From rforno at infowarrior.org Tue Dec 1 07:19:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 1 Dec 2015 08:19:28 -0500
Subject: [Infowarrior] - Serving https? You might be sued for patent infringement
Message-ID: <997BF5B6-612F-4914-AE56-3D329837ACFC@infowarrior.org>

(Filed in that controversial IP-trolling Eastern District of Texas, of course. ---rick)

Sued for using HTTPS: Big brands told to cough up in crypto patent fight
1 Dec 2015 at 01:12
http://www.theregister.co.uk/2015/12/01/cryptopeak_sues_/

Scores of big brands – from AT&T and Yahoo! to Netflix, GoPro and Macy's – are being sued because their HTTPS websites allegedly infringe an encryption patent.

It appears in May this year CryptoPeak Solutions, based in Longview, Texas, got its hands on US Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems."

CryptoPeak reckons TLS-secured websites that use elliptic curve cryptography are infringing the patent – so it's suing owners of HTTPS websites that use ECC. Top tip: loads of websites use ECC these days to securely encrypt their traffic.

Starting in July, CryptoPeak began pursuing companies through the courts in the eastern district of Texas. Just in the past week or so, the patent-holding biz filed infringement claims against AT&T, Priceline, Pinterest, Hyatt Hotels, Best Western, and Experia. CryptoPeak has almost 70 cases in play now. It wants damages, royalties, and its legal bills paid. Here's the paperwork [PDF] it filed against insurance giant Progressive on November 25, as an example.

"The defendant has committed direct infringement by its actions that comprise using one or more websites that utilize Elliptic Curve Cryptography Cipher Suites for the Transport Layer Security protocol," CryptoPeak alleged in its lawsuit against Progressive. "A representative example of a website owned, operated and/or controlled by the defendant that utilizes ECC Cipher Suites for TLS is progressive.com."
According to Qualys' SSL Labs, progressive.com does indeed support elliptic curve Diffie-Hellman key exchanges among other cipher suites.

The patent in question was crafted by crypto gurus Dr Adam Young and Dr Marcel "Moti" Yung, and granted in 1997. Its outline states:

This invention relates to cryptosystems, and in particular to the escrowing and recovering of cryptographic keys and data encrypted under cryptographic keys. The escrow and recovery process assures that authorized entities like law-enforcement bodies, government bodies, users, and organizations, can when allowed or required, read encrypted data. The invention relates to cryptosystems implemented in software, but is also applicable to cryptosystems implemented in hardware.

Perhaps crucially, it describes a means for "generating public keys" and "publishing public keys", and it's certainly true that ECC does involve generating public keys and using them. But the patent is focused on "a key recovery agent to recover the user's private key or information encrypted under said user's corresponding public key" – which is really not the point of ECC. Yet, CryptoPeak seems to think there's some overlap between today's ECC implementations and the patent it holds.

It is not clear just what else, if anything, the outfit does. The company has little in the way of an online footprint outside of the litigation related to the '150 patent. Some people might even call it a "patent troll."

The wealthy giants being sued also seem to have a less-than-favorable view of CryptoPeak. Netflix has filed a motion for dismissal [PDF] of the case on the grounds that the infringement claims are invalid and do not clearly show infringement.

"The defect in these claims is so glaring that CryptoPeak's only choice is to request that the court overlook the express words of the claims, construe the claims to read out certain language, or even correct the claims," Netflix's legal eagles wrote in their filing.
Tadlock, the Texan law firm representing CryptoPeak, told us: "We are not in a position to comment on the pending cases."

El Reg also contacted a bunch of the organizations accused of infringing the patent; all were not immediately available for comment, except AT&T – which told us: "We cannot comment on pending litigation." ®

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 1 07:21:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 1 Dec 2015 08:21:50 -0500
Subject: [Infowarrior] - UK's Snooper's Charter Hands Over Access To User Data To Several Non-Law Enforcement Agencies
Message-ID: <921E2029-89A1-4E8C-AE8D-A30E551AA5A1@infowarrior.org>

UK's Snooper's Charter Hands Over Access To User Data To Several Non-Law Enforcement Agencies

< - >

Despite the parade of child-murdering, drug-dealing, criminal-masterminding horrors that serve as slightly-less-dry interludes to the bill's text, access to "all" retained data will be provided to a long list of mundane regulatory agencies, presumably for the sake of the children.

- Her Majesty's Revenue and Customs
- Department for Transport
- Department of Enterprise, Trade and Investment in Northern Ireland
- A fire and rescue authority under the Fire and Rescue Services Act 2004
- Food Standards Agency
- Gambling Commission
- Gangmasters Licensing Authority
- Health and Safety Executive
- National Health Service Business Services Authority
- Duty Manager of Ambulance Trust Control Rooms
- Northern Ireland Ambulance Service Health and Social Care Trust
- Northern Ireland Fire and Rescue Service Board

Most of these agencies are granted access to all "communications data." The justification for this is laid out in the table starting on page 210 of the pdf, with most of these agencies utilizing Section 46(7)(b) ("for the purpose of preventing or detecting a crime or of preventing disorder").
But the bill contains several other justifications for the obtaining of user data, not all of which seem severe enough to warrant special legislation -- like "collecting any tax, duty, levy or other imposition" or "exercising functions relating to financial stability." Not exactly the terrorist-hunting, child kidnapper-finding wonderbill it's being depicted as -- often in its own pages.

< - >

https://www.techdirt.com/articles/20151126/07415632909/uks-snoopers-charter-hands-over-access-to-user-data-to-several-non-law-enforcement-agencies.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 1 11:14:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 1 Dec 2015 12:14:45 -0500
Subject: [Infowarrior] - Adobe 'kills' Flash....
Message-ID:

... by renaming it. Because nothing says "See? We listen to our customers!" like sticking lipstick on a pig, right?

http://tech.slashdot.org/story/15/12/01/149223/after-twenty-years-of-flash-adobe-kills-the-name

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 1 11:17:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 1 Dec 2015 12:17:12 -0500
Subject: [Infowarrior] - Appeals Court Issues Fantastic 1st Amendment Ruling Against Censorious Sheriff Thomas Dart In His Crusade Against The Internet
Message-ID: <810F19B5-B763-4D33-BCD4-F6E8979DC9A6@infowarrior.org>

Appeals Court Issues Fantastic 1st Amendment Ruling Against Censorious Sheriff Thomas Dart In His Crusade Against The Internet

https://www.techdirt.com/articles/20151130/17495832948/appeals-court-slams-sheriff-thomas-dart-yet-again-his-illegal-efforts-to-censor-internet.shtml

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Tue Dec 1 17:36:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 1 Dec 2015 18:36:36 -0500
Subject: [Infowarrior] - Judge In FBI Case Was Forced To Redact His Mocking Of FBI's Ridiculous Arguments
Message-ID:

Judge In FBI Case Was Forced To Redact His Mocking Of FBI's Ridiculous Arguments

https://www.techdirt.com/articles/20151201/00290232950/judge-fbi-case-was-forced-to-redact-his-mocking-fbis-ridiculous-arguments.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Dec 2 10:30:26 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 2 Dec 2015 11:30:26 -0500
Subject: [Infowarrior] - Here's Air Force's $49.5M Plan to Outsource Cyberweapon and Counterhack Software
Message-ID:

Here's Air Force's $49.5M Plan to Outsource Cyberweapon and Counterhack Software
By Aliya Sternstein
December 1, 2015
http://www.nextgov.com/cybersecurity/2015/12/here-air-forces-495m-plan-outsource-cyberweapon-counterhack-software/124066/

The Air Force is finalizing a $49.5 million plan to hire private sector coders who, by developing software, can sabotage adversary computer systems and thwart incoming hack attacks.

An official contract for the "Offensive Cyberspace Operations Defensive Cyberspace Operations Real-Time Operations and Innovation Cyber Development Custom Software Engineering Services" program is slated for publication Jan. 29, 2016.

SHELTER, the nickname for the mouthful of a project title, is a 5.5-year deal that would add to the Defense Department's growing arsenal of cyberweapons. Technically referred to as "exploits," "payloads" and "implants" in a draft contract released Monday, these sophisticated, malicious programs are not exclusive to defense company computer labs. Via the Internet black market, hidden behind firewalls, anyone -- including terrorists -- can buy them from script kiddies, financially motivated hackers or other anonymous sources.
(The Pentagon definition for exploit is "software or a sequence of commands that takes advantage of a vulnerability in order to cause unanticipated behavior to occur on computer software, hardware or something electronic, usually computerized.")

In a Monday analysis of the cyber capabilities of the Islamic State, Stratfor research analyst Tristan Reed points out the extremist group doesn't need HTML skills to project power online.

"Capabilities to carry out cyberterrorism do not necessarily have to come from within the Islamic State," he said. "A thriving underground market exists," where "offensive skills for hire and exploits in popular software not publicly known (referred to as 'zero day' exploits)" are available, and "often the buyers and sellers do not have to know each other's identities."

Currently, ISIS is more interested in publicizing website breaches and hijacking social media accounts than engaging in destructive online attacks, according to Stratfor. But other nation states of potential concern such as Iran are building the kind of malware capable of impairing critical infrastructure like transportation systems, security experts say.

And so is the Air Force, Monday's proposed statement of work proclaims.

Private sector professionals are wanted for hack attack and counterhack software development efforts. The branch, for example, needs a contractor for the "development and/or identification of capabilities" to "exploit and mitigate previously known and unknown hardware and operating system vulnerabilities."

The Air Force wants to be able to find security holes in its own systems and find holes in all manner of technologies to wriggle inside the ones owned by adversaries. The goal is to be able to quickly pinpoint vulnerabilities, specifically in:

- Targeted hosts
- Servers
- Systems
- Routers
- Switches
- Cellular, Wi-Fi, WiMAX, and Bluetooth connections
- Mobile devices, operating systems, internal components
- Cloud computing technologies

The selected vendors will be assigned the responsibility of designing tools for either fixing flaws spotted or taking advantage of them, according to the proposal. The work statement calls for the "generation of payloads for developed identified capabilities," along with research into containing malware.

Speed is key to dominance in cyberspace, and professionals will be expected to "find vulnerabilities with or without source code," in accordance with "government established timelines," the draft contract states.

The contractors also will build tools to neutralize malicious code found seeping through the Defensewide "global information grid" network.

In addition to attacking and blocking cyber aggressors, the software could be employed in law enforcement, counterintelligence operations, software quality assurance, reverse engineering of malicious logic, and command and control, the documents state.

The price ceiling for the deal is $49.5 million and the Air Force is taking questions on the proposal until Dec. 18.

The new software initiative seems to be a move toward incorporating digital maneuvers into physical attacks. The branch's new forward-looking Air Force Future Operating Concept contemplates a 2035 where cyber forces have the ability to "achieve desired effects rapidly," and where "in a contested cyberspace environment, a focus on precise, predictable effects, fully synchronized with actions planned in the other domains . . . enables AF cyberspace operations to ensure the required degree of freedom of action."

Nextgov has contacted the Air Force for comment.

Networks in the skies will be no match for Air Force cyber warriors, military officials recently told reporters. According to Ars Technica, Air Force Maj. Gen. Burke "Ed" Wilson said the Air Force has conducted tests "where we asked the question, what if we—instead of jamming a target—put a tool on an aircraft that allowed us to touch a target with cyber?
And yes, we can touch a target from an air-enabled network."

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Dec 3 11:55:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 3 Dec 2015 12:55:49 -0500
Subject: [Infowarrior] - Pentagon Opens All Frontline Combat Jobs to Women
Message-ID:

Pentagon Opens All Frontline Combat Jobs to Women
Mark Thompson @MarkThompson_DC
TIME
http://time.com/4134976/pentagon-combat-women/

Women will be allowed to serve as fully-fledged members of front-line U.S. military combat units, Defense Secretary Ashton Carter announced Thursday. "They'll be allowed to drive tanks, fire mortars, and lead infantry soldiers into combat," Carter said, so long as they meet the same physical standards as their male comrades. "They'll be able to serve as Army Rangers and Green Berets, Navy SEALs, Marine Corps infantry, Air Force parajumpers and everything else that was previously open only to men."

Female advocates cheered the change. "It's a thrilling day for women serving in the military—and for women across the country," said Nancy Duff Campbell of the National Women's Law Center. "Thousands of women will now have the opportunity to be all that they can be and our nation's military will be the stronger for it. Hip, hip, hooray!"

The impact of the decision will take some time. "Implementation won't happen overnight," Carter said. Women will have to be trained to fill the slots. While some have already undergone such schooling—three women passed the tough Army Ranger course earlier this year, for example—the Pentagon wants to ensure that it achieves a still-unspecified "critical mass" of such women before introducing them into previously all-male units. A senior Army officer has estimated that while half of incoming male recruits want to "go infantry," for example, only 10% of female recruits share that sentiment.
The decision comes after decades of allowing women to move ever closer to front-line, direct-ground-combat units: infantry, armor and special operations. While they have been allowed in supporting roles alongside such units—in intelligence and logistics, for example—they were barred by Pentagon policy from standard service in most such outfits. While the Army had recommended to Carter in October that women be allowed to serve in all combat slots, the Marines had recommended against it.

Carter's announcement represents an historic change for the U.S. military. But some of the leeriness accompanying it has been eased by the smooth integration of openly gay men and women into military service. In fact, the Marines also were the service most opposed to allowing them to serve in uniform, saying it would hurt morale and recruiting. Neither has happened in the four years since the ban was lifted.

There has been opposition to the change even inside the Army. "The average fighting load is 35% of average man's bodyweight but half the bodyweight of an average Army woman," William Gregor, a retired 23-year Army officer now at the service's School of Advanced Military Studies at Fort Leavenworth, Kan., wrote in 2011. "Keeping the men and women together can only diminish the training benefit received by men because the load or the march rate or both must be kept within the range of strength and endurance of the women."

The Marines steadily built a case that their front-line units should remain all-male. "To move forward in expanding opportunities for our female service members without considering the timeless, brutal, physical and absolutely unforgiving nature of close combat is a prescription for failure," an internal Marine study completed in August concluded. "Those who choose to turn a blind eye to those immutable realities do so at the expense of our Corps' war-fighting capability and, in turn, the security of the nation."
Gregory Newbold, a retired Marine lieutenant general, says physical strength is only part of the combat calculus. "It's the fighting power of the unit that's more relevant, and when you interject things that are corrosive, then you degrade fighting power," he says. "It's the sexual dynamic that's important here—somebody has to get up early to clean the urinals and pick up trash, and Johnny says 'Well Suzy isn't doing it because they like Suzy,' or Suzy says 'I'm doing it because they hate me.' That's human nature, and it's corrosive in small combat units."

But an internal Marine report disputes that. "Any initial detrimental effects on cohesion can eventually be mitigated with good training and solid leadership," it concluded.

Instead of simply setting physical requirements for individual Marines, the corps pitted all-male squads against mixed-gender units. "The majority of the operationally relevant differences occurred in the most physically demanding tasks, such as casualty evacuations, long hikes under load, and negotiating obstacles," one internal Marine assessment said. "We have seen numerous cases of compensation during physically demanding tasks, in which males have shifted positions to take over certain aspects of the tasks from females, such as loading ammo into trucks or heaving loaded packs on top of a wall."

The corps has pointed out that the more than 400 female Marines who earned combat decorations in Afghanistan and Iraq earned them in what might be called combat-lite. "None of those awards reflected a female Marine having to 'locate, close with and destroy the enemy' in deliberate offensive combat operations," a recent Marine report said. "Rather, these actions were all in response to enemy action in the form of IED strikes, enemy attacks on convoys or friendly bases, or attacks on female Marines" assigned to all-female units designed to screen and interview foreign females.
True enough, but hardly surprising: female Marines have been barred from "deliberate offensive combat operations."

The advance of women toward the front lines has been a long time coming, and female trailblazers recall the challenges. Ann Dunwoody, the first four-star general in the U.S. military, recalls the Army banning barrettes and bobby pins to keep hair in place under jump-school helmets, claiming they were hazardous while parachuting. "It was an attempt to get us to cut our hair, and look manly," says Dunwoody, who retired in 2012. She refused to go along. "I taped my hair to my head with masking tape—it looked ridiculous." Eventually, the Army relented.

Darlene Iskra, who became one of the Navy's first female divers in 1980, recalls the grueling physical harassment instructors would mete out during six weeks of scuba training. They'd yank off trainees' masks and turn off their air supply, to ensure the fledgling divers were ready for dangerous undersea missions. Iskra spent her first three weeks in the pool with a female partner before each was paired with a male partner for the rest of the course. "We noticed after we got our new buddies that the pool harassment went down by about half," says Iskra, who went on to become the first woman to command a Navy ship in 1990. "But our new male buddies said the harassment had gone up about half."

In a perfect world, everyone wearing a U.S. military uniform would be an asexual brute with a stunningly high IQ who doesn't eat much, is adept at following orders and leery of challenging authority. Given that such a creature has never existed, the nation has spent more than 200 years building its military, one compromise at a time. The Pentagon just made its biggest compromise ever about who can serve on the front lines in a U.S. military uniform.

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Dec 4 07:52:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 4 Dec 2015 08:52:17 -0500
Subject: [Infowarrior] - Dick Cheney gets honored by Congress (ycmtsu.)
Message-ID:

U.S. First Shields its Torturers and War Criminals From Prosecution, Now Officially Honors Them
Glenn Greenwald
Dec. 4 2015, 5:43 a.m.
https://theintercept.com/2015/12/04/u-s-first-shields-its-torturers-and-war-criminals-from-prosecution-now-officially-honors-them/

As Vice President, Dick Cheney was a prime architect of the worldwide torture regime implemented by the U.S. government (which extended far beyond waterboarding), as well as the invasion and destruction of Iraq which caused the deaths of at least 500,000 people and more likely over a million. As such, he is one of the planet's most notorious war criminals.

President Obama made the decision in early 2009 to block the Justice Department from criminally investigating and prosecuting Cheney and his fellow torturers, as well as to protect them from foreign investigations and even civil liability sought by torture victims. Obama did that notwithstanding a campaign decree that even top Bush officials are subject to the rule of law and, more importantly, notwithstanding a treaty signed in 1984 by Ronald Reagan requiring that all signatory states criminally prosecute their own torturers. Obama's immunizing Bush-era torturers converted torture from a global taboo and decades-old crime into a reasonable, debatable policy question, which is why so many GOP candidates are now openly suggesting its use.

But now, the Obama administration has moved from legally protecting Bush-era war criminals to honoring and gushing over them in public. Yesterday, the House of Representatives unveiled a marble bust of former Vice President Cheney, which – until a person of conscience vandalizes or destroys it – will reside in Emancipation Hall of the U.S. Capitol.

< - >

Yesterday, the U.S. government unambiguously signaled to the world that not only does it regard itself as entirely exempt from the laws of wars, the principal Nuremberg prohibition against aggressive invasions, and global prohibitions on torture (something that has been self-evident for many years), but believes that the official perpetrators should be honored and memorialized provided they engage in these crimes on behalf of the U.S. government. That's a message which most of the U.S. media and thus large parts of the American population will not hear, but much of the world will hear it quite loudly and clearly. How could they not?

In other news, U.S. officials this week conceded that a man kept in a cage for 13 years at Guantanamo, the now-37-year-old Mustafa al-Aziz al-Shamiri, was there due to "mistaken identity."

As Joe Biden said yesterday, "I actually like Dick Cheney."

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Dec 4 12:09:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 4 Dec 2015 13:09:46 -0500
Subject: [Infowarrior] - Judge: Prenda lawyer must sell condo, liquidate assets to pay $2.5M debt
Message-ID: <7BEE9DFC-0D32-418E-89C9-7950F7E5145F@infowarrior.org>

Judge: Prenda lawyer must sell condo, liquidate assets to pay $2.5M debt
by Cyrus Farivar - Dec 4, 2015 12:47pm EST
"The debtor has a pattern and practice of dishonesty with the courts."
http://arstechnica.com/tech-policy/2015/12/judge-prenda-lawyer-must-sell-condo-liquidate-assets-to-pay-2-5m-debt/

A federal judge in Minnesota has ordered one of the men behind the notorious Prenda Law group to liquidate his assets. Paul Hansmeier must now sell his condominium, among other assets, in order to pay back $2.5 million of debts more quickly rather than having the case drag out for years.

"Here, the debtor has a pattern and practice of dishonesty with the courts," US Bankruptcy Judge Kathleen Sanberg said during the Thursday hearing.
She ordered Hansmeier to convert his Chapter 13 (wage earner's plan) bankruptcy filing to a Chapter 7 (liquidation). Under Chapter 13, Hansmeier could have paid his creditors much more slowly.

"This case was designed for one purpose only, to thwart the collection efforts of debtors," the judge added. "It was not because the debtor now wants to pay creditors in full."

The move is the latest in the lengthy saga of Prenda Law, a porn copyright troll scheme which began to collapse in 2013.

Hansmeier and his colleague John Steele are believed to be the masterminds behind Prenda Law, the name under which they acquired copyrights to porn films and then sued thousands for allegedly downloading them. They are believed to have made several million dollars until the project fell apart in 2013 under a barrage of sanctions.

This spring, a federal appellate judge in California flatly described Prenda Law as "extortion."

Last month, Minnesota's Office of Lawyers Professional Responsibility requested that Hansmeier be disbarred or suspended. And in June 2015, Hansmeier, Steele, and their third colleague Paul Duffy were found in contempt of court by an Illinois federal judge.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Dec 5 10:50:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 5 Dec 2015 11:50:18 -0500
Subject: [Infowarrior] - NYT runs first Page 1 editorial since 1920
Message-ID:

Gun Debate Yields Page One Editorial
Ravi Somaiya
http://www.nytimes.com/2015/12/05/us/gun-debate-yields-page-1-editorial.html

The New York Times is running an editorial on its front page on Saturday, the first time the paper has done so since 1920, calling for greater regulation on guns in the aftermath of a spate of mass shootings.

The editorial, headlined "The Gun Epidemic," describes it as "a moral outrage and a national disgrace that people can legally purchase weapons designed specifically to kill with brutal speed and efficiency."
It suggests drastically reducing the number of firearms, and "eliminating some large categories of weapons and ammunition."

"It is not necessary to debate the peculiar wording of the Second Amendment," it reads. "No right is unlimited and immune from reasonable regulation."

In a statement, the publisher of The Times, Arthur Sulzberger Jr., said the paper was placing an editorial on Page 1 for the first time in many decades "to deliver a strong and visible statement of frustration and anguish about our country's inability to come to terms with the scourge of guns."

"Even in this digital age, the front page remains an incredibly strong and powerful way to surface issues that demand attention," Mr. Sulzberger said. "And, what issue is more important than our nation's failure to protect its citizens?"

The editorial reflects the intensifying debate over gun laws that is taking place in the days following two recent mass shootings – one in Colorado Springs on Nov. 27, and another in San Bernardino, Calif., on Wednesday in which 14 people were shot and killed. The front page of The Daily News on Thursday collected Twitter posts from Republican politicians offering their prayers to the victims, around the headline "God Isn't Fixing This."

The last time The Times ran an editorial on the front page was in June 1920, when it lamented the nomination of Warren G. Harding as the Republican presidential candidate. It was a move, The Times wrote, that would "be received with astonishment and dismay by the party whose suffrages he invites."

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Dec 6 19:14:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 6 Dec 2015 20:14:34 -0500
Subject: [Infowarrior] - Social-Media Sites Face Pressure to Monitor Terrorist Content
Message-ID:

Social-Media Sites Face Pressure to Monitor Terrorist Content
Deepa Seetharaman, Alistair Barr and Yoree Koh
Dec. 6, 2015 7:30 p.m. ET
http://www.wsj.com/articles/social-media-sites-face-pressure-to-monitor-terrorist-content-1449448238

Facebook Inc. typically counts on its 1.5 billion users to report offensive content, but last week, the social network went looking for it.

On Thursday, Facebook removed a profile page used by one of two people suspected of killing 14 people the previous day in San Bernardino, Calif. A spokesman said the page violated Facebook's community standards that, among other things, bar posts, photos or videos that support terrorism or glorify violence.

The suspect, Tashfeen Malik, had published a post around the time of the shooting, but Facebook declined to disclose its contents. Facebook declined to say how it found the profile and determined its authenticity.

The move underscores the growing pressure on sites such as Facebook, Alphabet Inc.'s YouTube and Twitter Inc. to monitor, and sometimes remove, violent content and propaganda from terror groups. It is unclear how closely each company works with governments, how frequently they remove content and how it is identified.

"When it comes to terrorist content, it's certainly a tricky position for companies, and one that I don't envy," said Jillian York, the Electronic Frontier Foundation's director of international freedom of expression, in an email. "Still, I worry that giving more power to companies—which are undemocratic by nature—to regulate speech is dangerous."

All three companies employ technology to scan for images related to child sexual exploitation. Hany Farid, chair of the computer-science division at Dartmouth College, who helped develop the system, said he expected it to be expanded to other types of questionable content.

But that is a challenge for several reasons. The child-exploitation scans employ a database of known images, created by the National Center for Missing and Exploited Children. There is no similar database for terror-related images.
In addition, disturbing images often appear in news content, and social-media companies don't want to become news censors. At a September town hall meeting, Facebook Chief Executive Mark Zuckerberg cited a widely shared photograph of Aylan Kurdi, a 3-year-old refugee who died fleeing Syria and washed ashore in Turkey, as an example of an image that might have been deemed inappropriate by a computer algorithm, but shouldn't have been censored.

That leaves social-media companies making difficult judgment calls. In 2014, YouTube quickly removed videos of the beheadings of two American journalists by Islamic State. Twitter adopted a similarly passive approach to the same images, which remained on the service until reported by users. In August, Twitter quickly took down video of two Virginia TV reporters who were gunned down during a live news broadcast.

A Twitter spokesman declined to say whether it has suspended any accounts related to the San Bernardino shooting incident. The spokesman declined to comment when asked if Twitter is re-evaluating its policy in light of Facebook's approach to those shootings.

The volume of material on social-media sites is a challenge. Some 400 hours of video are uploaded to YouTube every minute. The online-video site doesn't remove videos itself, waiting for users to flag content as objectionable. The site has had a "promotes terrorism" flag for several years. It hasn't changed this approach recently, according to a person familiar with the situation.

YouTube has given roughly 200 people and organizations the ability to "flag" up to 20 YouTube videos at once. That includes the U.K. Metropolitan Police's Counter Terrorism Internet Referral Unit, which has been using its "super flagger" authority to seek reviews—and removal—of videos it considers extremist.

Facebook has quietly become more aggressive in removing such content, privacy experts say.
In 2012, Facebook said fan pages glorifying a shooter who opened fire in a Colorado movie theater didn?t violate its terms and services because they weren?t a credible threat to others. But last year, it removed pages honoring a gunman who killed six people at the University of California, Santa Barbara. Ms. York discovered last year that informational Facebook pages for ISIS, Hamas and other terrorist groups were taken down. The pages included information from Wikipedia and weren?t promoting terrorism, Ms. York said, adding that it was her ?first clue? that the company was scanning posts pre-emptively and censoring the terror-related ones. Facebook said it has ?hundreds? of people on its community operations team, which vets content reported by users from four offices world-wide. User reports are graded so more serious ones, including those involving terrorism, are handled first. Write to Deepa Seetharaman at Deepa.Seetharaman at wsj.com, Alistair Barr at alistair.barr at wsj.com and Yoree Koh at yoree.koh at wsj.com -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Dec 7 11:42:38 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 7 Dec 2015 12:42:38 -0500 Subject: [Infowarrior] - Deja vu again: Feds to roll out new terror alert system Message-ID: (The security state continues to evolve. I'm thinking Sea Foam and Burnt Umber will be some of the colors used in this new scheme. --rick) Feds to roll out new terror alert system Julian Hattem http://thehill.com/policy/national-security/262279-feds-to-roll-out-new-terror-threat-system Federal officials are planning to roll out a new terror threat system in coming days, on the heels of new warnings about home-grown attacks. The new system would be the third major federal warning system in the years since Sept. 11, 2001, beginning with the original color-coded Homeland Security Advisory System, which was abandoned in 2011. 
The current National Terrorism Advisory System is meant to notify the public about an "imminent" or "elevated" threat to the country. However, it has never been used, in part because the bar for triggering an alert is too high, Homeland Security Secretary Jeh Johnson said on Monday morning.

"It depends on a specific credible threat to the homeland," Johnson said at an event hosted by Defense One. "I believe we need to get beyond that and go to a new system that has an intermediate level to it. I'll be announcing soon, hopefully, what our new system is, which I think reflects our new environment and new realities."

"We need a system that informs the public at large of what we are seeing," he added. "Removing some of the mystery about the global terrorist threat, what we are doing about it and what we are asking the public to do. I am hoping we will announce this in full in the coming days."

Johnson's announcement on Monday came hours after President Obama made a rare address from the Oval Office on Sunday evening, warning the country about "a new phase" of terrorism in light of attacks in San Bernardino, Calif., and Paris.

While the investigation is ongoing into the San Bernardino violence, which killed 14 people, officials say that it appears to have been inspired by extremists such as the Islamic State in Iraq and Syria (ISIS). However, there has not been any evidence that ISIS actively directed the attack, officials say.

As such, the plot would have been nearly impossible for law enforcement and intelligence agents to detect. The absence of communications back and forth to ISIS or extensive meetings with senior leaders means that the couple involved in the shooting could carry out their plan without setting off any federal alarm bells.

That needs to change, Johnson said.

"We've moved to a new phase in the global terrorist threat that involves not just terrorist-directed attacks from overseas, but terrorist-inspired attacks here on the homeland and in other countries," he said. "In this environment ... not having a specific credible piece of intelligence reflecting a specific plot is not the end of the story."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Dec 7 14:34:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 7 Dec 2015 15:34:40 -0500
Subject: [Infowarrior] - Mitch McConnell To Obama: Please, Just Tell Us What Law You Need To Ban Encryption And You'll Get It
Message-ID: <58E093C1-136D-4873-98B4-08061A1B8215@infowarrior.org>

Senator Mitch McConnell To Obama: Please, Just Tell Us What Law You Need To Ban Encryption And You'll Get It
https://www.techdirt.com/articles/20151206/15493433005/senator-mitch-mcconnell-to-obama-please-just-tell-us-what-law-you-need-to-ban-encryption-youll-get-it.shtml

from the begging-to-undermine-american-security dept

Senate Majority Leader Mitch McConnell has always been a friend of the intelligence community, but he's using the attack in San Bernardino to ramp up the anti-encryption insanity to new levels, practically begging President Obama to tell him what law he wants to ban encryption, and McConnell will help make sure Congress delivers. McConnell's statement was laying out what he thought President Obama should do in response to ISIS, and includes this ridiculous line:

He should tell us what legal authorities he needs to defeat encrypted online communications, and what is needed to reestablish our capture, interrogation, and surveillance capabilities.

"Defeat encrypted online communications"? Is he crazy? We need encrypted online communications to better protect us, and yet McConnell is trying to undermine those communications. He's actively proposing to make us all less safe.
And, of course, talking about "reestablishing" our "surveillance capabilities" is about giving the NSA more surveillance powers. McConnell was, of course, the key person who tried to block any attempt at rolling back the NSA's unconstitutional phone records collection program.

Now, we know that President Obama didn't go quite as far as McConnell asked, but he did still push for a more "voluntary" solution -- which may morph into Congress doing something if people don't speak out loudly about what an incredibly dumb idea this is.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Dec 7 14:57:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 7 Dec 2015 15:57:49 -0500
Subject: [Infowarrior] - Homeland chair moves to rein in 'dark' networks
Message-ID: <64CAD969-2F49-47F9-BB26-9A213C00F1B3@infowarrior.org>

Homeland chair moves to rein in 'dark' networks
http://thehill.com/policy/cybersecurity/262322-homeland-chair-moves-to-rein-in-dark-networks
By Julian Hattem - 12/07/15 02:13 PM EST

The head of the House Homeland Security Committee is pushing a new initiative to deal with the proliferation of encrypted devices that critics say allow terrorists to communicate without detection.

The effort by Chairman Michael McCaul (R-Texas) will not force concessions on tech companies, he said Monday. Instead, it would create "a national commission on security and technology challenges in the digital age," which McCaul promised would be tasked with providing specific recommendations for dealing with an issue that has become a priority for law enforcement officials.

"A legislative knee-jerk reaction could weaken Internet protections and privacy for everyday Americans, while doing nothing puts American lives at risk and makes it easier for terrorists and criminals to escape justice," he said in remarks at the National Defense University in Washington, D.C.
"It is time for Congress to act because the White House has failed to bring all parties together, transparently, to find solutions."

McCaul is planning to introduce his bill in the coming days. The new commission would be composed of tech industry leaders, privacy advocates, academics and law enforcement officials.

"This will not be like other blue ribbon panels: established and forgotten," he promised. "The threats are real, so this legislation will require the commission to develop a range of actionable recommendations that protect privacy and public safety."

McCaul's push could prove to be a middle ground in the debate over encryption, which has created a rift between Silicon Valley and federal officials in Washington.

Leaders at the FBI and elsewhere warn that the increasingly common use of unbreakable encryption makes it impossible for them to obtain a suspect's communications even with a warrant. Yet tech companies and privacy supporters say that weakening the technology would make everybody less safe. A vulnerability allowing the FBI to access someone's messages could easily be exploited by Chinese spies or nefarious hackers, they note.

FBI Director James Comey had previously pushed for Congress to update a federal wiretapping law to offer a way around the encryption protections, but the Obama administration has backed off that solution amid rising opposition from Silicon Valley and concerns about weakening of overall security.

The White House has expressed concerns about encryption but also appears reluctant to publicly scold technology companies. "I will urge high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice," President Obama said in an address from the Oval Office on Sunday evening.

The terrorists behind last month's deadly attacks in Paris had the encrypted messaging application Telegram on their phones, McCaul revealed on Monday. The disclosure was the most substantive evidence to support national security hawks' allegations that encryption technology must have been used to carry out the attacks.

"We know why it went undetected. It went undetected because they were communicating in a dark space," he said on Monday. "I can't say that I have all the solutions to the problem, but I think the experts know how to get there, and I think that's what this legislation will provide."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 8 07:33:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 8 Dec 2015 08:33:12 -0500
Subject: [Infowarrior] - CISA's privacy protections likely removed
Message-ID: <97EBA190-3667-4DF2-9F76-CBDE0F362655@infowarrior.org>

Final Text Of CISA Apparently Removed What Little Privacy Protections Had Been In There
from the surprise-surprise dept
https://www.techdirt.com/articles/20151207/17063433015/final-text-cisa-apparently-removed-what-little-privacy-protections-had-been-there.shtml

Back in October, the Senate voted overwhelmingly to approve CISA, the Cybersecurity Information Sharing Act, which has nothing to do with cybersecurity at all, and is almost entirely a surveillance bill in disguise. Want to know the proof? Many of the most vocal supporters of CISA, who talked up how important "cybersecurity" is these days, are the very same people now looking to undermine encryption. Either way, there were significant differences between the version approved in the House, and thus Congress needed to reconcile the bills -- and apparently that means removing what little privacy protections were already in the bill:

And it now appears the final language is unlikely to include notable privacy provisions that digital rights and civil liberties groups insist are necessary to reduce the odds the bill enables greater government surveillance.
Basically, it looks like Congressional leadership decided to pull the worst parts from the various bills and mash them together into a super bill of pure terribleness. Not only will it favor the Senate bill over the House's, but it will also pull ideas from the competing bill that was put forth by the House Intelligence Committee, rather than the one put forth by the Homeland Security Committee. That, alone, should be rather telling. For all the talk about how this is about "security" and not at all about helping the intelligence community, why is it the Intelligence Committee's bill whose language is surviving, while the Homeland Security Committee's language is being deleted?

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 8 13:26:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 8 Dec 2015 14:26:55 -0500
Subject: [Infowarrior] - FBI admits it uses stingrays, zero-day exploits
Message-ID: <771E1F7B-DCF1-48D3-8B72-5FB5B572392B@infowarrior.org>

FBI admits it uses stingrays, zero-day exploits
The "queen of domestic surveillance" inches closer to hot-button topics.
by Dan Goodin - Dec 8, 2015 12:50pm EST
http://arstechnica.com/tech-policy/2015/12/fbi-admits-it-uses-stingrays-zero-day-exploits/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Dec 9 09:04:20 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 9 Dec 2015 10:04:20 -0500
Subject: [Infowarrior] - Another Huge Security Hole Has Been Discovered on Lenovo Computers
Message-ID: <9972B966-B5FD-47B7-8166-61303713FF4C@infowarrior.org>

Another Huge Security Hole Has Been Discovered on Lenovo Computers
by Kif Leswing
December 8, 2015, 10:42 AM EST
http://fortune.com/2015/12/08/lenovo-solution-center-hack/

-- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Dec 9 09:41:23 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 9 Dec 2015 10:41:23 -0500
Subject: [Infowarrior] - Congress Eyes Social-Media Companies as Terror Fears Mount
Message-ID: <00C854DA-94D3-447A-8F53-14D810C9B60B@infowarrior.org>

Congress Eyes Social-Media Companies as Terror Fears Mount
Damian Paletta
Dec. 9, 2015 8:17 a.m. ET
http://www.wsj.com/articles/congress-eyes-social-media-companies-as-terror-fears-mount-1449667043

Senior lawmakers on Tuesday introduced a bill that would require social-media companies to report online terrorist activity, escalating a dispute between Silicon Valley and Congress over technology companies' role in national security.

Sens. Richard Burr (R., N.C.) and Dianne Feinstein (D., Calif.), the chairman and vice chairwoman of the Senate Intelligence Committee, said the bill would direct social-media and other firms to provide information when they discover communication that could be connected to a potential threat. A similar law already exists for companies that discover child pornography.

A version of the legislation had already been included in a classified bill that authorized spending programs for intelligence agencies, but it was stripped from the final version. Now Mr. Burr and Mrs. Feinstein say they believe the measure should be revisited following the terror attacks last week in San Bernardino, Calif.

"Social media is one part of a large puzzle that law-enforcement and intelligence officials must piece together to prevent future attacks," Mr. Burr said. "It's critical that Congress works together to ensure that law-enforcement and intelligence officials have the tools available to keep Americans safe."

Islamic terrorist groups have used Twitter Inc., Facebook Inc. and other social media and messaging platforms to communicate and spread their message. The companies have sought to ban or block these users, but many easily resurface.

Law-enforcement officials believe at least one of the San Bernardino, Calif., shooters, who killed 14 people on Dec. 2, posted a message on Facebook pledging allegiance to Islamic State, though it is unclear if that message also warned of an imminent attack.

Social-media companies and Washington policy makers have been at odds for years over the tension between security and privacy.

A spokesman for Twitter Inc. wouldn't comment on the specific legislation but said more generally that "violent threats and the promotion of terrorism deserve no place on Twitter and our rules make that clear. We have teams around the world actively investigating reports of rule violations, and they work with law-enforcement entities around the world when appropriate."

A spokesman for Facebook didn't respond to a request for comment.

The legislation has bipartisan support in Congress but it could meet resistance from privacy hawks. Enforcement of the law could be difficult as it might be hard to ascertain whether a company that transfers millions of messages a day became aware of a single threat.

Sen. Ron Wyden (D., Ore.) warned that the legislation could threaten the existing cooperation between law enforcement and technology companies.

"I'm opposed to this proposal because I believe it will undermine that collaboration and lead to less reporting of terrorist activity, not more," he said. "It would create a perverse incentive for companies to avoid looking for terrorist content on their own networks, because if they saw something and failed to report it they would be breaking the law, but if they stuck their heads in the sand and avoided looking for terrorist content they would be absolved of responsibility."

The three-page bill is called the Requiring Reporting of Online Terrorist Activity Act.

Write to Damian Paletta at damian.paletta at wsj.com

-- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Dec 9 15:19:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 9 Dec 2015 16:19:28 -0500
Subject: [Infowarrior] - DiFi + DickBurr = Internet Enemies #1 and #2
Message-ID: <035A1BD0-C281-4D4C-B625-F92C6BF8F6B3@infowarrior.org>

Feinstein Brings Back Horrible Bill Forcing Internet Companies To Report On Your 'Suspicious' Behavior
https://www.techdirt.com/articles/20151209/01133533026/senator-feinstein-brings-back-horrible-bill-forcing-internet-companies-to-report-your-suspicious-behavior.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Dec 10 05:55:42 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 10 Dec 2015 06:55:42 -0500
Subject: [Infowarrior] - Lucasfilm DMCA abuse over legit SW toy image
Message-ID: <94AD84B9-1C76-4D78-BABC-8123BE9F4DC1@infowarrior.org>

Lucasfilm Uses DMCA to Kill Star Wars Toy Picture - TorrentFreak
By Andy
https://torrentfreak.com/lucasfilm-uses-dmca-to-kill-star-wars-toy-picture-151210/

Star Wars: The Force Awakens has gone into an early and bizarre anti-piracy overdrive. Earlier this week a fansite posted an image of a 'Rey' action figure legally bought in Walmart but it was taken down by Facebook and Twitter following a DMCA notice. Meanwhile, webhosts are facing threats of legal action.

When it's released on December 15, Star Wars: The Force Awakens is likely to become one of the most popular sci-fi films of all time. Even for non-fans, the anticipation can be felt around the entire web.

No surprise then that Disney and Lucasfilm, the two main companies behind the behemoth, are gearing up for an aggressive anti-piracy campaign should, heaven forbid, the movie leak onto the Internet.

While that is completely understandable, over the past 48 hours the companies have been taking action to aggressively protect their rights in a way that is probably not supported by the law.
The problems began earlier this week when fansite Star Wars Action News posted an update to its Facebook page. An excited Justin revealed that he'd just purchased an action figure of "Rey" from America's favorite store.

"Have we known this figure was coming? I just found her at Walmart -- no other new figures," he reported.

Crucially, Justin also posted up a couple of pictures of the boxed figure, which he had legally purchased, not stolen, from the store. However, it didn't remain up for long.

"These pictures were removed from the post," Justin wrote in an update. "Facebook notified us they deleted the photos after someone reported them for copyright infringement."

But this is the Internet and things travel quickly. Jeremy Conrad at Star Wars Unity subsequently reposted the pictures and he too felt the heat, in a much bigger way.

"This morning I woke up to numerous DMCA takedown notices on the @starwarsunity Twitter account, the Facebook account, the Google+ Page, and my personal Twitter for posting the image of an action figure that was legally purchased at Walmart," Conrad explains.

"My webhost also received a takedown email from them with a threat of a lawsuit if the image wasn't removed."

A lawsuit. For displaying an entirely legal photograph. The copyright to which is presumably owned by Justin at Star Wars Action News.

But it didn't stop there. Acting on behalf of Lucasfilm, anti-piracy outfit Irdeto has been hitting Twitter, not only filing DMCA notices (below, edited) against people who posted the image, but those who dared to RE-TWEET those tweets.

DMCA Takedown Notice
Copyright owner: Lucasfilm Ltd. LLC.
Name: David Gamble
Company: Irdeto
Job title: Operations Manager
Email address: iiprod_ops at irdeto.com
Description of original work: Star Wars: The Force Awakens - Rey (Resistance Outfit) Figurine
Links to original work: n/a
Reported Tweet URL: https://twitter.com/supersorrell/status/674483899871928321
Description of infringement: A screen shot of an unreleased figurine for Star Wars: Force Awakens

While taking down an image that they don't own the copyrights to is certainly taking things too far, Lucasfilm appear to have their reasons for doing so. We're not Star Wars experts here at TF but from what we understand there is an item printed on the Rey toy packaging that fans of the series will not want to see. That's why we're not publishing that picture in all its glory.

That being said, this story would not be complete without referencing the image that has caused all the fuss. With a double-helping of SPOILER WARNINGS and a DON'T BLAME US on top, those who wish to see the image can do so here.

https://torrentfreak.com/lucasfilm-uses-dmca-to-kill-star-wars-toy-picture-151210/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Dec 11 09:55:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Dec 2015 10:55:22 -0500
Subject: [Infowarrior] - Obama to clarify his stance on encryption by the holidays
Message-ID:

Translation: continue watching Friday evenings, weekends, and related pre-holiday "dead times" when government offices traditionally release controversial data/policies/positions. --rick

Obama to clarify his stance on encryption by the holidays
Eric Geller
http://www.dailydot.com/politics/white-house-encryption-policy-response-petition/

The Obama administration plans to clarify its stance on strong encryption before Washington shuts down for the holidays.

Administration officials met Thursday with the civil-society groups behind a petition urging the White House to back strong, end-to-end encryption over the objections of some law-enforcement and intelligence professionals.
At that meeting, White House officials told representatives from the American Civil Liberties Union, Access, the Center for Democracy and Technology, Human Rights Watch, and New America's Open Technology Institute that they were eyeing a holiday deadline for their formal response, according to Kevin Bankston, OTI's director, who helped organize the meeting.

A senior administration official confirmed that an encryption response was forthcoming but did not comment on the deadline. "The response we posted was an interim one," the official said of the brief reply to the petition, "and we will have a more fulsome response soon."

Bankston called Thursday's discussion "a very hopeful meeting." He said that the officials present were Michael Daniel, President Obama's cybersecurity coordinator; Ed Felten and Alexander Macgillivray, Obama's deputy chief technology officers; and Daniel Prieto, director of civil liberties and privacy for the National Security Council.

"They were mostly in listening mode," Bankston said, "but they did seem to share our overall goal of moving the discussion beyond the debate over encryption into a more productive conversation about how best to provide for national security in the current technological environment."

As tech companies have improved the security of their products and have begun to offer encryption that even they cannot bypass, national-security officials have complained that those companies are aiding criminals and terrorists by stymying investigations. These officials want tech companies to add "backdoors" to their encryption that the government could access with a warrant. FBI Director James Comey, the staunchest advocate for making tech companies modify their products to facilitate investigations, has warned that criminals are "going dark" by encrypting their communications in indecipherable ways.

Security experts overwhelmingly oppose backdoors, which they say would create opportunities for criminals, not just cops, to breach secure systems.

President Obama has not taken a firm stance on backdoors. He told Re/code in February that "there's no scenario in which we don't want really strong encryption," but he called on tech companies to work with the government to make investigations easier in an Oval Office address on Sunday. His administration continues to pressure tech companies to make such accommodations.

The White House considered a variety of backdoor policies but ultimately rejected them as unworkable. Mark Stroh, a White House spokesman, told the Daily Dot in October that "the administration is not seeking legislation at this time."

Bankston hopes that the White House will go further now. "What we want to hear from the White House is for them to not only continue to hold to their current position, which is that they are not seeking legislation at this time, but have them drop the qualifier of 'at this time.'"

"Our hope," he added, "is that, if they are willing to do that, we can move beyond this seemingly endless debate... and start talking about how can law enforcement and intelligence [agencies] adapt to a world where encryption is common, rather than pretending that we could ever make encryption adapt to law enforcement and intelligence [agencies]."

The debate over whether businesses should weaken their encryption to help the government, known as the "crypto wars," began in the 1990s and took on new life after the Paris terrorist attacks in November and the San Bernardino shooting in December. Some officials and lawmakers have blamed encryption and called for a policy response, although there is no evidence that the perpetrators of both attacks relied on encryption to evade detection.

"One of our key arguments at this stage," Bankston said, "is simply continuing to highlight -- as was true in the '90s... during the original crypto wars, but is even more true now -- no matter what U.S. law and U.S. companies do... strong end-to-end encryption is going to be widely available to anyone who wants it."

Two lawmakers are working on legislation that could outlaw unbreakable encryption. The White House did not promise to rebuke those attempts, according to Bankston, but it is aware of the problems with such a law.

"At this point, they clearly understand all of our concerns and arguments," he said. "In fact, many of those concerns and arguments were laid out in the White House's own memos that were leaked a few months ago."

Another participant in the meeting, who asked not to be named, said that the White House "seemed to very clearly understand the security implications of weakening encryption."

"I think the civil society groups broadly shared their concerns... both from a security standpoint and also from a First Amendment standpoint about some of these harms associated with weakening encryption or mandating a backdoor," this person said. "The meeting participants really stressed that this was an important moment for the White House to be clear about their position."

Civil-society groups hope that their talk launches "a series of meetings of more dialogue between not just us but other stakeholders as well," the participant said. "The participants in the room seemed to recognize the pressure domestically and globally and the importance of the U.S. to really lead on this issue."

Bankston warned that requiring companies to weaken their encryption, whether through backdoors or other means, would "make us less secure, in terms of our cybersecurity, and also shoot our tech industry in the foot, in terms of its economic competitiveness."

Correction: Department of Homeland Security officials were not present at the meeting.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Fri Dec 11 12:58:19 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Dec 2015 13:58:19 -0500
Subject: [Infowarrior] - Pepperidge Farm Sues Trader Joe's Because It Too Made A Cookie
Message-ID: <6423FA14-99AC-47D8-A052-63538BC411EE@infowarrior.org>

OFFS.....

Pepperidge Farm Sues Trader Joe's Because It Too Made A Cookie
https://www.techdirt.com/articles/20151207/05563233010/pepperidge-farm-sues-trader-joes-because-it-too-made-cookie.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sun Dec 13 20:24:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 13 Dec 2015 21:24:28 -0500
Subject: [Infowarrior] - Fwd: The Pirate Bay Founder Is Giving Up
References: <14618B6C-A47E-491C-A108-3318E97E0B27@well.com>
Message-ID:

c/o dan

-- It's better to burn out than fade away.

> Begin forwarded message:
>
> http://motherboard.vice.com/read/pirate-bay-founder-peter-sunde-i-have-given-up
>
> Pirate Bay Founder: "I Have Given Up"
>
> Written by JOOST MOLLEN
> December 11, 2015 // 02:26 PM EST
>
> "The internet is shit today. It's broken. It was probably always broken, but it's worse than ever."
>
> My conversation with Peter Sunde, one of the founders and spokespersons of The Pirate Bay, did not start out optimistically. There's good reason for that: In the last couple of months, the contemporary download culture shows heavy signs of defeat in the battle for the internet.
>
> Last month we saw Demonii disappear. It was the biggest torrent tracker on the internet, responsible for over 50 million trackers a year. Additionally, the MPAA took down YIFY and Popcorn Time. Then news got out that the Dutch Release Team, an uploading collective, made a legal settlement with anti-piracy group BREIN.
>
> While it might look like torrenters are still fighting this battle, Sunde claims that the reality is more definitive: "We have already lost."
> > Back in 2003 Peter Sunde, together with Fredrik Neij and Gottfrid Svartholm, started The Pirate Bay, a website that would become the biggest and most famous file-sharing website in the world. In 2009, the three founders were convicted of ?assisting [others] in copyright infringement? in a highly controversial trial. > > Sunde was incarcerated in 2014 and released a year later. After his time in jail he started blogging about the centralization of power by the European Union; ran as a candidate for the Finnish Pirate Party during the elections to the European Parliament; and founded Flattr, a micro donation system for software developers. > > I wanted to speak with Sunde about the current state of the free and open internet, but this conversation quickly changed into an ideological exchange about society and capitalism?which is, according to Sunde, the real problem. > > The following interview has been edited for clarity and length. > > MOTHERBOARD: Hey Peter, I was planning on asking you if things are going well, but you made it pretty clear that that isn?t the case. > Peter Sunde: No, I don?t see any good happening. People are too easy to content with things. > > Take the net neutrality law in Europe. It's terrible, but people are happy and go like "it could be worse.? That is absolutely not the right attitude. Facebook brings the internet to Africa and poor countries, but they?re only giving limited access to their own services and make money off of poor people. And getting government grants to do that, because they do PR well. > > Finland actually made internet access a human right a while back. That was a clever thing of Finland. But that?s like the only positive thing I have seen in any country anywhere in the world regarding the internet > > So, how bad is the state of the open internet? > > Well, we don?t have an open internet. We haven?t had an open internet for a long time. 
> So, we can't really talk about the open internet because it does not exist anymore. The problem is, nobody stops anything. We are losing privileges and rights all of the time. We are not gaining anything anywhere. The trend is just going in one direction: a more closed and more controlled internet. That has a big impact on our society. Because they are the same thing today. If you have a more oppressed internet, you have a more oppressed society. So that's something we should focus on.
>
> But still we think of the internet like this new kind of Wild West place, and things are not in chains yet, so we don't care because everything will be OK anyhow. But that is not really the case. We have never seen this amount of centralization, extreme inequality, extreme capitalism in any system before. But according to the marketing done by people like Mark Zuckerberg and companies like Google, it's all to help with the open network and to spread democracy, and so on. At the same time, they are capitalistic monopolies. So it's like trusting the enemy to do the good deeds. It is really bizarre.
>
> Do you think because a lot of people don't consider the internet to be real or a real place, they care less about its well-being?
>
> Well, one thing is, we have been growing up with an understanding of the importance of things like a telephone line or television. So if we would start to treat our telephone lines or TV channels like we treat the internet, people would get really upset. If someone would tell you, you can't call a friend, you would understand then that this is a very bad thing that is happening. You understand your rights. But people don't have that with the internet. If someone would tell you, you can't use Skype for that and that, you don't get the feeling it's about you personally. Just by being a virtual thing, it's suddenly not directed at you.
> You don't see someone spying on you, you don't see something censored, you don't see it when someone deletes stuff out of the search results out of Google. I think that's the biggest problem to get people's attention. You don't see the problems, so people don't feel connected to it.
>
> I would rather not care about it myself. Because it's very hard to do something about it, and not become a paranoid conspiracy person. And you don't want to be that. So rather just give up. That's kind of what people have been thinking, I think.
>
> What is it exactly that you have given up?
>
> Well, I have given up the idea that we can win this fight for the internet.
>
> The situation is not going to be any different, because apparently that is something people are not interested in fixing. Or we can't get people to care enough. Maybe it's a mixture, but this is kind of the situation we are in, so it's useless to do anything about it.
>
> We have become somehow the Black Knight from Monty Python's Holy Grail. We have maybe half of our head left and we are still fighting, we still think we have a chance of winning this battle.
>
> So what can people do to change this?
>
> Nothing.
>
> Nothing?
>
> No, I think we are at that point. I think it's really important people understand this. We lost this fight. Just admit defeat and make sure next time you understand why you lost this fight and make sure it doesn't happen again when we try and win the war.
>
> Right, so what is this war about and what should we do to win it?
>
> Well, I think, to win the war, we first of all need to understand what the fight is, and for me it's clear that we are dealing with an ideological thing: extreme capitalism that's ruling, extreme lobbying that's ruling and the centralization of power. The internet is just a part of a bigger puzzle.
>
> And the other thing with activism is that you have to get momentum and attention and such. We have been really bad at that.
> So we stopped ACTA, but then it just came back with a different name. By that time, we had used all our resources and public attention on that.
>
> The reason that the real world is the big target for me, is because the internet is emulating the real world. We are trying to recreate this capitalistic society we have on top of the internet. So the internet has been mostly fuel on the capitalistic fire, by kind of pretending to be something which will connect the whole world, but actually having a capitalistic agenda.
>
> Look at all the biggest companies in the world, they are all based on the internet. Look at what they are selling: nothing. Facebook has no product. Airbnb, the biggest hotel chain in the world, has no hotels. Uber, the biggest taxi company in the world, has no taxis whatsoever.
>
> "I have given up the idea that we can win this fight for the internet."
>
> The amount of employees in these companies is smaller than ever before and the profits are, in turn, larger. Apple and Google are passing oil companies by far. Minecraft got sold for $2.6 billion and WhatsApp for like $19 billion. These are insane amounts of money for nothing. That is why the internet and capitalism are so in love with each other.
>
> You told me the internet is broken, that it was always broken. What do you mean by that and do we have extreme capitalism to blame for it?
>
> Well, the thing is the internet is really stupid. It works really simply in a simple manner and it doesn't take any adjustments for censorship. Like, if one cable is gone, you take the traffic through some other place. But thanks to the centralization of the internet, (possible) censorship or surveillance tech is a whole lot harder to get around. Also, because the internet was an American invention, they also still have control of it and ICANN can actually force any country top level domain to be censored or disconnected. For me that's a really broken design.
>
> But it has always been broken, we just never really cared about it, because there always have been a few good people that made sure that nothing bad happened before. But I think that's the wrong idea. Rather let bad things happen as quick as possible so we can fix them and make sure it does not happen in the future. We are prolonging this inevitable total failure, which is not helping us at all.
>
> So, we should just let it crash and burn down, pick up the pieces and start over?
>
> Yes, with the focus on the big war on this extreme capitalism. I couldn't vote, but I was hoping Sarah Palin won last time in the US elections. I'm hoping Donald Trump wins this year's election. For the reason that it will fuck up that country so much faster than if a less bad President wins. Our whole world is just so focused on money, money, money. That's the biggest problem. That's why everything fucks up. That's the target we have to fix. We need to make sure that we are going to get a different focus in life.
>
> Hopefully technology will give us robots that will take away all the jobs, which will cause like a massive worldwide unemployment; somewhat like 60 percent. People will be so unhappy. That would be great, because then you can finally see capitalism crashing so hard. There is going to be a lot of fear, lost blood, and lost lives to get to that point, but I think that's the only positive thing I see, that we are going to have a total system collapse in the future. Hopefully as quick as possible. I would rather be 50 than be like 85 when the system is crashing.
>
> This all sounds quite like some sort of Marxist revolution: a total crash of the capitalist system.
>
> Well, yeah, I totally agree with that. I'm a socialist. I know Marx and communism did not work before, but I think in the future you have the possibility of having total communism and equal access to everything for everybody.
> Most people I meet, no matter if they are a communist or a capitalist, agree with me on this, because they understand the potential.
>
> So, is there like a concrete thing we should focus on? Or do we need to aim for a new way of thinking? A new ideology?
>
> Well, I think the focus needs to be that the internet is exactly the same as society. People might realize that it's not a really good idea to have all of our data and files on Google, Facebook and company servers. All of these things need to be communicated all the way to the political top, of course. But stop treating the internet like it's a different thing and start focusing on what you actually want your society to look like. We have to fix society, before we can fix the internet. That's the only thing.
>
> TOPICS: Open Internet, Pirate Bay, piracy, capitalism, Internet, culture

From rforno at infowarrior.org Mon Dec 14 16:12:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Dec 2015 17:12:45 -0500
Subject: [Infowarrior] - Congress Adds 'CISA' To 'Omnibus' Budget Bill
Message-ID: <129C19FD-E1CF-44B7-AB4C-E46D97DC6BEB@infowarrior.org>

Congress Adds 'CISA' To 'Omnibus' Budget Bill, Up To President Obama To Veto
By Lucian Armasu, December 14, 2015 1:55 PM - Source: Fight for the Future
http://www.tomshardware.com/news/cisa-included-in-budget-bill,30755.html

From rforno at infowarrior.org Tue Dec 15 12:25:21 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Dec 2015 13:25:21 -0500
Subject: [Infowarrior] - UK seeks feedback on Draft Investigatory Powers Bill,
Message-ID: <46B91353-E769-46CC-BCCF-E20FA84BD27B@infowarrior.org>

The Joint Committee on the Draft Investigatory Powers Bill, chaired by Lord Murphy of Torfaen, was appointed by the two Houses of Parliament in late November 2015 to consider the Draft Investigatory Powers Bill, which was presented to the two Houses on 4 November 2015.
The Committee invites any interested individuals and organisations to submit evidence to this inquiry. The Committee in particular will explore the key issues listed below in detail, and would welcome your views on any or all of the following questions. Please note that questions are not listed here in any particular order of importance.

Written evidence should arrive no later than 21 December 2015. Public hearings will be held in November and December 2015 and January 2016. The Committee has been asked to report to the Houses, with recommendations, in February 2016. The report will receive a response from the Government.

The time available for the Committee's inquiry is short, and its focus will be on the contents of the draft Bill rather than more general aspects of policy. The Committee will not consider as part of its inquiry the merits of individual cases which have been, or are now, subject to formal proceedings in courts or tribunals.

< - >

http://www.parliament.uk/documents/joint-committees/draft-investigatory-powers-bill/ipb-call-for-evidence.pdf/

From rforno at infowarrior.org Tue Dec 15 12:25:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Dec 2015 13:25:34 -0500
Subject: [Infowarrior] - Fact-checking the debate on encryption
Message-ID:

Fact-checking the debate on encryption
by Jeff Larson and Julia Angwin, ProPublica - Dec 15, 2015 9:50am EST
http://arstechnica.com/security/2015/12/fact-checking-the-debate-on-encryption/

As politicians and counter-terrorism officials search for lessons from the recent attacks in Paris and San Bernardino, California, senior officials have called for limits on technology that sends encrypted messages.

It's a debate that has repeatedly recurred for more than a decade. In the 1990s, the Clinton Administration directed technology companies to store copies of their encryption keys with the government.
That would have given the government a "backdoor" to allow law enforcement and intelligence agencies easy access to encrypted communications. That idea was dropped after sharp criticism from technologists and civil liberties advocates.

More recently, intelligence officials in Europe and the United States have asserted that encryption hampers their ability to detect plots and trace perpetrators. But many have questioned whether it would be practical or wise to allow governments widespread power to read encrypted messages.

To help readers appreciate the arguments on both sides, we've pulled together some FAQs on a subject that is sure to be hotly debated in the years to come.

Q: Are terrorists really using encrypted messages to plot attacks?

A: There's mounting evidence that terrorist groups are using encryption, but so does nearly everyone living in modern society. Encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. In addition, apps that send encrypted text messages through Wi-Fi, such as WhatsApp, Signal and Telegram, have become increasingly commonplace in places where text messaging is expensive.

One piece of evidence that terror networks are using encrypted messages surfaced in a recent issue of ISIS's Dabiq magazine, where the group listed a contact number in Telegram. Soon after, Telegram shut down many ISIS-connected groups using its service. And earlier this year, a West Point researcher found copies of an encryption manual designed for journalists and activists on an Internet forum linked to ISIS.

Intelligence officials have said that the planner of the Paris terrorist attacks used encryption technology, but police also found that one of the Paris terrorists was using an unencrypted cellphone.

Q: Are Google, Apple, Facebook and Twitter thwarting law enforcement through their use of encryption?
A: In the past few years, Silicon Valley tech companies have added layers of encryption to their cellphones and websites in an effort to assure users that their data is safe from both hackers and spies. That encryption has also made it harder for law enforcement officials to read what is transmitted by those devices.

Last year, Apple made encryption the default setting for iPhones, meaning that all data stored on the device was scrambled. In an open letter announcing the change, Apple CEO Tim Cook wrote, "At Apple, we believe a great customer experience shouldn't come at the expense of your privacy."

In congressional testimony this month, FBI Director James Comey said that encryption is now part of "terrorist tradecraft." He cited an instance in Garland, Texas, in which two terror suspects were arrested before they could execute an attack. "That morning, before one of those terrorists left to try and commit mass murder, he exchanged 109 messages with an overseas terrorist. We have no idea what he said because those messages were encrypted," Comey said.

Q: But can't the National Security Agency just crack any code it wants?

A: It's not clear how much encryption the NSA can break. In 2013, ProPublica and the New York Times reported on a top secret NSA program called Bullrun that was described in internal documents as being able to decrypt "vast amounts of encrypted Internet data." The program started in 2011 and was the result of "an aggressive, multipronged effort to break widely used Internet encryption technologies."

Details of the project are not known. But the documents showed that in 2013, the agency planned to spend $250 million to, in part, "insert vulnerabilities into commercial encryption systems."

Q: I heard that there is a "golden key" that unlocks all encryption. Is there such a thing?

A: Not yet and it's not clear it will ever exist. The U.S. government has been trying to figure out how to access encrypted data for decades.
However, wiretapping a phone call is far easier than creating a backdoor into encryption technology.

Last year, the Washington Post editorial board called for Apple and Google "with all their wizardry," to "invent a kind of secure golden key" that would allow law enforcement officials to read any encrypted message sent by a suspect.

It would be a tremendous challenge to convince the world's encryption makers, many of whom live outside the United States, to give American authorities access to such a tool. And it would be an even bigger challenge to keep the master key secret, given that it would immediately become the No. 1 target of every hacker and nation in the world.

To address that issue, a White House working group proposed a split key, where one half of the master key would be kept by the government and the other would be held by the encryption company. But the report noted that this approach would be "complex to implement and maintain."

Q: Are there less complicated ways to give law enforcement and intelligence officials the access they say they need?

A: The White House working group offered three additional ideas for "backdoors" into encryption. All required manufacturing or software changes by US providers and all involved significant political or technical problems.

One idea raised by the panel called for manufacturers to create a special port on all devices that could only be accessed by law enforcement. Requiring a port would represent a "significant cost to US providers," but could be avoided by installing software that creates "a secondary layer of encryption," the panel said.

Another option would be for telecom providers to slip software that defeats encryption into routine upgrades sent to customers. Such an approach would "call into question the trustworthiness" of American companies' software updates, and could be easily repelled by technically adept users.
Finally, the working group suggested that telecom providers might be ordered to hack into their customers' devices so that their backup routines would send unencrypted copies of all data to the government.

Q: Will any of these backdoor schemes work?

A: They all have flaws. A big one: Users could easily bypass all of the backdoor options by creating their own layers of encryption.

It's not clear that compelling American companies to allow backdoors would accomplish much. A significant amount of the encryption software used around the world comes from widely available "open source" products. "There may be no central authority" for the government to negotiate with, the White House said in its report.

And even when there is a company to negotiate with, the government has not had luck getting access to encryption keys. Two years ago, for example, the FBI tried and failed to get access to encryption keys from Snowden's email provider, Lavabit. Ladar Levison, Lavabit's owner, "provided the FBI with an 11-page printout containing largely illegible characters in 4-point type" of the keys and then shut down the entire email service.

Most importantly, the United States isn't the only country in the world with legal power over technology companies. For example, many cellphones used in the United States are manufactured in China, which could also demand backdoor access for its intelligence and law enforcement authorities. The White House report warns that "any U.S. proposed solution will be adopted by other countries."

Q: So what is the government proposing?

A: The short answer is that the government has quietly dropped its requests for a backdoor.

Last year, in a speech at the Brookings Institution, FBI Director Comey called for a "regulatory or legislative fix" to the problem of law enforcement access to encrypted communications, which was widely interpreted as calling for legislation to require encryption backdoors.
But after his proposal prompted a backlash from technologists, Comey has softened his tone. In July, he told a Senate panel that "there has not yet been a decision whether to seek legislation" about requiring companies to provide access to encrypted data. And in Wednesday's testimony, he told a Senate panel that "the administration has decided not to seek a legislative remedy at this time."

California Sen. Dianne Feinstein suggested that she is going to seek legislation. "If there is conspiracy going on over the Internet, that encryption ought to be able to be pierced," she said at the hearing.

On Thursday, privacy advocates visited the White House to discuss a petition they submitted in support of strong encryption. Kevin Bankston, director of the Open Technology Institute, who attended the meeting, said that administration officials said they "would like to move beyond this debate" and start discussing "how to adapt to strong encryption rather than fighting it."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

From rforno at infowarrior.org Tue Dec 15 12:31:30 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Dec 2015 13:31:30 -0500
Subject: [Infowarrior] - READ: CISA takes on new, uglier form
Message-ID: <7D12B123-8E0D-43F7-9985-438A3026E5A4@infowarrior.org>

(Note the 3rd bullet: the RIAA/MPAA cartels must be absolutely giddy at this possibility. --rick)

Congress Drops All Pretense: Quietly Turns CISA Into A Full On Surveillance Bill
https://www.techdirt.com/articles/20151215/06470133083/congress-drops-all-pretense-quietly-turns-cisa-into-full-surveillance-bill.shtml

As you may recall, Congress and the White House have been pushing for a "cybersecurity" bill for a few years now, that has never actually been a cybersecurity bill.
Senator Ron Wyden was one of the only people in Congress willing to stand up and directly say what it was: "it's a surveillance bill by another name." And, by now, you should know that when Senator Wyden says that there's a secret interpretation of a bill that will increase surveillance and is at odds with the public's understanding of a bill, you should know to listen. He's said so in the past and has been right... multiple times.

< - >

And, the latest is that it's getting worse. Not only is Congress looking to include it in the end of year omnibus bill -- basically a "must pass" bill -- to make sure it gets passed, but it's clearly dropping all pretense that CISA isn't about surveillance. Here's what we're hearing from people involved in the latest negotiations. The latest version of CISA that they're looking to put into the omnibus:

* Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn't necessarily wonderful, it's a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.

* Directly removes the restrictions on using this information for "surveillance" activities. You can't get much more direct than that, right?

* Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We've just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won't make use of CISA too?

* Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information.
This was the key point that everyone kept making about why the information should go to DHS first -- where DHS would be in charge of this "scrub". The "scrub" process was a bit exaggerated in the first place, but it was at least something of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the "discretion" of whichever agency gets the information. Guess how that's going to go?

In short: while before Congress could at least pretend that CISA was about cybersecurity, rather than surveillance, in this mad dash to get it shoved through, they've dropped all pretense and have stripped every last privacy protection, expanded the scope of the bill, and made it quite clear that it's a very broad surveillance bill that can be widely used and abused by all parts of the government.

There is still some hesitation by some as to whether or not this bill belongs in the omnibus bill, or if it should go through the regular process, with a debate and a full vote on this entirely new and different version of CISA. So, now would be a good time to speak out, letting your elected officials and the White House know that (1) CISA should not be in the omnibus and (2) that we don't need another surveillance bill.

< - >

From rforno at infowarrior.org Tue Dec 15 18:12:59 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Dec 2015 19:12:59 -0500
Subject: [Infowarrior] - OT: The 'new' Star Wars Holiday Special
Message-ID: <8CCD7372-3417-4503-9241-43789DF14567@infowarrior.org>

(Because the first one was so awesome! --rick)

Infamous 'Star Wars Holiday Special' gets 'Force Awakens' parody
Funny or Die envisions a new "Hypothetical Star Wars Holiday Special" with the help of Jason Alexander, Lydia Hearst, DJ Qualls and the band Train. Plus, meet BB-8's family.
http://www.cnet.com/news/infamous-star-wars-holiday-special-gets-force-awakens-parody/

From rforno at infowarrior.org Tue Dec 15 18:45:30 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Dec 2015 19:45:30 -0500
Subject: [Infowarrior] - Former national security officials urge government to embrace rise of encryption
Message-ID: <6082914D-5BB5-44EE-808A-3E789E82558C@infowarrior.org>

Former national security officials urge government to embrace rise of encryption
https://www.washingtonpost.com/world/national-security/former-national-security-officials-urge-government-to-embrace-rise-of-encryption/2015/12/15/3164eae6-a27d-11e5-9c4e-be37f66848bb_story.html

A number of former senior national security officials are urging that the government embrace the move to strong encryption by tech companies -- even if it means law enforcement will be unable to monitor some phone calls and text messages in terrorism and criminal investigations.

In so doing, they are taking a position at odds with their colleagues inside government, including FBI Director James B. Comey. U.S. officials argue that without access to such data, they may miss critical evidence of a terrorist plot or a murder or kidnapping.

But these former officials -- previously at the National Security Agency, the CIA, the Pentagon and the Office of the Director of National Intelligence -- are saying that there are larger, strategic national and economic security imperatives that outweigh law enforcement's operational needs. And they say that recent terrorist attacks in Paris and in San Bernardino, Calif., have not changed their views.

Mike McConnell, who headed the NSA in the 1990s during the first national debate over federal encryption policy, recalled how 20 years ago, he was for backdoor access to encrypted communications for the government. "NSA argued publicly, 'We're going deaf'"
because of encrypted calls, said McConnell, who now serves on the board of several cybersecurity companies. The agency wanted a third party to hold a key to unlock coded calls.

But the resulting outcry -- similar to the one heard in today's debate over smartphone and text message encryption -- caused the government to back down. "We lost," McConnell said simply. And what happened? "From that time until now, NSA has had better sigint than any time in history," he said, referring to signals intelligence, or the ability to intercept electronic communications. "Technology will advance, and you can't stop it. Learn how to deal with it."

McConnell, a former director of national intelligence, said he is not disputing the FBI's need to eavesdrop on a terrorist or kidnapper. But the cybersecurity that strong encryption provides is a greater strategic need now, he said.

"Chinese economic espionage is so severe that stopping that is more important than being able to read the communications of a criminal," said McConnell, who in July penned an opinion piece in The Washington Post with former Homeland Security secretary Michael Chertoff and former deputy Defense secretary William J. Lynn on the issue.

Chertoff, who served in the George W. Bush administration and now runs his own security consultancy, said that efforts to "undermine or to create exceptions to what is increasingly the trend to encrypting communications end to end are misguided."

The reality is, he said in an interview this fall, "it's always been the case that in a free society you have less than perfect ability to detect people who do bad things."

He recalled how when he was a prosecutor in New York in the mid-1980s working Mafia and political corruption cases, there were many times when he would have liked to have had a record of a conversation, but didn't -- either because the witness did not tell him about it, didn't write it down, or the record disappeared before it could be subpoenaed.
"I remember big organized crime cases -- there were several people in particular who never talked in a closed setting because they were worried about being wiretapped," he said. "But you know what? We made the case the old-fashioned way. A few photographs. A couple witnesses. Circumstantial evidence. So . . . I think that deliberately compromising security to make it easier for law enforcement runs the risk of simply sending the bad guys to other parts of the world where things will be fully encrypted."

The Obama administration in October decided after months of internal debate that it would not seek legislation for now. Although some lawmakers have called for action in the wake of the recent terrorist attacks, some administration officials say the White House is not likely to change its position.

Former CIA director Michael V. Hayden, who also headed the NSA from 1999 to 2005, said requiring or even encouraging U.S. companies to build in keys to unlock customers' data "will drive the market away from them." If that happens, he said, law enforcement "will wind up with the worst of all worlds: there will be unbreakable encryption -- it just won't be made by American firms."

Hayden, a principal in the Chertoff Group, said that "this is far more of a law enforcement issue than it is intelligence." Spy agencies have other ways of obtaining information, he said. "By the way," he added, "I'm not saying that NSA should not try to bust what Apple thinks is unbreakable encryption. All I'm saying is Apple should not be required" to hold keys to decrypt data for the government.

Joel Brenner, a former NSA inspector general and top U.S. counterintelligence official, said when a company creates a back door to be able to unlock communications, "the likelihood that others will gain access is quite high."
And even if companies could be persuaded to install back doors that would give the FBI access to records with a court order, the federal government has not shown it can be trusted to protect sensitive records, said Brenner, who is now a fellow at MIT and has a consulting practice.

"The notion that we can trust the government to protect its own systems has been completely discredited in the wake of the [Office of Personnel Management] hack and other incidents," he said, referring to the disclosure earlier this year of two separate hacks of OPM's computers in which the personal records of 22 million current and former federal employees were compromised by the Chinese government.

The issue is not just a domestic one, he noted. The British, French and Chinese want companies to create back doors. "Without some international norm here, it's going to be very hard to find stability," he said. "And I doubt we Americans can do it through a mandate."

Not all former national security officials agree. Keith Alexander, who retired as NSA director last year, said the risks to national security merit law enforcement gaining access to data with a warrant. "What happens when you can't see what terrorists are planning?" he said at a cyber conference in September hosted by Hewlett-Packard. "That's going to get worse. Much worse."

Alexander, who founded IronNet, a cybersecurity firm, suggested that if current trends continue and law enforcement officials "get no access," tragedy will strike. "We have a 9/11 and then we snap back and say, 'Okay, what do we do?' I think we should have that discussion now before the next crisis."

Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.
From rforno at infowarrior.org Wed Dec 16 07:55:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Dec 2015 08:55:43 -0500
Subject: [Infowarrior] - (Changed?) CISA included in spending bill going to WH
Message-ID:

(If what Techdirt reported yesterday, and was relayed here, this is a major backdoor surveillance bill. --rick)

Long-delayed cyber bill included in omnibus
By Cory Bennett - 12/16/15 02:31 AM EST
http://thehill.com/policy/cybersecurity/263403-long-delayed-cyber-bill-included-in-omnibus

A long-delayed cybersecurity bill was included in the sweeping omnibus spending deal released early Wednesday. The inclusion likely ensures the biggest cyber bill in years will soon get to President Obama's desk, a significant win for the bill's backers, who scrambled to finish negotiations on the compromise text in recent weeks.

The legislation would provide incentives to encourage businesses to share more data on hackers with the government. Negotiators have been working on the cyber measure's final language since the Senate passed a version from the Intelligence Committee in October. The House passed its two complementary bills in April: one from that chamber's Intelligence panel and another from Homeland Security.

For the last two weeks, lawmakers had targeted the giant $1.1 trillion spending measure as a possible method of getting the merged bill through Congress before the end of the year. They just made it in time to get on the omnibus. According to people involved in the discussions, negotiators didn't hammer out all their differences until Tuesday afternoon.

As it became increasingly likely congressional leaders would attempt to move the cyber bill in the omnibus, lawmakers and digital rights advocates mobilized in opposition. Four privacy-minded House members sent a letter to their colleagues late Tuesday. "Reports indicate a new bill is being negotiated by just a handful of members for inclusion in the omnibus," said the letter, signed by Reps. Justin Amash (R-Mich.), Zoe Lofgren (D-Calif.), Jared Polis (D-Colo.) and Ted Poe (R-Texas). "Neither negotiations - nor even bill text - have been made public. We cannot cast such a consequential vote with no input."

After the omnibus was released, digital rights groups opposing the bill accused lawmakers of trying to avoid a transparent debate about a bill they believe will simply shuttle more of Americans' personal data to the National Security Agency (NSA). "Congressional leadership is subverting fair process in order to pass a surveillance bill under the false flag of cybersecurity," said Drew Mitnick, policy counsel at digital rights advocate Access Now. "They are attempting to insert it into unrelated, must-pass legislation."

Supporters - including a bipartisan group of lawmakers, many industry groups and even the White House - have countered that the bill is a necessary first step to fighting hackers. The legislation must move swiftly to help stem the fallout from data breaches. Backers also point to clauses they say would ensure any personal data is removed before the information is shared with the NSA.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Dec 16 13:14:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Dec 2015 14:14:00 -0500
Subject: [Infowarrior] - Meet CISA, A De Facto Cyber Patriot Act
Message-ID: <910A64C5-5214-4A44-9643-9771A69A21D2@infowarrior.org>

Meet CISA, A De Facto Cyber Patriot Act
By Lucian Armasu, December 16, 2015 9:30 AM
http://www.tomshardware.com/news/cisa-the-cyber-patriot-act,30771.html

-- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Dec 16 14:02:10 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Dec 2015 15:02:10 -0500
Subject: [Infowarrior] - (OT) Humor: The Radicalization of Luke Skywalker: A Jedi's Path to Jihad
Message-ID:

The Radicalization of Luke Skywalker: A Jedi's Path to Jihad
http://decider.com/2015/12/11/the-radicalization-of-luke-skywalker-a-jedis-path-to-jihad/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Dec 16 14:20:32 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Dec 2015 15:20:32 -0500
Subject: [Infowarrior] - Why I don't drive in DC
Message-ID: <4A37601A-26E1-4F42-B155-F567E1483F05@infowarrior.org>

Funny this plan is published the same year DC announced its revenue from speed cameras had fallen dramatically. This clearly is nothing more than a way to sustain much-needed revenues from traffic 'safety' measures. I happily Metro and/or pay a cab to venture into DC nowadays. --rick

Over the next two years, drivers in the District will have to be watchful of 100 more traffic cameras, 24/7 school zones where speeds are limited to 15 mph, and fines of up to $1,000 for speeding violations.

< - >

By October 2017, there will be 100 additional cameras targeting violations including speeding, red light, stop sign, crosswalk and gridlock laws and significantly increasing the city's automated enforcement. The city currently operates 153 traffic cameras, including 97 speed, 42 red-light, 7 stop sign, and 7 oversize or weight cameras, according to the Vision Zero plan. The scores of additional cameras are likely to upset drivers who have widely criticized the city's 15-year-old automated traffic enforcement program as a money-generator and a tool the city uses to penalize drivers as it pushes the use of public transit, biking and walking.

< - >

Besides expanding the camera program, the D.C. Department of Transportation is also taking steps to significantly raise fines for traffic violators. On Friday, the agency announced plans for 20 traffic offenses that are either brand-new or for which fines will increase substantially. Under that proposal, which is also part of the Vision Zero approach, drivers traveling 25 mph over the speed limit would face fines of up to $1,000, a significant increase from the current $300 fine.

< - >

https://www.washingtonpost.com/news/dr-gridlock/wp/2015/12/16/d-c-plans-to-add-100-more-traffic-cameras/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Dec 17 06:59:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Dec 2015 07:59:07 -0500
Subject: [Infowarrior] - Martin Shkreli arrested by FBI. *chuckle*
Message-ID: <74E0C907-A3C3-4F6E-B686-581039F214DF@infowarrior.org>

(Good riddance to bad rubbish. I wonder what punk pose he'll strike for his mugshot? And, in a moment of mature sanity, may I add a Nelson-esque "Ha-Ha!" -- rick)

Turing Pharmaceuticals CEO Shkreli arrested by FBI
CNBC
http://www.cnbc.com/2015/12/17/turing-pharmaceuticals-ceo-shkreli-arrested-by-fbi-reuters.html

Martin Shkreli, a lightning rod for growing outrage over soaring prescription drug prices, was arrested by the FBI on Thursday after a federal investigation involving his former hedge fund and a pharmaceutical company he previously headed. The securities fraud probe of Shkreli, who is now chief executive officer of Turing Pharmaceuticals and KaloBios Pharmaceuticals, stems from his time as manager of hedge fund MSMB Capital Management and CEO of biopharmaceutical company Retrophin Inc, a person familiar with the matter said. Shares of KaloBios fell about 50 percent in premarket trading. Lawyers for Retrophin and Shkreli, whose arrest was witnessed by Reuters, did not immediately respond to a request for comment. Turing and KaloBios declined to comment.
Turing sparked controversy earlier this year after news reports that it had raised the price of Daraprim, a 62-year-old treatment for a dangerous parasitic infection, to $750 a tablet from $13.50 after acquiring it. Shkreli, 32, was expected to be charged on Thursday for illegally using Retrophin assets to pay off debts after MSMB lost millions of dollars, the source said. The probe, by federal prosecutors in Brooklyn, dates back to at least January when Retrophin said it received a subpoena from prosecutors seeking information about its relationship with Shkreli. That subpoena also sought information about individuals or entities that had invested in funds previously managed by Shkreli, Retrophin said in a regulatory filing.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Dec 17 17:13:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Dec 2015 18:13:51 -0500
Subject: [Infowarrior] - WH Supports Privacy Destroying CISA, Despite Past Promises It Would Not
Message-ID: <0D59F1AF-2128-40CB-9392-A1AFAF327EA4@infowarrior.org>

White House Supports Privacy Destroying CISA, Despite Past Promises It Would Not
from the this-is-a-problem dept
https://www.techdirt.com/articles/20151217/07512133110/white-house-supports-privacy-destroying-cisa-despite-past-promises-it-would-not.shtml

In the past, President Obama has threatened to veto any cybersecurity bill that undermines privacy and civil liberties. Of course, people didn't quite believe that was true, and now that we see the final cybersecurity bill, the bastardized CISA has been attached to the "must pass" omnibus spending bill, and clearly is a disaster on privacy issues, what do you think the White House is saying? Well, they love it, of course:

"We are pleased that the Omnibus includes cybersecurity information sharing legislation," a senior administration official said in an emailed statement. "The President has long called on Congress to pass cybersecurity information sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality, and civil liberties."

Except, you know, it doesn't actually do that last part.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Dec 18 08:46:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Dec 2015 09:46:09 -0500
Subject: [Infowarrior] - Last-Minute Budget Bill Allows New, Privacy-Invading Surveillance in the Name of Cybersecurity
Message-ID: <57D5B6C0-8AA8-44A4-848E-C9A6587BEDFF@infowarrior.org>

Last-Minute Budget Bill Allows New, Privacy-Invading Surveillance in the Name of Cybersecurity
Jenna McLaughlin
Dec. 18 2015, 8:20 a.m.
https://theintercept.com/2015/12/18/last-minute-budget-bill-allows-new-privacy-invading-surveillance-in-the-name-of-cybersecurity/

In the wake of a series of humiliating cyberattacks, the imperative in Congress and the White House to do something - anything - in the name of improving cybersecurity was powerful. But only the most cynical observers thought the results would be this bad.

The legislation the House will be voting on Friday is a thinly-disguised surveillance bill that would give companies pathways they don't need to share user data related to cyber threats with the government - while allowing the government to use that information for any purpose, with almost no privacy protections. And because Speaker of the House Paul Ryan slipped the provision into the massive government omnibus spending bill that has to pass - or else the entire government will shut down - it seems doomed to become law.

The text of the bill - now known as the Cybersecurity Act of 2015, formerly known as CISA -
wasn't released until shortly after midnight Wednesday morning, giving members of Congress essentially no time to do anything about it.

The bill would remove a restriction on direct information sharing with the National Security Agency and the Pentagon; would eliminate a restriction on the government's use of that information for surveillance activities; would allow law enforcement to use the information to prosecute any and all crimes; and would leave it up to the individual agencies to scrub personally identifying information when they feel like it.

"If someone hacks a health insurance company like Blue Cross/Blue Shield, and they get scared and hand over all the medical records that were exposed in the hack, the NSA could share those records with the DEA, who could use them in ongoing investigations that have nothing to do with cyber security or terrorism," wrote Evan Greer, campaign director for Fight for the Future, a digital rights advocacy group.

The House Homeland Security Committee chaired by Rep. McCaul, R-Tex., had proposed a series of privacy protections from a previous House version of the cyber bill, but they were stricken from the new version that emerged from the Speaker's office.

"The bill is all the worst parts" of the different cyber security bills negotiated in recent months, Nathan White, senior legislative manager for Access Now, told The Intercept. "It was negotiated in secret - it's a sneaky process they've used." Because of the last-minute timing, members of Congress "are not even going to know what they're passing," White said. "We don't have time to get an informed vote, they're pulling a fast one on the Senate."

And the White House is reportedly on board. According to a leaked document published by Dustin Volz of Reuters, titled "Summary administration priorities for CISA", the White House's priorities line up with the new version of the bill - despite the fact that the administration threatened a veto over very similar legislation in 2013.

According to several technologists, information sharing isn't a real solution to preventing cyberattacks. The best defense is better cyber hygiene. "When you've got an epidemic, the answer is you should be washing your hands every time you use the bathroom. It's just not a sexy thing to say," Lee Tien, senior staff attorney at the Electronic Frontier Foundation, told The Intercept last January following President Obama's State of the Union address, which focused heavily on cybersecurity.

Some opposition to the new bill has emerged among digital-rights supporting lawmakers and organizations, both Democratic and Republican. But they face off against the immensely powerful intelligence committees in the House and the Senate, congressional leadership, and the White House.

"Members of Congress are intentionally kept in dark so we don't have time to rally opposition to particular measures," Libertarian-leaning Rep. Justin Amash, R-Mich., wrote on Twitter. Rep. Zoe Lofgren, D-Calif., warned that the bill would "accomplish little more than increased unwarranted surveillance of US persons, sharing private information with prosecutors, and feeding the NSA dragnet."

"This 'cybersecurity' bill was a bad bill when it passed the Senate and it is an even worse bill today," said Sen. Ron Wyden, D-Ore. "Americans deserve policies that protect both their security and their liberty. This bill fails on both counts. Cybersecurity experts say CISA will do little to prevent major hacks and privacy advocates know that this bill lacks real, meaningful privacy protections," Wyden wrote in a press release.

Overall, there wasn't much hope among the conservative groups. "We certainly would have liked more time to bring this issue to the attention of libertarians and conservatives. Unfortunately, the way the final bill was conferenced - keeping Chairman McCaul out of any substantive discussions and disregarding many of his concerns around the reconciliation process - moved it quicker than we anticipated," wrote Ryan Hagemann of the Niskanen Center in an e-mail to the Intercept.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Dec 18 08:50:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Dec 2015 09:50:40 -0500
Subject: [Infowarrior] - 51 Civil Society Groups and Security Experts Tell Congress They Oppose Cyber Legislation
Message-ID:

(Disclosure: I am a signatory. --rick)

51 Civil Society Groups and Security Experts Tell Congress They Oppose Cyber Legislation
Groups denounce tactic of attaching the Cybersecurity Act of 2015 to must-pass omnibus spending bill
press release | December 17, 2015
https://www.newamerica.org/oti/51-civil-society-groups-and-security-experts-tell-congress-they-oppose-cyber-legislation/

Today, 51 civil society organizations and security experts wrote to Congress, strongly opposing the Cybersecurity Act of 2015, the bill that was previously named CISA, and denouncing its inclusion in the omnibus spending bill, which is considered a must-pass measure. The letter's signatories caution that "[t]his bill seriously threatens privacy, civil liberties, and government accountability, and would undermine cybersecurity, rather than enhance it. As such, it should be debated pursuant to regular process, and members should have the opportunity to record their votes on this highly controversial bill."

The coalition raises many concerns about the controversial legislation, including that it would:

• Authorize companies to significantly expand monitoring of their users' online activities, and permit sharing of vaguely defined "cyber threat indicators" without adequate privacy protections prior to sharing;
• Require federal entities to automatically disseminate to the NSA all cyber threat indicators they receive, including personal information about individuals;
• Allow companies to share information directly with the NSA or FBI;
• Allow the president to establish the Office of the Director of National Intelligence (DNI), the FBI, and any other appropriate civilian federal entity as a portal through which companies may share information with liability protection;
• Authorize overbroad law enforcement uses that go far outside the scope of cybersecurity; and
• Authorize companies to engage in problematic defensive measures.

The following quote can be attributed to Robyn Greene, Policy Counsel at New America's Open Technology Institute:

"The privacy and security communities have consistently opposed the Intelligence Committees' information sharing bills, and are strongly opposed to this new incarnation of CISA, the Cybersecurity Act of 2015. Leaders in cybersecurity - including major tech companies like Apple and Twitter, leading security experts, and civil society - have opposed this bill as harmful to privacy and security. Despite that fact, CISA sponsors and congressional leadership are choosing to force its passage without debate or a vote by attaching it to a must-pass spending bill. This political maneuvering highlights how controversial the bill is, and members of Congress who care about cybersecurity should oppose it and call for it to be stripped from the omnibus. Drafters need to go back to the table and reconsider legislation that will better address the cybersecurity threat, instead of pushing forward on legislation that may do little more than give companies a free pass to share personally identifiable information with the government and each other without the fear of liability."

OTI strongly opposes the Cybersecurity Act of 2015, and has developed this short chart comparing its provisions with those in the three other information sharing bills that received votes this Congress.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Dec 18 12:49:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Dec 2015 13:49:43 -0500
Subject: [Infowarrior] - CISA heads to White House for signature
Message-ID:

Budget bill heads to President Obama's desk with CISA intact
http://www.engadget.com/2015/12/18/house-senate-pass-budget-with-cisa/

In a nutshell, CISA was meant to allow companies to share information on cyber attacks - including data from private citizens - with other companies and the Department of Homeland Security. Once DHS had all the pertinent details, they could be passed along to the FBI and NSA for further investigation and, potentially, legal action. The thing is, critics saw the bill as a way for government agencies to more easily keep tabs on Americans without their knowledge. CISA was derided by privacy advocates and tech titans alike, with companies like Amazon, Apple, Dropbox, Google, Facebook and Symantec (to name just a few) issuing statements against an earlier version of the bill.

By sticking CISA into such a huge omnibus bill, there's basically no way it won't become law. And if anything, the version of CISA that was quietly slipped into this budget plays with privacy even faster and looser than the original. For one, a previously held prohibition against sharing information with the NSA has been removed, meaning America's best surveillance agency can receive pertinent data without it being handled by Homeland Security first. More importantly, the provision that required personal information to be scrubbed from cybersecurity reports also seems to have gone missing, leaving that task up to the discretion of whichever agency gets their hands on it.
While the federal government has been trying to toughen its stance on cybersecurity in the wake of massive hacks on the Office of Personnel Management and Sony, we wound up with an even more effete version of a questionable plan that will soon become law.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Dec 19 14:40:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 19 Dec 2015 15:40:18 -0500
Subject: [Infowarrior] - Hasty, Fearful Passage of Cybersecurity Bill Recalls Patriot Act
Message-ID:

Hasty, Fearful Passage of Cybersecurity Bill Recalls Patriot Act
Jenna McLaughlin, jenna.mclaughlin@theintercept.com, @JennaMC_Laugh
https://theintercept.com/2015/12/19/hasty-fearful-passage-of-cybersecurity-bill-recalls-patriot-act/

Congress easily passed a thinly disguised surveillance provision - the final version of the Cybersecurity Information Sharing Act, or CISA - on Friday, shoehorned into a must-pass budget bill to prevent a government shutdown before the holidays.

Born of a climate of fear combined with a sense of urgency, the bill claims to do one thing - help companies share information with the government to head off cyber attacks - and does entirely another - increases the U.S. government's spying powers while letting companies with poor cyber hygiene off the hook. It's likely to spawn unintended consequences.

Some critics felt its passage was in some ways eerily similar to when the USA Patriot Act, one of the most expansive surveillance bills in recent U.S. history, was made into law shortly after September 11, 2001. In both cases, Congress had little time to even read the bills, making it inevitable that many would vote without being fully informed. And the result is the same - increased power and less accountability for the intelligence community.

"CISA is the new PATRIOT Act. It's a bill that was born out of a climate of fear and passed quickly and quietly using a broken and nontransparent process," wrote Evan Greer, campaign director for Fight For the Future, a digital rights group, in an email to The Intercept. "Most members of Congress still don't understand what it will actually do, which is to dramatically expand the U.S. government's unpopular and ineffective surveillance programs and make all of us more vulnerable to cyber attacks by letting corporations off the hook instead of holding them accountable when they fail to protect their customers' sensitive information," she continued.

"We're all feeling a collective sense of deja vu because we've seen this before," wrote Nathan White, senior legislative manager at digital rights group Access Now, in an email to The Intercept. "This is like a bad sequel where we all know the ending, but shouting at the characters doesn't change anything."

"Just like the USA PATRIOT Act, CISA was a collection of old ideas that Congress had repeatedly rejected. And just like the PATRIOT Act, they re-wrote the final bill in secret and snuck it through Congress before most people could even read it," he continued. "And just like the PATRIOT Act, the bill will be used for far more than what Members of Congress think that they are authorizing."

When the Patriot Act was on the table in 2001, just weeks after the September 11 terror attacks, it flew through Congress late at night, with almost no debate or review. Legislators couldn't even get into their offices at the time because they were quarantined, as letters laced with anthrax had been mailed to congressional offices and citizens' mailboxes - ultimately killing five.

"A massive security bill (like the Patriot Act) was dropped on the floor in the dead of night before members were to vote on it," wrote Richard Forno, the director of the Graduate Cyber Security Program at UMBC in Maryland, in an email to The Intercept raising the similarities with this week's bill.

But as national security writer Marcy Wheeler points out, this time around the intense urgency may have come less from the intelligence community and more from the Chamber of Commerce and some corporations who will benefit from the way CISA lets corporations "that don't fix their security issues" off the hook. Wheeler wrote that a provision in CISA may essentially prevent the government from suing companies for not living up to their privacy policies, as the FTC has in the past, as long as they share information about cyber threats - and even if their cybersecurity negligence led to the breach.

Other privacy advocates noted that the cybersecurity bill took a stealthier path to passage than the Patriot Act. "The Patriot Act was billed as something exceptional and game-changing. CISA disguised itself," wrote Jeff Landale, executive assistant for X-Lab, in a tweet to The Intercept. CISA is "more technically complicated in how it expands the surveillance state," he wrote. "The main difference politically is that too many in Congress just didn't see CISA as a big deal."

Greer, of Fight For the Future, speculated that CISA was "disguised" partly because the climate for spying legislation has changed since NSA whistleblower Edward Snowden's revelations. "The pendulum swung our way a lot after Snowden, they couldn't just come out and say it was a spying bill," she wrote in a tweet.

Versions of CISA have been around for years, so Congress and the White House could have rallied objection to it. Indeed, in 2013, the White House threatened a veto over a very similar bill. However, the White House actually endorsed the bill this time around.

"In one significant way Patriot Act & CISA are the same," tweeted Jonathan Langdale, a software developer, to The Intercept. "They're a step backwards because we don't know what else to do."

-- It's better to burn out than fade away.
From rforno at infowarrior.org Mon Dec 21 11:04:44 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 21 Dec 2015 12:04:44 -0500
Subject: [Infowarrior] - Error Code 451 Approved For Censored Web Pages
Message-ID:

Today, the IESG approved publication of "An HTTP Status Code to Report Legal Obstacles". It'll be an RFC after some work by the RFC Editor and a few more process bits, but effectively you can start using it now.

Tim Bray brought this draft to the HTTP Working Group some time ago, because he (and many others) thought it was important to highlight online censorship; the 403 status code says "Forbidden", but it doesn't say "I can't show you that for legal reasons." Hence, 451 (which is also a great tip of the hat to Ray Bradbury).

< - >

https://www.mnot.net/blog/2015/12/18/451

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Dec 21 11:12:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 21 Dec 2015 12:12:57 -0500
Subject: [Infowarrior] - Happy Holidays to infowarrior-l
Message-ID: <07227116-C403-4F96-B49E-363A1434194A@infowarrior.org>

An infowarrior-l tradition for the holidays .....

(A festive one of Sir Nigel Hawthorne's classic run-on monologues from one of my favorite BBC shows of the 1980s --- "Yes (Prime) Minister.")

Video @ http://www.youtube.com/watch?v=vShJa6GobFQ (and well worth watching, for full effect)

Bernard: "Before you go home for the holidays, Minister, Sir Humphrey has something to say to you."

Sir Humphrey: "Minister, just one thing. I wonder if I might crave your momentary indulgence in order to discharge a, by-no-means disagreeable obligation, which has over the years become more-or-less an established practice within government circles, as we approach the terminal period of the year, calendar of course, not financial. In fact, not to put too fine a point on it, week 51, and submit to you, with all appropriate deference, for your consideration at a convenient juncture, a sincere and sanguine expectation and indeed confidence. Indeed one might go so far as to say, hope, that the aforementioned period may be, at the end of the day, when all relevant factors have been taken into consideration, susceptible of being deemed to be such as, to merit the final verdict of having been, by-no-means unsatisfactory in its overall outcome and in the final analysis to give grounds for being judged, on mature reflection, to have been conducive to generating a degree of gratification, which will be seen in retrospect to have been significantly higher than the general average."

[ crosstalk ]

Jim Hacker: "Humphrey, are you saying Happy Christmas?"

Sir Humphrey (shocked): "Yes Minister!"

Happy Holidays to the subscribers of infowarrior-l!

-rick

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 22 07:45:06 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Dec 2015 08:45:06 -0500
Subject: [Infowarrior] - IRS gains power to revoke tax scofflaws' passports
Message-ID: <9E2C56BD-06E0-48E7-955B-3778512EF65A@infowarrior.org>

IRS gains power to revoke tax scofflaws' passports
Russ Wiles, The Arizona Republic
6:21 a.m. EST December 22, 2015
http://www.usatoday.com/story/money/personalfinance/2015/12/22/irs-gains-power-get-tax-scofflaws-passports-revoked/77417570/

[Photo caption: The Department of the Treasury and the IRS can authorize the State Department to take away U.S. passports from individuals with seriously delinquent tax liabilities.]

It might be wise to pay your overdue income taxes before packing for that European river cruise. A new enforcement provision passed by Congress and signed into law earlier this month allows the government to revoke the passports of seriously delinquent tax scofflaws -
people who owe more than $50,000 to Uncle Sam. "You could be on your honeymoon and they could revoke your passport," said Tom Wheelwright, a certified public accountant and chief executive officer at ProVision Wealth Strategists in Tempe, Ariz. Some details still need to be worked out, but the new passport rule indicates the government wants to get serious about collecting unpaid tax debts. The IRS reported 12.4 million delinquent accounts owing nearly $131 billion? in assessed taxes, interest and penalties in 2014. In addition to going after delinquent taxpayers by revoking their passports, the FAST Act highway-transportation bill signed by President Obama on Dec. 4 also gives private debt collectors a shot at forcing taxpayers to make good on their debts. The act includes a mandate that the Internal Revenue Service turn over certain unpaid tax delinquencies to private debt collectors. The passport-revoking provision allows the Department of the Treasury and the IRS to authorize the State Department to take away U.S. passports from individuals with seriously delinquent tax liabilities. That's defined as those greater than $50,000 and for which the IRS has filed a lien or levy, according to Matthew D. Lee of law firm Blank Rome. In a blog, he described the passport-revoking provision as a "powerful tool to force tax compliance." Affected taxpayers would receive written notice. The State Department is now authorized to deny, revoke or limit use of a taxpayer's U.S. passport, and it isn't supposed to issue a passport to anyone owing that much money (with exceptions for emergencies or for humanitarian reasons). Americans out of the country when their passports are revoked may be allowed to return home. The number of valid U.S. passports has surged in recent years, from roughly 30 million in 1995 to 126 million this year. 
The new provisions wouldn't affect taxpayers who already have entered deals with the IRS to pay their tax debts, such as installment agreements or offers in compromise. Also, passports wouldn't be revoked for people who are seeking hearings or who are claiming innocent-spouse relief, according to Lee.

Wheelwright views the $50,000 limit as low, adding that it wouldn't take much to accumulate that much debt if a person lost a job or incurred big medical bills. It doesn't help that it's getting more difficult for people to contact the IRS, which is answering only about 40% of telephone calls from taxpayers, he said. Even tax professionals are looking at average phone waits of about 90 minutes, he said.

On the other hand, many of the people likely to get their passports revoked have been ignoring their tax obligations. An individual typically would receive three or four IRS notices over three to six months before getting to the collections stage, Wheelwright said.

Many of the people with severely delinquent accounts are U.S. citizens who live in other nations, said Mark Luscombe, principal federal tax analyst at researcher Wolters Kluwer in suburban Chicago. Some have dual citizenship and might not worry about losing their U.S. passports. "They feel they can ignore a tax problem for a while."

An IRS spokesman said the agency is reviewing the new law and taking steps to implement the program "as soon as feasible."

Congressional analysts expect the passport-revocation rule to raise about $400 million over the next 10 years, said Luscombe. That's less than the expected revenue from the new rule mandating non-IRS debt collectors. That's expected to bring in $4.8 billion total over the next 10 years, or around $2.4 billion after private collectors take their share, Luscombe said.

Private debt collectors would be called in on "inactive" tax delinquencies.
"This means that the IRS has already tried to collect and failed because they couldn't locate the taxpayer or they deemed it not worth their time," Wheelwright said, adding that only those tax liabilities outstanding more than a year would be outsourced.

The new rule carves out various debt-collecting exceptions, such as for minors with big tax bills as well as innocent spouses and military personnel in combat zones.

Reach Wiles at russ.wiles at arizonarepublic.com or 602-444-8616.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 22 11:31:02 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Dec 2015 12:31:02 -0500
Subject: [Infowarrior] - Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA
Message-ID: <12B07737-E5F1-40E5-A6BF-9E9639315545@infowarrior.org>

(But I'm sure Congress and the FBI will see no problem in continuing to push for a "good guys only" backdoor in other systems, because, ZMGTERRORISM. The irony is lost on those clowns. --rick)

Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA
Author: Kim Zetter
http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/

Security researchers believe they have finally solved the mystery around how a sophisticated backdoor embedded in Juniper firewalls works.

Juniper Networks, a tech giant that produces networking equipment used by an array of corporate and government systems, announced on Thursday that it had discovered two unauthorized backdoors in its firewalls, including one that allows the attackers to decrypt protected traffic passing through Juniper's devices. The researchers' findings suggest that the NSA may be responsible for that backdoor, at least indirectly.
Even if the NSA did not plant the backdoor in the company's source code, the spy agency may in fact be indirectly responsible for it by having created weaknesses the attackers exploited.

Evidence uncovered by Ralf-Philipp Weinmann, founder and CEO of Comsecuris, a security consultancy in Germany, suggests that the Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes. Weinmann reported his findings in an extensive post published late Monday. They did this by exploiting weaknesses the NSA allegedly placed in a government-approved encryption algorithm known as Dual_EC, a pseudo-random number generator that Juniper uses to encrypt traffic passing through the VPN in its NetScreen firewalls. But in addition to these inherent weaknesses, the attackers also relied on a mistake Juniper apparently made in configuring the VPN encryption scheme in its NetScreen devices, according to Weinmann and other cryptographers who examined the issue. This made it possible for the culprits to pull off their attack.

Weinmann says the Juniper backdoor is a textbook example of how someone can exploit the existing weaknesses in the Dual_EC algorithm, noting that the method they used matches exactly a method the security community warned about back in 2007.

The new information about how the backdoor works also suggests that a patch Juniper sent to customers last week doesn't entirely fix the backdoor problem, since the major configuration error Juniper made still exists. "One [more] line of code could fix this," Weinmann says. He's not sure why Juniper didn't add this fix to the patch it sent to customers last week.
Although the party behind the Juniper backdoor could be the NSA or an NSA spying partner like the UK or Israel, news reports last week quoted unnamed US officials saying they don't believe the US intelligence community is behind it, and that the FBI is investigating the issue. Other possible culprits behind the sophisticated attack, of course, could be Russia or China.

If someone other than the US did plant the backdoor, security experts say the attack on Juniper firewalls underscores precisely why they have been saying for a long time that government backdoors in systems are a bad idea, because they can be hijacked and repurposed by other parties.

How the Backdoor Works

According to Weinmann, to make their scheme work, the attackers behind the Juniper backdoor altered Juniper's source code to change a so-called constant or point that the Dual_EC algorithm uses to randomly generate a key for encrypting data. It's assumed the attackers also possess a second secret key that only they know. This secret key, combined with the point they changed in Juniper's software, the inherent weaknesses in Dual_EC, and the configuration error Juniper made, would allow them to decrypt Juniper's VPN traffic.

The weaknesses in Dual_EC have been known for at least eight years. In 2007, a Microsoft employee named Dan Shumow gave a five-minute talk at a cryptography conference in California discussing discoveries that he and a Microsoft colleague named Niels Ferguson had made in the algorithm. The algorithm had recently been approved by the National Institute of Standards and Technology, along with three other random number generators, for inclusion in a standard that could be used to encrypt government classified communication. Each of the four approved generators is based on a different cryptographic design. The Dual_EC is based on elliptic curves.
The NSA had long championed elliptic curve cryptography in general and publicly championed the inclusion of Dual_EC specifically in the standard.

Random number generators play a crucial role in creating cryptographic keys. But Shumow and Ferguson found that problems with the Dual_EC made it possible to predict what the random number generator would generate, making the encryption produced with it susceptible to cracking. But this wasn't the only problem.

The NIST standard also included guidelines for implementing the algorithm and recommended using specific constants or points (static numbers) for the elliptic curve that the random number generator relies on to work. These constants serve as a kind of public key for the algorithm. Dual_EC needs two parameters or two points on the elliptic curve; Shumow and Ferguson referred to them as P and Q. They showed that if Q is not a true randomly generated point, and the party responsible for generating Q also generates a secret key, what they referred to as "e", then whoever has the secret key can effectively break the generator. They determined that anyone who possessed this secret key could predict the output of the random number generator with only a very small sample of data produced by the generator: just 32 bytes of output from it. With that small amount, the party in possession of the secret key could crack the entire encryption system.

No one knew who had produced the constants, but people in the security community assumed the NSA had produced them because the spy agency had been so instrumental in having the Dual_EC algorithm included in the standard. If the NSA did produce the constants, there was concern that the spy agency might have also generated a secret key. Cryptographer Schneier called it "scary stuff"
in a piece he wrote for WIRED in 2007, but he said the flaws must have been accidental because they were too obvious; therefore developers of web sites and software applications wouldn't use it to secure their products and systems.

The only problem with this is that major companies, like Cisco, RSA, and Juniper did use Dual_EC. The companies believed this was okay because for years no one in the security community could agree if the weakness in Dual_EC was actually an intentional backdoor. But in September 2013, the New York Times seemed to confirm this when it asserted that Top Secret memos leaked by Edward Snowden showed that the weaknesses in Dual_EC were intentional and had been created by the NSA as part of a $250-million, decade-long covert operation to weaken and undermine the integrity of encryption systems in general.

Despite questions about the accuracy of the Times story, it raised enough concerns about the security of the algorithm that NIST subsequently withdrew support for it. Security and crypto companies around the world scrambled to examine their systems to determine if the compromised algorithm played a role in any of their products.

In an announcement posted to its web site after the Times story, Juniper acknowledged that the ScreenOS software running on its NetScreen firewalls does use the Dual_EC_DRBG algorithm. But the company apparently believed it had designed its system securely so that the inherent weakness in Dual_EC was not a problem.

Juniper wrote that its encryption scheme does not use Dual_EC as its primary random number generator and that it had also implemented the generator in a secure way so that its inherent vulnerabilities didn't matter. It did this by generating its own constant, or Q point, to use with the generator instead of the questionable one that had been attributed to the NSA. Juniper also used a second random number generator known as ANSI X.9.31.
The Dual_EC generated initial output that was supposed to then be run through the ANSI generator. The output from the second random generator would theoretically cancel out any vulnerabilities that were inherent in the Dual_EC output.

Except Juniper's system contained a bug, according to Willem Pinckaers, an independent security researcher in the San Francisco area who examined the system with Weinmann. Instead of using the second generator, it ignored this one and used only the output from the bad Dual_EC generator.

"What's happening is they managed to screw it up in all the firmware, such that the ANSI code is there but it's never used," Weinmann told WIRED. "That's a catastrophic fail."

This put the output at risk of being compromised if an attacker also possessed a secret key that could be used with the Q point to unlock the encryption.

Weinmann and others discovered that the attackers altered Juniper's Q and changed it to a Q they had generated. The attackers appear to have made that change in August 2012; at least that's when Juniper started shipping a version of its ScreenOS firmware with a Q point that was different than previous versions used.

So essentially, although Juniper used its own Q point instead of using the one allegedly generated by the NSA, in an effort to make the Dual_EC more secure, the company hadn't anticipated that attackers might break into Juniper's network, gain access to critical systems used to build its source code, and change the Q again to something of their own choosing. And presumably, they also possess the secret key that works with the Q to unlock the encryption, otherwise they would not have gone to the trouble of changing Q.

"It stands to reason that whoever managed to slip in their own Q [into the software] will also know the corresponding e," Weinmann says.
This would not have been enough to make the backdoor work, however, if Juniper had indeed configured its system the way it said it did, using two random number generators and relying only on the second one, the ANSI generator, for the final output. But we now know it failed to do that.

The backdoor remained undetected for at least three years, until Juniper recently discovered it during a code review.

Matthew Green, a cryptographer and professor at Johns Hopkins University, says that the ANSI failure raises additional questions about Juniper. "I don't want to say that Juniper did this on purpose. But if you wanted to create a deliberate backdoor based on Dual_EC and make it look safe, while also having it be vulnerable, this is the way you'd do it. The best backdoor is a backdoor that looks like a bug, where you look at the thing and say, 'Whoops, someone forgot a line of code or got a symbol wrong.' It makes it deniable. But this bug happens to be sitting there right next to this incredibly dangerous NSA-designed random number generator, and it makes that generator actually dangerous where it might not have been otherwise."

The evidence that someone intentionally changed the Q parameter in Juniper's software confirms what Shumow and Ferguson had warned: The inherent weaknesses in Dual_EC provide the perfect backdoor to the algorithm. Even if the algorithm was not intended to create a backdoor for the NSA, it made it possible for someone to piggyback on its weaknesses to turn it into a backdoor for themselves.

Even more worrisome is that Juniper systems are still essentially insecure. Juniper didn't patch the problem by removing Dual_EC altogether or by altering the configuration so that the VPN encryption scheme relies on output from the ANSI generator; instead Juniper patched it simply by changing the Q point back to what the company originally had in the system.
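(Editor's added example, not part of the Wired article and not Juniper's ScreenOS code.) The P/Q/e mechanics the article describes are easy to see on a toy scale. The block below builds a Dual_EC_DRBG over a tiny curve y^2 = x^3 + 2x + 3 mod 10007 (an assumed curve standing in for NIST P-256), lets the party that chose Q keep a secret e with P = e*Q, and then runs the Shumow-Ferguson attack: from a handful of truncated outputs, whoever holds e recovers the generator's internal state and predicts every later output, while anyone without e is left with a discrete-log problem. The seed 1234, the secret 4321 and the choice to keep 10 of roughly 14 bits of each x-coordinate (the real generator keeps 240 of 256) are all assumed values; the point-arithmetic and the generator loop are the standard constructions, not anything taken from the firmware.

```python
"""Toy Dual_EC_DRBG with a Shumow-Ferguson style backdoor on a tiny curve.
Added example for this list post: not Juniper ScreenOS code, not the NIST curve;
the curve, seed, secret scalar and truncation width are assumed values."""
from typing import List, Optional, Tuple

# y^2 = x^3 + A*x + B over GF(P_MOD); 10007 is prime with 10007 % 4 == 3, so sqrt(v) = v^((p+1)/4).
P_MOD, A, B = 10007, 2, 3
# Real Dual_EC keeps 240 of 256 bits of x; keeping 10 of ~14 bits leaves ~10 candidate x per output.
OUT_BITS = 10
OUT_MASK = (1 << OUT_BITS) - 1
Point = Optional[Tuple[int, int]]  # None is the point at infinity

def add(p1: Point, p2: Point) -> Point:
    """Affine point addition, covering infinity, doubling and p1 == -p2."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

def x_of(pt: Point) -> int:
    if pt is None:
        raise ValueError("hit the point at infinity; pick another seed")
    return pt[0]

def lift_x(x: int) -> Point:
    """A curve point with this x-coordinate, or None if there is none."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

class DualEC:
    """r_i = x(s_i*P); s_{i+1} = r_i; output t_i = low OUT_BITS bits of x(r_i*Q)."""
    def __init__(self, P: Point, Q: Point, seed: int):
        self.P, self.Q, self.s = P, Q, seed

    def next_output(self) -> int:
        self.s = x_of(mul(self.s, self.P))
        return x_of(mul(self.s, self.Q)) & OUT_MASK

def make_backdoored_points(e: int) -> Tuple[Point, Point]:
    """Whoever chose Q keeps e secret and publishes (P, Q) with P == e*Q."""
    # NIST fixed P and the designer derives Q = d*P knowing e = d^-1 mod n; picking
    # Q first and setting P = e*Q is the same relation without needing the order.
    Q = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt is not None)
    return mul(e, Q), Q

def recover_state(e: int, P: Point, Q: Point, outputs: List[int]) -> Optional[int]:
    """Shumow-Ferguson attack: a few outputs plus the secret e give state s_2 = r_1.
    outputs[0] fixes the low bits of x(r_0*Q); for each candidate R = +-r_0*Q,
    x(e*R) = x(r_0*P) = r_1. Keep the candidate that reproduces all later outputs."""
    t0, t1, later = outputs[0], outputs[1], outputs[2:]
    for x in range(t0, P_MOD, 1 << OUT_BITS):      # every x whose low bits == t0
        R = lift_x(x)
        eR = mul(e, R) if R is not None else None
        nxt = mul(eR[0], Q) if eR is not None else None
        if nxt is None or (nxt[0] & OUT_MASK) != t1:
            continue
        sim = DualEC(P, Q, eR[0])
        try:
            if [sim.next_output() for _ in later] == later:
                return eR[0]
        except ValueError:
            pass
    return None

def predict(e: int, P: Point, Q: Point, seen: List[int], n: int) -> List[int]:
    """Predict the victim's next n outputs from the ones already observed."""
    s2 = recover_state(e, P, Q, seen)
    if s2 is None:
        return []
    sim = DualEC(P, Q, s2)
    for _ in seen[2:]:           # fast-forward past outputs already consumed
        sim.next_output()
    return [sim.next_output() for _ in range(n)]

if __name__ == "__main__":      # demo with an assumed secret e and seed
    P, Q = make_backdoored_points(4321)
    victim = DualEC(P, Q, 1234)
    seen = [victim.next_output() for _ in range(5)]
    print("seen", seen, "-> predicted next", predict(4321, P, Q, seen, 4))
```

The attack needs nothing but public outputs and e: each truncated output leaves only a few candidate x-coordinates, lifting a candidate to a curve point R and multiplying by e yields r_0*P, whose x-coordinate is the next internal state, and one more output is enough to pick the right candidate. With a wrong e, recover_state returns None. That is also why swapping Q was sufficient for Juniper's attackers: whoever supplies Q supplies the e that goes with it, and with the ANSI X9.31 stage never actually run, the raw Dual_EC output was there to read.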
This leaves the firewalls susceptible to attack again if attackers can change the points a second time without Juniper detecting it. The company, Weinmann says, should at least issue a new patch that makes the system use the ANSI generator and not the Dual_EC one. "It would take one line of code to fix this," he says.

And there's another problem, he notes. Juniper admitted that it had generated its own Q for Dual_EC, but it has not revealed how it generated Q, so others can't verify that Juniper did it in a truly random way that would ensure its security. And in generating its own Q, it raises questions about whether Juniper also generated its own secret key, or "e" for the generator, which would essentially give Juniper a backdoor to the encrypted VPN traffic. This should worry customers just as much as the NSA holding a key to the backdoor, Weinmann says.

"It now depends on whether you trust them to have generated this point randomly or not. I would probably not do that at this point," he says, given the other mistakes the company made.

Green says because of the weakness inherent in Dual_EC, Juniper should have removed it back in 2013 after the Times story published and should do so now to protect customers. "There's no legitimate reason to put Dual_EC in a product," he says. "There never was. This is an incredibly powerful and dangerous code and you put it in your system and it creates a capability that would not have been there otherwise. There's no way to use it safely."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 22 14:27:56 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Dec 2015 15:27:56 -0500
Subject: [Infowarrior] - U.S. Cold War Nuclear Target Lists Declassified for First Time
Message-ID: <444E3EBA-8AFF-4919-853D-4EB01CC68E6F@infowarrior.org>

(c/o JH)

U.S. Cold War Nuclear Target Lists Declassified for First Time
National Security Archive Electronic Briefing Book No.
538
Edited by William Burr
Posted - December 22, 2015
For more information, contact: William Burr: 202.994.7000 or nsarchiv at gwu.edu.

< -- >

http://nsarchive.gwu.edu/nukevault/ebb538-Cold-War-Nuclear-Target-List-Declassified-First-Ever/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 22 14:31:16 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Dec 2015 15:31:16 -0500
Subject: [Infowarrior] - Now the TSA can force you to go through the body-scanner
Message-ID: <13D05192-9B38-43B1-97C7-56E3C59073B3@infowarrior.org>

Now the TSA can force you to go through the body-scanner
Chris Davies - Dec 22, 2015
http://www.slashgear.com/now-the-tsa-can-force-you-to-go-through-the-body-scanner-22419599/

Your next flight might include a mandatory trip through the body scanner, with the US government quietly changing the opt-out rules for searches. In a document published earlier this month, the Department of Homeland Security outlined an update to the Advanced Imagery Technology protocols used by the TSA at US airports, adding a clause which allows officers to insist travelers go through the controversial machines.

Previously, though the body scanners were present at many airports across the country, travelers were free to opt-out of the process. Billed as a privacy consideration, it meant a physical screening was mandatory, but alleviated concerns held by some that the technology could "see them naked" and store photographs of that.

Now, though, that option is being diluted, though not completely retired. "TSA is updating the AIT PIA to reflect a change to the operating protocol regarding the ability of individuals to opt-out of AIT screening in favor of physical screening," the DHS writes. "While passengers may generally decline AIT screening in favor of physical screening, TSA may direct mandatory AIT screening for some passengers."

No more detailed explanation for the change is given.
However, it seems likely that the scanners' ability to single out metallic objects hidden around the body - and that might have been missed by a physical search from a TSA agent - is seen as invaluable for whoever security services believe presents a greater-than-normal risk.

The document also points out that the scanners do not store or transmit any of the graphics captured while travelers are using them; instead, such images are only shown on the nearby display until TSA agents can physically check the specific area. Meanwhile, unlike the earlier - now retired - scanners which did indeed show nudity, the newer system "replaces the individual's image with that of a generic figure" the DHS writes.

All the same, it's likely that the change in policy could cause a few headaches at airports should travelers want to opt-out but be informed that the only way they can get to their gate is to submit to body scanning.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 22 17:34:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Dec 2015 18:34:07 -0500
Subject: [Infowarrior] - Bank of America gets Twitter to delete journalist's joke, says he violated copyright
Message-ID:

Bank of America gets Twitter to delete journalist's joke, says he violated copyright
by Joe Mullin - Dec 22, 2015 4:15pm EST
http://arstechnica.com/tech-policy/2015/12/bank-of-america-gets-twitter-to-delete-journalists-joke-says-he-violated-copyright/

The founding editor of Business Insider UK, Jim Edwards, had a bank delete two of his tweets today. In an e-mail, Bank of America told Edwards that his tweets violated the bank's copyright and that if he kept it up, they'd see to it that his Twitter account was deleted.

"Investment banks apparently have the power to censor journalists on Twitter, simply by asking," Edwards wrote in a short post on Business Insider describing the situation. "That is depressing."
Edwards had quoted a research document produced by analysts. He says the tweets were "probably trivial," but can't really be more specific, in part because the frequent Twitter user can't even remember exactly what they were about. One of them reads "BAML's Teo Lasarte is developing a pun-based method for analysing auto stocks," where the "BAML" acronym refers to Bank of America Merrill Lynch. The tweet included a screenshot that has been deleted.

Edwards acknowledges no earth-shattering information has been lost to the world. In fact, it was likely a compliment to the analyst in question. "Sometimes analysts write funny headlines on their investment notes," he says, leading him to take a screenshot and tweet it out. B of A might have a case if Edwards had sent out the entire PDF of Lasarte's report, he says, but the funny headline tweet didn't even come close to that. In Edwards' view, it's a no-brainer case of fair use.

The DMCA claim came from the "Attributor Corporation," part of digital-rights company Digimarc, working on behalf of Bank of America. It's the latest example of the Kafka-esque system of copyright takedowns, in which intermediaries like Twitter tend to treat users subject to copyright claims as guilty until proven innocent.

"I have no idea what Twitter agreed to censor for BAML, and no way of guessing what BAML's objection was really about, or if it was even BAML who made the complaint," writes Edwards.

Twitter wouldn't comment on the matter other than to refer to their copyright policy. The Digimarc employee whose name is on the takedown notice didn't respond to Edwards' inquiry. Other Edwards tweets that quote Bank of America reports remain online, and unchallenged. He has appealed the claim through Twitter's system and says he'll report how that turns out.

"I'm not in favor of journalists getting special treatment over this kind of thing," said Edwards in a Twitter discussion with Ars. "But it is frustrating.
Twitter/BAML are sending me legal spam. I'm replying, basically just asking them to look at this and apply some discretion or judgment. So far, no dice."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Dec 23 17:11:35 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Dec 2015 18:11:35 -0500
Subject: [Infowarrior] - The encryption delusion
Message-ID: <58A10E23-FC78-4195-8222-C72E8E1F61FF@infowarrior.org>

The encryption delusion
David Meyer
http://www.politico.eu/article/the-encryption-delusion/

Call it the "e-word." Every time there is a terrorist attack, with Paris and California the most recent examples, the political ruckus over the balance between liberty and security zeros in on the encryption technology that people use to keep their communications secret.

The chairman of the U.S. Senate's intelligence committee, Richard Burr, described encryption as "a big problem out there that we're going to have to deal with." FBI Director James Comey urged tech companies to abandon end-to-end encryption, which gives customers the keys to their online communications. And the U.K. is pushing an investigatory powers bill that would force online providers to give authorities access to customers' encrypted communications.

There's just one catch. Neither in Paris nor in San Bernardino has there been any strong evidence so far that terrorists used encrypted messages to plan or carry out the attacks.

According to some experts, encryption isn't the biggest problem, and any policy response is unlikely to be the solution. Statistics from the U.S. Federal Bureau of Investigation suggest encryption is cropping up less and less for law enforcement these days, and experts are flagging up poor information sharing between agencies as a more urgent problem.

"Encryption between organized criminals is a problem, but the evidence is showing us it's not as much of a problem as it used to be,"
said Alan Woodward, a visiting professor at the University of Surrey's department of computer science and an advisor to Europol, the EU's law enforcement agency.

Rise of the skeptics

The Paris attacks are a case in point. Although the New York Times reported that Abdelhamid Abaaoud, believed to have been the architect of the attacks, had previously given another terrorist instructions and a software key for using encrypted email, this kind of encryption remains tangential to the current debate. Encrypted email, which has been around for decades, does not rely on a centralized service in the same way as a messaging system such as WhatsApp or Telegram. Email encryption relies on widespread and freely downloadable tools, and there is no provider that can be swayed by court order or told to insert a "backdoor" to allow its system to be bugged.

In terms of communications tied to the Paris attacks, the publicly disclosed evidence points away from encryption. One of the Paris attackers' phones contained an unencrypted text message sent to an unidentified person, saying in French: "We are ready, we are starting."

Citing unnamed officials briefed on the investigation, CNN reported last week that investigators believe the attackers used encrypted apps, including WhatsApp and Telegram. However, neither the Paris police nor the local prosecutor's office would confirm this.

This lack of clear evidence is changing the political dynamic, with an increasing number of skeptics and privacy advocates, including the center-right European People's Party (EPP) in the European Parliament.

"There is no thorough analysis on the issue of encryption and possible problems in the security area," said the EPP's Monika Hohlmeier, a German MEP and member of the Parliament's civil liberties, justice and home affairs committee.
Hohlmeier said the European encryption debate has largely been driven by claims from the intelligence community and media. She said the EPP, the Parliament's largest group, wanted the European Commission and EU countries to produce analysis of "where problems are appearing."

Sophie in 't Veld, a Dutch Liberal MEP, said those who were calling for encryption to be curtailed or sidestepped were exploiting the Paris attacks. "They see the Paris attacks as an opportunity to push their agenda through, even if it's completely unrelated. I find it incredibly cynical," she said.

"A lot of terrorist preparations take place inside the home," in 't Veld said. "Does that mean you're not allowed to have a lock on your front door anymore? Nobody would accept that ... In most cases, the evidence for necessity and proportionality is missing."

Snowden and the blame game

The encryption debate has been going in circles since the 1990s, when the U.S. National Security Agency (NSA) designed the "Clipper chip," an encryption device that was supposed to protect private communications but still allow the authorities to examine data, a so-called "backdoor." A public backlash about spying and technological developments swiftly rendered the Clipper chip program obsolete: it was announced in 1993 and scrapped just three years later.

The surveillance revelations of NSA whistleblower Edward Snowden in 2013 prompted renewed interest in encryption. Snowden showed how easily the NSA and its counterparts around the world were able to access online communications. This led communications providers to boost their security by adding more encryption, which heated up official calls for the use of backdoors. Those calls in turn prompted a who's who of the computer security world to yet again insist that backdoors make the general populace less secure.

What's more, terrorists have been using various forms of encryption for years.
As keen as some in the intelligence community are to blame Snowden for what happened in Paris, others were warning back in early 2001 that the likes of Al Qaeda were regularly encoding their communications.

Woodward of the University of Surrey is one of the co-authors of Europol's annual Internet organized crime threat assessment report, with encryption as his specialty. The 2015 report, published in September, called on EU countries to help quantify the problem.

If anything, Woodward said, criminal use of encryption may be declining. He pointed to statistics from the FBI, which showed the number of state wiretaps that came up against encryption fell from 41 in 2013 to 22 in 2014, and of those 22 only two were undecipherable. Only three federal wiretaps in 2014 were encrypted, with two proving too hard to crack.

The professor suggested criminals and terrorists may be turning to steganography: concealing messages in unencrypted text or images, or even social media activities, that hold hidden meanings. "When you encrypt something, you can spot something that looks like gobbledygook," he said, noting that many encrypted services still show who is talking to whom. "It draws attention."

Citing language in the proposed U.K. surveillance bill, Woodward said there was now a political shift in Europe from simply trying to bypass all encryption to in some cases trying to bug targets' computers and smartphones. That way, investigators can see what people are writing, by examining their screens or keystrokes.

But even then, the main problems for intelligence services remain a lack of resources (some of the Paris attackers were known to the authorities but not kept under active surveillance) and poor information sharing between national agencies, an issue that may now be resolved through Europol's enlarged mandate as a clearing-house for cross-border law enforcement collaboration.

"You can't blame Snowden for Paris,"
Woodward said. "It doesn't actually take a huge amount of communication to plan something like Paris ... A lot of the intelligence failures in France are actually being addressed by the sharing of information."

This article was first published on POLITICO Pro.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Dec 24 13:35:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Dec 2015 14:35:29 -0500
Subject: [Infowarrior] - Burr re-opens war on encryption
Message-ID:

(Reportedly the WH will release its 'position' on encryption sometime soon, too....purportedly sometime 'before' the holidays, but who knows? That said it would not surprise me to see it come out during a quiet news period during the next week or so, especially if the WH position comes out in favor of the Comey-Burr Camp of Cluelessness. --rick)

The Debate Over Encryption: Stopping Terrorists From "Going Dark"
Encrypted devices block law enforcement from collecting evidence. Period.
By RICHARD BURR
Dec. 23, 2015 6:46 p.m. ET
http://www.wsj.com/articles/stopping-terrorists-from-going-dark-1450914378

While the terrorist attacks in Paris, San Bernardino, Calif., and Garland, Texas, have brought discussions about encryption to the front pages, criminals in the U.S. have been using this technology for years to cover their tracks. The time has come for Congress and technology companies to discuss how encryption (encoding messages to protect their content) is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.

Consumer information should be protected, and the development of stronger and more robust levels of encryption is necessary. Unfortunately, the protection that encryption provides law-abiding citizens is also available to criminals and terrorists. Today's messaging systems are often designed so that companies' own developers cannot gain access to encrypted content - and, alarmingly, not even when compelled by a court order.
This allows criminals and terrorists, as the law enforcement community says, to "go dark" and plot with abandon. Leaving aside the terrorism challenges, encryption is affecting the investigations of kidnapping, child pornography, gang activity and other crimes.

Federal, state, local and tribal law-enforcement officers can obtain legal authority to conduct electronic communications surveillance on terrorists and criminals. But encrypted devices and applications sometimes block access to the data. This means that even when the government has shown probable cause under the Fourth Amendment, it cannot acquire the evidence it seeks.

Technology has outpaced the law. The core statute, the Communications Assistance for Law Enforcement Act, was enacted in 1994, more than a decade before the iPhone existed. The law requires telecommunications carriers - for instance, phone companies - to build into their equipment the capability for law enforcement to intercept communications in real time. The problem is that it doesn't apply to other providers of electronic communications, including those supporting encrypted applications.

Federal Bureau of Investigation Director James Comey has said that one of the two Garland, Texas, shooters who died carrying out an attack on a Muhammad art exhibit in May exchanged 109 messages with an operative overseas. "We have no idea what he said," Mr. Comey told the Senate this month, "because those messages were encrypted." He described this as a "big problem" - and I couldn't agree more.

Last month Manhattan District Attorney Cyrus R. Vance Jr. released an in-depth report specifically on "smartphone encryption and public safety." Many cellphones, including those designed by Apple and Google, now encrypt by default all the data they store, which is accessible only with a passcode. No one, not even the manufacturer, can access a passcode-locked phone.
Apple has even touted this as a feature, telling customers that "it's not technically feasible for us to respond to government warrants for the extraction of this data from devices." The report states that "passcode-protected devices render lawful court orders meaningless and encourage criminals to act with impunity. The ultimate losers in this equation are crime victims." The authors conclude: "Congress should enact a statute that requires any designer of an operating system for a smartphone or tablet manufactured, leased, or sold in the U.S. to ensure that data on its devices is accessible pursuant to a search warrant. Such a law would be well within Congress's Commerce Clause powers, and does not require costly or difficult technological innovations."

The challenges presented by encryption extend to financial transactions. In August Sen. Elizabeth Warren wrote letters to six federal agencies voicing concerns that banks were using Symphony, an encrypted messaging system that could prevent regulators from detecting illegal activities. The letter came shortly after New York's top banking regulator, the New York State Department of Financial Services, raised the same concern with several major banks and Symphony's developer. In response, the banks agreed to store decryption keys with independent custodians, and Symphony agreed to retain electronic communications for seven years. All parties also agreed to a periodic review process to make sure that oversight keeps in sync with new technologies.

It would seem to me that daily financial flows shouldn't command more attention than terrorist or criminal communications, yet here we are. Although the agreement described above may not be the solution for all encrypted communications, it does show that cooperative solutions are possible. I and other lawmakers in Washington would like to work with America's leading tech companies to solve this problem, but we fear they may balk.
When Apple objected to a recent court order in a New York criminal case requiring it to unlock an iPhone running iOS 7 - an operating system that Apple can unlock - the company refused, arguing: "This is a matter for Congress to decide." On that point, Apple and I agree. It's time to update the law.

Mr. Burr, a Republican senator from North Carolina, is the chairman of the Senate Select Committee on Intelligence.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sun Dec 27 13:20:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Dec 2015 14:20:27 -0500
Subject: [Infowarrior] - Fwd: referral: regulator assassination of the Internet Archive FCU
References: <20151225014030.56A32A06D76@palinka.tinho.net>
Message-ID:

> From: dan
> Subject: referral: regulator assassination of the Internet Archive FCU
> Date: December 24, 2015 at 8:40:30 PM EST
>
> NY Times version
> http://www.nytimes.com/2015/11/25/business/dealbook/dream-of-new-kind-of-credit-union-is-burdened-by-bureaucracy.html
>
> Brewster's version
> https://blog.archive.org/2015/11/24/difficult-times-at-our-credit-union/
>
> an outrage, simply an outrage.
>
> --dan

From rforno at infowarrior.org Sun Dec 27 13:20:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Dec 2015 14:20:33 -0500
Subject: [Infowarrior] - Techno-skeptics' objection growing louder
Message-ID:

Techno-skeptics' objection growing louder
https://www.washingtonpost.com/classic-apps/techno-skeptics-objection-growing-louder/2015/12/26/e83cf658-617a-11e5-8e9e-dce8a2a2a679_story.html

-- It's better to burn out than fade away.
From rforno at infowarrior.org Sun Dec 27 13:20:38 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Dec 2015 14:20:38 -0500
Subject: [Infowarrior] - North Korea's 'paranoid' computer operating system revealed
Message-ID: <7D4B3957-B168-45F2-8806-0028027AEEB4@infowarrior.org>

North Korea's 'paranoid' computer operating system revealed
http://www.theguardian.com/world/2015/dec/27/north-koreas-computer-operating-system-revealed-by-researchers

North Korea's homegrown computer operating system mirrors its political one - marked by a high degree of paranoia and invasive snooping on users, according to two German researchers. Their investigation, the deepest yet into the country's Red Star OS, illustrates the challenges Pyongyang faces in trying to embrace the benefits of computing and the internet while keeping a tight grip on ideas and culture.

The operating system is not just the pale copy of western ones that many have assumed, said Florian Grunow and Niklaus Schiess of the German IT security company ERNW, who downloaded the software from a website outside North Korea and explored the code in detail. "[The late leader] Kim Jong-il said North Korea should develop a system of their own. This is what they've done," Grunow told the Chaos Communication Congress in Hamburg on Sunday.

North Korea, whose rudimentary intranet system does not connect to the world wide web, but allows access to state media and some officially approved sites, has been developing its own operating system for more than a decade.

This latest version, written around 2013, is based on a version of Linux called Fedora and has eschewed the previous version's Windows XP feel for Apple's OSX - perhaps a nod to the country's leader Kim Jong-un who, like his father, has been photographed near Macs.
But under the bonnet there's a lot that is unique, including its own version of encrypting files. "This is a full blown operating system where they control most of the code," Grunow said. The researchers say this suggests North Korea wants to avoid any code that might be compromised by intelligence agencies. "Maybe this is a bit fear-driven," Grunow said. "They may want to be independent of other operating systems because they fear back doors," which might allow others to spy on them.

Grunow and Schiess said they had no way of knowing how many computers were running the software. Private computer use is on the rise in North Korea, but visitors to the country say most machines still use Windows XP, now nearly 15 years old.

The Red Star operating system makes it very hard for anyone to tamper with it. If a user makes any changes to core functions, like trying to disable its antivirus checker or firewall, the computer will display an error message or reboot itself.

Red Star also addresses a more pressing concern - cracking down on the growing underground exchange of foreign movies, music and writing. Illegal media is usually passed person-to-person in North Korea using USB sticks and microSD cards, making it hard for the government to track where they come from. Red Star tackles this by tagging, or watermarking, every document or media file on a computer or on any USB stick connected to it. That means that all files can be traced. "It's definitely privacy invading. It's not transparent to the user," Grunow said. "It's done stealthily and touches files you haven't even opened."

Nat Kretchun, an authority on the spread of foreign media in North Korea, said such efforts reflected Pyongyang's realisation that it needs "new ways to update their surveillance and security procedures to respond to new types of technology and new sources of information".
There is no sign in the operating system of the kinds of cyber-attack capability North Korea has been accused of, the researchers say. "It really looks like they've just tried to build an operating system for them, and give the user a basic set of applications," Grunow said. That includes a Korean word processor, a calendar and an app for composing and transcribing music.

North Korea is not the only country to try to develop a bespoke operating system. Cuba has National Nova, and China, Russia and others have also tried to build their own.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sun Dec 27 13:20:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Dec 2015 14:20:43 -0500
Subject: [Infowarrior] - Schneier: How the Internet of Things Limits Consumer Choice
Message-ID: <8C3AA52C-BEA0-41E9-BF3C-B922D7B07E35@infowarrior.org>

How the Internet of Things Limits Consumer Choice
Bruce Schneier
http://www.theatlantic.com/technology/archive/2015/12/internet-of-things-philips-hue-lightbulbs/421884/

A recent dustup over smart light bulbs illuminates a larger problem.

In theory, the Internet of Things - the connected network of tiny computers inside home appliances, household objects, even clothing - promises to make your life easier and your work more efficient. These computers will communicate with each other and the Internet in homes and public spaces, collecting data about their environment and making changes based on the information they receive. In theory, connected sensors will anticipate your needs, saving you time, money, and energy.

Except when the companies that make these connected objects act in a way that runs counter to the consumer's best interests - as the technology company Philips did recently with its smart ambient-lighting system, Hue, which consists of a central controller that can remotely communicate with light bulbs.
In mid-December, the company pushed out a software update that made the system incompatible with some other manufacturers' light bulbs, including bulbs that had previously been supported. The complaints began rolling in almost immediately. The Hue system was supposed to be compatible with an industry standard called ZigBee, but the bulbs that Philips cut off were ZigBee compliant. Philips backed down and restored compatibility a few days later.

But the story of the Hue debacle - the story of a company using copy-protection technology to lock out competitors - isn't a new one. Plenty of companies set up proprietary standards to ensure that their customers don't use someone else's products with theirs. Keurig, for example, puts codes on their single-cup coffee pods, and engineers their coffee makers to work only with those codes. HP has done the same thing with its printers and ink cartridges.

To stop competitors just reverse-engineering the proprietary standard and making compatible peripherals (for example, another coffee manufacturer putting Keurig's codes on their own pods), these companies rely on a 1998 law called the Digital Millennium Copyright Act (DMCA). The law was originally passed to prevent people from pirating music and movies; while it hasn't done a lot of good in that regard (as anyone who uses BitTorrent can attest), it has done a lot to inhibit security and compatibility research. Specifically, the DMCA includes an anti-circumvention provision, which prohibits companies from circumventing "technological protection measures" that "effectively control access" to copyrighted works. That means it's illegal for someone to create a Hue-compatible lightbulb without Philips' permission, a K-cup-compatible coffee pod without Keurig's, or an HP-printer compatible cartridge without HP's.

By now, we're used to this in the computer world. In the 1990s, Microsoft used a strategy it called "embrace, extend, extinguish,"
in which it gradually added proprietary capabilities to products that already adhered to widely used standards. Some more recent examples: Amazon's e-book format doesn't work on other companies' readers, music purchased from Apple's iTunes store doesn't work with other music players, and every game console has its own proprietary game cartridge format.

Because companies can enforce anti-competitive behavior this way, there's a litany of things that just don't exist, even though they would make life easier for consumers in significant ways. You can't have custom software for your cochlear implant, or your programmable thermostat, or your computer-enabled Barbie doll. An auto-repair shop can't design a better diagnostic system that interfaces with a car's computers. And John Deere has claimed that it owns the software on all of its tractors, meaning the farmers that purchase them are prohibited from repairing or modifying their property.

As the Internet of Things becomes more prevalent, so too will this kind of anti-competitive behavior - which undercuts the purpose of having smart objects in the first place. We'll want our light bulbs to communicate with a central controller, regardless of manufacturer. We'll want our clothes to communicate with our dishwasher and our cars to communicate with traffic signs. We can't have this when companies can cut off compatible products, or use the law to prevent competitors from reverse-engineering their products to ensure compatibility across brands.

For the Internet of Things to provide any value, what we need is a world that looks like the automotive industry, where you can go to a store and buy replacement parts made by a wide variety of different manufacturers. Instead, the Internet of Things is on track to become a battleground of competing standards, as companies try to build monopolies by locking each other out.

-- It's better to burn out than fade away.
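Tied to the Red Star OS item above (the Guardian piece on Red Star tagging every document or media file on a computer or on an attached USB stick), here is an added example. It is not code from the original post, from ERNW or from the Red Star researchers, and the article does not describe the tag format, so this script does not implement Red Star's scheme. It shows the generic forensic check a practitioner would run on a USB stick that has been plugged into an untrusted machine: walk the structure of common file formats (JPEG marker segments, PNG chunks, the PDF %%EOF trailer) to find where the format legitimately ends, and report any bytes appended after that point. The files in SAMPLE_FILES are constructed inline so it runs offline, and the function names are this example's own.

```python
"""Report bytes appended after the structural end of JPEG, PNG and PDF files.

Added example: a generic check for hidden trailing tags on media files. It
does NOT implement Red Star OS's watermark format, which the article above
does not describe; the samples at the bottom are constructed, not captured."""
from typing import Dict, List, Optional, Tuple

# JPEG markers that carry no length field: TEM, SOI, RST0..RST7.
_JPEG_STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker. Segments are walked rather than
    searched for 0xFFD9, so an EOI inside an embedded EXIF thumbnail or inside
    appended data is not mistaken for the real end of the image."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                       # lost sync: malformed file
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker in _JPEG_STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen                     # skip marker + segment body
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # 0xFF00 is byte stuffing and 0xFFD0..D7 are restart markers;
                # anything else after 0xFF is a real marker ending the scan.
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def png_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk (4 length + 4 type + data + 4 CRC)."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def pdf_end(data: bytes) -> Optional[int]:
    """Offset just past the LAST %%EOF and its line ending. The last one is
    taken on purpose: incremental updates append a new xref and %%EOF."""
    if not data.startswith(b"%PDF-"):
        return None
    i = data.rfind(b"%%EOF")
    if i < 0:
        return None
    end = i + 5
    while end < len(data) and data[end] in b"\r\n":
        end += 1
    return end


_PARSERS = {"jpeg": jpeg_end, "png": png_end, "pdf": pdf_end}


def trailing_data(data: bytes) -> Optional[Tuple[str, bytes]]:
    """(kind, appended bytes) for a recognised file, or None when the format
    is unknown or the file could not be walked to its end."""
    for kind, parser in _PARSERS.items():
        end = parser(data)
        if end is not None:
            return kind, data[end:]
    return None


def scan(files: Dict[str, bytes]) -> List[Tuple[str, str, int]]:
    """Files carrying bytes after their structural end: (name, kind, tail length)."""
    findings = []
    for name, data in files.items():
        hit = trailing_data(data)
        if hit and hit[1]:
            findings.append((name, hit[0], len(hit[1])))
    return findings


# Constructed samples (not real captures): a minimal JPEG skeleton, a PNG with
# IHDR and IEND chunks, a tiny PDF, and a hypothetical 9-byte tag appended.
_JPEG = b"\xff\xd8" + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + b"\xff\xd9"
_PNG = (b"\x89PNG\r\n\x1a\n"
        + b"\x00\x00\x00\x00IHDR" + b"\x00\x00\x00\x00"
        + b"\x00\x00\x00\x00IEND" + b"\xaeB`\x82")
_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
TAG = b"\x00TAG:1234"

SAMPLE_FILES = {
    "photo.jpg": _JPEG + TAG,
    "clean.jpg": _JPEG,
    "logo.png": _PNG + TAG,
    "memo.pdf": _PDF + TAG,
    "notes.txt": b"plain text, format unknown" + TAG,
}

if __name__ == "__main__":
    for name, kind, n in scan(SAMPLE_FILES):
        print(f"{name}: {n} bytes after {kind} end")
```

Trailing bytes are a signal, not proof: some cameras and editors leave data after a JPEG EOI, and PDF incremental updates legitimately add another trailer, which is why the PDF check uses the last %%EOF. Run the scan across a whole volume and look for a constant-length tail on many files that were never opened by the user; that pattern, rather than any single hit, is what an OS-level tagger would produce.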
From rforno at infowarrior.org Sun Dec 27 17:55:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Dec 2015 18:55:41 -0500
Subject: [Infowarrior] - 10 Awful Tech-Industry Terms to Stop Using in 2016
Message-ID:

Sunday, December 27, 2015
New Year Rant: 10 Awful Tech-Industry Terms to Stop Using in 2016
http://disruptivewireless.blogspot.fi/2015/12/new-year-rant-10-awful-tech-industry.html

In the spirit of the holiday season and New Year, this is another list about 2016. But it's from me, so it's a rant, rather than clairvoyancy with a crystal-ball. There's a bunch of words and concepts used in the technology industry that make you look like a fool, or at least lazy and sloppy. They're often meaningless, duplicitously-used to "misframe" an argument, or just generally cringe-worthy. Some of them I've tackled before, and yes, mea culpa, I've been guilty of some of them before too. But I've learned from the errors of the past, and apologise unreservedly for any historical fluffiness and telcowash. So let's double-check our terminology in 2016, call out offenders, and make a collective New Year resolution to ditch the telco-industry b*llocks....

< -- >

Summary

So let's have a collective New Year's resolution to avoid telecoms-sector "trigger words" and acknowledge what we actually mean in 2016. Let's get rid of:

- Digital
- OTT
- Transformation
- Seamless
- Carrier-Grade
- Engagement
- Content
- Rich
- End-to-End
- Ecosystem

And, I'm sad to admit, there's also probably a number 11 that's past its sell-by: "Disruptive". But yeah, let's forget about that one, given that I was disruptive before it went mainstream. I reckon I can claim some form of retro-irony exemption?

Rant over. Happy New Year!

-- It's better to burn out than fade away.
From rforno at infowarrior.org Sun Dec 27 20:12:11 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Dec 2015 21:12:11 -0500
Subject: [Infowarrior] - China adopts first counter-terrorism law, weakens crypto
Message-ID:

China adopts first counter-terrorism law
English.news.cn | 2015-12-27 20:29:43 | Editor: huaxia
http://news.xinhuanet.com/english/2015-12/27/c_134955905.htm

BEIJING, Dec. 27 (Xinhua) -- China's top legislature on Sunday adopted the country's first counter-terrorism law in the latest attempt to address terrorism at home and help maintain world security.

Lawmakers approved the legislation Sunday afternoon at the end of a week-long bimonthly session of the National People's Congress (NPC) Standing Committee.

At a press conference held on Sunday, An Weixing, an official with the public security ministry, said China is facing rising threats of terrorism.

"Terrorist attacks have caused heavy losses of people's lives and properties, posing a serious threat to our security, stability, economic development and ethnic unity," An said.

The new law, which will enter into force in January next year, will provide legal support to the country's counter-terrorism activities as well as collaboration with the international society, he said.

The much anticipated counter-terrorism law proposed a national leading organ for counter-terrorism work, which will be in charge of identifying terrorist activities and personnel, and coordinate nationwide anti-terrorist work.

The state will provide necessary financial support for key regions listed in the country's counter-terrorist plan, whereas professional anti-terrorist forces will be established by public security, national security authorities as well as armed forces.

A national intelligence center will be established to coordinate inter-departmental and trans-regional efforts on counter-terrorism intelligence and information.
The term "terrorism" is defined as any proposition or activity -- that, by means of violence, sabotage or threat, generates social panic, undermines public security, infringes on personal and property rights, and menaces government organs and international organizations -- with the aim to realize certain political and ideological purposes.

A statement from NPC Standing Committee earlier this week said the new definition had been inspired by a Shanghai Cooperation Organization (SCO) counter-terrorism convention, and the UN's Declaration on Measures to Eliminate International Terrorism. A previous draft of the law, submitted in February, did not cover personal and property rights or political and ideological purposes.

"[China] opposes all extremism that seeks to instigate hatred, incite discrimination and advocate violence by distorting religious doctrines and other means, and acts to eradicate the ideological basis for terrorism," the approved bill read.

The new law comes at a delicate time for China and for the world at large - terror attacks in Paris, the bombing of a Russian passenger jet over Egypt, and the brutal killings of hostages committed by Islamic State (IS) extremist group are alerting the world about an ever-growing threat of terrorism.

According to China's top legislator Zhang Dejiang, the new law is an important part for establishing systemic rules for national security. The law establishes basic principles for counter-terrorism work and strengthens measures of prevention, handling, punishment as well as international cooperation, he said.

Under the new bill, telecom operators and internet service providers are required to provide technical support and assistance, including decryption, to police and national security authorities in prevention and investigation of terrorist activities. They should also prevent dissemination of information on terrorism and extremism.
Li Shouwei of the National People's Congress (NPC) Standing Committee legislative affairs commission, said the rule accorded with the actual work needed to fight terrorism and was basically the same as other major countries. "The clause reflects lessons China has learned from other countries and is a result of wide solicitation of public opinion," he added. "(It) will not affect companies' normal business nor install backdoors to infringe intellectual property rights, or ... citizens' freedom of speech on the internet and their religious freedom," Li said.

China's national security law adopted in July also requires Internet and information technology, infrastructure, information systems and data in key sectors to be "secure and controllable".

Before Sunday's new bill, China did not have anti-terrorism legislation, though related provisions feature in various NPC Standing Committee decisions, as well as the Criminal Law, Criminal Procedure Law and Emergency Response Law. The NPC's standing committee passed a decision to improve anti-terrorism work in October 2011, but it was never made into law. The lack of a systematic law in this field had hampered China's fight against terrorism, with measures deemed not forceful enough, analysts say.

In one of the most deadly cases, twenty-nine people were killed and scores more injured by knife-wielding assailants at a train station in Yunnan's capital city, Kunming, on March 1, 2014. Terrorist attacks have brought greater urgency for a counter-terrorism law. The first draft of the law was submitted for review in October 2014 and the second draft in February.

In a separate clause, Sunday's new bill allows police forces, when facing violent attackers with guns or knives, to use weapons directly in emergency circumstances.
In the rare reality of a terrorist attack, no institutions or individuals shall fabricate and disseminate information on forged terrorist incidents, report on or disseminate details of terrorist activities that might lead to imitation, nor publish scenes of cruelty and inhumanity in terrorist activities, the new law reads.

None, except news media with approval from counter-terrorism authorities in charge of information distribution, shall report on or disseminate the personal details of on-scene counter-terrorist workers, hostages or authorities' response activities.

The clause was specifically revised to restrict the distribution of terrorism-related information by individual users on social media, earlier reports said.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Dec 28 06:53:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Dec 2015 07:53:37 -0500
Subject: [Infowarrior] - Six cybersecurity lawmakers to watch in 2016
Message-ID: <04D23B9D-D661-4CF8-9557-2B3F594D2C1A@infowarrior.org>

The first two should be re-labelled "Enemies of the Internet" if you ask me. --rick

Six cybersecurity lawmakers to watch in 2016
By Katie Bo Williams - 12/28/15 06:05 AM EST
http://thehill.com/policy/cybersecurity/264118-six-cybersecurity-lawmakers-to-watch-in-2016

On the heels of passing its most significant cybersecurity legislation in years, Congress is poised to tackle a slate of fresh digital issues in 2016. Concerns over terrorist use of encrypted technology, proliferating hacks on retail companies, invalidated data transfers between the U.S. and the European Union, and more have pushed lawmakers to urge action on cybersecurity.

Here are six lawmakers to watch on cybersecurity issues in 2016.

SENS. RICHARD BURR (R-N.C.) AND DIANNE FEINSTEIN (D-CALIF.) AND REP. MICHAEL MCCAUL (R-TEXAS)

In the wake of reports that the terrorists behind the deadly attacks in Paris and San Bernardino used encrypted technology to plot the shootings out of sight of law enforcement, several lawmakers have urged immediate action on legislation governing the technology. The debate over whether it is technically feasible to provide law enforcement some form of guaranteed access to locked communications has emerged as one of the most contentious issues of the new year.

Security experts and tech firms insist that undermining encryption destroys the security of the day-to-day operations of the entire Internet. Law enforcement - led by FBI Director James B. Comey - say that tech companies need to change their business models to comply with legal warrants.

Sen. Dianne Feinstein (D-Calif.) is vowing to lead the charge on legislation that would require companies to decrypt data under court order. "I'm going to seek legislation if nobody else is," she said in December. She is working with Senate Intelligence Chairman Richard Burr (R-N.C.) to develop the bill.

House Homeland Security Chairman Michael McCaul (R-Texas) has also stepped into the debate, pushing the creation of "a national commission on security and technology challenges in the digital age." The panel will be tasked with providing specific recommendations for dealing with an issue that has created a deep rift between Silicon Valley and Washington officials.

REP. WILL HURD (R-TEXAS)

The devastating hack of the Office of Personnel Management (OPM), uncovered in spring of 2015, rocked the federal government. The intrusion, which exposed 21.5 million federal employees and others, revealed deep deficiencies in how government agencies safeguard sensitive data. The House Oversight Committee led the charge in investigating the OPM in 2015, calling for the resignation of then-director Katherine Archuleta and pressing the agency on its process for notifying victims.

Rep. Will Hurd (R-Texas), the chairman of the new House Oversight Subcommittee on Information Technology, told a cybersecurity conference this fall that Congressional oversight of federal cybersecurity is only going to get stiffer. "Congress is doing a better job of playing our oversight role and you're going to be seeing that," Hurd said, noting that ensuring a robust federal IT infrastructure is an area where he has "a lot of latitude" - and that he expects to be exercising that authority in the coming months.

SEN. RON WYDEN (D-ORE.)

Known around Capitol Hill as a privacy hawk, Sen. Ron Wyden (D-Ore.) was one of the most vocal critics of a major cybersecurity bill passed as part of the 2015 omnibus. Wyden ultimately failed in his attempt to alter the bill's text to boost privacy protections, but he garnered enough support that he felt his efforts to educate his colleagues gained some traction. "When you have a reactive Congress - we've all seen these cyberattacks - and somebody says here's a cybersecurity bill, you always have a big educational challenge," he told reporters just before the Senate bill passed.

Wyden continues to crusade for tougher privacy laws as the U.S. and the European Union struggle to hammer out a new data transfer agreement to replace a predecessor that was struck down by the European high court this fall. The court said that because of its surveillance practices, the U.S. couldn't be seen to sufficiently protect citizens' privacy. Wyden has criticized the ruling and used it to call on Congress to pass legislation boosting protections. "They were saying that our privacy policies are not adequate now," he told reporters this fall.

REP. JIM LANGEVIN (D-R.I.)

Rep. Jim Langevin (D-R.I.) has worked throughout the fall to raise Congressional awareness of a little-known international agreement governing export regulations for so-called intrusion software - digital hacking and surveillance tools that could be abused by repressive regimes.
Security experts argue that the arrangement defines "intrusion software" too broadly, effectively outlawing the export of legitimate tools that companies use to test and fortify their own defenses. Langevin, along with his House Cybersecurity co-chair Michael McCaul, gathered the support of 125 lawmakers in urging the White House to step in and help rework the proposed rule late this month. As written, they say, the rules "dramatically reduced our ability to defend our nation's networks while only marginally reducing malicious actors' abilities to use hacking tools."

Other lawmakers expect Langevin's efforts to educate members on the importance of the agreement will bear fruit. "The whole issue of cybersecurity has been elevated, I think that's why there's a lot of member interest," Rep. Ted Lieu (D-Calif.) told The Hill. "And I think people understand that one of the best ways to protect yourself against cyberattacks is to test your own system."

REP. DEVIN NUNES (R-CALIF.) AND ADAM SCHIFF (D-CALIF.)

Fresh off of a critical role in crafting the final version of the Cybersecurity Information Sharing Act, the House Intelligence Committee chairman and ranking member will be at the forefront of an ongoing debate over the extent of U.S. surveillance practices. Through their committee roles, Nunes and Schiff are some of the key members of Congress overseeing the intelligence community. Both supported a massive overhaul of the National Security Agency (NSA) passed earlier this year - although Nunes said later that the legislation was largely unnecessary. Schiff was a co-sponsor of the original bill.

The attacks on Paris and San Bernardino have reignited debate over the reforms, which ended the NSA's bulk collection of phone metadata. Security hawks, including Republican presidential candidate Sen. Marco Rubio (Fla.), have accused those who voted in favor of the bill of making America less safe.
In 2017, lawmakers will reevaluate the authorization of several controversial NSA programs, including the so-called "PRISM" program. Privacy backers hope the deadline for that law will provide an opportunity to force changes in what data the government is allowed to collect.

WILDCARD

With a major information sharing bill signed into law, Congress turns its attention to the next challenge in domestic cybersecurity legislation: data breach notification. As high-profile breaches continue to make headlines, data security bills have cluttered both chambers this year. There are at least four offerings in both the Senate and the House. Sen. Mark Warner (D-Va.) is also reportedly circulating a discussion draft that appears to have strong support from retailers.

Most of the proposed legislation seeks to mandate cybersecurity requirements for retailers and set a minimum standard for reporting breaches - typically 30 days. In the House, lawmakers from the Energy and Commerce Committee and the Financial Services Committee are in talks to combine their two competing offerings into a single bill supported by both committees. Rep. Randy Neugebauer (R-Texas), whose Data Security Act passed out of the Financial Services Committee with broad bipartisan support, has expressed confidence that his language has a shot at seeing the floor. But it is far from certain which bill - and which lawmaker - will emerge at the forefront of the race to mandate cybersecurity standards.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Mon Dec 28 13:42:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Dec 2015 14:42:12 -0500
Subject: [Infowarrior] - 191m US voters' data exposed online in database mishap
Message-ID: <8F4C51A8-84C4-48C9-B064-28D892A64324@infowarrior.org>

(from multiple sources)

http://www.csoonline.com/article/3018592/security/database-configuration-issues-expose-191-million-voter-records.html

Database configuration issues expose 191 million voter records
By Steve Ragan
Dec 28, 2015 4:00 AM PT

A misconfigured database has led to the disclosure of 191 million voter records. The database, discovered by researcher Chris Vickery, doesn't seem to have an owner; it's just sitting in the public - waiting to be discovered by anyone who happens to be looking.

What's in the database?

The database was discovered by researcher Chris Vickery, who shared his findings with Databreaches.net. The two attempted to locate the owner of the database based on the records it housed and other details. However, their attempts didn't pan out, so they came to Salted Hash for assistance. Never one to shy away from a puzzle, I agreed to help.

The best place to start looking was the database itself. That's when Vickery sent me my personal voter record from the database. It was current based on the elections listed. My personal information was accurate too. Vickery discovered his own record as well, so I asked him about his initial reaction.

"My immediate reaction was disbelief," Vickery said. "I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result. Sitting right in front of my eyes, in a strange, random database I had found on the Internet, were details that could lead anyone straight to me. How could someone with 191 million such records be so careless?"
The database contains a voter's full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for if the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. In addition, the database contains fields for voter prediction scores. All voter information, except for a few elements protected by law in some states, is public record. For example, in Ohio, voter records are posted online. Other states make obtaining voter records a bit more challenging or outright expensive, but they're still available. For the most part, voter data is restricted to non-commercial purposes. However, each state has its own rules for such data. Point in case, in Alaska, Arkansas, and Colorado, voter data has no restrictions placed on it. However, in California, voter data may only be used for political purposes and may not be made available to persons outside of the U.S. South Dakota has a law that is directly related to this article's focus: "...the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet." The database discovered by Vickery doesn't contain Social Security Numbers or driver license numbers, but it's still a massive collection of data. Again, most states or data brokers require that anyone obtaining voter data affirm that they're not going to use it for commercial gain and that they'll follow all related state laws. Yet, because the information Vickery discovered is in a database available to anyone on the Internet who knows how to find it, it's essentially unrestricted data. I shared my personal voting file with a few election sources and experts. 
One of them offered a simple explanation as to why it exists, and what a database such as this could be used for during an election season. "This file has all the basic information that a voter file would have on you: your address, date of birth, every election you did or didn't vote in, and some basic demographic information. Campaigns use all of [this] information to target their messages more efficiently: to make sure they're targeting not just the right people, but people who will actually end up voting. Most of this data is public record, with the caveat that it can only be used for campaign purposes," explained Maclen Zilber, a Democratic political consultant with the firm Shallman Communications. "Some major voting data companies will give each voter a rating of how likely they are to turn out and vote, how likely they are to support a given political party, and even more niche questions such as how likely they are to support a specific issue. The prediction score row suggests that this file is from a company selling voter data, not just a file from a government database." Who owns the database? Salted Hash reached out to several political data firms in an effort to locate the owner of the exposed database. Dissent (admin of Databreaches.net) did the same thing. However, none of our efforts were successful. The following firms were contacted by Salted Hash for this story: Catalist, Political Data, Aristotle, L2 Political, and NGP VAN. Databreaches.net reached out to Nation Builder. Speaking to Dissent, Nation Builder said that the IP address hosting the database wasn't one of theirs, and it wasn't an IP address for any of their hosted clients. As for the firms contacted by Salted Hash, each of them denied that the database was theirs, and in the case of NGP VAN, the technical aspects of the infrastructure (Linux vs. Windows) ruled them out because they're a Windows shop and the data is housed as part of a Linux build. 
A later attempt to contact i360, another political data firm, was unsuccessful. In addition, DSPolitical, TargetSmart, and Data Trust were also contacted about the database. Conversations between TargetSmart and Salted Hash went as expected by this point; the database isn't theirs and they are not using that IP address. If DSPolitical and Data Trust respond to questions, this story will be updated.

How was this database compiled?

For the last week, Salted Hash has attempted to discover not only who owns the database that's been exposed to the public, but also how it was compiled. The hope was that if the owner couldn't be determined, then knowing the source of the data could be useful, as the vendor might be able to contact a customer and alert them to the problem. As it turns out, researching this story was a bit complicated because of the Sanders / Clinton / NGP VAN voter database incident. Many of those contacted by Salted Hash assumed the two stories were somehow connected. To be perfectly clear, this story is not related to the Sanders / Clinton incident at all.

The NGP VAN incident involving the Sanders and Clinton campaigns centered on a software configuration error that resulted in the Sanders campaign seeing client scores from the Clinton camp. There were no voter records exposed, just client scores. In fact, the Sanders and Clinton campaigns share the exact same DNC voter database. The information exposed was added by one campaign, and the glitch allowed the other campaign to see it. What Vickery has discovered is worse, because the data he discovered isn't a client score - it's a complete voter record for 191 million registered voters. The problem is, no one seems to care that this database is out there and no one wants to claim ownership.

As it turns out, many state and county elections offices charge for access to voter data. Sometimes, voter data is free, but when there's a cost involved, the total paid can be extreme.
For example, in 2012, the fee to obtain 3 million voter registration records in Alabama was just over $29,000. Such costs can really cut into the budget of a political campaign, so campaign managers will turn to various political data firms and purchase the information needed at a lower cost. One of the places campaigns turn to is Nation Builder. When Vickery first discovered the voter database, he and Dissent identified Nation Builder as the possible source of the data. However, as mentioned, Nation Builder denied that the IP address was theirs. They also said the IP wasn't being used by any of their hosted clients.

Digital maps and Big Data

But did the data in the exposed voter database come from Nation Builder? Based on the database schema and formatting, yes, it did. The personal voter file given to me by Vickery is clearly from a Nation Builder data set. In the U.S., few vendors maintain a national voter file. For those vendors that do, each voter file has signature components that are unique to that particular vendor - similar to a digital fingerprint. In order to distinguish one voter file source from another, one can compare the file structure - how the vendor chooses to name various fields as well as the order in which they appear on their file. Another clear distinguishing factor is the unique voter ID - the code that the vendor assigns to each voter in the country. Each vendor that deals with national voter files has their own distinct approach to creating unique identifiers for voters.

In my voter record, the voter ID and the field names point directly to Nation Builder as the source of the data that's been exposed. When you compare my voter record to the file structure published by Nation Builder, there are clear similarities including the nbec_precinct_code. This code is unique to Nation Builder. It's shorthand for Nation Builder Election Center Precinct Code. In my case, that code is: 18097-Marion-Center (Marion County, Center Township).
As for the voter ID, my voter record uses a voter ID code consisting of 32 letters and numbers separated by dashes: 058a902b-4e1d-4989-8fdb-4976f48fbfb6

Multiple firms questioned about the digital fingerprints in my voter record (UID / NBEC code) quickly concluded that Nation Builder was the source of the data, and one said that this would be clear to anyone who has ever viewed Nation Builder before.

But is Nation Builder to blame? Not really...

So while Nation Builder denied any claim to the IP and the leaked database, it's entirely possible they might know who developed it - but that would require an extensive records check. This is because a developer or campaign wishing to access the Nation Builder Election Center would need to register their contact details, such as name and email address. However, Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it. In short, while they provided the data that's in my newly leaked voter record, they're not liable in any way for it being exposed. And to be clear, I don't blame Nation Builder for my leaked record either, I blame the person(s) who developed the database and poorly configured its hosting. I'm just not sure who they are yet.

Either way, I'm just one individual. There are more than 191 million people with records in this database. So if you're a registered voter in the U.S., you should know your data has been exposed. Moreover, there is no way to know for sure how long this database has existed online, and for some of you - that's a problem. Point in case, the law enforcement officer that spoke to Dissent about their leaked voter file. Based on the voter count and some of the records, the database appears to be from Nation Builder's 2014 update from February or March, but unless the database owner is contacted and confirms, there's no way to prove that conclusion. The concern is the potential for abuse.
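An added example (not code from the article, Salted Hash or Nation Builder) of the schema fingerprinting described above: it attributes a leaked record to Nation Builder from the vendor-specific nbec_precinct_code field and the UUID-style voter ID, and treats the ID format on its own as insufficient, since many systems issue UUIDs. The field name voter_id, the scoring rule and the sample records are assumptions constructed for the example.

```python
"""Attribute a leaked voter record to its vendor from schema fingerprints.

Added example; not code from the article or from any vendor. The two signals
checked are the ones the article describes for Nation Builder: the field
nbec_precinct_code (e.g. 18097-Marion-Center) and a 32-hex-character,
dash-separated voter ID. The field name "voter_id", the scoring and the
sample records are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# UUID-style identifier as printed in the article: 8-4-4-4-12 hex groups.
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# NBEC precinct code: five-digit county code, county name, precinct name,
# dash separated, following the article's example 18097-Marion-Center.
NBEC_RE = re.compile(r"^(\d{5})-([^-]+)-(.+)$")


def parse_nbec_precinct_code(code: str) -> Optional[Dict[str, str]]:
    """Split an NBEC precinct code into its parts, or None if malformed."""
    match = NBEC_RE.match(code.strip())
    if not match:
        return None
    county_code, county, precinct = match.groups()
    return {"county_code": county_code, "county": county, "precinct": precinct}


def id_format(value: object) -> str:
    """Classify an identifier's shape as 'uuid', 'numeric' or 'other'."""
    text = str(value).strip()
    if UUID_RE.match(text):
        return "uuid"
    if text.isdigit():
        return "numeric"
    return "other"


def fingerprint_record(record: Dict[str, object]) -> Dict[str, object]:
    """Score one record for Nation Builder signatures and explain the verdict.

    The vendor is only named when the vendor-specific field is present; the
    voter ID format corroborates or contradicts but never decides alone.
    """
    rec = {name.lower(): value for name, value in record.items()}
    evidence: List[str] = []
    score = 0

    if "nbec_precinct_code" in rec:
        score += 2
        evidence.append("vendor-specific field nbec_precinct_code present")
        parsed = parse_nbec_precinct_code(str(rec["nbec_precinct_code"]))
        if parsed:
            score += 1
            evidence.append("precinct code parses as county %s (%s), precinct %s"
                            % (parsed["county_code"], parsed["county"], parsed["precinct"]))
        else:
            evidence.append("precinct code present but does not match NBEC format")

    if "voter_id" in rec:  # hypothetical field name for the unique voter ID
        shape = id_format(rec["voter_id"])
        if shape == "uuid":
            score += 1
            evidence.append("voter_id is a UUID-style 32-hex identifier")
        else:
            score -= 1
            evidence.append("voter_id is %s, not UUID-style" % shape)

    vendor = "Nation Builder" if score >= 2 else None
    return {"vendor": vendor, "score": score, "evidence": evidence}


def attribute_dump(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Count records per attributed vendor across a dump ('unknown' if none)."""
    counts: Dict[str, int] = {}
    for record in records:
        vendor = fingerprint_record(record)["vendor"] or "unknown"
        counts[vendor] = counts.get(vendor, 0) + 1
    return counts


# Constructed sample: the first record carries the two values the article
# prints; the second imitates an unrelated vendor with numeric IDs and no
# NBEC field. Names are made up.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {
        "first_name": "Jane", "middle_name": "Q", "last_name": "Voter",
        "voter_id": "058a902b-4e1d-4989-8fdb-4976f48fbfb6",
        "nbec_precinct_code": "18097-Marion-Center",
        "party": "unaffiliated",
    },
    {"name": "John Voter", "voter_id": "4471023", "precinct": "Center"},
]

if __name__ == "__main__":
    for sample in SAMPLE_RECORDS:
        verdict = fingerprint_record(sample)
        print(verdict["vendor"] or "unknown", "-", "; ".join(verdict["evidence"]))
    print(attribute_dump(SAMPLE_RECORDS))
```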
Stalking and the exposure of people who normally don't share their personal information is certainly an issue. There are other long term issues too. The personal information in this database, including political affiliation, date of birth, could be used to construct a targeted Phishing campaign. While most people are aware of financially-based Phishing attacks, or those focused on retail or shipping, a targeted list based on politics might have a higher level of success, especially this time of year heading into the 2016 election cycle.

Vickery and Dissent have reached out to federal law enforcement for assistance in locating the database's owner or removing it from public view. In addition, they've contacted the California Attorney General. At the time this article was written and published, the database was still live.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 29 10:13:48 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Dec 2015 11:13:48 -0500
Subject: [Infowarrior] - Less validation for senior US spies
Message-ID:

Spy agencies resist push for expanded scrutiny of top employees
By Greg Miller
December 29 at 10:04 AM
https://www.washingtonpost.com/world/national-security/spy-agencies-resist-push-for-expanded-scrutiny-of-top-employees/2015/12/29/00c8bc68-ad87-11e5-9ab0-884d1cc4b33e_story.html

U.S. intelligence agencies recently fought off a move by Congress to require the CIA and other spy services to disclose more details about high-ranking employees who have been promoted or fired, despite pledges to be more open and accountable. The disputed measure was designed to increase scrutiny of cases in which senior officers ascend to high-level positions despite problems ranging from abusive treatment of subordinates to involvement in botched operations overseas.
The CIA in particular has faced sharp criticism in recent years for promoting operatives who faced investigations by the agency's internal watchdog or the Justice Department for their roles in the brutal interrogations of prisoners or badly mishandled operations to capture terrorism suspects.

Under a provision drafted by the Senate Intelligence Committee this year, intelligence agencies would have been required to regularly provide names of those being promoted to top positions and disclose any "significant and credible information to suggest that the individual is unfit or unqualified."

But that language faced intense opposition from Director of National Intelligence James R. Clapper Jr., according to officials involved in the matter. As a result, the wording was watered down by Congress this month and now requires Clapper only to furnish "information the Director determines appropriate."

U.S. officials offered multiple explanations for Clapper's objections. Several said that his main concern was the bureaucratic workload that would be generated by legislation requiring so much detail about potentially hundreds of senior employees across the U.S. intelligence community. But others said that U.S. spy chiefs chafed at the idea of subjecting their top officials to such congressional scrutiny and went so far as to warn that candidates for certain jobs would probably withdraw.

Lawmakers were told that "some intelligence personnel would be reluctant to seek promotions out of concern that information about them would be presented to the Hill," said a U.S. official involved in the discussions.

Brian Hale, a spokesman for Clapper's office, declined to comment on specific objections to the provision, except to say that senior officials "had some concerns with the original language" but "worked them out to a mutually agreeable solution."

Sen.
Dianne Feinstein (D-Calif.), the top Democrat on the Senate committee, had inserted the initial provision in the intelligence authorization bill that was passed by the panel earlier this year, officials said. The modified language will ensure that oversight committees "know the names of senior intelligence community leaders," Feinstein said in a statement provided to The Washington Post. The original version "would have provided additional information, but the language in the omnibus is a good first step." She was referring to a broad budget and tax deal that cleared Congress on Dec. 18 and included the intelligence provision.

Feinstein had served as chairman of the Senate panel before being replaced by Sen. Richard Burr (R-N.C.) this year. Feinstein clashed with the CIA repeatedly over personnel moves and accountability issues as the committee finished an exhaustive investigation of the secret prison and interrogation program the agency launched after the Sept. 11, 2001, attacks.

The committee's report, which was released last year, cited multiple instances in which employees with troubled backgrounds were nevertheless given key roles in sensitive operations. The report concluded that "numerous CIA officers had serious documented personal and professional problems - including histories of violence and records of abusive treatment of others - that should have called into question their suitability to participate in the CIA's detention and interrogation program."

One passage noted that the head of a CIA prison had complained in an e-mail that headquarters "managers seem to be selecting either problem, underperforming officers, new, totally inexperienced officers or whomever seems to be willing and able to deploy at any given time."
The CIA issued a lengthy response that outlined its objections to the Senate report, although CIA Director John Brennan acknowledged problems in the interrogation program and said that the agency "fell short when it came to holding individuals accountable for poor performance and management failures."

Brennan's vow to correct those shortcomings was one of multiple instances over the past few years in which he, Clapper and others have pledged to improve transparency in personnel matters and other issues that don't involve sensitive operational information.

One of the most controversial CIA cases centered on an analyst who was widely blamed for a 2003 operation in Macedonia that captured a German citizen, Khaled el-Masri, and whisked him to a secret prison in Afghanistan before agency operatives realized they had detained the wrong man. The analyst was never punished and went on to hold a series of high-level jobs at CIA headquarters, including in its Counterterrorism Center.

More recently, a top CIA manager who had been removed from his job for abusive treatment of subordinates was reinstated this year as deputy chief for counterintelligence at the Counterterrorism Center.

Congressional officials emphasized that the recent personnel reporting measure would apply to all U.S. spy agencies, and that while intelligence committees have always been able to request personnel information there has been no mechanism by which the names of senior officers are routinely shared with Congress.

The earlier draft would have required quarterly reports from Clapper's office on "each appointment of an individual to or separation from a senior level position during the previous 3-month period."

Former CIA director Michael Hayden said he would have opposed such language "for simply being too invasive" and undermining the separation of powers between the executive and legislative branches of government.
"It would create a chill for people being willing to accept particularly challenging positions," Hayden said. "Then there is the whole question of opening up agency officers for attacks from the Hill, not all of them highly motivated."

The final version no longer links disclosures to promotions or firings, and instead only requires the nation's spy chief to provide "the identities of individuals occupying senior level positions within the intelligence community."

Greg Miller covers intelligence agencies and terrorism for The Washington Post.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 29 10:13:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Dec 2015 11:13:55 -0500
Subject: [Infowarrior] - What Alzheimer's Feels Like from the Inside
Message-ID:

What Alzheimer's Feels Like from the Inside
An investigative reporter chronicles the progression of his own disease.
By Greg O'Brien
December 10, 2015
http://nautil.us/issue/31/stress/what-alzheimers-feels-like-from-the-inside

I was up again at 4 a.m. the other night, one of five nocturnal ramblings in the early morning, the new me. No sleep. Picking my way in the dark, familiar territory of a home on Cape Cod where I have lived with my family for 34 years. I fumbled into the bathroom as I felt the numbness creep up the back of my neck like a penetrating fog, slowly inching to the front of my mind. It was as if a light in my brain had been shut off. I was overcome by the darkness of not knowing where I was and who I was. So I reached for my cellphone that substitutes as a flashlight, and called the house. My wife, deep asleep in our bed just 20 feet away, rose like Lazarus from the grave to grab the phone in angst, fearing a car crash with one of the kids or the death of an extended family member. It was me, just me. I was lost in the bathroom.
[Video: Inside Alzheimer's Disease, Day's Edge Productions and the Howard Hughes Medical Institute]

I was diagnosed in 2009 with early-onset Alzheimer's, after Alzheimer's stole my maternal grandfather and my mother, and several years before my paternal uncle died of Alzheimer's. Clinical tests, MRIs and a brain scan confirmed my diagnosis. I also carry the Alzheimer's marker gene APOE4. Two traumatic head injuries "unmasked" a disease in the making, my doctors tell me.

Today, 60 percent of my short-term memory can be gone in 30 seconds. I often don't recognize friends, including, on two occasions, my wife. I get lost in familiar places, fly into inexorable rages, put my keys and cellphone in the refrigerator, my laptop in the microwave, and wash business cards in the dishwasher simply because they are dirty. And at times, I see things that aren't there.

The most disturbing symptoms in my private darkness are the visual misperceptions, the hallucinations - those crawling, spider-and-insect like creatures that crawl along the ceiling regularly at different times of day, sometimes in a platoon, turning at 90 degree angles, then inching a third of the way down the wall before floating toward me. I brush them away, almost in amusement, knowing now that they are not real, yet fearful of the cognitive decline. On a recent morning, I saw a bird in my bedroom circling above me in ever-tighter orbits, before it precipitously dove to the bed in a suicide mission. I screamed. But it was my imagination.

Years ago as a journalist, I thought I was Clark Kent, Superman, an award-winning reporter who feared nothing. But today, I feel more like a baffled Jimmy Olsen. And on days of muddle, more like a codfish landed on the dock. A fish rots from the head down. I never know who's going to show up. Will I be on or off? I was off the other night, yet another reminder of the denouement of this plot. Stephen King couldn't have written a better thriller.
When I sat down to write my own story, in my book, On Pluto: Inside the Mind of Alzheimer's, my purpose was to offer a blueprint of strategies, faith, and humor, a day-to-day focus on living with Alzheimer's, not dying with it - a hope that all is not lost when it appears to be. I was with my mother in the nursing home when she passed away, and told her moments before she died, "Mom, we're riding this one out together." She had always taught me to confront the demons in life.

And so, when producer Nathan Dappen called me about appearing in a short film, I told him he had me with hello. I was honored by the opportunity, and saw my mother's face in the camera, urging me in spirit to tell my story. And so I did. As a journalist, answering questions, rather than asking them, and then seeing the remarkable finished product, is a humbling, out-of-body experience - a bit like Alzheimer's. I'm not stupid; I have a disease. Hey, it's just me, the guy lost in the bathroom ...

Greg O'Brien is the author of On Pluto: Inside the Mind of Alzheimer's. It is the first book written by an investigative reporter embedded inside the mind of Alzheimer's chronicling the progression of his own disease. On Pluto has won several international book awards, and has been the subject of numerous television, radio, newspaper and magazine stories.

Video produced by Day's Edge Productions and the Howard Hughes Medical Institute as part of its "Think Like a Scientist" series for Nautilus. "Can Alzheimer's be Stopped?" premieres 2016 on PBS NOVA.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 29 10:14:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Dec 2015 11:14:00 -0500
Subject: [Infowarrior] - Those Demanding Free Speech Limits to Fight ISIS Pose a Greater Threat to U.S. Than ISIS
Message-ID: <268DFC1B-29F4-4AA8-A357-A98FC34323B6@infowarrior.org>

Those Demanding Free Speech Limits to Fight ISIS Pose a Greater Threat to U.S.
Than ISIS
Glenn Greenwald
Dec. 29 2015, 5:20 a.m.
https://theintercept.com/2015/12/29/those-demanding-free-speech-limits-to-fight-isis-pose-a-greater-threat-to-u-s-than-isis/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 29 15:27:19 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Dec 2015 16:27:19 -0500
Subject: [Infowarrior] - Agencies directed to use social media in security clearance reviews
Message-ID: <554F4A06-5403-41C9-B592-2C8127FAB1C6@infowarrior.org>

Agencies directed to use social media in security clearance reviews
By Nicole Ogrysko | @nogryskoWFED
December 28, 2015 2:28 pm
http://federalnewsradio.com/defense/2015/12/agencies-review-security-clearance-holders-twice-every-five-years/

The Director of National Intelligence will soon ask agencies to use additional sources of information when periodically reviewing their security clearance holders, according to a provision slipped into the 2016 omnibus spending bill. The legislation creates an enhanced personnel security program, which requires that agencies develop a plan for investigating existing clearance holders, under the direction of the Director of National Intelligence (DNI). Those reinvestigations must happen at least twice every five years.

"The enhanced personnel security program of an agency shall integrate relevant and appropriate information from various sources, including government, publicly available and commercial data sources, consumer reporting agencies, social media and such other sources as determined by the Director of National Intelligence," the bill states.

Specifically, agencies should collect criminal and financial information, such as a civil legal proceeding or credit score, as well as data on a terrorist or criminal watch list and any information that is already publicly available to conduct security reviews, the legislation says.
Agencies must implement their enhanced personnel security programs either within the next five years or before the backlog of overdue periodic reinvestigations is eliminated.

The specific inclusion of social media and publicly available electronic information is key, said Charlie Sowell, senior vice president for system and software engineering solutions at Salient CRGT and a former senior adviser to the Director of National Intelligence. The term "social media" will apply to any information an employee publicly posts on his or her account.

"It's interesting that they used publicly available and social media separately," Sowell said. "What we call publicly available electronic information (PAEI) [is] anything that's available online that a member of the general public could get without a subscription. It's readily available, and social media is a part of that."

Though the legislation generally says agencies should use social media when reviewing clearance holders, it doesn't describe exactly how they should use it, what they should look for and how they should interpret the information they find. Sowell said the Director of National Intelligence was supposed to issue a security executive agent directive, which would detail how the DNI expects agencies to use social media and other publicly available information in the security clearance process.

"Agencies, particularly in the Intelligence Community, have been waiting for the DNI to issue a top-cover for them to begin exploring the use of social media and publicly available electronic information in the normal clearance process, that is in the initial investigation and the periodic reinvestigation," he said. "But frankly some agencies, which have started piloting the use of social media in investigations, have stopped because they haven't gotten that top-cover, that policy document from the DNI that says it's ok to use it."
While the legislation directs that agencies use social media for reinvestigations, the DNI will still need to issue a directive permitting them to begin using that kind of information, Sowell said.

The legislation makes no mention of continuous evaluation - the practice of consistently conducting automated checks on an employee's financial, travel and criminal history records - which some agencies have begun to experiment with.

"I'm not sure this is as practical as moving whole hog into continuous evaluation, because you'd have to set up random checks that launch for every single person at different intervals," Sowell said. "It's not 5 percent of the population; it's everyone. So why not go all the way to continuous evaluation?"

Two years after its start, each agency's inspector general will conduct at least one audit of the program using performance standards that the Director of National Intelligence developed. Inspectors general will submit the results of their audits to the Director of National Intelligence, who will assess how well agencies are implementing enhanced personnel security programs governmentwide.

The 2016 budget also includes a resolution requiring the Director of National Intelligence to develop a plan to eliminate the security clearance backlog. "The plan ... shall use a risk-based approach to identify high risk populations and prioritize reinvestigations that are due or overdue to be conducted," the legislation says.

That comes as the future of the federal security clearance process remains unclear. Following multiple cyber breaches at the Office of Personnel Management, the White House mandated a 90-day review of the federal security clearance process in July. A request for proposal that OPM released in November for a workforce planning study of its Federal Investigation Services (FIS), indicates that the results of that review might be coming soon. It's still unclear which agency will ultimately own the security clearance process.
A former federal counterintelligence official said the White House will create a new organization, the National Investigative Service Agency, which would assume oversight of the clearance process. Other options included moving the services back to the Defense Department or keeping them under OPM's oversight.

Previous attempts to reform the security clearance process have died in Congress. The Enhanced Security Clearance Act, which had multiple versions and sponsors in 2013 and 2014, had marked similarities to the program included in the 2016 omnibus. It asked agencies to use publicly available information to review security clearance holders twice every five years.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 29 16:37:21 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Dec 2015 17:37:21 -0500
Subject: [Infowarrior] - WSJ: FBI Seeks to Reframe Encryption Debate
Message-ID: <57A9C316-2CFB-45EE-86C8-BBB8B046E81B@infowarrior.org>

FBI Seeks to Reframe Encryption Debate
Devlin Barrett
Dec. 29, 2015 2:27 p.m. ET
http://www.wsj.com/articles/fbi-seeks-to-reframe-encryption-debate-1451417252

WASHINGTON - The Federal Bureau of Investigation is issuing a more direct challenge to technology companies in the wake of terror attacks in Paris and California, urging them in blunter terms to allow investigators to decrypt private communications during terror probes.

Hoping to escape a continuing debate over the technical feasibility of decryption, which they fear plays into Silicon Valley's hands, FBI Director James Comey and others are pushing executives to move away from a policy they say values customers' privacy over public safety.

"It is a business-model question," Mr. Comey said at a recent congressional hearing, adding that executives "have designed their systems and their devices so that judges' orders cannot be complied with ... Should they change their business model? That is a very, very hard question."
Challenging tech CEOs like Apple Inc.'s Tim Cook directly suggests that Mr. Comey could be laying the groundwork for a push in Congress for legislation that would force the companies to change their products.

So far, however, there is no indication the tech industry is retreating from its argument that strong encryption is necessary to protect users' information, and that providing a technological "key" or "backdoor" for law enforcement would simply make the information more vulnerable to hackers of all kinds.

Apple, in response to questions for this article, said this isn't a new issue, since the company has used encryption for well over a decade as a vital way to protect customers' personal information. "As hacking schemes and cybercrimes against individuals, companies and governments have become daily occurrences, we have worked hard to keep pace," Apple said in a statement. "We know that criminals will seek out encryption techniques or develop their own, so weakening encryption in consumer devices will only hurt law-abiding citizens who rely on it to protect their data."

Still, not all tech companies are equally firm. John Chen, CEO of cellphone maker BlackBerry Ltd., has declared the company will work with the government to be responsive to court orders, saying, "Our privacy commitment does not extend to criminals."

In the wake of the recent mass killings, advocates on both sides are watching closely for a shift in public sentiment that might put more pressure on tech companies to allow law enforcement access to encrypted information if they have a court order. Some members of Congress are highlighting the terror attacks and threatening legislation in an attempt to pressure companies to make changes. Others have urged the creation of a blue-ribbon panel to study the issue and offer recommendations.

The FBI's current reframing of the issue is a shift from past appeals for software designers to find technical solutions.
At the same time, law-enforcement officials are citing the menace of terror attacks rather than emphasizing crimes like child abductions, as they've done previously.

Cindy Cohn, executive director of the Electronic Frontier Foundation, a privacy group, said the FBI's shift "means they realize their first strategy wasn't working." She added, "By shifting the conversation to a 'business model,' they may think they have more leverage against those people."

When the U.K. recently proposed giving officials more power to monitor communications, Apple fired back with a lengthy response saying the plan would threaten the security of millions of people's data.

Mr. Comey isn't the only law enforcement leader seeking to re-energize the effort to allow investigators to pierce encryption in the wake of the terror attacks in Paris and San Bernardino, Calif. In a lengthy report on the issue in November, Manhattan District Attorney Cyrus R. Vance Jr. argued, "Apple and Google are not responsible for keeping the public safe. That is the job of law enforcement. But the consequences of these companies' actions on the public safety are severe."

Officials at Google declined to comment.

A year ago, senior Justice Department officials met with Apple lawyers and laid out concerns about "end-to-end" encryption, which makes it impossible for authorities to scrutinize the content of encrypted exchanges. The meeting followed a decision by Apple to make end-to-end encryption a default setting for some features on its new iPhones. Google announced a similar move around the same time for its Android cellphone operating system, with both companies saying they were focused on protecting their customers' privacy.

At the meeting, government officials raised the specter of a child's murder going unsolved because a suspect's or victim's phone couldn't be accessed. That infuriated the Apple lawyers and widened the gulf between the two sides, according to people familiar with the discussions.
Tempers have cooled since then, but the policy differences remain.

Government officials acknowledge it may be hard to find a case where encryption indisputably prevented the thwarting of a deadly attack. Even where terrorists have used encrypted communications, they say, they generally also have engaged in unencrypted exchanges that law enforcement could monitor.

The problem of suspects "going dark" isn't that investigators see nothing of what an individual does, but that they see far less of it, making it harder to know if an attack may be in the offing and try to prevent it beforehand, officials said.

Terrorism has made encryption a hotter issue, but police have long complained that it can interfere with investigations of an array of crimes. Some officials cite a 2012 federal appeals court ruling related to a child-pornography case as an example of how encryption can enable dangerous criminals to remain free.

In that case, investigators noticed an individual was using Internet connections at California hotels to access and share videos of child molestation. When they cross-checked the hotels' registries for those dates, a single name came up. Authorities seized the man's computers and hard drives, but all the data was encrypted. He was ordered to enter the password to the devices but he refused and was jailed for contempt of court.

An appeals court eventually ruled the man couldn't be forced to provide a password, because to do so would have infringed his Fifth Amendment rights against self-incrimination. That forced prosecutors to drop the case and the man wasn't charged.

Write to Devlin Barrett at devlin.barrett at wsj.com

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Dec 29 23:58:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Dec 2015 00:58:12 -0500
Subject: [Infowarrior] - U.S. Spy Net on Israel Snares Congress
Message-ID: <934F463E-1B32-4D4E-A6C0-70363BC72A16@infowarrior.org>

(Next up: Burr and Feinstein introduce legislation calling for unbreakable cryptography for Congress and its staff, because they 'need' to ensure private communication, citing separation of powers and privacy concerns. Just wait for it. --- rick)

U.S. Spy Net on Israel Snares Congress
By Adam Entous and Danny Yadron
Dec. 29, 2015 4:40 p.m. ET
http://www.wsj.com/articles/u-s-spy-net-on-israel-snares-congress-1451425210

President Barack Obama announced two years ago he would curtail eavesdropping on friendly heads of state after the world learned the reach of long-secret U.S. surveillance programs.

But behind the scenes, the White House decided to keep certain allies under close watch, current and former U.S. officials said. Topping the list was Israeli Prime Minister Benjamin Netanyahu.

The U.S., pursuing a nuclear arms agreement with Iran at the time, captured communications between Mr. Netanyahu and his aides that inflamed mistrust between the two countries and planted a political minefield at home when Mr. Netanyahu later took his campaign against the deal to Capitol Hill.

The National Security Agency's targeting of Israeli leaders and officials also swept up the contents of some of their private conversations with U.S. lawmakers and American-Jewish groups. That raised fears -- an "Oh-s--- moment," one senior U.S. official said -- that the executive branch would be accused of spying on Congress.

White House officials believed the intercepted information could be valuable to counter Mr. Netanyahu's campaign. They also recognized that asking for it was politically risky. So, wary of a paper trail stemming from a request, the White House let the NSA decide what to share and what to withhold, officials said. "We didn't say, 'Do it,'" a senior U.S. official said. "We didn't say, 'Don't do it.'"

Stepped-up NSA eavesdropping revealed to the White House how Mr.
Netanyahu and his advisers had leaked details of the U.S.-Iran negotiations -- learned through Israeli spying operations -- to undermine the talks; coordinated talking points with Jewish-American groups against the deal; and asked undecided lawmakers what it would take to win their votes, according to current and former officials familiar with the intercepts.

Before former NSA contractor Edward Snowden exposed much of the agency's spying operations in 2013, there was little worry in the administration about the monitoring of friendly heads of state because it was such a closely held secret. After the revelations and a White House review, Mr. Obama announced in a January 2014 speech he would curb such eavesdropping.

In closed-door debate, the Obama administration weighed which allied leaders belonged on a so-called protected list, shielding them from NSA snooping. French President François Hollande, German Chancellor Angela Merkel and other North Atlantic Treaty Organization leaders made the list, but the administration permitted the NSA to target the leaders' top advisers, current and former U.S. officials said. Other allies were excluded from the protected list, including Recep Tayyip Erdogan, president of NATO ally Turkey, which allowed the NSA to spy on their communications at the discretion of top officials.

Privately, Mr. Obama maintained the monitoring of Mr. Netanyahu on the grounds that it served a "compelling national security purpose," according to current and former U.S. officials. Mr. Obama mentioned the exception in his speech but kept secret the leaders it would apply to.

Israeli, German and French government officials declined to comment on NSA activities. Turkish officials didn't respond to requests Tuesday for comment. The Office of the Director of National Intelligence and the NSA declined to comment on communications provided to the White House.
[Photo caption: The White House stopped directly monitoring the private communications of German Chancellor Angela Merkel but authorized the National Security Agency to eavesdrop on her top advisers. Photo: Odd Andersen/Agence France-Presse/Getty Images]

This account, stretching over two terms of the Obama administration, is based on interviews with more than two dozen current and former U.S. intelligence and administration officials and reveals for the first time the extent of American spying on the Israeli prime minister.

Taking office

After Mr. Obama's 2008 presidential election, U.S. intelligence officials gave his national-security team a one-page questionnaire on priorities. Included on the form was a box directing intelligence agencies to focus on "leadership intentions," a category that relies on electronic spying to monitor world leaders.

The NSA was so proficient at monitoring heads of state that it was common for the agency to deliver a visiting leader's talking points to the president in advance. "Who's going to look at that box and say, 'No, I don't want to know what world leaders are saying,'" a former Obama administration official said.

In early intelligence briefings, Mr. Obama and his top advisers were told what U.S. spy agencies thought of world leaders, including Mr. Netanyahu, who at the time headed the opposition Likud party.

Michael Hayden, who led the NSA and the Central Intelligence Agency during the George W. Bush administration, described the intelligence relationship between the U.S. and Israel as "the most combustible mixture of intimacy and caution that we have."

The NSA helped Israel expand its electronic spy apparatus -- known as signals intelligence -- in the late 1970s.
The arrangement gave Israel access to the communications of its regional enemies, information shared with the U.S. Israel's spy chiefs later suspected the NSA was tapping into their systems.

When Mr. Obama took office, the NSA and its Israeli counterpart, Unit 8200, worked together against shared threats, including a campaign to sabotage centrifuges for Iran's nuclear program. At the same time, the U.S. and Israeli intelligence agencies targeted one another, stoking tensions. "Intelligence professionals have a saying: There are no friendly intelligence services," said Mike Rogers, former Republican chairman of the House Intelligence Committee.

Early in the Obama presidency, for example, Unit 8200 gave the NSA a hacking tool the NSA later discovered also told Israel how the Americans used it. It wasn't the only time the NSA caught Unit 8200 poking around restricted U.S. networks. Israel would say intrusions were accidental, one former U.S. official said, and the NSA would respond, "Don't worry. We make mistakes, too."

In 2011 and 2012, the aims of Messrs. Netanyahu and Obama diverged over Iran. Mr. Netanyahu prepared for a possible strike against an Iranian nuclear facility, as Mr. Obama pursued secret talks with Tehran without telling Israel.

Convinced Mr. Netanyahu would attack Iran without warning the White House, U.S. spy agencies ramped up their surveillance, with the assent of Democratic and Republican lawmakers serving on congressional intelligence committees.

By 2013, U.S. intelligence agencies determined Mr. Netanyahu wasn't going to strike Iran. But they had another reason to keep watch. The White House wanted to know if Israel had learned of the secret negotiations. U.S. officials feared Iran would bolt the talks and pursue an atomic bomb if news leaked.

The NSA had, in some cases, spent decades placing electronic implants in networks around the world to collect phone calls, text messages and emails. Removing them or turning them off in the wake of the Snowden revelations would make it difficult, if not impossible, to re-establish access in the future, U.S. intelligence officials warned the White House.

Instead of removing the implants, Mr. Obama decided to shut off the NSA's monitoring of phone numbers and email addresses of certain allied leaders -- a move that could be reversed by the president or his successor.

There was little debate over Israel. "Going dark on Bibi? Of course we wouldn't do that," a senior U.S. official said, using Mr. Netanyahu's nickname.

One tool was a cyber implant in Israeli networks that gave the NSA access to communications within the Israeli prime minister's office. Given the appetite for information about Mr. Netanyahu's intentions during the U.S.-Iran negotiations, the NSA tried to send updates to U.S. policy makers quickly, often in less than six hours after a notable communication was intercepted, a former official said.

Emerging deal

NSA intercepts convinced the White House last year that Israel was spying on negotiations under way in Europe. Israeli officials later denied targeting U.S. negotiators, saying they had won access to U.S. positions by spying only on the Iranians.

By late 2014, White House officials knew Mr. Netanyahu wanted to block the emerging nuclear deal but didn't know how.

On Jan. 8, John Boehner, then the Republican House Speaker, and incoming Republican Senate Majority Leader Mitch McConnell agreed on a plan. They would invite Mr. Netanyahu to deliver a speech to a joint session of Congress. A day later, Mr. Boehner called Ron Dermer, the Israeli ambassador, to get Mr. Netanyahu's agreement.

Despite NSA surveillance, Obama administration officials said they were caught off guard when Mr. Boehner announced the invitation on Jan. 21.
Soon after, Israel's lobbying campaign against the deal went into full swing on Capitol Hill, and it didn't take long for administration and intelligence officials to realize the NSA was sweeping up the content of conversations with lawmakers.

The message to the NSA from the White House amounted to: "You decide" what to deliver, a former intelligence official said.

NSA rules governing intercepted communications "to, from or about" Americans date back to the Cold War and require obscuring the identities of U.S. individuals and U.S. corporations. An American is identified only as a "U.S. person" in intelligence reports; a U.S. corporation is identified only as a "U.S. organization." Senior U.S. officials can ask for names if needed to understand the intelligence information.

The rules were tightened in the early 1990s to require that intelligence agencies inform congressional committees when a lawmaker's name was revealed to the executive branch in summaries of intercepted communications.

A 2011 NSA directive said direct communications between foreign intelligence targets and members of Congress should be destroyed when they are intercepted. But the NSA director can issue a waiver if he determines the communications contain "significant foreign intelligence."

The NSA has leeway to collect and disseminate intercepted communications involving U.S. lawmakers if, for example, foreign ambassadors send messages to their foreign ministries that recount their private meetings or phone calls with members of Congress, current and former officials said.

"Either way, we got the same information," a former official said, citing detailed reports prepared by the Israelis after exchanges with lawmakers.

During Israel's lobbying campaign in the months before the deal cleared Congress in September, the NSA removed the names of lawmakers from intelligence reports and weeded out personal information. The agency kept out "trash talk," officials said, such as personal attacks on the executive branch.

Administration and intelligence officials said the White House didn't ask the NSA to identify any lawmakers during this period.

"From what I can tell, we haven't had a problem with how incidental collection has been handled concerning lawmakers," said Rep. Adam Schiff, a California Democrat and the ranking member of the House Permanent Select Committee on Intelligence. He declined to comment on any specific communications between lawmakers and Israel.

The NSA reports allowed administration officials to peer inside Israeli efforts to turn Congress against the deal. Mr. Dermer was described as coaching unnamed U.S. organizations -- which officials could tell from the context were Jewish-American groups -- on lines of argument to use with lawmakers, and Israeli officials were reported pressing lawmakers to oppose the deal.

"These allegations are total nonsense," said a spokesman for the Embassy of Israel in Washington.

A U.S. intelligence official familiar with the intercepts said Israel's pitch to undecided lawmakers often included such questions as: "How can we get your vote? What's it going to take?"

NSA intelligence reports helped the White House figure out which Israeli government officials had leaked information from confidential U.S. briefings. When confronted by the U.S., Israel denied passing on the briefing materials.

The agency's goal was "to give us an accurate illustrative picture of what [the Israelis] were doing," a senior U.S. official said.

Just before Mr. Netanyahu's address to Congress in March, the NSA swept up Israeli messages that raised alarms at the White House: Mr. Netanyahu's office wanted details from Israeli intelligence officials about the latest U.S. positions in the Iran talks, U.S. officials said.

A day before the speech, Secretary of State John Kerry made an unusual disclosure. Speaking to reporters in Switzerland, Mr. Kerry said he was concerned Mr.
Netanyahu would divulge "selective details of the ongoing negotiations." The State Department said Mr. Kerry was responding to Israeli media reports that Mr. Netanyahu wanted to use his speech to make sure U.S. lawmakers knew the terms of the Iran deal. Intelligence officials said the media reports allowed the U.S. to put Mr. Netanyahu on notice without revealing they already knew his thinking. The prime minister mentioned no secrets during his speech to Congress.

In the final months of the campaign, NSA intercepts yielded few surprises. Officials said the information reaffirmed what they heard directly from lawmakers and Israeli officials opposed to Mr. Netanyahu's campaign -- that the prime minister was focused on building opposition among Democratic lawmakers.

The NSA intercepts, however, revealed one surprise. Mr. Netanyahu and some of his allies voiced confidence they could win enough votes.

Write to Adam Entous at adam.entous at wsj.com and Danny Yadron at danny.yadron at wsj.com

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Dec 30 12:11:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Dec 2015 13:11:28 -0500
Subject: [Infowarrior] - HPSCI opens probe of eavesdropping on Congress
Message-ID:

(Wonder what hypocrisy will be the recommended solution? -- rick)

House intel committee opens probe of eavesdropping on Congress
By Nolan D. McCaskill
12/30/15 12:30 PM EST
Updated 12/30/15 12:46 PM EST
http://www.politico.com/story/2015/12/house-intel-probe-wsj-217228

A House panel on Wednesday announced it is opening an investigation into U.S. intelligence collection that may have swept up members of Congress.

The House Permanent Select Committee on Intelligence's announcement of the probe comes after a Wall Street Journal report that the U.S. collected information on private exchanges between Israeli Prime Minister Benjamin Netanyahu and members of Congress during ongoing negotiations for a nuclear deal with Iran.
"The House Intelligence Committee is looking into allegations in the Wall Street Journal regarding possible Intelligence Community (IC) collection of communications between Israeli government officials and Members of Congress," Chairman Devin Nunes (R-Calif.) said in a statement. "The Committee has requested additional information from the IC to determine which, if any, of these allegations are true, and whether the IC followed all applicable laws, rules, and procedures."

According to the Journal, White House officials thought the information it uncovered could potentially be used to counter Netanyahu's campaign against the nuclear accord but ultimately decided not to formally ask the National Security Agency to keep tabs on the Israeli premier's maneuverings on Capitol Hill. The White House also gave the NSA the authority to determine what it would and wouldn't do with the information, U.S. officials said.

"We didn't say, 'Do it,'" one senior U.S. official recalled in an interview with the Journal. "We didn't say, 'Don't do it.'"

The correspondence the agency revealed redacted the names of lawmakers, as well as personal information and "trash talk" about the White House, the Journal reported.

-- It's better to burn out than fade away.