic researcher of terrorism, submitted a brief for the ACLU arguing that the government's predictive model underpinning the blacklist inclusion was not responsibly rigorous.

"[T]here is no indication that the government has assessed the scientific validity and reliability of its predictive judgments or the information that leads to those judgments, nor has it used a scientifically valid model for predicting, and accounting for, the rate of error that might arise from those predictive judgments. Due to these failures alone, the government's predictive judgments cannot be considered reliable," Sageman told the court on Friday.

Without a "scientifically validated process", Sageman asserted, the government's judgements about who does and does not pose a terrorist threat to aviation "amount to little more than the 'guesses' or 'hunches' that Mr Grigg says are not sufficient to meet the criteria".

Previous court filings, in this case and a related one, suggest that placement on the no-fly and other watchlists results not merely from threat assessments. In April 2014, five people, all of whom are Muslim, claimed that they were suddenly forbidden from flying after declining FBI pressure to become informants or in order to place pressure upon them to do so. Informants, along with social media postings, have become a driving factor in the FBI's uptick in arrests of people suspected of ties to al-Qaida and the Islamic State.

In July 2014, the Intercept published an internal watchlisting guidance indicating that nominations to government watchlists were growing, with few rejections. Social media posts were among acceptable criteria, and acquittals in court did not necessarily lead to removals from the list, the Intercept's document showed.
"The government is depriving innocent people like our clients of their constitutionally protected liberties without providing a fair process for them to challenge the blacklisting and clear their names," the ACLU's Shamsi said.

From rforno at infowarrior.org Tue Aug 11 12:22:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 11 Aug 2015 13:22:18 -0400
Subject: [Infowarrior] - Oracle Deletes CSO's Screed Against Hackers Who Report Bugs
Message-ID: <2A569A8D-99B6-4AC5-9967-48F0312ACD76@infowarrior.org>

(Oh, MAD, what *will* you say next? ---rick)

Oracle Deletes CSO's Screed Against Hackers Who Report Bugs

http://www.wired.com/2015/08/oracle-deletes-csos-screed-hackers-report-bugs/

If you take apart Oracle's software and find a hackable vulnerability, don't tell the company. Or at least not its chief security officer.

"If you are trying to get the code in a different form from the way we shipped it to you -- you are probably reverse engineering," writes Oracle CSO Mary Ann Davidson. "Don't. Just ... don't."

That, in short, is the message of a nearly 3,000-word rant Oracle Chief Security Officer Mary Ann Davidson wrote on her company blog yesterday. The post was deleted sometime before Tuesday morning, but is still visible on the Internet Archive. Davidson rails against customers who report bugs to the company, and complains that she's increasingly having to write responses to them telling them to stop violating their license agreement, which forbids the reverse engineering of their software.

"Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it," she writes. "This is why I've been writing a lot of letters to customers that start with 'hi, howzit, aloha' but end with 'please comply with your license agreement and stop reverse engineering our code, already.'"

The post set off an immediate firestorm in the security industry, which -- aside from Oracle -- has increasingly adopted a friendly attitude toward reverse engineers and benign hackers. Standard practice for a company that receives a report of a new vulnerability in their software, a so-called "zero-day" bug, is to credit the researcher or even pay a "bug bounty" monetary reward. Practically every major tech company from Google to Microsoft, and increasingly other companies from United Airlines to Tesla, now run some version of those reward programs.

Davidson, who has a long history of adversarial relationships with security researchers, took a harshly opposite tone. "We will also not provide credit in any advisories we might issue," she wrote. "You can't really expect us to say 'thank you for breaking the license agreement.'"

Oracle didn't immediately respond to WIRED's request for comment. In the meantime here are a few of the response tweets from the security community, many of which excoriate Oracle for rejecting free security advice and make the undeniable point that the company's real enemies -- nation-state hackers and cybercriminals -- won't abide by Oracle's draconian prohibition on reverse engineering.

< -- >

http://www.wired.com/2015/08/oracle-deletes-csos-screed-hackers-report-bugs/

From rforno at infowarrior.org Tue Aug 11 12:47:30 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 11 Aug 2015 13:47:30 -0400
Subject: [Infowarrior] - Oracle responds to MAD screed
Message-ID:

(c/o Jericho)

https://twitter.com/Jose_Pagliery/status/631149599386914818
From rforno at infowarrior.org Tue Aug 11 16:18:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 11 Aug 2015 17:18:41 -0400
Subject: [Infowarrior] - WH issues cybersecurity rules for contractors
Message-ID:

White House issues cybersecurity rules for contractors

By Cory Bennett - 08/11/15 04:43 PM EDT

http://thehill.com/policy/cybersecurity/250869-white-house-issues-cybersecurity-rules-for-contractors

The Obama administration has released draft guidelines that would require government contractors handling sensitive data to meet baseline security requirements and report digital intrusions to authorities.

The rules would also allow the Department of Homeland Security (DHS) to deploy its own network monitoring programs at a contractor if it is not meeting the necessary standards.

"The proposed guidance will strengthen government agencies' clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems," said a proposal from the Office of Management and Budget (OMB).

The new rules are part of a broad effort to secure government networks in the wake of a spate of cyberattacks at high-profile agencies and contractors.

In the recent digital assault on the U.S. government that exposed more than 22 million people's data, suspected Chinese hackers were able to crack Office of Personnel Management networks after lifting a contractor's security credentials.

That contractor, KeyPoint Government Solutions, is one of two major background check processors that were breached in separate incidents last year. The other contractor, U.S. Investigations Services, has since lost some of its government contracts.

Combined, the digital hits exposed files on roughly 70,000 federal employees, many of whom held security-clearance-level positions with the DHS.
With its updated guidelines, the administration is hoping to prevent future contractor breaches as the government increasingly turns to these outside companies to ?for a variety of information technology services,? the OMB said. The White House believes part of the problem has been inconsistency in the data security standards for federal contracts. Agencies have issued varying guidelines that have only complicated things, said Christian Henel, a government contract attorney with Thompson Hine. "There have been some standards that agencies have enforced, but each one has control over which standard they enforce and why," he said. "It?s not been uniform. OMB is attempting to remedy that." The new rules would direct agencies to ensure that contractors operating government systems are following security processes set by the National Institute of Standards and Technology. If companies are found not to be properly monitoring their own networks, the guidelines would allow for federal agencies to go in with their own examination tools. Henel said this clause may lead to some pushback from contractors. "I could see that as being potentially burdensome," he said. Finally, the rules would make companies report more, although not all, cyberattacks to the government. ?At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency,? the OMB said. The public has until Sept. 10 to comment on the draft. The final guidelines are expected sometime this fall. -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Aug 12 11:57:25 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 12 Aug 2015 12:57:25 -0400 Subject: [Infowarrior] - LEOs vs Reality regarding encryption Message-ID: August 12, 2015 | By Jamie Williams At it Again: Law Enforcement Officials? 
Anti-Encryption New York Times Op-Ed
https://www.eff.org/deeplinks/2015/08/it-again-law-enforcement-officials-anti-encryption-new-york-times-op-ed

Yesterday, Manhattan District Attorney Cyrus Vance, Jr. and law enforcement officials from Paris, London, and Madrid published an anti-encryption op-ed in the New York Times - an op-ed that amounts to nothing more than a blatant attempt to use fear mongering to further their anti-privacy, anti-security, and anti-Constitutional agenda. They want a backdoor. We want security, privacy, and respect for the Fourth Amendment's guarantee that we be "secure" in our papers. After all, the Founding Fathers were big users of encryption.

The government's use of horror stories to convince us that we should unlock our doors and give it free rein to pry inside our lives is nothing new. FBI Director James Comey is notorious for his examples of how cell-phone encryption will lead law enforcement to a "very dark place." Yesterday's op-ed adopts Comey's signature tactic, focusing on the fatal shooting of a man in Illinois in June of this year and suggesting - without any evidence - that but for encryption built into both of the victim's two phones (both found at the crime scene), police would have been able to track down the shooter. Never mind that of the two devices mentioned in the article, one of them (the Samsung Galaxy S6) isn't actually encrypted by default.

The op-ed goes on to cite numerous other "examples," again divorced from any actual facts, of cases in which encryption supposedly "block[ed] justice" - including 74 occasions over a nine-month period in which the Manhattan district attorney's office encountered locked iPhones. Vance has touted this statistic before. But a spokesperson for his office told Wired last month that the office handles approximately 100,000 cases in the course of a year, meaning that officials encountered encryption in less than 0.1% of cases.
And Vance has never been able to explain how even one of these 74 encrypted iPhones stood in the way of a successful prosecution.

The op-ed faults Apple and Google for attempting to offer their customers strong, user-friendly encryption. An iPhone with iOS8 automatically encrypts text messages, photos, contacts, call history, and other sensitive data through the use of a passcode. But contrary to the suggestion of the op-ed's authors, Google has already backed off its promise to offer its users encryption by default, and Google would have been able to unlock the specific model of Samsung phone at issue.

But what's more important than the op-ed's shortage of facts is how out of touch it is with not only the fundamental importance of encryption and how encryption works, but also the U.S. Constitution. The op-ed calls for an "appropriate balance between the marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes." This single sentence demonstrates the numerous ways in which the authors are untethered from reality.

First, the benefits of encryption are in no way "marginal" - unless you view ensuring the privacy and security of innocent individuals across the globe as trivial goals. The authors here reveal their failure to appreciate the need for encryption to protect against not only security breaches, but also criminals (the folks they are supposed to be protecting us from) and of course pervasive and unconstitutional government surveillance.

Second, when the authors say they want an "appropriate balance," what they are really asking for is a backdoor - or golden key - to allow government officials to decrypt any encrypted messages.
As The Intercept explained in an article outlining the many things wrong with the op-ed, Vance and his counterparts in Paris, London, and Madrid are "demand[ing] - in the name of the 'safety of our communities' - a magical, mathematically impossible scenario in which communications are safeguarded from everyone except law enforcement." We've said it before and we'll say it again: It is technologically impossible to give the government an encryption backdoor without weakening everyone's security. Computer scientists and cybersecurity experts agree, and have been telling the government as much for nearly two decades. And earlier this year, one Congressman with a technical background called encryption backdoors "technologically stupid." Everyone who understands how encryption works agrees.

Third, law enforcement isn't currently and won't in the future "go dark" as a result of encryption. The government voiced the same concerns over encryption stifling criminal investigations during the Crypto Wars of the 1990s - i.e., Crypto Wars, Part I - which saw efforts by the government to prevent the development and distribution of strong consumer encryption technologies. (Protecting your ability to use strong encryption was one of EFF's very first victories.) Such concerns have proven to be unfounded in the past. Just a few weeks ago, former NSA director Mike McConnell, former Homeland Security director Michael Chertoff, and former deputy defense secretary William Lynn - in a Washington Post op-ed in support of ubiquitous encryption - remarked that despite losing Part I of the Crypto Wars,

    [T]he sky did not fall, and we did not go dark and deaf. Law enforcement and intelligence officials simply had to face a new future. As witnesses to that new future, we can attest that our security agencies were able to protect national security interests to an even greater extent in the '90s and into the new century.

The same is true today.
And as the former national security officials recognize, "the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring."

At its core, yesterday's op-ed demonstrates a fundamentally different vision for the future than the one we have here at EFF. Our vision is for a world where the privacy of communications is protected and where we can use the best tools possible to protect it. The vision of Vance, Comey, and others in the anti-encryption camp is for a world where no one is secure and where everyone is vulnerable. Their vision is not consistent with reality. And we hope the public is not swayed by their fear tactics.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 12 12:22:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 12 Aug 2015 13:22:03 -0400
Subject: [Infowarrior] - Lenovo used a hidden Windows feature to ensure its software could not be deleted

Lenovo used a hidden Windows feature to ensure its software could not be deleted
by Owen Williams
http://thenextweb.com/insider/2015/08/12/lenovo-used-a-hidden-windows-feature-to-ensure-its-software-could-not-be-deleted/

A recently uncovered feature - which had been swept under the rug - allowed new Lenovo laptops to use new Windows features to install the company's software and tools even if the computer was wiped.

The oddity was first noted by Ars Technica forum user "ge814" and corroborated by Hacker News user "chuckup." The users discovered the issue in May when using a new Lenovo laptop that automatically and covertly overwrote a system file on every boot, which downloaded a Lenovo updater and installed software automatically, even if Windows was reinstalled from a DVD.

The only problem is that nobody actually asked for this software, and it persisted between clean installs of Windows.
Lenovo was essentially exploiting a rootkit on its own laptops to ensure its software persists if wiped.

How it works

The mechanism triggering this is called the Lenovo Service Engine, which downloads a program called OneKey Optimizer used for "enhancing PC performance by updating firmware, drivers and pre-installed apps as well as 'scanning junk files and find factors that influence system performance.'" It also sends "system data to a Lenovo server to help us understand how customers use our products" but the company claims it's not "personally identifiable information." The problem is, users have no idea this is going on and it was very hard to get rid of.

If Windows 7 or 8 is installed, the BIOS of the laptop checks "C:\Windows\system32\autochk.exe" to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files, LenovoUpdate.exe and LenovoCheck.exe, are created, which set up a service and download files when connected to the internet.

Lenovo already quietly fixed part of the bug but didn't exactly make it loud and clear. In a July 31 security bulletin it vaguely refers to a vulnerability found in the Lenovo Service Engine that found a way attackers could exploit the mechanism by using a malicious server to install software. The company issued a patch to remove the functionality altogether between April and May of 2015, though it requires manual execution to disable the functionality. Users do not appear to receive it automatically.

Allowed by Microsoft

Here's the kicker: the mechanism Lenovo was using is actually a Microsoft sanctioned technique, called the "Windows Platform Binary Table," first introduced in November 2011 and updated for the first time in July of this year. The document had only two mentions online before today, one from an apparent Lenovo software engineer asking for help tinkering with laptop ACPI tables.
The feature allows computer manufacturers to push software for installation from the BIOS to the system, meaning it'll persist between installations of Windows regardless of whether it's a clean installation or not. The document was modified upon discovery of the Lenovo exploit to say that it exists to allow "critical software" like "anti-theft software" to persist across reinstallation of operating systems, but obviously computer manufacturers like Lenovo have a different idea of what that actually means (see also: the time Lenovo installed software that hijacked secure internet traffic).

Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place. Both users reported being confused about how Lenovo software was installed on their computers after performing an installation from a DVD.

A wide range of Lenovo laptops are affected by the issue: Flex 2 Pro-15/Edge 15 (Broadwell/Haswell models), Flex 3-1470/1570/1120, G40-80/G50-80/G50-80 Touch/V3000, S21e, S41-70/U40-70, S435/M40-35, Yoga 3 14, Yoga 3 11, Y40-80, Z41-70/Z51-70 and Z70-80 / G70-80.

A scary future

The revelation is one that makes me slightly nervous: a truly clean, untouched install of Windows is now very difficult to achieve and computer manufacturers are quietly installing software without user knowledge. Other manufacturers could have been using the technique without user knowledge, but it's unclear at this time.

At least there's good news: if you own one of these laptops you can disable the feature right now by downloading the utility at this link. The bad news: it wasn't already done for you.

When we asked Lenovo for comment, they directed us back to the bulletin that describes the patch. Microsoft is yet to respond with a comment.
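[Editor's added example, not part of the forwarded article and not Lenovo's or Microsoft's code.] The practical question the article raises is "does my firmware hand Windows a binary at all, and what is it?" The WPBT is an ordinary ACPI table, so it can be inspected from any OS that exposes firmware tables (Linux publishes them under /sys/firmware/acpi/tables/, root required). The parser below follows my reading of Microsoft's WPBT specification - a standard 36-byte ACPI header, then handoff size (u32), physical address of the image (u64), layout (u8), type (u8) and a UTF-16LE argument string - and that layout is an assumption, as are the OEM strings, address and sample image, which are constructed fixtures. Because the table only points at the image in physical memory, extraction takes a caller-supplied reader (a /dev/mem reader as root, or a fake for testing).

```python
"""Inspect a Windows Platform Binary Table (WPBT) ACPI table.

Added illustration; field layout assumed from Microsoft's WPBT spec.
"""
import hashlib
import struct
from typing import Callable, Optional

# Standard ACPI table header: Signature, Length, Revision, Checksum, OEMID,
# OEM Table ID, OEM Revision, Creator ID, Creator Revision (36 bytes).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body (assumed): handoff memory size, physical address of the image,
# layout (1 = single PE image), type (1 = native user-mode application),
# byte length of the UTF-16LE argument string that follows.
WPBT_BODY = struct.Struct("<IQBBH")
LAYOUTS = {1: "single PE image"}
TYPES = {1: "native user-mode application"}


def acpi_checksum(table: bytes) -> int:
    """Bytewise sum mod 256; a well-formed ACPI table sums to zero."""
    return sum(table) & 0xFF


def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT table, rejecting anything malformed or tampered."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short")
    (sig, length, rev, _chk, oem_id, oem_table_id,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: %r" % sig)
    if length != len(table):
        raise ValueError("length field %d != %d bytes read" % (length, len(table)))
    if acpi_checksum(table) != 0:
        raise ValueError("ACPI checksum mismatch")
    size, addr, layout, kind, arglen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    if start + arglen > len(table):
        raise ValueError("argument string runs past end of table")
    args = table[start:start + arglen].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "revision": rev,
        "handoff_size": size,
        "handoff_addr": addr,
        "layout": LAYOUTS.get(layout, "unknown(%d)" % layout),
        "type": TYPES.get(kind, "unknown(%d)" % kind),
        "arguments": args,
    }


def extract_image(info: dict, read_phys: Callable[[int, int], bytes]) -> dict:
    """Read the handoff image through read_phys(addr, size) and fingerprint it
    so the binary can be checked against known OEM/vendor hashes."""
    image = read_phys(info["handoff_addr"], info["handoff_size"])
    if len(image) != info["handoff_size"]:
        raise ValueError("short read of handoff region")
    return {"is_pe": image[:2] == b"MZ",
            "sha256": hashlib.sha256(image).hexdigest(),
            "size": len(image)}


def build_wpbt(handoff_size: int, handoff_addr: int, args: str,
               oem_id: bytes = b"EXMPLE", oem_table_id: bytes = b"WPBTTEST") -> bytes:
    """Construct a well-formed WPBT table (test fixture, not real firmware data)."""
    arg_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1, len(arg_bytes)) + arg_bytes
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6),
                              oem_table_id.ljust(8), 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF  # checksum byte lives at header offset 9
    return bytes(table)


def load_linux_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT") -> Optional[dict]:
    """Return the parsed table on a Linux box, or None when the firmware
    publishes no WPBT (i.e. nothing is being handed to Windows at boot)."""
    try:
        with open(path, "rb") as f:
            return parse_wpbt(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    found = load_linux_wpbt()
    print("no WPBT present" if found is None else found)
```

On a live system, run it as root on Linux; a result of None is the answer most owners want. If a table is present, feed extract_image a reader over /dev/mem (or a memory image taken for forensics) and compare the hash against what the OEM publishes; a table that fails the checksum or length checks is itself worth investigating, since the firmware wrote it.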
It's worth noting that almost all computers execute the autochk.exe file on boot, with an extensive white paper published earlier this year on the technique - this is just the first time we've seen it in action.

If you have an affected laptop, let us know in the comments. We'd love to talk to you.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 12 12:44:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 12 Aug 2015 13:44:27 -0400
Subject: [Infowarrior] - Germany drops treason inquiry into Netzpolitik journalists
Message-ID: <56B0A5FF-D934-4EB7-AB48-004297E59196@infowarrior.org>

Germany drops treason inquiry into Netzpolitik journalists
Associated Press in Berlin
Monday 10 August 2015 05.38 EDT
http://www.theguardian.com/world/2015/aug/10/germany-drops-treason-inquiry-netzpolitik-journalists

German prosecutors have dropped a much-criticised treason investigation into two journalists who reported on secret plans to expand online surveillance in the country.

Prosecutors notified Netzpolitik.org in July that its founder, Markus Beckedahl, and fellow journalist Andre Meister were under investigation, triggering widespread criticism from free-speech advocates. The website specialises in coverage of online privacy and digital culture.

The justice minister, Heiko Maas, questioned the decision to open a treason inquiry, and last week he fired the chief federal prosecutor, Harald Range, after the two clashed over public allegations by Range of political interference, which the minister denied.

On Monday the federal prosecutor's office said it was closing the case because it believed the leaked documents on which the website's reports were based were not a "state secret", and that other conditions for treason charges had not been met.
The inquiry, which was opened after a criminal complaint filed by Germany's domestic intelligence agency, also targeted the unidentified source of the leaked documents. Monday's statement said investigating the source would now be a matter for lower-ranking local prosecutors.

Beckedahl suggested the decision to drop the inquiry was not enough. "We want to know precisely whether we were subject to surveillance measures during the almost three-month investigation," he said. Beckedahl said he hoped the case would motivate authorities to improve protection for whistleblowers in Germany.

German officials have reiterated their commitment to press freedom amid embarrassment over the inquiry.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 12 20:12:23 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 12 Aug 2015 21:12:23 -0400
Subject: [Infowarrior] - Harvard student loses Facebook internship after pointing out privacy flaws
Message-ID: <78F818EB-2F7F-4C3D-A504-E6013099FFD8@infowarrior.org>

Harvard student loses Facebook internship after pointing out privacy flaws
By Allison Pohle @AllisonPohle
Boston.com Staff | 08.12.15 | 5:57 PM
http://www.boston.com/news/nation/2015/08/12/harvard-student-loses-facebook-internship-after-pointing-out-privacy-flaws/zASZFdUjn6PoliUiR9kVHJ/story.html

Three months ago, Harvard student Aran Khanna was preparing to start a coveted internship at Facebook when he launched a browser application from his dorm room that angered the social media behemoth.

His application, called Marauder's Map - a clever name that Harry Potter fans will appreciate - was a Chrome extension that used data from Facebook Messenger to map where users were when they sent messages. The app also showed the locations, which were accurate to within three feet, in a group chat with people he barely knew.
That meant complete strangers could hypothetically see that he had messaged them from a Starbucks around the corner, while he could see that they had messaged from their dorms.

The app capitalized on a privacy flaw that Facebook had been aware of for about three years: the Facebook Messenger app automatically shared users' locations with anyone who they messaged.

Khanna tweeted about the app on May 26 and posted about it on Reddit and Medium. Marauder's Map began to go viral. Facebook, never one to miss a trend, quickly caught on.

Within three days, Facebook asked Khanna to disable the app. The company also deactivated location sharing from desktops, which meant Khanna's app wouldn't work even if he hadn't taken it down. And the company that Mark Zuckerberg famously launched from his Harvard dorm room withdrew its internship offer from this Harvard student, who apparently made the mistake of... launching an app from his dorm room.

Before it was disabled, the extension was downloaded more than 85,000 times, Khanna said.

About a week later, Facebook released a Messenger app update trumpeted as follows in a news release: "With this update, you have full control over when and how you share your location information." The description didn't mention the previous default settings. Nor did it point out that users who didn't activate the update would continue to share their locations by default unless they manually altered their privacy settings.

Matt Steinfeld, a Facebook spokesman, said the company had been working on a Messenger update long before Khanna's blog post was published. "This isn't the sort of thing that can happen in a week," Steinfeld told Boston.com. "Even though we move very fast here, they'd been working on it for a few months."

Khanna, who detailed the experience in a case study published Tuesday for the Harvard Journal of Technology Science, told Boston.com he created the app to show the consequences of unintentionally sharing data.
That way, he said, users could decide for themselves whether or not it was a violation of their privacy.

Facebook Messenger, the company's mobile messaging app, had been set up with automatic geolocation sharing since it launched in 2011. CNET drew attention to the issue in 2012 and showed users how to switch off location services. Various updates to the app improved its usability and even introduced fun cat emoji stickers, but the geolocation sharing remained.

Khanna used Messenger frequently when he started studying at Harvard, but didn't realize how much information he was unintentionally sharing until he began to look at his message history.

The day after Marauder's Map was posted, Khanna said his future manager at Facebook called him and asked him not to talk to the press. That evening, Khanna received a call from Facebook's global communications lead for privacy and public policy, who reiterated that Khanna shouldn't talk to the press because the story had become damaging. Khanna complied, redirecting all press inquiries back to Facebook.

The next day, Facebook asked him to deactivate the extension. He did, but also updated his Medium post and the extension's description to make it clear that Facebook asked him to disable the map.

Three days after the extension was posted, and two hours before he was supposed to leave to start his internship, Khanna received a call from a Facebook employee telling him that the company was rescinding his summer internship offer.

Khanna said he was told that he violated the Facebook user agreement when he scraped the site for data. However, Khanna told Boston.com that the data was from his own messages, which meant he used information accessible to all Facebook users, not just to employees.

Khanna then received an email from Facebook's head of global human resources and recruiting, who told him that his Medium post didn't meet the high ethical standards expected of interns.
Khanna was told that the issue wasn't the Messenger app itself, but instead the way his blog described how Facebook collected and shared user data.

"This mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people's privacy and safety," Steinfeld told Boston.com. "Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it's inconsistent with how we think about serving our community."

In his first letter to investors back in 2012, Mark Zuckerberg said that Facebook follows an approach they coined the "Hacker Way."

"The word 'hacker' has an unfairly negative connotation from being portrayed in the media as people who break into computers," he wrote. "In reality, hacking just means building something quickly or testing the boundaries of what can be done."

Khanna thought his extension - which he built quickly and which tested boundaries - was performing a public good by showing users how their data was being used. "I didn't write the program to be malicious," he said.

In the end, Khanna had a pretty great summer after all. He accepted another internship with a tech start-up in Silicon Valley. And, he said, the back-and-forth with Facebook turned out to be an "internship experience" in itself that taught him a great deal.

In the closing of his letter to investors, Zuckerberg said one of the five core values of Facebook is for its employees to "be bold."

But not too bold.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 12 20:57:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 12 Aug 2015 21:57:57 -0400
Subject: [Infowarrior] - Oracle's Cantankerous CSO: a Symptom or the Cause?
Message-ID: <486E187E-58A2-4D8A-AF6B-0A2141F7E775@infowarrior.org>

Oracle's Cantankerous CSO: a Symptom or the Cause?
Posted by: Paul, August 12, 2015 14:30

CSO Davidson's blog post attacking vulnerability researchers struck many as off-key, but little of what she said was new.

In-brief: Oracle CSO Mary Ann Davidson's screed against vulnerability researchers was a shock - unless you've been listening to what she and her employer have been saying for the last two decades.

https://securityledger.com/2015/08/oracles-cantankerous-cso-a-symptom-or-the-cause/

In almost two decades on the job, Oracle's Chief Security Officer Mary-Ann Davidson has earned a reputation for verbally shooting first and asking questions later. It's her schtick, so to speak. And, so far, it has worked out well for her - at least until this week, when Davidson arguably shot herself in the foot with a wildly off-key blog post (mirrored on Pastebin) in which she railed against the work of independent vulnerability researchers and third-party testing firms.

The blog post, which went up on Monday, was quickly taken down and then unabashedly disowned by Oracle. Edward Screven, the company's Chief Corporate Architect, said in a statement to media that Davidson's blog "does not reflect our beliefs or our relationships with our customers." Oracle, he said, "has a robust programme (sp) of product security assurance and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure."

That may be true, but nothing that Davidson wrote in her post was new - at least to those within the information security industry who are familiar with her and her opinions. Davidson has long been a staple at security conferences and is known as a contrarian on issues like independent vulnerability research, bug bounty programs and the like. Indeed, despite Oracle's official disavowal, the post on the company's blog was vintage Mary Ann Davidson: cantankerous, confrontational and unapologetic.
After nodding briefly in recognition to the anxiety that customers have about the security of their networks and critical applications in the face of nation-state actors, Davidson goes on to excoriate both customers and independent security experts who would even consider testing her employer's software. Customers, she notes, don't have access to the raw source code for Oracle's products so they can't "see whether there is a control that prevents the attack the scanning tool is screaming about." Even if they do find a security hole, customers can't develop a patch for it - "only the vendor can do that." So why bother, right? Finally, Davidson reminds readers that doing static analysis on Oracle's software is "almost certainly violating the license agreement."

No surprise: consultants and independent third-party testing firms incur most of Davidson's wrath. She speaks derisively of the independent code auditor who "reverse engineers" Oracle's code, creates "a big fat printout (and) drops it on the customer, who then sends it to us." She also casts aspersions on the value of independent code audits, calling the output of both static and dynamic code analysis "not much more than a pile of steaming ... FUD," using the acronym for "fear, uncertainty and doubt" in place of the word s**t. Clever.

Davidson speaks admiringly of the high barriers that Oracle puts up to such sinful (her word, not mine) activity. "We require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate)." Assuming they clear that high bar, Oracle responds with, in essence, a cease and desist letter. "Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so," she brags.

And what does she offer in place of the work of independent researchers and customers? In essence, nothing.
Customers should simply trust the tech industry's equivalent of the old boys network: "large-ish vendors" who, by Davidson's account "have fairly robust assurance programs now (we know this because we all compare notes at conferences)."

What's wrong with this? Just about everything.

Needless to say, assurances from jet setting CxOs that "all is well" with product security because they had a drive by conversation in the hallway at some conference doesn't even pass the laugh test. As security experts in the fast-growing vulnerability discovery and application security testing fields noted in public statements yesterday, debates about "responsible disclosure" (as it used to be called) and whether independent experts are within their rights to look for security holes in widely used software went out of style along with the flip phone.

"Vendors need to be responsive to their customers' valid requests for assurance, and to security researchers who are trying to make the software we all consume better," said Chris Wysopal, the CTO of Veracode* in an e-mail statement. "Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security."

Casey Ellis, the CEO of the vulnerability marketplace Bugcrowd pointed out another obvious point: threatening well-meaning customers and contractors with lawsuits just clears the field for the cyber criminals. "Cybercriminals and nation-state actors (who are the primary users of exploits in Oracle's software) aren't going to honor Mary Ann's request, nor will they heed Oracle's EULA," wrote Ellis. "When the crowd contains the smartest folks around the table... the last thing you want to do is silence them."

Clearly, Oracle is embarrassed by Davidson's screed. But should it be?
The bigger truth may be that Davidson and her long, long tenure at Oracle have only been possible because she and her views dovetail so well with that of the company and its longtime CEO, Larry Ellison. In the early 2000s, when Oracle's competitor, Microsoft, was reckoning with its CEO's Trustworthy Computing memo and rebuilding its entire software development process to emphasize security, Ellison was firing off wild claims that his company's software was "unhackable" and brow beating reporters who suggested otherwise. Sure, it was a boast that was proven false almost immediately, but Oracle has stuck with the "do as I say not as I do" line ever since.

Similarly, when the subject of working with independent vulnerability researchers has come up over the past two decades, Davidson has batted them away with aplomb, insisting that Oracle hires its own, internal "hackers" and has no need for the labor or ideas of outsiders. Today, Oracle is in the minority of "large-ish" software vendors in not offering bug bounties in some form for talented, independent researchers.

How's that working? Well, Oracle published patches for 193 vulnerabilities in its most recent quarterly Critical Patch Update (CPU) release in July - that was more than a 90% increase in the number of vulnerabilities from the previous CPU. And, as the security firm Onapsis noted, more than 53% of those vulnerabilities affect business-critical applications, including the company's Fusion Middleware, Hyperion, Enterprise Manager Grid Control, E-Business Suite, Supply Chain Products Suite, PeopleSoft, Siebel CRM, Commerce Platform and Java SE.

Back in the day, setting up a bounty program or courting "hackers" (as Microsoft long has) may have been daunting for a button-down company like Oracle. But these days, there are plenty of companies that will do all that dirty work for you, including start-ups like hackerone, bugcrowd and bugbountyhq.
All firms like Oracle have to do is open their minds (and their wallets). Oracle's answer so far is still "no."

Needless to say, when spies and criminals are looting homes and businesses all around you, screaming at your neighbors to "get off your lawn" probably isn't helping you, nor is it addressing the big problem. Davidson's blog post underscores how far her company has drifted from its peers and, frankly, common sense. Here's hoping that Oracle starts to turn the ship around - with or without Davidson at the helm.

(*) Veracode has been a sponsor of The Security Ledger.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 14 07:00:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 14 Aug 2015 08:00:55 -0400
Subject: [Infowarrior] - Why Jargon Feeds on Lazy Minds

Why Jargon Feeds on Lazy Minds
Posted on November 26, 2012 in Business
http://scottberkun.com/2012/why-jargon-feeds-on-lazy-minds/

[Note: this post was first published at Harvard Business Review and has been edited]

If I could give every single business writer, guru or executive one thing to read every morning before work, it'd be this essay by George Orwell: Politics and the English Language. Not only is this essay short, brilliant, thought-provoking and memorable, it calls bullshit on most of what passes today as speech and written language in management circles.

And if you are too lazy to read the article, all you need to remember is this: never use a fancy word when a simpler one will do. If your idea is good, no hype is necessary. Explain it clearly and people will get it, if there truly is something notable to get. If your idea is bad: keep working before you share it with others. And if you don't have time for that, you might as well be honest. Because when you throw jargon around, most of us know you're probably lying about something anyway. The people who use the most jargon have the least confidence in their ideas.
The people who use the least jargon have the most confidence.

In honor of Orwell here's a list of jargon I often hear that should be banned, or at least rarely used. Flat out, these words are never used for good reason.

Words that should be banned:

- Transformative
- Next-generation
- Seamless
- Game-changing
- Revolutionary
- Ideation (oh how I hate this word)
- Disruptive
- Incentivize
- Innovation (see this post specifically about the i-word)
- Innovation Infrastructure
- Customer-centric
- Radical
- See this jargon Lorem Ipsum generator for more

These are the lazy words of our time and whenever I see them used I feel justified in challenging the claims. To use these words with a straight face is to assume the listener is an idiot. They are intellectual insults. They are shortcuts away from good marketing and strong thinking since they try to sneak by with claims they know they cannot prove or do not make any sense.

Marketers and managers use jargon because it's safe. No one stops them to ask: exactly what is it you are breaking through? What precisely are you transforming, and how are you certain the new thing will be better than the old (e.g. New Coke)? If no one, especially no one in power, challenges its use, jargon spreads, choking the life out of conversations and meetings forever.

Pay attention to who uses the most jargon: it's never the brightest. It's those who want to be perceived as the best and the brightest, something they know they are not. They use cheap language tricks to intimidate, distract, and confuse, hoping to sneak past those afraid to ask what they really mean.

I'm going to do my best for the rest of the year to question people who use these lazy, deceptive, and inflated terms. Maybe then they'll use their real marketing talents and tell me a story so powerful that I believe, all on my own, will transform this, or revolutionize that.

What jargon do you hear these days that you'd like to add to the list above? Let me know.
--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 14 11:14:31 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 14 Aug 2015 12:14:31 -0400
Subject: [Infowarrior] - Russian antivirus firm faked malware to harm rivals - Ex-employees
Message-ID: <37CD718B-ECAA-48E1-AE10-A278D7210F7C@infowarrior.org>

(c/o GS)

Exclusive: Russian antivirus firm faked malware to harm rivals - Ex-employees
By Joseph Menn
SAN FRANCISCO

Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.

They said the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV (AVG.N), Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs.

Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.

"Eugene considered this stealing," said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.

Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives.

< - >

INJECTING BAD CODE

In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious.
If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

VirusTotal had no immediate comment.

< - >

http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Aug 15 14:46:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 15 Aug 2015 15:46:46 -0400
Subject: [Infowarrior] - AT&T Helped N.S.A. Spy on an Array of Internet Traffic
Message-ID:

(Not surprising, obviously. --rick)

AT&T Helped N.S.A. Spy on an Array of Internet Traffic
By JULIA ANGWIN, CHARLIE SAVAGE, JEFF LARSON, HENRIK MOLTKE, LAURA POITRAS and JAMES RISEN
August 15, 2015

The National Security Agency's ability to spy on vast quantities of Internet traffic passing through the United States has relied on its extraordinary, decades-long partnership with a single company: the telecom giant AT&T.

While it has been long known that American telecommunications companies worked closely with the spy agency, newly disclosed N.S.A. documents show that the relationship with AT&T has been considered unique and especially productive. One document described it as "highly collaborative," while another lauded the company's "extreme willingness to help."

AT&T's cooperation has involved a broad range of classified activities, according to the documents, which date from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T.

The N.S.A.'s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents.
The company installed surveillance equipment in at least 17 of its Internet hubs on American soil, far more than its similarly sized competitor, Verizon. And its engineers were the first to try out new surveillance technologies invented by the eavesdropping agency.

< - >

http://mobile.nytimes.com/2015/08/16/us/politics/att-helped-nsa-spy-on-an-array-of-internet-traffic.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Aug 15 14:59:21 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 15 Aug 2015 15:59:21 -0400
Subject: [Infowarrior] - Fwd: Dianne Feinstein is worried net neutrality might help the terrorists
References: <1439657478.10771.3.camel@herddog>
Message-ID: <2F723672-3E19-4C6D-AC6F-133F17F6F3C0@infowarrior.org>

--
It's better to burn out than fade away.

> Begin forwarded message:
>
> From: Chris B
>
> http://www.theverge.com/2015/8/14/9156699/dianne-feinstein-terrorism-net-neutrality
>
> In a remarkable feat, internet providers have apparently succeeded in making the net neutrality fight about terrorism. In a newly-published letter delivered to the Federal Communications Commission in May, Sen. Dianne Feinstein (D-Ca) raised concerns that the new net neutrality rules might be used to shield terrorists. In particular, Feinstein was concerned that Dzhokar Tsarnaev had studied bomb-making materials on the internet - specifically, online copies of AQAP's Inspire magazine - and that many broadband providers had complained to her that net neutrality rules would prevent them from honoring any orders to block that content.
>
> It's quite a bind, and in the letter, Feinstein entreats FCC chair Tom Wheeler to assure providers that it isn't true.
> The senator acknowledges that there are laws against material support for terrorism, and Title II only applies to legal web traffic, but "nonetheless, there is apparently confusion among at least some broadband providers on whether they may take such actions in order to promote national security and law enforcement purposes."
>
> This argument is nonsense for at least three different reasons. For one, there's no current effort to wipe Inspire off the internet entirely, nor is it clear what those grounds would be. If law enforcement agencies do want to take down a network of sites as a result of criminal activity, there's a clear process for them to do so. In fact, this happens all the time! Here's one example; here's another. This is not a real problem facing law enforcement agencies, and even if it were, it has nothing to do with Title II. The same Title II regulations have applied to landline telephones for years, and that hasn't stopped cops from singling out specific phone numbers for wiretaps or more drastic measures. Fast lane or no, you can still pull someone over if you've got the evidence to justify it.
>
> In other words, this isn't about terrorism; it's about broadband providers doing whatever they can to throw a wrench in the FCC's net neutrality proposals. After countless ill-fated lawsuits, providers seem to have decided that making a counter-terrorism case is their best bet, and Senator Feinstein, never one to back down from a counter-terrorism fight, seems to have taken the bait. Of course, it's alarming to see the specter of recent terrorist killings being used to cynically further an unrelated domestic policy agenda, but hopefully this is just a one-off kind of thing.
From rforno at infowarrior.org Sun Aug 16 11:04:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 16 Aug 2015 12:04:00 -0400
Subject: [Infowarrior] - New Pentagon rules may change war reporting
Message-ID:

New Pentagon rules may change war reporting
http://news.yahoo.com/pentagon-rules-may-change-war-reporting-032755501.html

Washington (AFP) - New guidelines in a US military war manual may change the rules for reporters covering conflicts, but it remains to be seen how the Pentagon will implement the new policy.

Media watchdog organizations have expressed shock and concern that reporters could be treated as "unprivileged belligerents" under the Defense Department's new Law of War Manual, which provides guidance for US commanders and others.

The Pentagon has insisted it "supports and respects the vital work that journalists perform." But some media advocates see too much room for maneuver in the guidelines.

Reporters Without Borders joined other organizations this past week in expressing concern, sending a letter to Defense Secretary Ashton Carter urging consultations on the issue.

In the letter to the US defense chief, the Paris-based group said it was concerned that journalists could lose "privileged" status in combat areas merely by "the relaying of information," which, according to the guidelines, "could constitute taking a direct part in hostilities."

"This terminology leaves too much room for interpretation, putting journalists in a dangerous situation," said the group's secretary general, Christophe Deloire, in the letter.

Deloire said governments "have a duty to protect journalists covering armed conflicts" under a United Nations resolution and that his group was "disappointed that this manual takes a step in the wrong direction."
The New York-based Committee to Protect Journalists expressed similar concerns last month, saying the Pentagon "has produced a self-serving document that is unfortunately helping to lower the bar" for press freedom.

And The New York Times, in an editorial this month, called for the repeal of provisions affecting media, warning they would make the work of journalists covering armed conflict "more dangerous, cumbersome and subject to censorship."

The newspaper said the rules could put reporters in the same category assigned to guerrillas or members of Al-Qaeda. Treating journalists as potential spies, the newspaper argued, feeds into the propaganda of authoritarian governments that attempt to discredit Western journalists by falsely accusing them of espionage.

Heidi Kitrosser, a professor of constitutional law at the University of Minnesota who follows issues of free speech and government secrecy, agreed on the potential for curbing press freedoms.

"The breadth of the manual's language and its potential applications is alarming," she told AFP.

She added that the shift "is troubling for its conflict with US constitutional principles and also for its potential invoking by authoritarian regimes to support their own suppression of journalists."

Steven Aftergood, who monitors US government secrecy at the Federation of American Scientists, said implementation of the policy will be critical, noting that it merely codifies existing practices and laws.

"A lot depends on how those laws are interpreted in practice," he told AFP. "What seems clear is that extreme positions on either side of the issue are mistaken. In other words, total suppression of news coverage of war is obviously unacceptable. But so is the notion of absolute press freedom."

Aftergood added "there are likely to be legitimate battlefield secrets that the military is within its rights to protect. But how to navigate between those extreme positions is less clear and is hard to state in the abstract."
"In the US, at least, constitutional values should lead us to favor freedom of the press," he said.

The Pentagon said some elements of the manual may have been misconstrued, but that it was willing to work to allay any concerns.

"We've begun reaching out to leaders in the media to initiate a dialog on the manual. We expect this discussion will begin soon," Lieutenant Colonel Joe Sowers told AFP.

In an earlier email, Sowers said that the Pentagon stands "by the legal accuracy of the manual."

"But the fact that it is being construed in the way it has been is something of major concern to us."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Aug 18 12:19:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 18 Aug 2015 13:19:40 -0400
Subject: [Infowarrior] - US to extend Internet oversight role
Message-ID: <957A51C3-3CA6-4A5D-80FC-01945E294581@infowarrior.org>

US to extend Internet oversight role
http://news.yahoo.com/us-extend-internet-oversight-role-100100771.html

San Francisco (AFP) - The US is extending its oversight of a body that controls part of the Internet's structure, the Department of Commerce said, postponing a possible handover of responsibilities to a private entity.

Assistant secretary for communications Lawrence Strickling posted an update Monday on plans to hand over domain name system oversight to a private body.

A plan under consideration would see the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) create a separate legal body that would be contracted to handle key technical functions of the online address system.

Such a system would help put to rest questions about why the US has a unique role in the functioning of the global Internet.
But Strickling said more work is needed before a handover is ready.

"It has become increasingly apparent over the last few months that the community needs time to complete its work, have the plan reviewed by the US Government and then implement it if it is approved," he wrote.

The extension allows the US to continue its current arrangement with ICANN until 2016, and extend for three more years if need be.

ICANN assigns domain names for the Internet including the ".com" or ".co" parts of addresses.

The US government in March 2014 outlined its plan to step away from its oversight role and fully privatize the functions of ICANN. ICANN published a report on the plan earlier this month.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 19 07:23:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 19 Aug 2015 08:23:55 -0400
Subject: [Infowarrior] - Chinese police arrest 15,000 for Internet crimes
Message-ID:

Translation: See, America? China takes cybercrime seriously, so stop blaming us for it all the time. --rick

Chinese police arrest 15,000 for Internet crimes
http://news.yahoo.com/chinese-police-arrest-15-000-internet-crimes-124628954.html

BEIJING (Reuters) - Police in China said on Tuesday they had arrested about 15,000 people for crimes that "jeopardized Internet security", as the government moves to tighten controls on the Internet.

Since taking over in 2013, President Xi Jinping has led an increasingly harsh crackdown on China's Internet, which the Communist Party views with greater importance and acknowledges it needs to control, academics and researchers say.

Police have investigated 7,400 cases of cyber crime, the Ministry of Public Security said in a statement on its website. It did not make clear over what period the arrests were made, but referred to a case dating to last December.

China launched a six-month program last month, code-named "Cleaning the Internet".
"For the next step, the public security organs will continue to increase their investigation and crackdown on cyber crimes," the ministry said. The campaign would also focus on breaking major cases and destroying online criminal gangs, it added.

The sweep targeted websites providing "illegal and harmful information" besides advertisements for pornography, explosives and firearms and gambling. In total, the police said they investigated 66,000 websites.

China runs one of the world's most sophisticated online censorship mechanisms, known as the Great Firewall. Censors keep a tight grip on what can be published, particularly material that could potentially undermine the ruling Communist Party.

In February, China's internet watchdog said it would ban from March 1 internet accounts that impersonate people or organizations, and enforce the requirement for people to use their real names when registering online accounts.

(Reporting by Sui-Lee Wee; Editing by Clarence Fernandez)

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 19 07:25:01 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 19 Aug 2015 08:25:01 -0400
Subject: [Infowarrior] - Police Snap Up Cheap Cellphone Trackers
Message-ID: <9FC0CF6F-772B-47F0-B447-96CFF787E006@infowarrior.org>

Police Snap Up Cheap Cellphone Trackers
Jennifer Valentino-DeVries
Updated Aug. 18, 2015 5:44 p.m. ET
http://www.wsj.com/articles/police-snap-up-cheap-cellphone-trackers-1439933271

Local law-enforcement agencies are buying cellphone-tracking equipment that is cheaper and smaller than earlier systems, according to documents reviewed by The Wall Street Journal, but it isn't always clear whether court orders are needed to use the devices.

The systems, which go by trade names such as "Jugular" and "Wolfhound," are handheld and sometimes come with antennas so small they can be attached to clothing, according to public documents.
The gadgets cost only a few thousand dollars each - far less than more sophisticated systems, and well within the reach of many local agencies.

"It's extremely affordable and literally fits in your hand," said Scott Schober, the president of Berkeley Varitronics Systems Inc., which makes the Wolfhound and several other cellphone and Wi-Fi detection systems.

The use of the devices to help locate specific cellphones, like many new types of surveillance, is cloaked in secrecy. The Journal contacted dozens of state and local agencies that had public records indicating they had likely purchased this type of phone-locating equipment. Some didn't respond. All others said they couldn't provide information on the devices, including the legal procedures the department follows before using them.

"We can't disclose any legal requirements associated with the use of this equipment," said Elise Armacost, a spokeswoman for the Baltimore County Police, which purchased Jugular and Trachea devices from KEYW Corp., according to the records. "Doing so may disclose how we use it, which, in turn, interferes with its public-safety purpose."

The tools are a reminder that surveillance technology is changing rapidly, becoming more accessible to smaller law-enforcement departments and presenting a challenge to lawmakers and civil-liberties advocates. More than a dozen states have recently passed laws limiting the use of location-tracking tools, for instance by requiring warrants for cellphone tracking except in emergency situations.

Unlike other cellphone-tracking methods, these covert devices might not require court orders under current federal laws, said Orin Kerr, a former federal prosecutor and law professor at George Washington University. That's because the Jugular and similar devices passively gather radio waves emitted whenever the phones communicate with a cell tower, according to public documents and people familiar with such tools.
The other tracking procedures involve more active and intrusive surveillance, such as recording routing data sent by a phone.

At least 25 state and local agencies appear to have bought such devices for investigative use since 2010, the first year the records showed such purchases, according to government purchase-order data reviewed by the Journal. The data, which are not comprehensive, were obtained from SmartProcure, a company that provides access to purchasing information submitted by state, local and federal agencies. In many cases, the devices are mentioned by name; some simply describe the equipment.

The largest purchaser of the passive cellphone-finding equipment in the SmartProcure records was the federal government, including the Defense and Justice department agencies such as the Drug Enforcement Administration. The Justice Department declined to comment; Defense didn't respond to a request for comment.

The local agencies buying the gear range from those in large cities to smaller enclaves such as Sunrise, Fla., as well as state agencies such as state police.

The Florida Department of Law Enforcement in 2011 and 2013 filed notices of its intent to buy this type of equipment from KEYW, a Hanover, Md., cybersecurity and intelligence company, saying the department "needs something which is more portable, more reliable and 'covert' in functionality, and is able to utilize advances in technology." The department declined to comment further.

KEYW declined to comment on its technology, except to say that this part of its business represents about 1% to 2% of its revenue.

David Bursten, the public information officer for the Indiana State Police, which purchased KEYW equipment in 2013 for $6,500 under a label of "recreational equipment," said the department wouldn't discuss investigative techniques. "Unfortunately, the criminal element reads the paper as well, and we are not interested in making a tough job tougher by educating the very criminals"
the department is fighting, he said.

Mr. Bursten didn't specify the legal requirements for use of the devices, but he said his agency seeks judicial review and follows court recommendations even in investigations that don't need court orders or search warrants. "This eliminates any question about the appropriateness of any particular investigative strategy," he said. He added that the labeling of the equipment as recreational was likely a mistake.

John Sawicki, an attorney and computer-forensic expert in Florida, said he hasn't seen a case in which these technologies have been mentioned. "It's absolutely something I will be on the lookout for," he said.

Experts familiar with the technology say there are several ways in which these tools are typically used. Some of the documents said the devices would be used with tools known as "stingrays," which act as fake cellphone towers and get phones in the area to link to them. Stingrays are larger and frequently mounted on surveillance vans or planes, and may cost more than $100,000 each.

Heath Hardman, a former signals analyst with the U.S. Marine Corps, said that based on the public documents, the covert equipment could be described as a "finishing tool," likely used "to locate a target phone with precision, up close and covertly," after another tracking method determines the phone's general area.

Mr. Schober, of Berkeley Varitronics, said such devices can also track phones without a stingray, if law enforcement sends a message to a phone and gets it to communicate with a tower. Or officers could wait for the phone to communicate with the tower on its own.

The Wolfhound device sold by Mr. Schober's company is most frequently used to locate cellphones in prisons and other places where they aren't allowed at all, and where there are no questions about the devices' legal use. But he said law enforcement had recently shown more interest in other uses.

"Passive detection"
devices don't allow officers to listen in on conversations, said Mr. Schober and others.

The devices are especially attractive to local agencies because of their price, Mr. Schober said. His company's Wolfhound Pro sells for $2,400. KEYW's tools are more sophisticated and pricier. According to purchase orders, its Jugular device costs about $6,500 to $8,500, depending on accessories.

Mr. Schober said the legal status of the devices has been a selling point: "A lot of the guys using it are saying, 'I don't have to tell anyone I'm using it - because your device is completely passive, so I'm not getting into any privacy issues,'" he said.

But Linda Lye, an attorney for the American Civil Liberties Union in California, said she worried that such tools would often be used to find cellphones inside people's homes. She believes this could violate the Fourth Amendment, which says people have the right to be secure from unreasonable searches in their homes.

Several civil-liberties and technology advocates said that if state lawmakers want to limit cellphone tracking, they should make sure their laws cover this passive technology. "Everyone is really behind the curve on this," said Daniel Rigmaiden, a civil-liberties advocate who provided initial public documents to the Journal and has been following such legislation.

Write to Jennifer Valentino-DeVries at Jennifer.Valentino-DeVries at wsj.com

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 19 07:28:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 19 Aug 2015 08:28:52 -0400
Subject: [Infowarrior] - Manipulation of feds' personal data is a major danger in OPM cyber heist
Message-ID: <8EB90DE7-D197-4A33-AEE4-F331AECA2B0C@infowarrior.org>

Manipulation of feds'
personal data is a major danger in OPM cyber heist
Federal Diary
By Joe Davidson
August 18 at 6:30 PM
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/08/18/manipulation-of-personal-data-is-a-bigger-danger-than-info-theft-in-opm-cyber-heist/?tid=hpModule_14fd66a0-9199-11e2-bdea-e32ad90da239

The Office of Personnel Management (OPM) data breach shows us how espionage is done in the digital world. It's not only about the theft of information, it's also about the potential manipulation of personal data. Records can be changed to make a federal employee appear less trustworthy or possibly destroyed to make a person disappear, at least in the computer files.

Meanwhile, about 22 million federal workers, contractors, job applicants and their families, whose information was stolen, are still waiting for some relief, if only in the form of the services the government promised after the two breaches were announced in June.

Almost all of the victims had their security clearance background investigation information stolen. They haven't been officially notified yet, nor have they been told how they will get the services, including identity restoration support, identity theft insurance, credit monitoring and fraud monitoring. Even the promised call center is still a promise.

[Weeks later, services for cyber theft victims still a work in progress]

News on that front is expected next week when the Obama administration plans to announce the outside contractor that will provide the services. "If you are affected, you will not be able to receive personalized information until notifications begin and the call center is opened," according to OPM.

Federal employees will just have to hope the thieves, allegedly Chinese government operatives, don't open bogus accounts at Wal-Mart. They probably have far more serious use for the data than that.
[Following the OPM data breach, Uncle Sam needs to step up recruitment of cyber talent]

In addition to stealing OPM's records, the cyber thieves could have destroyed or corrupted data, making it suspect and useless.

"The breach itself is issue A," said William "Bill" Evanina, director of the federal National Counterintelligence and Security Center. But what the thieves do with the information is another question. "Certainly we are concerned about the destruction of data versus the theft of data," he said. "It's a different type of bad situation."

Destroyed or altered records would make a security clearance hard to keep or get.

James Clapper, the director of national intelligence, told MSNBC last month "the next type of attack will involve deletion or manipulation of data as opposed to perhaps stealing it or denying service."

Jani Antikainen and Pasi Eronen, in an article on the Overt Action Web site, said that could result in the government not trusting its own personnel data, and therefore not its people. Nothing is worse than the loss of trust.

"Suddenly, cleared personnel would have different relatives and some suspicious names in their 'who do you know' networks," they wrote. "These unauthorized changes would thus deliver a massive blow to the trustworthiness of all data in the system... maliciously manipulating official forms and records on a large scale would turn them toxic and into a source of great mistrust."

Clapper's office has warned employees they could be hit by various social engineering tools "bad actors" could use "to gain your trust and extract further information or manipulate you to take actions you would not otherwise take."

The social engineering tools include phishing (for example, using an e-mail attachment to install malicious software), social media deception and human targeting. Using data gathered in the cyber theft could provide thieves the information needed to get close to a government worker with a security clearance.
Under human targeting, ODNI warned that employees "may unexpectedly meet someone at a venue of interest, such as a conference or child's school event, who shares your interests or views and establishes an ongoing relationship. Your new friend may test you by getting you to do seemingly small 'favors' for them or getting you to talk about trivial work-related information. Over time, trivial information may lead them to information that is of interest."

Similarly, ODNI said using social media deception "attackers may create a fake profile to befriend their victims while posing as a former acquaintance, job recruiter, or someone with a shared interest. Using a fake online persona, an attacker may try and get their victims to reveal more information about themselves or their employers."

While dangers from the breach for intelligence community workers posted abroad have "the highest risk equation," Evanina said "they also have the best training to prevent nefarious activity against them. It's the individuals who don't have that solid background and training that we're most concerned with, initially, to provide them with awareness training of what can happen from a foreign intelligence service to them and what to look out for."

Using stolen personal information to compromise intelligence community members is always a worry. "That's a concern we take seriously," he said. And one that will linger for a long time.

"This is not something we need to have our employees be worried about until Christmas, then it will go away," Evanina said. "This is an enduring threat."

--
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Aug 19 07:39:38 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 19 Aug 2015 08:39:38 -0400
Subject: [Infowarrior] - Notes on the Ashley-Madison dump
Message-ID: <410577A3-1EB4-45E0-8A7E-BBC1C4186000@infowarrior.org>

Notes on the Ashley-Madison dump
By Robert Graham
http://blog.erratasec.com/

Ashley-Madison is a massive dating site that claims 40 million users. The site is specifically for those who want to cheat on their spouse. Recently, it was hacked. Yesterday, the hackers published the dumped data.

It appears legit. I asked my twitter followers for those who had created accounts. I have verified multiple users of the site, one of which was a throw-away account used only on the site. Assuming my followers aren't lying, this means the dump is confirmed.

It's over 36-million accounts. That's not quite what they claim, but it's pretty close. However, glancing through the data, it appears that a lot of the accounts are bogus, obviously made up things for people who just want to look at the site without creating a "real" account.

It's heavily men. I count 28-million men to 5 million women, according to the "gender" field in the database (with 2-million undetermined). However, glancing through the credit-card transactions, I find only male names.

It's full account information. This includes full name, email, and password hash as you'd expect. It also includes dating information, like height, weight, and so forth. It appears to contain addresses, as well as GPS coordinates. I suspect that many people created fake accounts, but with an app that reported their real GPS coordinates.

Passwords hashed with bcrypt. Almost all the records appear to be protected with bcrypt. This is a refreshing change. Most of the time when we see big sites hacked, the passwords are protected either poorly (with MD5) or not at all (in "clear text", so that they can be immediately used to hack people).
Hackers will be able to "crack" many of these passwords when users chose weak ones, but users who chose strong passwords are safe.

Maybe 250k deleted accounts. There are about 250k accounts that appear to have the password information removed. I don't know why, maybe it's accounts that have paid to be removed. Some are marked explicitly as such, others imply that.

Partial credit card data. It appears to have credit card transaction data -- but not the full credit card number. It does have full name and addresses, though. This is data that can "out" serious users of the site.

You can download everything via BitTorrent. The magnet number is 40ae8a90de40ca3afa763c8edb43fc1fc47d75f1. If you've got BitTorrent installed, you can use this to download the data. It's 9.7 gigabytes compressed, so you'll need a good Internet connection.

The hackers call themselves the "Impact Team". Their manifesto is here. They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it's fun and #2 because they can. They probably used phishing, SQL injection, or re-used account credentials in order to break in.

Some stories in the press:
http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
http://arstechnica.com/security/2015/08/data-from-hack-of-ashley-madison-cheater-site-purportedly-dumped-online/
http://fusion.net/story/184982/heres-what-we-know-about-the-ashley-madison-hack/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 19 19:50:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 19 Aug 2015 20:50:36 -0400
Subject: [Infowarrior] - Under Armour goes lawsuit-crazy
Message-ID: <9D6F5B9C-4B5C-4054-8FA4-362F86A49244@infowarrior.org>

Under Armour is suing pretty much every company using the name "Armor"
http://www.washingtonpost.com/news/business/wp/2015/08/19/under-armour-is-suing-pretty-much-every-company-using-the-name-armor/

In 2013, a Bible-quoting high school football champ named Terrance Jackson, upset that most of the clothing options for his 3-year-old son were covered in skulls and crossbones, decided to start his own "inspirational apparel" company with a scripture-inspired name, Armor & Glory.

The family business hasn't grown much since then, printing a few hundred shirts and spending nothing on marketing outside of a 1,500-fan Facebook page. But it recently received some major attention from America's second-biggest sportswear empire, Under Armour, which demanded the small Maryland company change its name or face all-out legal war.

The trademark-infringement lawsuit filed this month in Maryland federal court has sparked a messy David-versus-Goliath battle in the fringes of American athletic wear and cast an unflattering spotlight on how fiercely the Baltimore-based giant intends to guard its brand and fight its way to the top.

But at a time when the fight for retail is getting tougher, the new lawsuit has also exposed just how messy protecting a trademark can get. Over the last year, Under Armour has taken aim at a series of companies mostly for using the word "Armor" in their names.

"It's trademark bullying at its finest. I'm the little kid in the group and they're trying to kick dirt on my new shoes," said Jackson, 37, who said the name came to him one morning, from "the full armor of God" cited in Ephesians 6:11. "When God gave this [name] to me, I never thought once about those guys. We don't even spell it like them."

In its lawsuit, Under Armour, the mega-brand whose "Protect This House" slogan and army of star athletes helped it sell more than $3 billion of sportswear last year, says Armor & Glory's name "is likely to cause confusion, mistake and deception" as to the two companies' connection, which would "dilute the distinctiveness"
and "further damage and irreparably injure" Under Armour's brand.

< - >

http://www.washingtonpost.com/news/business/wp/2015/08/19/under-armour-is-suing-pretty-much-every-company-using-the-name-armor/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Aug 20 07:53:47 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 08:53:47 -0400
Subject: [Infowarrior] - DOJ FOIA follies
Message-ID: <91AE09E9-BB60-45B1-93A5-6F3A5C636CA9@infowarrior.org>

DOJ Tells Me It Can't Find A Copy Of The Reason.com Gag Order Request It Already Released
https://www.techdirt.com/articles/20150814/18055031952/doj-tells-me-it-cant-find-copy-reasoncom-gag-order-request-it-already-released.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Aug 20 07:53:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 08:53:55 -0400
Subject: [Infowarrior] - Jeb Bush Comes Out (wrongly) Against Encryption
Message-ID: <325017B3-4FF8-4838-8AD7-954D51ADD9D3@infowarrior.org>

Jeb Bush Comes Out Against Encryption
Jenna McLaughlin
Aug. 19 2015, 3:40 p.m.
https://firstlook.org/theintercept/2015/08/19/jeb-bush-comes-encryption/

Republican presidential candidate Jeb Bush said Tuesday that encryption makes it harder for law enforcement to track down "evildoers" -- and called for a "much better, more cooperative relationship" with Apple, Google, and other tech companies that are building uncrackable private communication apps into their new products.

"If you create encryption, it makes it harder for the American government to do its job -- while protecting civil liberties -- to make sure that evildoers aren't in our midst," Bush said in South Carolina at an event sponsored by Americans for Peace, Prosperity, and Security, a group with close ties to military contractors.

Bush said, "We need to find a new arrangement with Silicon Valley in this regard because I think this is a very dangerous kind of situation."
But when the event moderator, former CNN anchor Jeanne Meserve, brought up scientists' conclusions that giving law enforcement special access to communications also gives hackers more access, Bush didn't explain his position any further. "Good point, except we ought to have much more cooperation when it comes to cybersecurity," he said.

Federal law enforcement officials, led by FBI Director James Comey, have been pressuring companies that are widely providing strong encryption, warning that the government is in danger of "going dark" when it comes to tracking criminals.

But computer scientists have been trying to explain for more than two decades that they can't provide law enforcement with special access to digital devices and services without inherently weakening them. Providing a "backdoor" to law enforcement is the same as drilling a hole into the system's security -- a hole that criminals can also exploit.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Aug 20 07:53:59 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 08:53:59 -0400
Subject: [Infowarrior] - Ashley Madison Still Trying To Abuse The DMCA To Hide Leak
Message-ID: <6521341E-7C78-4ECA-BB8F-B6358758EB74@infowarrior.org>

Ashley Madison Still Trying To Abuse The DMCA To Hide Leak
https://www.techdirt.com/articles/20150819/11522432008/ashley-madison-still-trying-to-abuse-dmca-to-hide-leak.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Aug 20 07:57:05 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 08:57:05 -0400
Subject: [Infowarrior] - Security State: Bag Checks at Movies, coming soon
Message-ID:

Largest U.S. movie chain searching bags after recent theater attacks
http://www.washingtonpost.com/news/morning-mix/wp/2015/08/20/largest-u-s-movie-chain-searching-bags-after-recent-theater-attacks/?tid=hp_mm

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Aug 20 08:02:02 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 09:02:02 -0400
Subject: [Infowarrior] - New data uncovers the surprising predictability of Android lock patterns
Message-ID: <2653F630-DB77-426B-A964-F6653988F02D@infowarrior.org>

New data uncovers the surprising predictability of Android lock patterns
http://arstechnica.com/security/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Aug 20 13:14:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 14:14:28 -0400
Subject: [Infowarrior] - Your Toner Is No Good Here: Region-Coding Ink Cartridges... For The Customers
Message-ID:

Your Toner Is No Good Here: Region-Coding Ink Cartridges... For The Customers

Everyone likes buying stuff with a bunch of built-in restrictions, right? The things we "own" often remain the property of the manufacturers, at least in part. That's the trade-off we never asked for -- one pushed on us by everyone from movie studios to makers of high-end cat litter boxes and coffee brewers. DRM prevents backup copies. Proprietary packets brick functions until manufacturer-approved refills are in place.

Here's another bit of ridiculousness, via Techdirt reader techflaws. German news outlet c't Magazin is reporting that Xerox printers are going further than the normal restrictions we've become accustomed to. For years, printer companies have made sure users' printers won't run without every single slot being filled with approved cartridges. This includes such stupidity as disabling every function (including non-ink-related functions like scanning) in all-in-one printers until the printer is fed.

< - >

https://www.techdirt.com/articles/20150815/02480731963/your-toner-is-no-good-here-region-coding-ink-cartridges-customers.shtml

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Aug 20 16:32:20 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 17:32:20 -0400
Subject: [Infowarrior] - AM subscribers included WH, Congress workers
Message-ID:

Cheating website subscribers included WH, Congress workers
By JACK GILLUM and TED BRIDIS
Aug. 20, 2015 4:45 PM EDT
http://bigstory.ap.org/article/065953e72e9649e0bc6efb69b06295ed/evidence-infidelities-spreads-online-wake-hack

WASHINGTON (AP) -- Hundreds of U.S. government employees -- including some with sensitive jobs in the White House, Congress and law enforcement agencies -- used Internet connections in their federal offices to access and pay membership fees to the cheating website Ashley Madison, The Associated Press has learned.

The AP traced many of the accounts exposed by hackers back to federal workers. They included at least two assistant U.S. attorneys; an information technology administrator in the Executive Office of the President; a division chief, an investigator and a trial attorney in the Justice Department; a government hacker at the Homeland Security Department and another DHS employee who indicated he worked on a U.S. counterterrorism response team.

Few actually paid for their services with their government email accounts. But AP traced their government Internet connections -- logged by the website over five years -- and reviewed their credit-card transactions to identify them. They included workers at more than two dozen Obama administration agencies, including the departments of State, Defense, Justice, Energy, Treasury, Transportation and Homeland Security. Others came from House or Senate computer networks.

The AP is not naming the government subscribers it found because they are not elected officials or accused of a crime.

Hackers this week released detailed records on millions of people registered with the website one month after the break-in at Ashley Madison's parent company, Toronto-based Avid Life Media Inc.
The website -- whose slogan is, "Life is short. Have an affair" -- is marketed to facilitate extra-marital affairs.

Many federal customers appeared to use non-government email addresses with handles such as "sexlessmarriage," "soontobesingle" or "latinlovers." Some Justice Department employees appeared to use pre-paid credit cards to help preserve their anonymity but connected to the service from their office computers.

"I was doing some things I shouldn't have been doing," a Justice Department investigator told the AP. Asked about the threat of blackmail, the investigator said if prompted he would reveal his actions to his family and employer to prevent it. "I've worked too hard all my life to be a victim of blackmail. That wouldn't happen," he said. He spoke on condition of anonymity because he was deeply embarrassed and not authorized by the government to speak to reporters using his name.

The AP's analysis also found hundreds of transactions associated with Department of Defense networks, either at the Pentagon or from armed services connections elsewhere. Defense Secretary Ash Carter confirmed the Pentagon was looking into the list of people who used military email addresses. Adultery can be a criminal offense under the Uniform Code of Military Justice.

"I'm aware of it," Carter said. "Of course it's an issue because conduct is very important. And we expect good conduct on the part of our people. ... The services are looking into it and as well they should be. Absolutely."

The AP's review was the first to reveal that federal workers used their office systems to access the site, based on their Internet Protocol addresses associated with credit card transactions. It focused on searching for government employees in especially sensitive positions who could perhaps become blackmail targets.

The government hacker at the Homeland Security Department, who did not respond to phone or email messages, included photographs of his wife and infant son on his Facebook page.
One assistant U.S. attorney declined through a spokesman to speak to the AP, and another did not return phone or email messages. A White House spokesman said Thursday he could not immediately comment on the matter. The IT administrator in the White House did not return email messages.

Federal policies vary for employees by agency as to whether they would be permitted during work hours to use websites like Ashley Madison, which could fall under the same category as dating websites. But it raises questions about what personal business is acceptable -- and what websites are OK to visit -- for government workers on taxpayer time, especially employees who could face blackmail.

The Homeland Security Department rules for use of work computers say the devices should be used only for official purposes, though "limited personal use is authorized as long as this use does not interfere with official duties or cause degradation of network services." Employees are barred from using government computers to access "inappropriate sites" including those that are "obscene, hateful, harmful, malicious, hostile, threatening, abusive, vulgar, defamatory, profane, or racially, sexually, or ethnically objectionable."

The hackers who took credit for the break-in had accused the website's owners of deceit and incompetence, and said the company refused to bow to their demands to close the site. Avid Life released a statement calling the hackers criminals. It added that law enforcement in both the U.S. and Canada is investigating and declined comment beyond its statement Tuesday that it was investigating the hackers' claims.

___

Associated Press writers Alicia Caldwell and Lolita C. Baldor in Washington and Raphael Satter in London contributed to this report.

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Aug 20 17:36:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 18:36:36 -0400
Subject: [Infowarrior] - Google Ordered to Remove Links to Stories About Google Removing Links to Stories
Message-ID: <4331DE08-E777-45AD-A9A0-BEB212A5B022@infowarrior.org>

Google Ordered to Remove Links to Stories About Google Removing Links to Stories
Kate Knibbs
Filed to: Meta
8/20/15 5:45pm
http://gizmodo.com/google-ordered-to-remove-links-to-stories-about-google-1725473144

Europe's "Right to be forgotten" laws have come to an apex of dumb: The UK's Information Commissioner's office has ordered Google to remove links to stories about Google removing links to stories. My brain hurts.

Google has 33 days to take down links to stories about a previous "Right to be forgotten" order. Last year, the EU created a mechanism for people to ask Google to scrub certain results from searches for their names. Hundreds of thousands of links were purged as people polished their digital histories.

One was a person from the UK who wanted to remove references to a minor crime they committed 10 years ago. Google took down links referencing the criminal history of this person in results from searches for their name. Then Google's capitulation to Europe's regulation made news, and some of those news stories referenced the individual by name.

And that's when things got weird. Basically, the Streisand Effect prompted an ouroboros of historical revisionism. Now Google has to remove references to the news about removing references from results on searches for this person's name.

"The commission does not dispute that journalistic content relating to decisions to delist search results may be newsworthy and in the public interest," Deputy Information Commissioner David Smith wrote in a statement, acknowledging that the IC was asking that Google block access to legitimate journalism.
Smith continued: "However, that interest can be adequately and properly met without a search made on the basis of the complainant's name providing links to articles which reveal information about the complainant's spent conviction."

Smith fails to mention how the IC will handle purging news stories about the news stories about purging the news stories about purging news stories, or how it will handle purging news stories about purging news stories about the news stories about purging the news stories.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Aug 20 19:48:59 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Aug 2015 20:48:59 -0400
Subject: [Infowarrior] - Spotify's New Privacy Policy is Atrocious
Message-ID:

Spotify's New Privacy Policy is Atrocious
http://gizmodo.com/wow-spotifys-new-privacy-policy-is-atrocious-1725495810

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 21 07:50:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Aug 2015 08:50:29 -0400
Subject: [Infowarrior] - DOJ Issues First Annual Media Subpoena Report
Message-ID: <728A6674-A72E-4C0A-B5CF-E3B05C4FE317@infowarrior.org>

DOJ Issues First Annual Media Subpoena Report
https://www.techdirt.com/articles/20150820/07283832013/doj-issues-first-annual-media-subpoena-report.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 21 08:04:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Aug 2015 09:04:34 -0400
Subject: [Infowarrior] - NSA preps quantum-resistant algorithms to head off crypto-apocalypse
Message-ID: <6B4CFBB8-1994-4121-9053-2280354EAF85@infowarrior.org>

NSA preps quantum-resistant algorithms to head off crypto-apocalypse
Quantum computing threatens crypto as we know it. The NSA is taking notice.
by Dan Goodin - Aug 21, 2015 7:02am EDT
http://arstechnica.com/security/2015/08/nsa-preps-quantum-resistant-algorithms-to-head-off-crypto-apocolypse/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 21 11:59:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Aug 2015 12:59:45 -0400
Subject: [Infowarrior] - Spotify Clears Up Its Controversial Privacy Policy
Message-ID: <23FC0613-8FF9-4EFD-B4EE-246782B4B65E@infowarrior.org>

Spotify Clears Up Its Controversial Privacy Policy
By Brian Barrett, Security
https://www.wired.com/2015/08/spotify-clears-up-its-privacy-policy/

Yesterday, Spotify's new privacy policy created quite a stir. Today, the company released a statement in which CEO Daniel Ek clarified how exactly the privacy permissions would be used.

"Let me be crystal clear here: If you don't want to share this kind of information, you don't have to. We will ask for your express permission before accessing any of this data -- and we will only use it for specific purposes that will allow you to customize your Spotify experience."

In other words, these will enable opt-in experiences, something that Spotify regrettably neglected to mention when it first announced the changes. The app won't go scanning for your photos, but it's reserving the right to access them if and when you want it to. The privacy settings don't seem quite so creepy in that light.

Even more helpful? Putting what Spotify is asking for in the context of its contemporaries. We read through the Android app privacy policies of Pandora, Rdio, Tidal, Google Play Music, and Beats Music (soon to be Apple Music) to see which of the Spotify permissions that have rankled people show up there as well. As it turns out, most streaming-music apps ask for similar things, and often for good reason.
Most of the concern centers around three categories: the collection of locally stored contacts, photos, or media files; location and sensor data; and sharing information with third parties. That's what we'll focus on below.

< - >

To some of you, that may sound creepy. If so, you are probably right to leave Spotify for something less invasive. That's also, though, the inherent trade-off for playlists that can (very well, anecdotally) anticipate your needs based on where you are and when.

Third parties: This is the arguably gross part, but it's also not new or unique. Advertising is a part of staying in business, and Spotify shares data (which it says is "de-identified," as opposed to specific personal information) with "partners who help [them] with marketing and advertising efforts." Besides which, all apps need to allow at least some form of third-party communication in cases of legal liability. This is about as standard as it gets.

Unfortunately, there's no way for Spotify to fine-tune the permissions language that Android uses to show users what an app wants and needs to access. That, combined with a too-vague description of the new policy, landed the company in some hot water. Today's statement goes a long way to ease those concerns.

There's an even better solution on the horizon, though. Starting in Android 6.0 (Marshmallow), which will be released later this fall to select devices and eventually trickle its way down throughout the Android ecosystem, you'll be able to allow specific permissions within every app you use. Don't want Rdio to access your calendar? You can block it, but allow everything else. It's a much more user-friendly way to manage access to your phone, at least until you realize just how important some of the permissions are to basic features and functions.

Spotify's not perfect, and it could do well to not reach so deeply into your privacy cookie jar (and to be clearer about why it wants to in the first place).
Before you cancel your subscription, though, it's important to understand two things. First, for better or worse it's using this intel to help build a better product. Second, you're going to be giving away basically the same access anywhere you turn.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 21 13:07:38 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Aug 2015 14:07:38 -0400
Subject: [Infowarrior] - Army graduates first female Rangers
Message-ID:

Army graduates first female Rangers
Jonathan Serrie
http://www.foxnews.com/politics/2015/08/21/army-graduates-first-female-rangers/

FORT BENNING, Ga. -- They are the first women to wear the prestigious Ranger tab.

In a Friday morning ceremony at the Army's Ranger headquarters in Fort Benning, Georgia, 1st Lt. Shaye Haver and Capt. Kristen Griest graduated from the Army's elite Ranger School, ending its six decade history as an all-male institution.

"I think that if females continue to come to this course that they can be encouraged by what we have accomplished," Haver said. "But hopefully they're encouraged by the legacy of the Rangers community as well. It was good enough to make us come. It was good enough to help force ourselves through."

Both female and male members of the Ranger class endured weeks of limited food and sleep, while performing combat-related tasks in rugged environments -- including woods, mountains and swamps. Army officials say they were under no pressure to give the women preferential treatment.

"What we've been very consistent on is we said there would be no change in standards," Maj. Gen. Scott Miller, commander of the Maneuver Center of Excellence at Fort Benning, said.

Both male and female soldiers say they would not have wanted it any other way.

"No woman that I know wanted to go to Ranger School if they changed the standards, because then it degrades what the tab means," Griest said.
"It would lower training for everyone and reduce that quality of training for the entire Army."

Some of the male Rangers admit they were initially skeptical about their female counterparts' ability to succeed on the rugged course. But that quickly changed for 2nd Lt. Michael Janowski, when he had to ask his fellow soldiers to help him haul a particularly heavy load.

"I got a lot of deer in the headlights looks," Janowski recalled. "A lot of people were like, 'I can't take any more weight.' Shay was the only one who volunteered to take that weight. She took the weight off me. She carried it up the last half of the road. It literally saved me. I probably wouldn't be sitting here now if it weren't for Shay."

Although the female graduates now wear the prestigious tab and are considered Rangers, they are still barred from serving in the infantry and Special Operations units, including the 75th Ranger Regiment. However, that may change as the military assesses plans to integrate women into positions traditionally restricted to men only.

"I think the decisions to open up further combat units, of course, will be up to senior leaders in the military," Griest said. "But I do hope that my performance in Ranger School has been able to inform that decision, as to what they can expect from women in the military -- that we can handle things physically and mentally on the same level as men."

Jonathan Serrie joined Fox News Channel (FNC) in April 1999 and currently serves as a correspondent based in the Atlanta bureau.

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Aug 21 15:22:20 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Aug 2015 16:22:20 -0400
Subject: [Infowarrior] - Feds Keep Magically Finding Documents They Insisted Didn't Previously Exist
Message-ID:

Feds Keep Magically Finding Documents They Insisted Didn't Previously Exist
from the funny-how-that-works dept
https://www.techdirt.com/articles/20150819/16391232010/feds-keep-magically-finding-documents-they-insisted-didnt-previously-exist.shtml

We just wrote about a FOIA request where the government said there were no responsive documents, even though it had already released the very responsive document. It appears that this kind of thing is a common problem in the government -- and it doesn't seem to get solved until you sue the government. Here are two examples.

First up, Gawker had sought the email communications of Hillary Clinton deputy Philippe Reines, focused on his conversations with journalists. The State Department came back with a no responsive records reply, which was clearly bullshit, since Reines was known for regularly emailing reporters. So Gawker sued and guess what just happened: the State Department just magically found 17,855 emails that are likely responsive. How about that?

Next, we've got Vice, where "FOIA terrorist" Jason Leopold is employed. As you may remember, back in 2014, Ed Snowden claimed that he had made multiple attempts at raising concerns internally at the NSA. Eventually, the Director of National Intelligence released a single email between Snowden and the NSA's General Counsel, which was just asking a specific question. The NSA did hint (in a different FOIA request response) at the likelihood of there being more emails it didn't plan to release. Leopold sent a more specific FOIA request to the NSA... and was told there were "no responsive documents." And, as he's done more than basically anyone, Leopold sued.
And at a hearing in that case, the government is now admitting that there are three more emails that Snowden sent to the NSA's Oversight & Compliance Office, though the DOJ claims that none of these emails were actually raising questions about NSA surveillance.

It's certainly possible that, in this case, it's true that there really were no more responsive documents, but the late addition noting these three other emails, once again, suggests that when sued, the government suddenly starts finding more documents than when directly asked under FOIA.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Aug 22 07:57:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 22 Aug 2015 08:57:50 -0400
Subject: [Infowarrior] - OT: Five Hundo
Message-ID: <5BA71DA5-F888-4B19-8EFC-CEEF0E21B4DB@infowarrior.org>

Five Hundo
Posted August 21, 2015 by Joshua M Brown
http://thereformedbroker.com/2015/08/21/five-hundo/

You'll read all the superlatives this weekend..... Biggest one-day drop since _____. Ninth largest ____ ever. Greatest spike in the Vix since ____. 4 out of every 5 ____ have now fallen ____ percent. On and on.

It's a parlor game. Maybe this kind of thing is helpful for context. Maybe it's just rubbernecking. Whatever.

What's really important is to remember that days like today are why we call them risk assets.

The S&P 500 historically provides you with a 7% average annual real return over the long term. That's doubling your money roughly every 10 years. But 7% average annual returns are not the same as 7% annual returns. The word "average" appears in that statement. How are averages formed? By pinging violently back and forth between extremely varied numbers, such as +30% and -16% and +9% and -22% etc. In fact, you almost never get the long-run 7% on the nose in any given calendar year.

The asset class that has historically doubled your money every ten years is equally capable of making you feel like shit on the way there.
Fortunately, never for very long.

Have a good weekend and pat yourself on the back. The pain of today is where the rewards of tomorrow originate from.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Aug 22 07:58:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 22 Aug 2015 08:58:37 -0400
Subject: [Infowarrior] - OT: 5 Things Investors Shouldn't Do Now
Message-ID: <4EE888CA-F91A-4E7E-B1C5-D635BAE035AC@infowarrior.org>

5 Things Investors Shouldn't Do Now

Stocks slumped world-wide this week, with U.S. and European markets off more than 5% and the Shanghai Composite Index losing more than 11%. Oil prices also skidded, dropping more than 6%. Traders feared that slowing growth in China, the devaluation of the Chinese currency and the overhang of too much debt could stifle global economic recovery. Here are five things you should know about how not to react.

21 Aug 2015 5:38pm
By Jason Zweig

1. Don't fixate on the news.

The more often you update yourself on the market's fluctuations, the more volatile and risky it will appear to you -- even though short, sharp declines of 5% to 25% are common. The U.S. stock market has, in the past few years, been extraordinarily placid by historical standards. Even the sudden drops of the past few days are well within the long-term norm. Fixating on fluctuations in the short term will make it harder for you to remain focused on your long-term investing goals.

2. Don't panic.

While stocks are certainly not cheap, they aren't wildly overpriced, given today's levels of interest rates and inflation. U.S. stocks are trading at 24.9 times the average of their long-term, inflation-adjusted earnings, according to data from Yale University economist Robert Shiller -- down from 27 in February. Over the full sweep of bull and bear markets in the past 30 years, they've traded at an average of 23.8 times adjusted earnings.

3. Don't be complacent.
You should use the latest turbulence as a pretext to ask yourself honestly whether you are prepared to withstand a much worse decline. Did you make it through the epic bear market of 2007-09 without selling all your stocks? Are you extremely well diversified, with plenty of cash, some bonds, and with large and small stocks from markets around the world? Then you can probably weather a further decline. But if you sold in earlier bear markets or you are heavily concentrated in a few stocks or sectors, you should consider raising some cash or diversifying more broadly to protect against the risk that you will take even more drastic action at the worst time.

4. Don't get hung up on the talk of a "correction."

A correction is typically defined as a decline in price of 10% on a widely followed index like the S&P 500 or Dow Jones Industrial Average. The term doesn't have official status, however; until fairly recently, declines of 5% and even 15% or 20% were often called "corrections." A market decline of 10% has no real significance in and of itself. What matters is the outlook for the future; that doesn't depend on whether the market is down 10.2% rather than 9.8%.

5. Don't think you, or anyone else, knows what will happen next.

After a market drop, or at any other time, no one knows what the market will do next. The one thing you can be fairly sure of is that the louder and more forcefully a market pundit voices his certainty about what is going to happen next, the more likely it is that he will turn out to be wrong. Stocks could drop another 10% from here, or another 25% or 50%; they could stay flat; or they could go right back up again. Diversification and patience, and, above all, self-knowledge, are your best weapons against this irreducible uncertainty.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Aug 22 07:59:24 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 22 Aug 2015 08:59:24 -0400
Subject: [Infowarrior] - Fwd: [IP] Boston Public Broadcaster WGBH Files Bogus DMCA Notice On Public Domain Video Uploaded By Carl Malamud
References: 
Message-ID: <1B7C0887-1F6F-49C0-9452-CD8F83C232C2@infowarrior.org>

-- 
It's better to burn out than fade away.

> Begin forwarded message:
> 
> From: "Dave Farber"
> Subject: [IP] Boston Public Broadcaster WGBH Files Bogus DMCA Notice On Public Domain Video Uploaded By Carl Malamud
> Date: August 22, 2015 at 12:12:14 AM EDT
> To: "ip"
> Reply-To: dave at farber.net
> 
> ---------- Forwarded message ----------
> From: Lauren Weinstein
> Date: Friday, August 21, 2015
> Subject: [ NNSquad ] Boston Public Broadcaster WGBH Files Bogus DMCA Notice On Public Domain Video Uploaded By Carl Malamud
> To: nnsquad at nnsquad.org
> 
> Boston Public Broadcaster WGBH Files Bogus DMCA Notice On Public Domain Video Uploaded By Carl Malamud
> 
> https://www.techdirt.com/articles/20150821/16573132031/boston-public-broadcaster-wgbh-files-bogus-dmca-notice-public-domain-video-uploaded-carl-malamud.shtml
> 
> The latest is that he was alerted to the fact that YouTube had taken down a video that he had uploaded, due to a copyright claim from WGBH, a public television station in Boston. The video had nothing to do with WGBH at all. It's called "Energy -- The American Experience" and was created by the US Dept. of Energy in 1974 and is quite clearly in the public domain as a government creation (and in case you're doubting it, the federal government itself lists the video as "cleared for TV"). WGBH, on the other hand, has nothing whatsoever to do with that video.
> It appears that some clueless individual at WGBH went hunting for any videos having to do with the PBS show WGBH produces, called American Experience, and just assumed that, based on the title, the public domain video that Malamud uploaded was infringing. Because that's the level of "investigation" that apparently the censorious folks at WGBH do when looking to issue takedown notices. Malamud reached out to WGBH and apparently the folks there were most unhelpful. The station's general counsel refused to apologize and simply told Carl that since "American Experience" was "unusual" to be in the title, it was okay for them to issue a bogus DMCA notice. Another lawyer, Eric Brass, told Malamud that they wouldn't be able to do anything about it until next week.
> 
> - - -
> 
> Next time WGBH has a pledge drive, keep this event in mind.
> 
> --Lauren--
> Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 


From rforno at infowarrior.org Sat Aug 22 17:41:56 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 22 Aug 2015 18:41:56 -0400
Subject: [Infowarrior] - Torrent Trackers Ban Windows 10 Over Privacy Concerns
Message-ID: 

Torrent Trackers Ban Windows 10 Over Privacy Concerns
By Ernesto, on August 22, 2015
https://torrentfreak.com/torrent-trackers-ban-windows-10-over-privacy-concerns-150822/

The level of Windows 10 paranoia reached new heights this week when reports suggested that Microsoft would wipe torrents and pirated software from people's hard drives. Nonsense, of course, but all the recent privacy concerns were enough to have the operating system banned from several torrent trackers.

Since the release of Windows 10 last month many media reports have focused on various privacy intrusions. The WiFi password sharing feature, for example, or the extensive sharing of personal data and information back to Microsoft's servers.
The list goes on and on. While we're the last ones to defend these policies, it is worth pointing out that many other large tech companies have similar privacy violating policies. Reading rants about Windows 10 privacy on Facebook is particularly ironic.

This week things took a turn for the worse. Slowly but steadily reports started pouring in that Windows 10 has a built-in piracy kill switch. If we were to believe some of the reports, Microsoft would nuke all torrents downloaded from The Pirate Bay.

The truth is nowhere near as dystopian though. The controversy originates from a single line in Microsoft's Service Agreement which allows the company to download software updates and configuration changes that may prevent people from "playing counterfeit games." This change isn't limited to Windows 10 but covers many services. Also, there is no indication that this will ever be used to target third-party games, which is highly unlikely.

Still, the recent privacy concerns have some torrent tracker staffers worried. During the week TF received reports informing us that several private trackers have banned Windows 10, or are considering doing so.

The staffers at iTS explain that Windows 10 is off-limits now because of the extensive amount of data it shares. This includes connections to MarkMonitor, the brand protection company which is also involved in the U.S. Copyright Alert System.

"Unfortunately Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy companies, called MarkMonitor," iTS staff note.

"Amongst other things Windows 10 sends the contents of your local disks directly to one of their servers. Obviously this goes way too far and is a serious threat to sites like ours which is why we had to take measures," they add.

While this may sound scary, Microsoft has been working with MarkMonitor for years already.
Among other things, the company helps to keep scammers at bay. There is no evidence that any piracy related info is being shared.

Still, the connection is raising red flags with other tracker operators as well. More trackers reportedly ban Windows 10 and others including BB and FSC are considering following suit.

"We have also found [Windows 10] will be gathering information on users' P2P use to be shared with anti piracy group," BB staff writes to its users.

"What's particularly nasty is that apparently it sends the results of local(!!) searches to a well known anti piracy company directly so as soon as you have one known p2p or scene release on your local disk - BAM!"

The same sentiment is shared at FSC where staff also informed users about the threat.

"As we all know, Microsoft recently released Windows 10. You as a member should know, that we as a site are thinking about banning the OS from FSC. That would mean you cannot use the site with the OS installed," FSC staff writes.

While a paranoid mindset is definitely not a bad thing for people in the business of managing a torrent community, banning an operating system over privacy concerns is a bit much for most. Especially since many of the same issues also affect earlier versions of Windows.

Luckily, the most invasive privacy concerns can be dealt with by configuring Windows properly. Or any other operating system, application or social network for that matter. Instead of banning something outright, it may be a good idea to inform the public on specific dangers and educate them on how they can be alleviated.

-- 
It's better to burn out than fade away.

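The article closes by saying the concerns it describes are better handled by configuring Windows than by banning it, without saying what that configuration is. The following is an added example of what it looks like in practice; it is editor-supplied code, not from TorrentFreak, Microsoft, or any of the trackers quoted above. It assumes Windows 10 as shipped in 2015, run from an elevated PowerShell prompt, and that the registry policy paths and the DiagTrack service name in the comments are the ones Microsoft documented at the time (stated here as assumptions). The final step is the check a tracker admin would actually want: instead of taking the article's word, or the setting's, for what the machine talks to, list the live outbound connections and the processes that own them.

```powershell
# Added example: reduce Windows 10 data sharing by policy, then verify.
# Assumptions (not from the article): the registry paths, value names and
# service name below are those documented for Windows 10 in 2015.
# Run as Administrator.

$ErrorActionPreference = 'Stop'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the policy key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Telemetry level. 0 = "Security". Per Microsoft's documentation at the time,
#    0 is only honoured on Enterprise/Education; Home and Pro floor at 1 = Basic.
Set-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry' 0

# 2. Stop and disable the telemetry upload service (Connected User Experiences and Telemetry).
Stop-Service -Name DiagTrack -Force
Set-Service  -Name DiagTrack -StartupType Disabled

# 3. Wi-Fi Sense, the "WiFi password sharing feature" the article refers to:
#    no hotspot reporting and no automatic joining of networks shared by contacts.
Set-PolicyDword 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting' 'Value' 0
Set-PolicyDword 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots' 'Value' 0

# 4. Verify the settings took effect.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' | Select-Object AllowTelemetry
Get-Service -Name DiagTrack | Select-Object Name, Status, StartType

# 5. The check that matters: who is the machine actually talking to right now?
#    Resolve each established TCP connection to its owning process so that a claim
#    like "it phones MarkMonitor" can be confirmed or refuted on this host.
Get-NetTCPConnection -State Established |
    Select-Object RemoteAddress, RemotePort, OwningProcess,
        @{ Name = 'Process'; Expression = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object Process, RemoteAddress |
    Format-Table -AutoSize
```

Step 5 deliberately reports raw remote addresses rather than names: resolve them separately (whois, reverse DNS) so that a shared CDN or cloud address is not mistaken for a specific company, which is the kind of inference the tracker notices quoted above appear to rest on.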
From rforno at infowarrior.org Sat Aug 22 18:03:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 22 Aug 2015 19:03:49 -0400
Subject: [Infowarrior] - Republicans think if your data is encrypted, the terrorists win
Message-ID: <17E11D76-848E-4D82-98E8-17670B879C76@infowarrior.org>

Republicans think if your data is encrypted, the terrorists win
Trevor Timm

Encryption, used in everything from online banking to email, is so ubiquitous, one wonders if candidates have ever talked to a computer scientist

http://www.theguardian.com/commentisfree/2015/aug/22/republicans-think-encrypted-data-terrorists-win

Saturday 22 August 2015 07.00 EDT
Last modified on Saturday 22 August 2015 07.03 EDT

Jeb "I'm my own man" Bush sounds more and more like his know-nothing ex-president brother every day. This time, in between defending the Iraq War and saying he might bring back torture if elected president, he's demanding that tech companies stop letting billions of the world's citizens use encryption online to protect their information because of "evildoers."

Bush's comments echo the dangerous sentiments of FBI director Jim Comey, who has publicly campaigned against Apple and Google for attempting to make our cell phones and communications safer by incorporating strong encryption in iPhones and Android devices.

At a campaign stop earlier this week Jeb Bush said: "If you create encryption, it makes it harder for the American government to do its job - while protecting civil liberties - to make sure that evildoers aren't in our midst."

There are so many things wrong with that statement it's hard to know where to start. First of all, he seems to either be attacking, or just doesn't understand, that the entire internet - and much of the economy really - is based around strong encryption. Every time he logs onto his email, uses online banking or wants to check his medical records online, there is some form of encryption that is protecting his data from criminals.
So the fact that technology companies are "creating" encryption protects all of us.

He was likely talking about end-to-end encryption implemented by Apple and the popular messaging app WhatsApp that lock out even the companies themselves to the content of text messages, so that only the two people talking to each other can ever see them. While opponents claim this is "helping terrorists," even the most pro-government former intelligence officials readily admit there are still plenty of ways to track criminals who use encryption, and by attempting to outlaw it we put billions of completely innocent people at a much higher risk of having their personal information stolen by foreign governments or criminals.

Unfortunately, Bush's comments seem to be part of a pattern with the 2016 presidential candidates, none of whom seem to understand the basic precepts of technology, and the critical role encryption plays in all of our cybersecurity.

Republican candidate Carly Fiorina, who has been getting a lot of attention in recent weeks, sounded even more out of touch at the second-tier Republican debate a couple weeks ago when she lamented that companies need to "tear down cyberwalls" when asked about whether Apple and Google should be implementing end-to-end encryption. Putting aside the fact that "cyberwalls" are not a thing, it's quite disturbing that candidates are so willing to undermine the backbone of the internet so off-handedly. Fiorina, who, by virtually all accounts, was a failure as CEO of Hewlett-Packard ten years ago, showed off her (lack of) technical knowledge.

While she may have been joking, even Hillary Clinton's comment about "wiping" her notorious email server "with a cloth" is distressing as well. Her own comments on the encryption issue, while vague, did not give the sense that she understands the issue either.

It begs the question: how many candidates have technologists or computer scientists advising their campaigns?
Given how almost every week there is yet another security breach at a major company, and that voters are concerned about their online privacy, you'd think at least some of the candidates would attempt to capitalize on it by merely having a coherent policy that does not make them sound like they've never touched a computer (or sent a fax) before without the assistance of their aides.

Strong end-to-end encryption is one of the best defenses against the massive cyber-attacks that have become all too frequent. If there is not a giant pile of data that is accessible by anyone, then the criminals can't get it either.

While it's still shameful that the current White House has refused to rein in its FBI director's dangerous plans, at least behind the scenes White House officials reportedly know it's a dangerous idea and President Obama deserves a bit of credit for acknowledging how important encryption is in many circumstances.

In the modern world, the importance of strong encryption cannot be overstated. When will our presidential candidates understand that?

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Sun Aug 23 15:48:30 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 23 Aug 2015 16:48:30 -0400
Subject: [Infowarrior] - OT: Guide to Stock Market Corrections
Message-ID: 

For those who worry what next week will bring, may I present some voice of sanity and reason ....

Guide to Stock Market Corrections
http://www.ritholtz.com/blog/2013/12/guide-to-stock-market-corrections/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Aug 24 16:46:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Aug 2015 17:46:28 -0400
Subject: [Infowarrior] - Courts Will Let the FTC Punish Companies for Bad Cybersecurity
Message-ID: 

Courts Will Let the FTC Punish Companies for Bad Cybersecurity
Adam Clark Estes
Filed to: FTC
8/24/15 2:45pm
http://gizmodo.com/courts-will-let-the-ftc-punish-companies-for-bad-cybers-1726165129

Last week, hackers released a ton of data stolen from Ashley Madison, and scared the shit out of internet users everywhere. Now, with an uncanny sense of timing, an appeals court says the Federal Trade Commission has the power to regulate companies' cyber security. That's good news for you!

A United States appeals court just unanimously upheld a lower court ruling that will let the FTC pursue a lawsuit against Wyndham Hotels for not protecting its customers' personal financial data. Hackers pulled off a hat trick of breaches back in 2008 and 2009 that ultimately led to the theft of well over half a million Wyndham guests' credit card information. The FTC's rather sensical argument for Wyndham's failure was that the hospitality company "unreasonably and unnecessarily" left its customer information available to hackers. Wyndham accused the government of overreaching, but when you step back and think about it, this is exactly why the FTC exists: to protect consumers.

Protecting consumer data is fairly new but well precedented territory for the FTC. While the agency has a long history of defending consumers against identity theft and breaches in health information, the increasing frequency of hacks into companies that store financial data shows that consumers remain at risk. The FTC is considering a case against Target, for instance, over the hack that exposed the credit card numbers of as many as 40 million Target customers.
Today's appellate court ruling will provide further precedent for the FTC to take action, and if Wyndham appealed, the Supreme Court would have to get involved. Circuit Judge Thomas Ambro called Wyndham's argument alarmist, and then he made a funny but insightful joke.

"It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability," said Ambro.

Sounds like a pretty funny supermarket but also pretty dangerous. The same holds true for companies that don't protect user data. It's fun for the hackers, sure. But it's inevitably dangerous for any American who trusts these companies to protect their private information.

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Tue Aug 25 17:25:05 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Aug 2015 18:25:05 -0400
Subject: [Infowarrior] - Louisiana townsfolk terror-freak over Hebrew "welcome home" sign
Message-ID: <4D84E2BF-F48F-4041-A9CD-1E10FA8C1FB4@infowarrior.org>

Louisiana townsfolk terror-freak over Hebrew "welcome home" sign
http://boingboing.net/2015/08/25/louisiana-townsfolk-terror-fre.html

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Wed Aug 26 13:53:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Aug 2015 14:53:28 -0400
Subject: [Infowarrior] - More legal views from John Yoo
Message-ID: <1E51B99F-AD31-43AF-8426-95E6AA8CD1BC@infowarrior.org>

OLC: President May Withhold WMD Info from Congress
http://fas.org/blogs/secrecy/2015/08/olc-nsi/

Despite an explicit statutory requirement to keep Congress "fully and currently informed"
about the proliferation of weapons of mass destruction, the President may withhold proliferation-related information from Congress if he determines that doing so could harm the national security, according to a sweeping opinion from the Justice Department Office of Legal Counsel (OLC) that was prepared in 2003. The opinion, written by then-OLC deputy John C. Yoo, was released this week under the Freedom of Information Act.

< - >

In its response to a Freedom of Information Act request, the Office of Legal Counsel said that the 2003 Yoo opinion "is protected by the deliberative process and attorney-client privileges and [is] exempt from mandatory disclosure pursuant to FOIA Exemption Five." Nevertheless, wrote OLC Special Counsel Paul P. Colborn, "we are releasing it to you as a matter of discretion."

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Wed Aug 26 16:39:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Aug 2015 17:39:27 -0400
Subject: [Infowarrior] - Newly Released Emails Reveal Cozy Relationship Between U.S. Trade Officials and Industry Reps Over Secret TISA Deal
Message-ID: <2AA42E99-58BA-4225-B642-41539ECFB71B@infowarrior.org>

August 26, 2015 | By Maira Sutton
Newly Released Emails Reveal Cozy Relationship Between U.S. Trade Officials and Industry Reps Over Secret TISA Deal
https://www.eff.org/deeplinks/2015/08/new-foia-released-emails-reveal-cozy-relations-between-us-trade-officials-and

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Aug 26 16:46:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Aug 2015 17:46:22 -0400
Subject: [Infowarrior] - Windows 10 Reserves The Right To Block Pirated Games And 'Unauthorized' Hardware
Message-ID: 

Windows 10 Reserves The Right To Block Pirated Games And 'Unauthorized' Hardware
https://www.techdirt.com/articles/20150820/06171332012/windows-10-reserves-right-to-block-pirated-games-unauthorized-hardware.shtml

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Thu Aug 27 05:59:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 27 Aug 2015 06:59:18 -0400
Subject: [Infowarrior] - Leaked data shows women on Ashley Madison were mostly fake
Message-ID: 

Leaked data shows women on Ashley Madison were mostly fake
http://www.engadget.com/2015/08/27/ashley-madison-barely-has-female-users/

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Thu Aug 27 06:01:21 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 27 Aug 2015 07:01:21 -0400
Subject: [Infowarrior] - 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'
Message-ID: <2D900055-274E-4707-919C-12547C881F9E@infowarrior.org>

15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'
https://www.techdirt.com/blog/wireless/articles/20150819/08372732005/study-15-wireless-users-now-tracked-stealth-headers-zombie-cookies.shtml

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Thu Aug 27 06:20:05 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 27 Aug 2015 07:20:05 -0400
Subject: [Infowarrior] - Lisbeth Salander returns, for better or worse
Message-ID: <0D5555C2-E3C1-4437-B75B-7AFC774D99B1@infowarrior.org>

Early review seems mixed given the situation. -- rick

"The Girl in the Spider's Web"
review: Lisbeth Salander hacks on
http://www.washingtonpost.com/entertainment/books/the-girl-in-the-spiders-web-review-lisbeth-salander-hacks-on/2015/08/26/49ee9c3c-4a63-11e5-8ab4-c73967a143d3_story.html

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Thu Aug 27 11:51:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 27 Aug 2015 12:51:00 -0400
Subject: [Infowarrior] - Germany trades citizens' metadata for NSA's top spy software
Message-ID: 

Germany trades citizens' metadata for NSA's top spy software
Spies keen to use XKeyscore, less keen to tell German government or citizens.

by Glyn Moody (UK) - Aug 27, 2015 11:32am EDT
http://arstechnica.com/tech-policy/2015/08/germany-hands-over-citizens-metadata-in-return-for-nsas-top-spy-software/

In order to obtain a copy of the NSA's main XKeyscore software, whose existence was first revealed by Edward Snowden in 2013, Germany's domestic intelligence agency agreed to hand over metadata of German citizens it spies on. According to documents seen by the German newspaper Die Zeit, after 18 months of negotiations the US and Germany signed an agreement that would allow the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV) to obtain a copy of the NSA's most important program, and to adopt it for the analysis of data gathered in Germany. This was a lower level of access compared to the non-US "Five Eyes" nations (the UK, Australia, Canada, and New Zealand), which had direct access to the main XKeyscore system.

In return for the software, the BfV would "to the maximum extent possible share all data relevant to NSA's mission." Unlike Germany's foreign intelligence service, the Bundesnachrichtendienst (BND), the domestic-oriented BfV does not employ bulk surveillance of the kind also deployed on a vast scale by the NSA and GCHQ.
Instead, it is only allowed to monitor individual suspects in Germany, and even to do that must obtain the approval of a special parliamentary commission. Because of this targeted approach, BfV surveillance is mainly intended to gather the content of specific conversations, whether in the form of emails, telephone exchanges, or even faxes, if anyone still uses them. Inevitably, though, metadata is also gathered, but as Die Zeit explains, "whether the collection of this [meta]data is consistent with the restrictions outlined in Germany's surveillance laws is a question that divides legal experts."

The BfV had no problems convincing itself that it was consistent with Germany's laws to collect metadata, but rarely bothered since, remarkably, all analysis was done by hand before 2013, even though metadata by its very nature lends itself to large-scale automated processing. This explains the eagerness of the BfV to obtain the NSA's XKeyscore software after German agents had seen its powerful metadata analysis capabilities in demonstrations.

It may also explain the massive expansion of the BfV that the leaked document published by Netzpolitik had revealed earlier this year. As Die Zeit notes, the classified budget plans "included the information that the BfV intended to create 75 new positions for the 'mass data analysis of Internet content.' Seventy-five new positions is a significant amount for any government agency."

The BfV may have been keen to deploy XKeyscore widely, but it wasn't so keen to inform the German authorities about the deal with the NSA. Peter Schaar, who was data protection commissioner at the time, told Die Zeit: "I knew nothing about such an exchange deal [of German metadata for US software]." He says that he only discovered that the BfV was using XKeyscore when he asked the surveillance service explicitly after reading about the program in Snowden's 2013 revelations.
The same is true for another key oversight body: "The Parliamentary Control Panel learned that the BfV had received XKeyscore software and had begun using it. But even this very general briefing was only made after the panel had explicitly asked following the Snowden revelations," according to Die Zeit.

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Thu Aug 27 13:23:01 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 27 Aug 2015 14:23:01 -0400
Subject: [Infowarrior] - Tech Giants Want to Punish DMCA Takedown Abusers
Message-ID: <7BE9BC3A-5882-4A74-84EF-4EA447F89387@infowarrior.org>

Tech Giants Want to Punish DMCA Takedown Abusers - TorrentFreak
By Ernesto
https://torrentfreak.com/tech-giants-want-to-punish-dmca-takedown-abusers-150927/

The CCIA, which represents global tech firms including Google, Facebook and Microsoft, has published an extensive research paper on the future of copyright in the digital landscape. One of the main suggestions is to extend current copyright law, so that senders of wrongful DMCA takedown notices face serious legal consequences.

Every day copyright holders send millions of DMCA takedown notices to various Internet services. Most of these requests are legitimate, aimed at disabling access to copyright-infringing material. However, there are also many overbroad and abusive takedown notices which lead to unwarranted censorship.

These abuses are a thorn in the side of major tech companies such as Google, Facebook and Microsoft. These companies face serious legal consequences if they fail to take content down, but copyright holders who don't play by the rules often walk free.

This problem is one of the main issues highlighted in a new research report (pdf) published by the CCIA, a trade group which lists many prominent tech companies among its members. The report proposes several changes to copyright legislation that should bring it in line with the current state of the digital landscape.
One of the suggestions is to introduce statutory damages for people who abuse the takedown process.

"One shortcoming of the DMCA is that the injunctive-like remedy of a takedown, combined with a lack of due process, encourages abuse by individuals and entities interested in suppressing content," CCIA writes.

"Although most rightsholders make good faith use of the DMCA, there are numerous well-documented cases of misuse of the DMCA's extraordinary remedy. In many cases, bad actors have forced the removal of material that did not infringe copyright."

The report lists several examples, including DMCA notices which are used to chill political speech by demanding the takedown of news clips, suppress consumer reviews, or retaliate against critics.

Many Internet services are hesitant to refuse these types of takedown requests, as it may cause them to lose their safe harbor protection, while the abusers themselves don't face any serious legal risk. The CCIA proposes to change this by introducing statutory damage awards for abusive takedown requests. This means that the senders would face the same consequences as the copyright infringers.

"To more effectively deter intentional DMCA abuse, Congress should extend Section 512(f) remedies for willful misrepresentations under the DMCA to include statutory awards, as it has for willful infringement under Section 504(c)," CCIA writes.

In addition to tackling DMCA abuse the tech companies propose several other changes to copyright law. One of the suggestions is to change the minimum and maximum statutory damages for copyright infringement, which are currently $750 and $150,000 per work.

According to the CCIA the minimum should be lowered to suit cases that involve many infringements, such as a user who hosts thousands of infringing works on a cloud storage platform. The $150,000 maximum, on the other hand, is open to abuse by copyright trolls and rightsholders who may use it as a pressure tool.

The tech companies hope that U.S.
lawmakers will consider these and other suggestions put forward in the research paper, to improve copyright law and make it future proof.

"Since copyright law was written more than 100 years ago, the goal has been to encourage creativity to benefit the overall public good. It's important as copyright is modernized to ensure that reforms continue to benefit not just rightsholders, but the overall public good," the CCIA concludes.

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Thu Aug 27 16:49:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 27 Aug 2015 17:49:53 -0400
Subject: [Infowarrior] - wtf ... FBI: Katrina showed us need for Stingray purchases
Message-ID: <0DB387CB-CA04-4812-B0BE-D2F01F93FE69@infowarrior.org>

FBI ordered more cell phone trackers in wake of Hurricane Katrina
Post-storm, procuring cell site simulators became "essential"
https://www.muckrock.com/news/archives/2015/aug/27/stingray-katrina/

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Thu Aug 27 16:51:24 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 27 Aug 2015 17:51:24 -0400
Subject: [Infowarrior] - American Drones Are Killing ISIS Hackers Now
Message-ID: <1A314387-C7F4-461E-A3E2-360727A893D4@infowarrior.org>

Ping of Death? Killbits? Now this is cyberwar!

American Drones Are Killing ISIS Hackers Now
Adam Clark Estes
Filed to: ISIS
8/27/15 4:05pm
http://gizmodo.com/american-drones-are-killing-isis-hackers-now-1727024896

ISIS talks a big talk when it comes to hacking, and United States forces just showed they're not going to put up with it. The Obama administration just announced that a drone strike has killed the organization's top cyber-terrorist, Junaid Hussain. At least one American leader says the rest of the ISIS hackers should watch their backs.

"This is a serious blow to ISIS and a swift act of justice against a top cyber jihadist and recruiter," said Rep.
Michael McCaul, chair of the House Homeland Security Committee. "The strike sends an unmistakable message to the terror group's ranks: plot against us, even on social media, and we will find you."

It was just three months ago that ISIS announced the beginning of an "electronic war" against the U.S. And while most of the so-called hacks that ISIS has bragged about on social media appear to be harmless, the U.S. is using very harmful killer robots to combat the threat. The Navy's "Loose tweets sink fleets" quote has never seemed so prescient.

-- 
It's better to burn out than fade away.


From rforno at infowarrior.org Fri Aug 28 09:24:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Aug 2015 10:24:34 -0400
Subject: [Infowarrior] - Chrome will freeze Flash ads on sight from Sept 1
Message-ID: <6E5B0E12-3907-477A-B755-95957B925966@infowarrior.org>

Google makes it official: Chrome will freeze Flash ads on sight from Sept 1
If your ads aren't on web giant's network, they better be HTML5, or they're dead to Chrome

28 Aug 2015 at 00:49, Shaun Nichols
http://www.theregister.co.uk/2015/08/28/google_says_flash_ads_out_september/

Google is making good on its promise to strangle Adobe Flash's ability to auto-play in Chrome. The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default, effectively freezing out "many" Flash ads in the process.

Netizens can right-click over the security-challenged plugin and select "Run this" if they want to unfreeze an ad. Otherwise, the Flash files will remain suspended in a grey box, unable to cause any harm nor any annoyance.

[Image: Click-to-play ... Run if you wish]

Back in June, Google warned that, in cooperation with Adobe, it would change the way Flash material is shown on websites.
Basically, "essential" Flash content (such as embedded video players) is allowed to automatically run, while non-essential Flash content, much of that being advertisements, will be automatically paused. As we explained a couple of months ago, it's effectively taking Chrome's "Detect and run important plugin content" feature, and making it the default: only the "main plugin content on websites" will be run automatically. That should put a stop to irritating ads around the sides of pages.

Google's reasoning for the move is largely performance-based, apparently. The Chocolate Factory worries that with too many pieces of Flash content running at once, Chrome's performance is hamstrung, and, more critically, battery life is drained in notebooks and tablets running the Flash plugin.

Crucially, the move will help kill the spread of malware via malicious Flash files, particularly dodgy adverts that have popped up on sites used by millions and millions of people.

Google said advertisers who are worried about having their ads switched off should consider converting their Flash artwork to HTML5. According to the cyber-goliath, "most Flash ads uploaded to [Google] AdWords are automatically converted to HTML5." So, in other words, if you're not on Google's ad network, you're locked out of Chrome - unless you also switch to HTML5 artwork.

Interestingly, Google's security engineers have been helping Adobe's programmers to shore up Flash with anti-hacker defenses. ...

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 28 12:38:19 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Aug 2015 13:38:19 -0400
Subject: [Infowarrior] - D.C. appeals court has lifted an injunction against the NSA phone call records program
Message-ID: <9FD11840-F7B9-4729-BF2F-64291C1EE6E5@infowarrior.org>

A D.C. appeals court has lifted an injunction against the NSA phone call records program
https://www.facebook.com/ellen.nakashima.1
https://www.washingtonpost.com/world/national-security/dc-circuit-overturns-ruling-against-nsa-bulk-collection-program/2015/08/28/d91c1876-4d92-11e5-84df-923b3ef1a64b_story.html

A federal appeals court in the District of Columbia has lifted an injunction against the National Security Agency's call records program on grounds that the plaintiff has not proved his own phone records were collected and so lacks standing to sue.

The move lifts a ban on the NSA's collection that had been imposed - and temporarily stayed - by a U.S. District Court judge in December 2013.

The program, after it was acknowledged by the government in the summer of 2013, spurred heated national, congressional and legal debate over whether it was proper and lawful for the NSA to collect millions of Americans' phone records in an effort to detect terrorist plots.

Congress in June put an end to the program, passing a law that barred the government from collecting phone and other records in bulk. But the NSA is continuing to do so as it transitions the program to phone companies by December.

In Friday's ruling, a three-judge panel of the U.S. Court of Appeals for the District of Columbia sent the case back to the lower court for further deliberation on the standing issue.

Circuit Court Judge Stephen F. Williams wrote that the lead plaintiff, conservative legal activist Larry Klayman, "lack[s] direct evidence" that records involving his calls "have actually been collected." Klayman, the lead plaintiff in the lawsuit, is a customer of Verizon Wireless. The only phone company that the government has acknowledged was part of the program is Verizon Business Network Services.

The Department of Justice declined to comment on the case.
The panel's ruling reverses the judgment of U.S. District Judge Richard J. Leon, who found that Klayman "demonstrated a substantial likelihood of success" in his bid to prove that his Fourth Amendment right to privacy was violated and that the NSA program was likely unconstitutional.

But it did not dismiss the case. Klayman can still try to prove that he has standing. The ruling's significance is limited by its procedural nature and the fact that it does not address the constitutionality or legality of the surveillance program.

Klayman lashed out at the panel for its timing. "An ill-informed first-year law student could have written this within one day," he said. "Why did you wait nearly two years after Leon issued his decision? You delayed getting to the issues. During that time the constitutional rights of Americans continue to be violated."

He nonetheless said that he was confident he would prevail. He said that he could amend his complaint to include plaintiffs who are customers of Verizon Business Network Services. He accused the panel of "reacting to the politics of the Washington Republican establishment - who say, 'Do what you want, NSA.'"

"Nobody's against doing surveillance of terrorists," he said. "What we're saying is get a warrant."

To date, the only appeals court to rule on the merits of the NSA program is the Second Circuit Court of Appeals in New York, which in May held the collection violated the Patriot Act and was "unprecedented and unwarranted." That court will hear argument next week on the American Civil Liberties Union's request that the agency be required to end the collection immediately - not in November.

The court in Klayman's case observed that Klayman's effort to prove standing was complicated by the possibility that the government could withhold information that would bolster his allegations. "Plaintiffs' claims may well founder in that event," said Circuit Court Judge Janice Rogers Brown. "But such is the nature of the government's privileged control over certain classes of information."

The ruling, said Harley Geiger, senior counsel for the Center for Democracy and Technology, "demonstrates that excessive secrecy limits debate and reform. It leads to unbalanced surveillance programs and provides victims with little or no recourse."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Aug 28 12:36:56 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Aug 2015 13:36:56 -0400
Subject: [Infowarrior] - Ashley Madison CEO Noel Biderman resigns after third leak of emails
Message-ID: <06E01995-E82B-4D84-9F56-571724161F12@infowarrior.org>

Ashley Madison CEO Noel Biderman resigns after third leak of emails
Sam Thielman
http://www.theguardian.com/technology/2015/aug/28/ashley-madison-neil-biderman-stepping-down

The chief executive of extramarital affairs website Ashley Madison has left the company after a third leak of emails and suggestions that he had affairs despite earlier denials.

"Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc (ALM) and is no longer with the company," said an unattributed statement on the Ashley Madison website. "Until the appointment of a new CEO, the company will be led by the existing senior management team."

In July details of more than 37m accounts were stolen from the website, whose tagline is: "Life is short. Have an affair." The company is now being sued for emotional distress and Canadian police are investigating links between the hack and two suicides.

The company said that Biderman's resignation was "in the best interest of the company and allows us to continue to provide support to our members and dedicated employees" and that it remained "steadfast in our commitment to our customer base".
< - >

The third and latest data dump, posted at the site that first released the user database, appears to be a download of emails from Biderman's personal Gmail account. The second torrent - released by an entity calling itself the Impact Team - contained emails that seemed to be from Biderman's work account and its release had already done damage to his personal reputation: the executive told the New York Daily News in 2014 that he had never cheated on his wife, but the hacked documents suggested otherwise.

- In the US and Canada, the National Suicide Prevention Hotline is 1-800-273-8255. In the UK, the Samaritans can be contacted on 08457 90 90 90. In Australia, the crisis support service Lifeline is on 13 11 14. Hotlines in other countries can be found here.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Aug 29 08:12:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 29 Aug 2015 09:12:13 -0400
Subject: [Infowarrior] - OT: I agree with George Will. (the end is near!)
Message-ID:

Affirming a right to die with dignity
By George F. Will
Opinion writer
August 28 at 8:12 PM
SAN DIEGO
https://www.washingtonpost.com/opinions/distinctions-in-end-of-life-decisions/2015/08/28/b34b8f6a-4ce7-11e5-902f-39e9219e574b_story.html

Brittany Maynard was soon to die. The question was whether she could do so on her own terms, as a last act of autonomy. Dr. Lynette Cederquist, who regrets that Maynard had to move to Oregon in order to do so, is working with others to change California law to allow physician assistance in dying.

Maynard, a 29-year-old newlywed, knew that her brain cancer would fill her final months with excruciating headaches, seizures, paralysis, loss of eyesight and the ability to speak. Radiation and chemotherapy would have purchased mere months. "I'm not killing myself," she said. "Cancer is killing me." She would not put her loved ones through her cancer's depredations.
Advances in public health and medical capabilities for prolonging life - and dying - intensify interest in end-of-life issues. Reductions in heart disease and stroke have increased the number of people living to experience decrepitude's encroachments, including dementia. "Dementia," Cederquist says, "is a whole different dilemma." Assisted suicide perhaps should be allowed only when survival is estimated at six months or less, but at that time persons suffering dementia have lost decisional capacity.

Physician-assisted dying has been done surreptitiously "as long as we have been practicing medicine," says Cederquist, professor of internal medicine at the University of California at San Diego. Today, even in the 46 states without physician-assisted dying, doctors may legally offer "terminal sedation" - say, a life-shortening dose of morphine - when intense physical suffering cannot otherwise be satisfactorily alleviated. Some Catholic and other ethicists endorse a "double effect" standard: If the intent is to alleviate suffering but a consequence is death, the intent justifies the act.

Cederquist says the most common reason for requesting assistance in dying is not "intolerable physical suffering." Rather, it is "existential suffering," including "loss of meaning," as from the ability to relate to others. The prospect of being "unable to interact" can be as intolerable as physical suffering and cannot be alleviated by hospice or other palliative care.

In some countries, doctors actively administer lethal injections. No U.S. jurisdiction allows doctors to go beyond writing prescriptions for life-ending drugs to be self-administered orally by persons retaining decisional capacity.

Almost 30 percent of Medicare expenditures are for patients in the last six months of life and about 16 percent of patients die in, or soon after leaving, intensive care units. Financial reasons should not be decisive in setting end-of-life policy, but Cederquist notes that reducing "expensive and inappropriate care" - costly and agonizing resistance to imminent death - "is the lowest-tech thing we can do in medicine." Hence the importance of "slow medicine geriatrics," avoiding a "rush to those interventions that build on each other" and thereby enmesh doctors and patients in ethical conundrums.

The American Medical Association remains opposed to physician assistance in dying; the California Medical Association has moved from opposition to neutrality. Litigation has been unsuccessful in seeking judicial affirmation of a right that California's legislature should establish. Legislation to do this has been authored by Assemblywoman Susan Eggman, chair of the Democratic caucus.

There are reasons for wariness. An illness's six-month trajectory can be uncertain. A right to die can become a felt obligation, particularly among bewildered persons tangled in the toils of medical technologies, or persons with meager family resources. And as a reason for ending life, mental suffering itself calls into question the existence of the requisite decisional competence. Today's culture of casual death (see the Planned Parenthood videos) should deepen worries about a slippery slope from physician-assisted dying to a further diminution of life's sanctity.

Life, however, is inevitably lived on multiple slippery slopes: Taxation could become confiscation, police could become instruments of oppression, public education could become indoctrination, etc. Everywhere and always, civilization depends on the drawing of intelligent distinctions. Jennifer Glass, a Californian who died Aug. 11, drew one. She said to her state legislators, "I'm doing everything I can to extend my life. No one should have the right to prolong my death."
The Economist reports that in the 17 years under Oregon's pioneering 1997 law, just 1,327 people have received prescriptions for lethal medications - about 74 a year - and one-third of those did not use them. Possessing the option was sufficient reassurance. There is nobility in suffering bravely borne, but also in affirming at the end the distinctive human dignity of autonomous choice. Brittany Maynard, who chose to be with loved ones when she self-administered her lethal medications, was asleep in five minutes and soon dead.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Aug 30 17:22:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 30 Aug 2015 18:22:45 -0400
Subject: [Infowarrior] - Supercookies are back, and they're as unappealing as ever
Message-ID: <5F4BEE85-36FA-4154-B6ED-44E25214FFF0@infowarrior.org>

(c/o Dan)

Supercookies are back, and they're as unappealing as ever
Supercookies are back in force. But if supercookies are so great for consumers, why aren't mobile carriers bragging about using them?
By Michael Kassner | August 28, 2015, 9:18 PM PST
http://www.techrepublic.com/article/supercookies-are-back-and-theyre-as-unappealing-as-ever/

I first learned that supercookies (AKA perma-cookies, PrecisionIDs, or the more generic term tracking headers) were being used by mobile carriers to track people traversing their mobile networks in 2014. The rationale behind tracking is to provide better advertising content. Whether that's okay depends on which side of the privacy fence you stand.

Nader Ammari, Gustaf Björksten, Peter Micek, and Deji Olukotun, staff at the digital-rights organization Access.org and authors of the paper The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy (PDF), informed me that tracking started much earlier, in 2000 to be exact. Dr. Kevin Fu, professor and medical-device security researcher at the University of Michigan, noticed his wife's phone was leaking information to web servers. "Some wireless web browsers reveal your phone number to web servers you visit," wrote Fu. "As a result, advertisers can obtain your phone number to annoy you by running up your airtime."

In 2010, Dr. Collin Mulliner, Technische Universität in Berlin, Germany, published additional research on tracking headers in the paper Privacy Leaks in Mobile Phone Internet Access. However, neither Fu's nor Mulliner's efforts resulted in any pushback by consumers or government agencies.

It took Robert McMillan's October 2014 WIRED article Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine to get the kettle boiling. "The company (Verizon) - one of the country's largest wireless carriers, providing cell phone service for about 123 million subscribers - calls this a Unique Identifier Header, or UIDH," wrote McMillan. "It's a kind of short-term serial number that advertisers can use to identify you on the web, and it's the lynchpin of the company's internet advertising program."

As it turned out, people were less than thrilled about tracking headers, prompting an investigation by the FCC, legislation by the US Congress, and more than a few lawsuits. The two mobile carriers implicated in 2014 - AT&T and Verizon - stopped (AT&T) or offered an opt-out (Verizon) for their particular type of tracking header.

How does a tracking header track?

Figure A explains how tracking headers work using a fictional character named Kavita. Simply put, the mobile carrier receives the HTTP request from Kavita and adds the details to her data profile. The mobile carrier then creates a chunk of data that identifies Kavita and adds it to the original HTTP request as a custom HTTP header.

As to why mobile providers even do this, there's money in it for them. Figure B shows how. The mobile carrier can monetize this by providing additional information about Kavita, at a cost, to the website listed in the HTTP request.

Supercookies are back

Tracking headers are back in play, and more mobile carriers than AT&T and Verizon are using them. To determine which mobile carriers are involved and the prevalence of tracking headers, the people at Access developed the Am I Being Tracked? website illustrated at the beginning of the article. "The website performs several simple tests to determine whether users are being tracked," the paper's authors write. The procedure is as follows:

• Determine whether the device making the request is a mobile device operating on a 3G, 4G, or LTE carrier network.
• Extract the user's IP address from the normal HTTP header (not the injected header).
• Look up the IP address in an IP geolocation database, matching the IP address with publicly available information about where the IP range is located.
• Look for any unusual or custom headers in the HTTP request and, if found, they are logged.
• Results of the test are returned to the user stating whether the user is being tracked.

After six months of activity (as of the time the paper was published), the Am I Being Tracked? web tool had processed nearly 180,000 tests, and over 15% were identified as being tracked. Figure C shows the results listed by carrier.

The authors conclude their paper with lots of questions: "Despite these small victories, tracking headers are still being used around the world, and important questions remain. How extensive is the use of these tracking headers? What kind of information have carriers been collecting with them? Does their use violate users' privacy? And what should be done about them, if anything?"

Final thoughts

After reading a draft of this column, my friend got right to the point, "If tracking headers are good for us, one might think the mobile carriers would at least let us know."
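The five-step check described above, re-implemented server-side over constructed sample requests as an added example for this digest (it is not Access's code nor the Am I Being Tracked? site's). The header names other than X-UIDH, the tiny IP range table that stands in for a geolocation database, and the sample requests are all assumptions made for the demo.

```python
import ipaddress
import re

# Constructed: header names reported as carrier-injected identifiers. X-UIDH is
# Verizon's Unique Identifier Header named in the column; the others are
# assumed examples and would be maintained from published research.
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr", "x-up-subno", "x-msisdn"}

# Headers a normal browser or proxy sends; anything else is "unusual or
# custom" in the paper's terms and gets logged.
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "upgrade-insecure-requests",
    "cache-control", "pragma", "dnt", "x-forwarded-for", "x-requested-with",
}

# Constructed stand-in for an IP geolocation database: prefix -> location.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "Example Mobile, US"),
    (ipaddress.ip_network("203.0.113.0/24"), "Example Telco, IN"),
]

MOBILE_UA_RE = re.compile(r"Android|iPhone|iPad|Windows Phone|Mobile", re.I)


def parse_headers(raw_request):
    """Header block of a raw HTTP/1.1 request -> dict keyed by lowercase name."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if line == "":  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_mobile(headers):
    """Step 1: coarse device check from the User-Agent string."""
    return bool(MOBILE_UA_RE.search(headers.get("user-agent", "")))


def client_ip(headers, remote_addr):
    """Step 2: client IP from the normal headers (first X-Forwarded-For hop
    when a proxy fronts the server), never from an injected header."""
    candidate = headers.get("x-forwarded-for", "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate or remote_addr))
    except ValueError:  # malformed X-Forwarded-For: fall back to the socket
        return str(ipaddress.ip_address(remote_addr))


def geolocate(ip):
    """Step 3: look the address up in the (constructed) range table."""
    addr = ipaddress.ip_address(ip)
    for network, where in GEO_TABLE:
        if addr in network:
            return where
    return "unknown"


def unusual_headers(headers):
    """Step 4: names outside the standard set, logged with the value length
    rather than the value so the identifier itself is never stored."""
    return {n: len(v) for n, v in headers.items() if n not in STANDARD_HEADERS}


def check_request(raw_request, remote_addr):
    """Step 5: assemble the result the tool returns to the user."""
    headers = parse_headers(raw_request)
    ip = client_ip(headers, remote_addr)
    unusual = unusual_headers(headers)
    tracking = sorted(n for n in unusual if n in KNOWN_TRACKING_HEADERS)
    return {"mobile": is_mobile(headers), "ip": ip, "location": geolocate(ip),
            "unusual_headers": unusual, "tracking_headers": tracking,
            "tracked": bool(tracking)}


# Constructed sample requests: one carrying an injected X-UIDH, one clean.
TRACKED_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: amibeingtracked.example\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 5.1) Mobile Safari/537.36\r\n"
    "X-Forwarded-For: 198.51.100.23\r\n"
    "X-UIDH: constructed-opaque-token-0001\r\n"
    "\r\n"
)
CLEAN_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: amibeingtracked.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/40.0\r\n"
    "\r\n"
)
```

Calling `check_request(TRACKED_REQUEST, "192.0.2.10")` reports the request as mobile, geolocates 198.51.100.23 to the constructed US mobile range and flags `x-uidh`; the clean request falls back to the socket address and is reported as not tracked.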
--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Aug 30 18:36:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 30 Aug 2015 19:36:29 -0400
Subject: [Infowarrior] - Windows 10 Worst Feature Installed On Windows 7 And Windows 8
Message-ID: <1AB518A9-E806-4452-B627-3794807353E6@infowarrior.org>

(c/o dan)

Windows 10 Worst Feature Installed On Windows 7 And Windows 8
AUG 30, 2015 @ 6:20 AM
http://www.forbes.com/sites/gordonkelly/2015/08/30/windows-10-spying-on-windows-7-and-windows-8/

Laughing at Microsoft's controversial data mining and privacy invasions within Windows 10? Well Windows 7 and Windows 8 users should laugh no longer as this most hated spying is now headed your way...

Software specialist site gHacks has discovered that Microsoft has pushed four new updates to both Windows 7 and Windows 8 which introduce new data collecting and user behaviour tracking features. The four updates in question and the official Microsoft descriptions are:

• KB3068708 Update for customer experience and diagnostic telemetry - This update introduces the Diagnostics and Telemetry tracking service to existing devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights. (Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)

• KB3022345 (replaced by KB3068708) Update for customer experience and diagnostic telemetry - This update introduces the Diagnostics and Telemetry tracking service to in-market devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet been upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights. (Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)

• KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 - This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels. (Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)

• KB3080149 Update for customer experience and diagnostic telemetry - This package updates the Diagnostics and Telemetry tracking service to existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights. (Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)

Furthermore gHacks notes that "these four updates ignore existing user preferences stored in Windows 7 and Windows 8 (including any edits made to the Hosts file) and immediately start exchanging user data with vortex-win.data.microsoft.com and settings-win.data.microsoft.com." "These, and maybe others, appear to be hardcoded which means that the Hosts file is bypassed automatically", gHacks explains.

I have reached out to Microsoft about the new patches and will update with the company's response if/when it is received. But until then the bigger question for those uncomfortable with these changes is: How do you stop them?

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Aug 31 14:40:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 31 Aug 2015 15:40:03 -0400
Subject: [Infowarrior] - Prepare to Sigh .... Beloit's Mindset List for the Class of 2016
Message-ID: <816795A5-A9AB-4BFF-AD69-29F69FB0602B@infowarrior.org>

This year's entering college class of 2016 was born into cyberspace and they have therefore measured their output in the fundamental particles of life: bits, bytes, and bauds. They have come to political consciousness during a time of increasing doubts about America's future, and are entering college bombarded by questions about jobs and the value of a college degree. They have never needed an actual airline "ticket," a set of bound encyclopedias, or Romper Room.

Members of this year's freshman class, most of them born in 1994, are probably the most tribal generation in history and they despise being separated from contact with friends. They prefer to watch television everywhere except on a television, have seen a woman lead the U.S. State Department for most of their lives, and can carry school books--those that are not on their e-Readers--in backpacks that roll.

The class of 2016 was born the year of the professional baseball strike and the last year for NFL football in Los Angeles. They have spent much of their lives helping their parents understand that you don't take pictures on "film" and that CDs and DVDs are not "tapes." Those parents have been able to review the crime statistics for the colleges their children have applied to and then pop an Aleve as needed. In these students' lifetimes, with MP3 players and iPods, they seldom listen to the car radio. A quarter of the entering students already have suffered some hearing loss. Since they've been born, the United States has measured progress by a 2 percent jump in unemployment and a 16-cent rise in the price of a first class postage stamp.

Each August since 1998, Beloit College has released the Beloit College Mindset List, providing a look at the cultural touchstones that shape the lives of students entering college this fall. The creation of Beloit's former Public Affairs Director Ron Nief and Keefer Professor of the Humanities Tom McBride, authors of The Mindset Lists of American History: From Typewriters to Text Messages, What Ten Generations of Americans Think Is Normal (John Wiley and Sons), it was originally created as a reminder to faculty to be aware of dated references. It quickly became an internationally monitored catalog of the changing worldview of each new college generation. Mindset List websites at themindsetlist.com and Beloit.edu, as well as the Mediasite webcast and their Facebook page receive more than a million visits annually.

For those who cannot comprehend that it has been 18 years since this year's entering college students were born, they should recognize that the next four years will go even faster, confirming the authors' belief that "generation gaps have always needed glue."

< -- >

http://www.beloit.edu/mindset/previouslists/2016/

--
It's better to burn out than fade away.