From rforno at infowarrior.org Sun Feb 1 08:33:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 09:33:51 -0500
Subject: [Infowarrior] - Religion and Internet Piracy
Message-ID:

Downloading Fatwa Issued By Turkish Religious Leaders
By Andy, on February 1, 2015

Turkey's top religious body has handed down a fatwa in response to a question raised on the issue of illegal downloading. Obtaining content without permission from creators is forbidden, the Diyanet said. Meanwhile, a Catholic Church debate on the same topic raised an interesting dilemma.

< - >

http://torrentfreak.com/downloading-fatwa-issued-by-turkish-religious-leaders-150201/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 1 08:40:30 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 09:40:30 -0500
Subject: [Infowarrior] - Super-cookie crumbles: Verizon vows to kill off hated zombie stalkers
Message-ID: <5E57B78E-E2F4-4174-BE6C-8CF8C654D60E@infowarrior.org>

Super-cookie crumbles: Verizon vows to kill off hated zombie stalkers
http://www.theregister.co.uk/2015/01/30/verizon_uidh_super_cookie_killer/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 1 08:56:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 09:56:28 -0500
Subject: [Infowarrior] - The Pirate Bay Is Back Online, Properly
Message-ID:

The Pirate Bay Is Back Online, Properly
Posted by Soulskill on Saturday January 31, 2015 @08:01PM
from the arrr-me-hearties dept.

New submitter cbiltcliffe writes: About a month ago, we discussed news that the Pirate Bay domain name was back online. This story mentioned a timer, which supposedly showed the time since the police raid. I didn't notice at the time, but a more recent check showed this counter was counting down, not up, with a time set to reach zero at the end of January.
Sometime around a week ago, the waving pirate flag video changed to a graphic of an orange phoenix, and a disabled search box showed up. I've been watching the site since, and now, about 12 hours before the timer was to reach zero, the site is back up, complete with searches.

http://yro.slashdot.org/story/15/01/31/2218220/the-pirate-bay-is-back-online-properly

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 1 09:19:47 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 10:19:47 -0500
Subject: [Infowarrior] - Can Students Have Too Much Tech?
Message-ID: <48F01805-05C0-4338-A9ED-997DFAE3A22C@infowarrior.org>

Can Students Have Too Much Tech?
By SUSAN PINKER
JAN. 30, 2015
http://www.nytimes.com/2015/01/30/opinion/can-students-have-too-much-tech.html

PRESIDENT OBAMA's domestic agenda, which he announced in his State of the Union address this month, has a lot to like: health care, maternity leave, affordable college. But there was one thing he got wrong.

As part of his promise to educate American children for an increasingly competitive world, he vowed to "protect a free and open Internet" and "extend its reach to every classroom and every community."

More technology in the classroom has long been a policy-making panacea. But mounting evidence shows that showering students, especially those from struggling families, with networked devices will not shrink the class divide in education. If anything, it will widen it.

In the early 2000s, the Duke University economists Jacob Vigdor and Helen Ladd tracked the academic progress of nearly one million disadvantaged middle-school students against the dates they were given networked computers. The researchers assessed the students' math and reading skills annually for five years, and recorded how they spent their time. The news was not good.
"Students who gain access to a home computer between the 5th and 8th grades tend to witness a persistent decline in reading and math scores," the economists wrote, adding that license to surf the Internet was also linked to lower grades in younger children. In fact, the students' academic scores dropped and remained depressed for as long as the researchers kept tabs on them. What's worse, the weaker students (boys, African-Americans) were more adversely affected than the rest. When their computers arrived, their reading scores fell off a cliff.

We don't know why this is, but we can speculate. With no adults to supervise them, many kids used their networked devices not for schoolwork, but to play games, troll social media and download entertainment. (And why not? Given their druthers, most adults would do the same.)

The problem is the differential impact on children from poor families. Babies born to low-income parents spend at least 40 percent of their waking hours in front of a screen -- more than twice the time spent by middle-class babies. They also get far less cuddling and bantering over family meals than do more privileged children. The give-and-take of these interactions is what predicts robust vocabularies and school success. Apps and videos don't.

If children who spend more time with electronic devices are also more likely to be out of sync with their peers' behavior and learning by the fourth grade, why would adding more viewing and clicking to their school days be considered a good idea?

An unquestioned belief in the power of gadgetry has already led to educational snafus. Beginning in 2006, the nonprofit One Laptop Per Child project envisioned a digital utopia in which all students over 6 years old, worldwide, would own their own laptops. Impoverished children would thus have the power to go online and educate themselves -- no school or teacher required. With laptops for poor children initially priced at $400, donations poured in.
But the program didn't live up to the ballyhoo. For one thing, the machines were buggy and often broke down. And when they did work, the impoverished students who received free laptops spent more time on games and chat rooms and less time on their homework than before, according to the education researchers Mark Warschauer and Morgan Ames. It's drive-by education -- adults distribute the laptops and then walk away.

It's true that there is often an initial uptick in students' engagement with their studies -- interactive apps can be fun. But the novelty wears off after a few months, said Larry Cuban, an emeritus education professor at Stanford.

Technology does have a role in education. But as Randy Yerrick, a professor of education at the University at Buffalo, told me, it is worth the investment only when it's perfectly suited to the task, in science simulations, for example, or to teach students with learning disabilities.

And, of course, technology can work only when it is deployed as a tool by a terrific, highly trained teacher. As extensive research shows, just one year with a gifted teacher in middle school makes it far less likely that a student will get pregnant in high school, and much more likely that she will go to college, earn a decent salary, live in a good neighborhood and save for retirement.

To the extent that such a teacher can benefit from classroom technology, he or she should get it. But only when such teachers are effectively trained to apply a specific application to teaching a particular topic to a particular set of students -- only then does classroom technology really work.

Even then, we still have no proof that the newly acquired, tech-centric skills that students learn in the classroom transfer to novel problems that they need to solve in other areas.
While we're waiting to find out, the public money spent on wiring up classrooms should be matched by training and mentorship programs for teachers, so that a free and open Internet, reached through constantly evolving, beautifully packaged and compelling electronic tools, helps -- not hampers -- the progress of children who need help the most.

Susan Pinker, a developmental psychologist and columnist, is the author, most recently, of "The Village Effect: How Face-to-Face Contact Can Make us Healthier, Happier, and Smarter."

A version of this op-ed appears in print on January 30, 2015, on page A27 of the New York edition with the headline: Can Students Have Too Much Tech?.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 1 09:27:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 10:27:07 -0500
Subject: [Infowarrior] - Australian PM: Social Media Is Like Electronic Graffiti
Message-ID: <0A2B6E20-3227-4B39-BD05-7BE558D064CF@infowarrior.org>

Australian Prime Minister: Social Media Is Like Electronic Graffiti
from the accelerated-and-intense dept

Here on Techdirt we've been reporting on a depressing stream of really bad legislative proposals coming out of Australia concerning copyright and surveillance. Much of this seems born of ignorance: some senior ministers clearly do not understand how the Internet works. Sadly, that includes Tony Abbott, Australia's Prime Minister, as this report in The Age indicates:

"I'll leave social media to its own devices. Social media is kind of like electronic graffiti and I think that in the media, you make a big mistake to pay too much attention to social media," Mr Abbott said on Australia Day. "You wouldn't report what's sprayed up on the walls of buildings."

< -- >

https://www.techdirt.com/articles/20150126/04360829813/australian-prime-minister-social-media-is-like-electronic-graffiti.shtml

--
It's better to burn out than fade away.
From rforno at infowarrior.org Sun Feb 1 10:01:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 11:01:29 -0500
Subject: [Infowarrior] - Libreoffice gets a facelift and performance boost in version 4.4
Message-ID: <278B2F37-5669-4A0A-B902-A0A46F817739@infowarrior.org>

(Only played w/it briefly but it is pretty slick -- might well become my Office replacement. --rick)

Libreoffice gets a facelift and performance boost in version 4.4
Described as 'most beautiful ever'
By Chris Merriman
Fri Jan 30 2015, 15:26
http://www.theinquirer.net/inquirer/news/2392956/libreoffice-gets-a-facelift-and-performance-boost-in-version-44

LIBREOFFICE HAS UNVEILED a fresh new look for the latest version of its open source productivity suite.

Libreoffice 4.4 has been given a serious facelift, as well as improvements to the coding to make it feel faster.

"LibreOffice 4.4 has got a lot of UX and design love, and in my opinion is the most beautiful ever," said Jan 'Kendy' Holesovsky, a member of the membership committee and leader of the design team. "We also developed a new Color Selector, improved the Sidebar to integrate more smoothly with menus, and reworked many user interface details to follow today's UX trends."

Other additions include OpenGL transitions in Windows, digital signing of PDF files during export, and two new fonts, Carlito and Caladea, which fix some bugs when using Microsoft fonts.

LibreOffice is an open source project, so there have been multiple contributions from the community including default templates. Visual editing has been added to Impress master pages for presentations, with bullet toggling and layer hiding among the additions. Track Changes has been improved with better auto correct features in the Writer word processor.

Import filters for Microsoft Visio, Publisher and AbiWord files, Works Spreadsheets, Adobe Pagemaker, MacDraw, MacDraw II and Ragtime have been added.
This is the first major release for LibreOffice since last summer which fixed a bug in the Open Office architecture which had plagued it for some time. The suite is a fork of OpenOffice, but retains its independence from a major corporation. In version 4.2 the suite introduced deep integration with Windows.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 1 10:32:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 11:32:22 -0500
Subject: [Infowarrior] - Microsoft to Invest in CyanogenMod: What Could It Mean For Google?
Message-ID:

Microsoft to Invest in CyanogenMod: What Could It Mean For Google?
By Christian de Looper, Tech Times | February 1, 9:24 AM
http://www.techtimes.com/articles/30110/20150201/microsoft-invest-cyanogenmod-what-mean-google.html

Microsoft is reportedly taking part in a $70 million investment round in CyanogenMod, an Android ROM creator that is one of the most popular alternative versions of Android.

CyanogenMod essentially takes the Android code and modifies it, adding different features and bringing it to other devices. What could a Microsoft-powered CyanogenMod mean for Google?

There are a number of reasons that Microsoft could be investing in CyanogenMod. Android is a very open operating system. However, Google does not offer the source code for services like Gmail and YouTube. Google has also been tightening its grip on Android in the past few years.

Investing in CyanogenMod could mean that Microsoft's apps would become a much more prominent part of the operating system in the future. Microsoft clearly feels as though expanding support of CyanogenMod could help make it even better than the Google-developed version of Android. This is another route for Microsoft to take in the mobile space on top of its Windows 10 operating system.
According to CyanogenMod, 50 million people are currently using the CyanogenMod version of Android, which makes it a route that's definitely worth pursuing for Microsoft.

What does all this mean for Google? Well, probably not too much. Windows Phone is barely a threat to Google's Android, and CyanogenMod is really just an offshoot of Android. The two companies teaming up will not mean much for Google, except for the fact that some users will likely be using Microsoft apps rather than Google ones. This isn't great for Google, but it will be a small percentage of people.

Cyanogen has, however, been using big words against Google in the past few weeks, saying that it wanted to take "Android back from Google." Considering the fact that Android accounts for over 80 percent of the mobile market share, the company has a long way to go before it will be able to do anything of the like.

In fact, Google has a lot to gain from CyanogenMod whether Microsoft is funding it or not. The Google Play Store will have to remain an important part of the operating system because without it users will not have easy access to apps. This means that Google could still be making money from CyanogenMod, especially since many users would want Google apps on their devices.

A "Microsoft-powered" CyanogenMod would mean almost nothing for Google. Microsoft could certainly fund a more successful operating system from CyanogenMod. However, this won't be much of a threat for the search giant.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Sun Feb 1 10:34:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 11:34:27 -0500
Subject: [Infowarrior] - Another Comcast customer-service gaffe - this one vulgar and viral
Message-ID: <83CB6B82-FF45-4A33-8044-B4AFC9E619DA@infowarrior.org>

Another Comcast customer-service gaffe - this one vulgar and viral
Bob Fernandez, Inquirer Staff Writer
Posted: Friday, January 30, 2015, 1:08 AM

Comcast Corp.'s national reputation for shaky customer service was rocked again Thursday, and in a particularly unseemly and profane fashion.

A customer in Spokane, Wash., said the cable-TV giant changed his first name on his bill and his online account after he canceled his cable service because of financial hardships. A worker substituted his actual first name, Ricardo, with a vulgarity in its billing system.

Charles Herrin, senior vice president for Comcast customer experience, personally apologized to the Browns in a phone call and said Thursday in a blog posting that it was an "unacceptable situation." The employee responsible, Herrin said in the posting, "will no longer be working on behalf of Comcast."

Lisa Brown, 37, wife of Ricardo and the one who complained to the office that authorizes cable franchising in Spokane, said Thursday that she was "shocked" by the incident. Comcast agreed to refund two years of her bills, she said. The company said it was working with Brown but would not talk about specifics.

"We were speechless that that would make it out the door," she said of the mailed bill, which identified her husband as "Asshole Brown."

< - >

http://www.philly.com/philly/business/20150130_Another_Comcast_customer-service_gaffe_-_this_one_vulgar_and_viral.html

--
It's better to burn out than fade away.
From rforno at infowarrior.org Sun Feb 1 11:18:44 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 1 Feb 2015 12:18:44 -0500
Subject: [Infowarrior] - British army creates team of Facebook warriors
Message-ID: <4E320C8B-42CD-42D4-963F-A99B72F1A082@infowarrior.org>

British army creates team of Facebook warriors
Soldiers familiar with social media sought for 77th Brigade, which will be responsible for "non-lethal warfare"
Saturday 31 January 2015 06.48 EST
http://www.theguardian.com/uk-news/2015/jan/31/british-army-facebook-warriors-77th-brigade

The British army is creating a special force of Facebook warriors, skilled in psychological operations and use of social media to engage in unconventional warfare in the information age.

The 77th Brigade, to be based in Hermitage, near Newbury, in Berkshire, will be about 1,500-strong and formed of units drawn from across the army. It will formally come into being in April.

The brigade will be responsible for what is described as non-lethal warfare. Both the Israeli and US army already engage heavily in psychological operations.

Against a background of 24-hour news, smartphones and social media, such as Facebook and Twitter, the force will attempt to control the narrative.

The 77th will include regulars and reservists and recruitment will begin in the spring. Soldiers with journalism skills and familiarity with social media are among those being sought.

An army spokesman said: "77th Brigade is being created to draw together a host of existing and developing capabilities essential to meet the challenges of modern conflict and warfare. It recognises that the actions of others in a modern battlefield can be affected in ways that are not necessarily violent."

The move is partly a result of experience in counter-insurgency operations in Afghanistan.
It can also be seen as a response to events of the last year that include Russia's actions in Ukraine, in particular Crimea, and Islamic State's (Isis) takeover of large swaths of Syria and Iraq. Nato has so far been unable to find a counter to what the US and UK claim is Russia creating unrest by sending in regular troops disguised as local militia, allowing president Vladimir Putin to deny responsibility.

Isis has proved adept at exploiting social media to attract fighters from around the world.

The Israel Defence Forces have pioneered state military engagement with social media, with dedicated teams operating since Operation Cast Lead, its war in Gaza in 2008-9. The IDF is active on 30 platforms -- including Twitter, Facebook, Youtube and Instagram -- in six languages. "It enables us to engage with an audience we otherwise wouldn't reach," said an Israeli army spokesman.

It has been approached by several western countries, keen to learn from its expertise. During last summer's war in Gaza, Operation Protective Edge, the IDF and Hamas's military wing, the Qassam Brigades, tweeted prolifically, sometimes engaging directly with one another.

The new brigade is being named the 77th in tribute to the Chindits, the British guerrilla force led by Maj Gen Orde Wingate against the Japanese in Burma during the second world war. Wingate adopted unorthodox and controversial tactics that achieved successes completely disproportionate to the size of his forces, sending teams deep into Japanese-held territory, creating uncertainty in the Japanese high command and forcing it to alter its strategic plans.

In a nod to the Chindits, members of the 77th Brigade will have arm badges showing a mythical Burmese creature. The aim is that the new force will prove as flexible as the Chindits in the face of the dizzying array of challenges being thrown up in the early part of this century.
The creation of 77th Brigade comes as the commander of Nato special operations headquarters, Lt Gen Marshall Webb, speaking in Washington this week, expressed concern about Russia and about Isis. "Special operations headquarters is uniquely placed to address this," he said. "We tend to take an indirect approach. We can engage without being escalatory or aggressive. We tend to view things from an oblique angle, and we absolutely acknowledge that trust, information-sharing and interagency collaboration is crucial."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 2 15:23:59 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 2 Feb 2015 16:23:59 -0500
Subject: [Infowarrior] - EFF Joins Coalition to Launch Canarywatch.org
Message-ID: <98A5E477-6B0A-4520-A144-1190A32EEBC2@infowarrior.org>

EFF Joins Coalition to Launch Canarywatch.org
https://www.eff.org/deeplinks/2015/01/eff-joins-coalition-launch-canarywatchorg

"Warrant canary" is a colloquial term for a regularly published statement that an internet service provider (ISP) has not received legal process that it would be prohibited from saying it had received, such as a national security letter. The term "warrant canary" is a reference to the canaries used to provide warnings in coalmines, which would become sick from carbon monoxide poisoning before the miners would -- warning of the otherwise-invisible danger. Just like canaries in a coalmine, the canaries on web pages "die" when they are exposed to something toxic -- like a secret FISA court order.

Warrant canaries rely upon the legal theory of compelled speech. Compelled speech happens when a person is forced by the government to make expressive statements they do not want to make. Fortunately, the First Amendment protects against compelled speech in most circumstances. In fact, we're not aware of any case where a court has upheld compelled false speech.
Thus, a service provider could argue that, when its statement about the legal process received is no longer true, it cannot be compelled to reissue the now false statement, and can, instead, remain silent. So far, no court has addressed this issue.

But if you're not paying attention to a specific canary, you may never know when it changes. Plenty of providers don't have warrant canaries. Those that do may not make them obvious. And when warrant canaries do change, it's not always immediately obvious what that change means.

That's why EFF has joined with a coalition of organizations, including the Berkman Center for Internet and Society, New York University's Technology Law & Policy Clinic, and the Calyx Institute to launch Canarywatch.org. The Calyx Institute runs and hosts Canarywatch.org.

Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about. The page's FAQ explains the mechanics and legal theories underpinning warrant canaries. It also has an anatomy of a canary that, since canaries come in so many different forms, helps anyone understand what they're seeing when they look at a particular canary.

Warrant canaries are a unique tool ISPs have to provide users with more transparency about the government requests they do, and do not, receive. We hope the site will educate, improve the usefulness of warrant canaries for the general public, and help people with a special interest in canaries track them.

--
It's better to burn out than fade away.
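The EFF post above describes what a canary tracker has to notice: a canary that is refreshed on schedule, one that goes stale, one whose wording quietly changes, and one that disappears outright. The following Python is an added illustration of that distinction and is not code from EFF or Canarywatch. The "Example ISP" canary text, the "As of YYYY-MM-DD" date format, the 100-day freshness window and the status names are all constructed assumptions for the example; a real tracker would fetch the page over HTTPS and verify the provider's signature rather than read embedded strings.

```python
"""Minimal warrant-canary change detector (added example, not Canarywatch code).

A snapshot of a canary is stored as (sha256 fingerprint, date it was issued).
On each check the current page text is classified relative to that snapshot.
"""
from datetime import date, timedelta
import hashlib
import re

# Assumptions for this example: the statement we expect every live canary to
# carry, and how old a canary may be before it is treated as having gone silent.
EXPECTED_STATEMENT = "has not received any national security letters"
MAX_AGE_DAYS = 100          # hypothetical policy: quarterly canary plus slack
DATE_RE = re.compile(r"As of (\d{4}-\d{2}-\d{2})")


def fingerprint(text):
    """Stable identity for a canary's exact wording."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_canary(current_text, previous, today):
    """Classify the canary seen today against the previous snapshot.

    previous is (fingerprint, issued_date) from the last check, or None on the
    first observation. Returns one of:
      missing            page gone or empty
      statement-removed  page exists but the promise or its date is gone
      stale              promise present but older than MAX_AGE_DAYS
      alive              first observation, promise present and fresh
      unchanged          byte-identical to the last snapshot
      refreshed          same promise, newer date (normal renewal)
      edited             wording changed without a newer date: inspect by hand
    """
    if not current_text:
        return "missing"
    match = DATE_RE.search(current_text)
    if EXPECTED_STATEMENT not in current_text or match is None:
        return "statement-removed"
    issued = date.fromisoformat(match.group(1))
    if today - issued > timedelta(days=MAX_AGE_DAYS):
        return "stale"
    if previous is None:
        return "alive"
    prev_fp, prev_issued = previous
    if fingerprint(current_text) == prev_fp:
        return "unchanged"
    if issued > prev_issued:
        return "refreshed"
    return "edited"


# Constructed sample canaries (not real provider statements).
CANARY_JAN = ("As of 2015-01-15, Example ISP has not received any national security "
              "letters and has not been subject to any gag orders. Signed: legal team.")
CANARY_FEB = CANARY_JAN.replace("2015-01-15", "2015-02-01")
CANARY_EDITED = CANARY_JAN.replace("and has not been subject to any gag orders. ", "")
CANARY_DEAD = "As of 2015-02-01, Example ISP publishes a transparency report twice a year."
SNAPSHOT_JAN = (fingerprint(CANARY_JAN), date(2015, 1, 15))


if __name__ == "__main__":
    today = date(2015, 2, 2)
    for label, text in [("january", CANARY_JAN), ("february", CANARY_FEB),
                        ("edited", CANARY_EDITED), ("dead", CANARY_DEAD), ("gone", None)]:
        print(f"{label:9s} -> {check_canary(text, SNAPSHOT_JAN, today)}")
    print(f"june      -> {check_canary(CANARY_JAN, SNAPSHOT_JAN, date(2015, 6, 1))}")
```

The ordering of the checks is the point: a page that still loads but no longer carries the promise is reported before any fingerprint comparison, and a canary that merely advances its date is distinguished from one whose wording changed while the date stayed put, which is the case the post says is "not always immediately obvious".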
From rforno at infowarrior.org Mon Feb 2 17:12:54 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 2 Feb 2015 18:12:54 -0500
Subject: [Infowarrior] - Canada's proposed PATRIOT Act
Message-ID: <9D90C2FF-936A-449A-93BE-E4BFAB21CA64@infowarrior.org>

Canada's New Anti-Terrorism Legislation Echoes The PATRIOT Act, Expands Spying Powers And Government Reach
https://www.techdirt.com/articles/20150202/09293729882/canadas-new-anti-terrorism-legislation-echoes-patriot-act-expands-spying-powers-government-reach.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 2 21:10:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 2 Feb 2015 22:10:17 -0500
Subject: [Infowarrior] - Former CIA & NSA Boss: September 11th Gave Me Permission To Reinterpret The 4th Amendment
Message-ID: <163174A3-66F0-4071-B089-E2AA02714D18@infowarrior.org>

Former CIA & NSA Boss: September 11th Gave Me Permission To Reinterpret The 4th Amendment
from the i-guess-the-terrorists-did-win dept

Michael Hayden, the former CIA and NSA director, has revealed what most people already suspected -- to him, the Constitution is a document that he can rewrite based on his personal beliefs at any particular time, as noted by Conor Friedersdorf at the Atlantic. Specifically, he admits that after September 11th, 2001, he was able to totally reinterpret the 4th Amendment to mean something entirely different:

< - >

Then there was this other rather stunning admission. Hayden admits that the NSA wants to listen to anyone it finds "interesting," not just those they think are doing something bad:

"I am not a law enforcement officer. I don't suspect anybody. I am simply going out there to retrieve information that helps keep my countrymen free and safe. This is not about guilt. In fact, let me be really clear. NSA doesn't just listen to bad people. NSA listens to interesting people. People who are communicating information."
This is a rather refreshing admission -- as most of those who normally defend the surveillance state like to pretend that they're only listening to "bad" people. They trot out the "if you're not doing anything wrong, you have nothing to fear" argument all the time. Even Hayden himself has argued along those lines in the past. Yet here he is, more accurately saying that "if you're boring, you have nothing to fear" but "if we think you're interesting, you should be very afraid." And "interesting" is subject to a lot more vague interpretations than "reasonableness."

< - >

https://www.techdirt.com/articles/20150201/07575429871/former-cia-nsa-boss-september-11th-allowed-me-to-reinterpret-4th-amendment.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 3 07:05:01 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 3 Feb 2015 08:05:01 -0500
Subject: [Infowarrior] - Why 'Surveillance Is The Dominant Business Model On The Internet'
Message-ID: <39D711A7-1EEC-4DC9-9E38-98AFABBDAF4F@infowarrior.org>

Why 'Surveillance Is The Dominant Business Model On The Internet'
The European | By Max Tholl
Posted: 02/02/2015 6:35 pm EST Updated: 02/02/2015 6:59 pm EST
http://www.huffingtonpost.com/2015/02/02/surveillance-business-model-internet_n_6595950.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 3 07:19:25 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 3 Feb 2015 08:19:25 -0500
Subject: [Infowarrior] - F.C.C. Is Expected to Propose Regulating Internet Service as a Utility
Message-ID:

F.C.C. Is Expected to Propose Regulating Internet Service as a Utility
http://www.nytimes.com/2015/02/03/technology/in-net-neutrality-push-fcc-is-expected-to-propose-regulating-the-internet-as-a-utility.html

--
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 4 06:11:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 4 Feb 2015 07:11:13 -0500
Subject: [Infowarrior] - Major labels keep 73% of Spotify premium payouts - report
Message-ID:

(would be great to see one of these contracts. --rick)

Major labels keep 73% of Spotify premium payouts - report
http://www.musicbusinessworldwide.com/artists-get-7-of-streaming-cash-labels-take-46/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 4 08:49:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 4 Feb 2015 09:49:29 -0500
Subject: [Infowarrior] - DOJ caught lying about CIA torture report
Message-ID:

DOJ Tells Court It Hasn't Even Opened CIA Torture Report... After Telling Reporters It Read The Whole Thing
https://www.techdirt.com/articles/20150203/12363829897/doj-tells-new-york-times-it-has-read-entire-torture-report-tells-court-it-hasnt-even-opened-package-it-came.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 4 09:08:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 4 Feb 2015 10:08:53 -0500
Subject: [Infowarrior] - The Most Transparent Administration in History(TM)
Message-ID:

Obama still argues that we can't have transparency or the terrorists will win
Trevor Timm

From the torture report to videos from Guantánamo to pictures from Abu Ghraib, the government says we can't see because bad men might use it against us

http://www.theguardian.com/commentisfree/2015/feb/04/obama-still-argues-that-we-cant-have-transparency-or-the-terrorists-will-win

--
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 4 10:24:23 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 4 Feb 2015 11:24:23 -0500
Subject: [Infowarrior] - FCC Chairman Tom Wheeler: This Is How We Will Ensure Net Neutrality
Message-ID: <6D3C4CC4-9627-4BCD-B154-C148CF995D75@infowarrior.org>

FCC Chairman Tom Wheeler: This Is How We Will Ensure Net Neutrality
By Tom Wheeler, 02.04.15, 11:00 am
http://www.wired.com/2015/02/fcc-chairman-wheeler-net-neutrality/

After more than a decade of debate and a record-setting proceeding that attracted nearly 4 million public comments, the time to settle the Net Neutrality question has arrived. This week, I will circulate to the members of the Federal Communications Commission (FCC) proposed new rules to preserve the internet as an open platform for innovation and free expression. This proposal is rooted in long-standing regulatory principles, marketplace experience, and public input received over the last several months.

Broadband network operators have an understandable motivation to manage their network to maximize their business interests. But their actions may not always be optimal for network users. The Congress gave the FCC broad authority to update its rules to reflect changes in technology and marketplace behavior in a way that protects consumers. Over the years, the Commission has used this authority to the public's great benefit.

The internet wouldn't have emerged as it did, for instance, if the FCC hadn't mandated open access for network equipment in the late 1960s. Before then, AT&T prohibited anyone from attaching non-AT&T equipment to the network. The modems that enabled the internet were usable only because the FCC required the network to be open. Companies such as AOL were able to grow in the early days of home computing because these modems gave them access to the open telephone network.

I personally learned the importance of open networks the hard way.
In the mid-1980s I was president of a startup, NABU: The Home Computer Network. My company was using new technology to deliver high-speed data to home computers over cable television lines. Across town Steve Case was starting what became AOL. NABU was delivering service at the then-blazing speed of 1.5 megabits per second -- hundreds of times faster than Case's company. "We used to worry about you a lot," Case told me years later. But NABU went broke while AOL became very successful.

Why that is highlights the fundamental problem with allowing networks to act as gatekeepers. While delivering better service, NABU had to depend on cable television operators granting access to their systems. Steve Case was not only a brilliant entrepreneur, but he also had access to an unlimited number of customers nationwide who only had to attach a modem to their phone line to receive his service. The phone network was open whereas the cable networks were closed. End of story.

The phone network's openness did not happen by accident, but by FCC rule.

How we precisely deliver that kind of openness for America's broadband networks has been the subject of a debate over the last several months.

Originally, I believed that the FCC could assure internet openness through a determination of "commercial reasonableness" under Section 706 of the Telecommunications Act of 1996. While a recent court decision seemed to draw a roadmap for using this approach, I became concerned that this relatively new concept might, down the road, be interpreted to mean what is reasonable for commercial interests, not consumers.

That is why I am proposing that the FCC use its Title II authority to implement and enforce open internet protections. Using this authority, I am submitting to my colleagues the strongest open internet protections ever proposed by the FCC. These enforceable, bright-line rules will ban paid prioritization, and the blocking and throttling of lawful content and services.
I propose to fully apply?for the first time ever?those bright-line rules to mobile broadband. My proposal assures the rights of internet users to go where they want, when they want, and the rights of innovators to introduce new products without asking anyone?s permission. All of this can be accomplished while encouraging investment in broadband networks. To preserve incentives for broadband operators to invest in their networks, my proposal will modernize Title II, tailoring it for the 21st century, in order to provide returns necessary to construct competitive networks. For example, there will be no rate regulation, no tariffs, no last-mile unbundling. Over the last 21 years, the wireless industry has invested almost $300 billion under similar rules, proving that modernized Title II regulation can encourage investment and competition. Congress wisely gave the FCC the power to update its rules to keep pace with innovation. Under that authority my proposal includes a general conduct rule that can be used to stop new and novel threats to the internet. This means the action we take will be strong enough and flexible enough not only to deal with the realities of today, but also to establish ground rules for the as yet unimagined. The internet must be fast, fair and open. That is the message I?ve heard from consumers and innovators across this nation. That is the principle that has enabled the internet to become an unprecedented platform for innovation and human expression. And that is the lesson I learned heading a tech startup at the dawn of the internet age. The proposal I present to the commission will ensure the internet remains open, now and in the future, for all Americans. -- It's better to burn out than fade away. 
From rforno at infowarrior.org Wed Feb 4 17:37:01 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 4 Feb 2015 18:37:01 -0500
Subject: [Infowarrior] - TSA jails innocent traveler when he asks to file a complaint
Message-ID: <53475B94-8C81-4898-8F72-04641610ECCA@infowarrior.org>

Polaneczky: TSA jails innocent traveler when he asks to file a complaint
Posted: Wednesday, February 4, 2015, 3:01 AM
http://www.philly.com/philly/news/20150204_TSA_jails_innocent_traveler_when_he_asks_to_file_a_complaint.html

APPARENTLY, working as a supervisor for the Transportation Security Administration at Philadelphia International Airport comes with a perk: You get to throw people in jail for no good reason and still keep your job. If that's not the case, why is Charles Kieser still employed by the TSA? Roger Vanderklok had the misfortune of going through Kieser's security-screening area at 8 a.m. Jan. 26, 2013, in Terminal B. Vanderklok, 57, is a Philly architect who runs half-marathons. Twice a month, he flies around the country for weekend races. On this day, he was headed to Miami. In his carry-on bag was a packet of PowerBars and a heart-monitoring watch. When the bag went through the X-ray scanner, the items looked suspicious to a TSA agent whom Kieser supervises. For the next 30 minutes, screeners checked the bag several times. Vanderklok told them that a tube-shaped case in the bag contained his watch. Then he was asked if his bag contained "organic matter." Vanderklok said no, as he thought "organic matter" meant fruits or vegetables. PowerBars, which contain milk, grain and sugar, are considered "organic matter" and can resemble a common explosive. Terrorists often use a small electronic device, like a watch, to detonate the explosive. Hence the agent's concern. Once the items were deemed harmless, Vanderklok says, he told Kieser that if someone had only told him what "organic matter" meant, he could have saved everyone a lot of trouble.
Kieser then became confrontational. Vanderklok says he calmly asked to file a complaint. He then waited while someone was supposedly retrieving the proper form. Instead, Kieser summoned the Philadelphia Police. Vanderklok was taken to an airport holding cell, and his personal belongings - including his phone - were confiscated while police "investigated" him. Vanderklok was detained for three hours in the holding cell, missing his plane. Then he was handcuffed, taken to the 18th District at 55th and Pine and placed in another cell. He says that no one - neither the police officers at the airport nor the detectives at the 18th - told him why he was there. He didn't find out until he was arraigned at 2 a.m. that he was being charged with "threatening the placement of a bomb" and making "terroristic threats." Vanderklok's Kafkaesque odyssey finally ended at 4 a.m., when his wife paid 10 percent of his $40,000 bail. When I heard this story, my first thought was that Vanderklok had to have said or done something outrageous for others to respond with such alarm. In fact, Kieser said as much at Vanderklok's trial on April 8, 2013. Under oath, Kieser told the court that he had been monitoring Vanderklok's interaction with the bag screener because "I saw a passenger becoming agitated. Hands were in the air. And it's something we deal with regularly. But I don't let it go on on my checkpoint." Kieser intervened, he said, and that's when Vanderklok complained that the screening was "delaying him." While he said this, he "had both hands with fingers extended up toward the ceiling up in the air at the time and shaking them." Vanderklok also "put his finger in my face. And he said, 'Let me tell you something. I'll bring a bomb through here any day I want.' And he said you'll never find it." Vanderklok repeated the aggressive finger-pointing two more times, Kieser testified. But here's the thing: Airport surveillance videos show nothing of the sort. 
Throughout the search, Vanderklok appears calm. His laptop computer is tucked under his arms and his hands are clasped in front of him the entire time. Without any fuss, he follows TSA agents when they move from one part of the screening area to another. He even smiles a little. Not once does he raise his hands. Not once does he point a finger in Kieser's face. If anyone is becoming agitated, the video shows, it is Kieser. Neither Kieser nor his colleagues appear alarmed about the bomb threat Vanderklok has allegedly made. They chat and laugh with one another behind a desk, check their cellphones. One sips a soda, another wanders around the area, straightening bins. Two more assist an elderly couple with their wheelchairs. They do not summon the FBI, clear passengers from the area, don protective gear or appear to do anything suggesting there's looming danger. And here's another thing: Kieser alleged that Vanderklok told him, "I'll bring a bomb through here any day I want. And . . . you'll never find it." But that's not what Kieser told police, according to the report taken by the responding officer. The report reads that Vanderklok, frustrated, told Kieser, "Anybody could bring a bomb in here and nobody would know." The first statement is a threat, forbidden by law. The second is an opinion, protected by it. Vanderklok says he made neither statement. Yet he was treated like the Shoe Bomber. Even talking about it now, two years later, rattles him. "I was scared to death. I have never been arrested in my life, never had handcuffs put on," he says. "Throughout the night, I was in a dark place; no one knew where I was. I thought, 'I could fall off the face of the earth right now, and no one would know it.' " While Vanderklok was worrying, so was his wife, Eleanor. When her husband travels, his routine is to call her when he boards the plane, when he lands and when he arrives at his hotel. This time, no calls. 
Nor did he respond to the increasingly panicked messages she left him. She called his Miami hotel. He'd never checked in. She called the airline. He'd never boarded the plane. She called the city's hospitals. He wasn't in any of them. Finally, she called 9-1-1. "I was so scared. I didn't know what to do with myself," says Eleanor Vanderklok. "A million scenarios go through your head." She was waiting for an officer to arrive at the couple's Center City home to take her report when the phone rang. A police officer told her that her husband had been arrested and was awaiting arraignment. When she learned why, she was shocked. "My husband has been on planes hundreds of times," she says. "Not once was there a problem. This was out of the blue." At trial, Kieser was the first and only witness to testify. Municipal Judge Felice Stack acquitted Vanderklok of all charges within minutes of hearing Kieser's testimony. Vanderklok's lawyer, Thomas Malone, didn't get a chance to question the Philadelphia police officers and detectives who were involved in Vanderklok's arrest. Nor did he get to show the surveillance video that contradicted Kieser. "The police at the airport never even questioned Mr. Vanderklok. They just detained him," says Malone. "The detectives at the 18th [District] also never spoke with him. He was charged based on a single allegation by one TSA employee." Last week, Malone filed a suit on Vanderklok's behalf against the TSA, the Philadelphia Police Department and the Department of Homeland Security, alleging that Vanderklok was willfully deprived of his liberty because he had the gall to say that he wanted to file a complaint. The city and the TSA declined to comment on the case. So allow me to. Vanderklok's arrest reeks of payback from a TSA supervisor who - to give him the benefit of the doubt - was perhaps having a bad day on Jan. 26, 2013. 
But that same supervisor's behavior on April 8, when he swore under oath to things that were not true, is not evidence of a bad day. It's evidence of someone who will stick to his story even if it means an innocent man may go to jail. I don't know if that makes Kieser a bad man. But it sure doesn't make him a very good TSA employee. It's unbelievable that he still has his job.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 4 21:38:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 4 Feb 2015 22:38:57 -0500
Subject: [Infowarrior] - Massive breach at Anthem health care
Message-ID:

Massive breach at health care company Anthem Inc.
Elizabeth Weise, USATODAY 10:19 p.m. EST February 4, 2015
http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/

SAN FRANCISCO - As many as 80 million customers of the nation's second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement. "Anthem was the target of a very sophisticated external cyber attack," Anthem president and CEO Joseph Swedish said in a statement posted on the company's website. The hackers gained access to Anthem's computer system and got information including names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses and employment information, including income data, Swedish said. Both current and former customers were hit, he said. Anthem has contacted the FBI and is working with the computer security firm Mandiant to evaluate its systems. "Anthem's own associates' personal information--including my own--was accessed during this security breach. We join in your concern and frustration and I assure you that we are working around the clock to do everything we can to further secure your data," Swedish said. The breach was discovered last week, Anthem said. Anthem Inc. was previously known as WellPoint Inc.
It was formed when Anthem Insurance Company bought WellPoint Health Networks in 2004. Anthem has customers in 14 states.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 5 09:21:54 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 5 Feb 2015 10:21:54 -0500
Subject: [Infowarrior] - Scientists just cracked the viral equivalent of the Enigma code
Message-ID: <5EE935FB-7BE1-431C-B489-AFF8885E2F6C@infowarrior.org>

Scientists just cracked the viral equivalent of the Enigma code
By Sarah Kaplan February 5 at 5:53 AM
http://www.washingtonpost.com/news/morning-mix/wp/2015/02/05/scientists-just-cracked-the-viral-equivalent-of-the-enigma-code/?tid=hp_mm

Peter Stockley is at war with the common cold. It's a wily adversary: a single, seemingly indecipherable strand of genetic material that lacks a brain or even a complete cell, yet somehow knows how to latch on to an unsuspecting respiratory lining and replicate itself, wreaking havoc on the immune system. But now Stockley, a professor at Britain's University of Leeds, thinks he has the upper hand. He has cracked the viral equivalent of the Nazi "Enigma code," which proved key to winning World War II: a genetic message embedded within the virus's RNA that tells it how to assemble new versions of itself during replication. "Down at the kind of molecular level, this kind of biology is like molecular warfare," Stockley told The Washington Post in a phone interview from his home in Leeds (where he happened to be battling a viral infection of his own). "And this code is a vital part of how the virus attacks." Stockley's findings, which were published in the Proceedings of the National Academy of Sciences Wednesday, are the result of a collaboration between Leeds and the University of York. The first breakthrough came in 2012, when Stockley and his team at Leeds published the first observation of how viruses are assembled.

Viruses consist of a strand of genetic information, RNA, encased in protein. Once they have attached to a host cell (in the case of a cold, those that line the lungs of their victim), they unspool their genetic contents and take control of the cell's machinery to churn out copied versions of the RNA strand and the protein shell it comes in. What happens next was documented for the first time in Stockley's report: The newly created proteins instantaneously fold the RNA up and encase it within themselves, as if by magic. In an essay for the Huffington Post, Stockley called the phenomenon viral assembly's "Harry Potter moment." Stockley is a biologist, not a wizard, and he knew that the proteins must be getting instruction on how to "pack" the RNA from somewhere. The strands of RNA offered no guidance -- the genetic material they contained appeared entirely benign (except for the whole infecting people part). It took mathematician Reidun Twarock, a professor at the University of York, to crack the code: The instructions for assembly were right there among the mundane material of the RNA -- but they only appeared once the RNA had been folded. Understanding the code -- and finding a way to disrupt it -- could lead to vastly improved treatments for a whole class of viral infections, not just the common cold but also polio, HIV, hepatitis C and the winter vomiting disease norovirus. That's because viruses mutate so quickly that traditional treatments, like vaccines, aren't effective at teaching the body to recognize and combat them. A drug that scrambled the viral assembly code would preempt the body's immune response by disarming the virus before it can reproduce itself. Stockley's team has done preliminary studies on a potential scrambling mechanism, but he warns that a cure for the common cold is still a long way off. He should know -- he's still got one himself.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 5 20:07:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 5 Feb 2015 21:07:37 -0500
Subject: [Infowarrior] - After Sony Hacking, the M.P.A.A. Considers Major Changes
Message-ID:

(Disappearing would be nice. --rick)

After Sony Hacking, the M.P.A.A. Considers Major Changes
By MICHAEL CIEPLY and BROOKS BARNES, FEB. 5, 2015
http://www.nytimes.com/2015/02/06/business/media/after-sony-hacking-the-mpaa-considers-major-changes.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Feb 7 19:40:32 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 7 Feb 2015 20:40:32 -0500
Subject: [Infowarrior] - Va. Senate approves bill to limit license plate reader data
Message-ID: <198752CB-11BF-4595-99C2-FCC71BAFB314@infowarrior.org>

Va. Senate approves bill to limit license plate reader data
By Max Smith | @amaxsmith February 6, 2015 12:49 pm
http://wtop.com/virginia/2015/02/va-senate-approves-bill-limit-license-plate-reader-data/

WASHINGTON -- A bill to limit how much data police collect from sources like license plate readers, and how long they can keep it, has just been approved by Virginia's state Senate. The bill, sponsored by Sen. Chap Petersen, D-Fairfax, and Sen. Dick Black, R-Loudoun, would generally restrict mass collection of personal data by police or state agencies in Virginia unless the data is known to be relevant and "intended for prompt evaluation". Petersen argued that the bill reflects Virginia's history of standing up to police overreach in the Virginia Declaration of Rights, including the right against general warrants. "Times have changed and technologies have changed and there have become new ways to collect information by law enforcement, and even if used for the best of purposes, they still require some type of oversight," Petersen said on the Senate floor. Police agencies say the technologies can help locate missing people, solve crimes and more.

The bill would allow law enforcement to continue to use license plate readers, but limit the way that the data collected could be stored and used. It requires police only keep the data for seven days or less unless it is part of an ongoing investigation, and that they do not allow any use of the data except as part of a criminal investigation or missing persons report. Petersen says clearly, in situations like the disappearance of U. Va. student Hannah Graham, investigators could keep license plate reader data to help with an investigation. "LPRs are pernicious in my opinion if they are not restricted, because the bottom line is you can use that to collect information on people, and you have the ability to target where you want to collect that information. You can take that LPR to a political rally, you can take it to a movie theater, you can take it to a public gun show, you can take it where you want to decide where you're going to look for people that have violated the law," Petersen says. The bill passed on a unanimous 38-0 vote, and now goes to the House of Delegates. Also on Friday, the state senate approved Black's bill that would scrap Virginia's A-F school grading system and a bill that would require even small day cares in Virginia that get child care subsidies to be licensed. The Senate narrowly rejected a bill that would impose stricter limits on the release of balloons in the commonwealth. It was aimed at cutting litter and protecting wildlife, but opponents argued the bill was overregulation.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Sat Feb 7 19:40:38 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 7 Feb 2015 20:40:38 -0500
Subject: [Infowarrior] - Youtube Ditches Flash, and it Hardly Matters: Meet the New Boss, Same as the Old Boss
Message-ID:

February 6, 2015 | By Cory Doctorow
Youtube Ditches Flash, and it Hardly Matters: Meet the New Boss, Same as the Old Boss
https://www.eff.org/deeplinks/2015/01/new-drm-boss-same-old-boss

Last week, Google announced that its Youtube service would default to using HTML5 video instead of Flash. Once upon a time, this would have been cause for celebration: after all, Flash is a proprietary technology owned by one company, a frequent source of critical vulnerabilities that expose hundreds of millions of Internet users to attacks on their computers and all that they protect, and Flash objects can only be reliably accessed via closed software, and not from free/open code that anyone can inspect. A year ago, the largest video site on the net ditching Flash would have been a blow for Internet freedom. Today, it's a bitter reminder of how the three big commercial browser vendors -- Apple, Microsoft and Google -- Netflix, the BBC, and the World Wide Web Consortium sold the whole Internet down the river. In spring 2013, the World Wide Web Consortium (W3C) abandoned its long-term role as the guardian of the open Web, and threw its support at the highest level behind EME, an attempt to standardize Flash-style locks on browsers. They did this after the big three commercial browser companies revealed that they had engaged in closed-door meetings with Netflix to create back-doors in their browsers to lock users out of their own computers while streaming video. The W3C agreed to work to standardize browsers that treat their owners as untrusted adversaries and take steps to countermand user-actions (like saving videos).

By mid-May, the Mozilla Foundation announced that it, too, would support the project of designing browsers that don't trust their users, stating that it feared that it would be shut out of Netflix videos if it didn't play along, and that it believed that without Netflix, it would lose users to the commercial browser world. Both the W3C and Mozilla made similar "pragmatic" arguments for taking this controversial and divisive step -- one that disappointed their own staffers as much as their supporters. Fundamentally, their argument went: "We are the good guys, and we will become irrelevant if we don't do this terrible thing, which will happen whether or not we play along. The Internet is a better place with us fighting for its users, even if we're selling them out here." In other words: "We have to destroy the village to save it." Which brings us back to Youtube. Now, you can access all of Youtube videos without having to use Adobe's proprietary software, so long as your browser supports the W3C's version of Adobe's proprietary software. If you're using Firefox, you can access all of Youtube's videos without Flash, except that in some cases, you'll need their version of the W3C-standardized "Encrypted Media Extension" -- which requires that you use proprietary software. From Adobe. Meet the new boss, same as the old boss.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Feb 7 19:40:42 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 7 Feb 2015 20:40:42 -0500
Subject: [Infowarrior] - "Cyberspace" must die. Here's why
Message-ID: <104F0163-5E6D-47C3-BC9F-679FE161C14D@infowarrior.org>

"Cyberspace" must die. Here's why
David Meyer Feb. 7, 2015 - 8:00 AM PST
https://gigaom.com/2015/02/07/cyberspace-must-die-heres-why/

We're halfway through the second decade of the 21st century and people are still talking about "cyberspace". This has to stop.
The term has become not only outmoded, but downright dangerous. "Cyberspace" suggests a place other than the real world. Perhaps that's how things once felt, when online life was still sparkly and anarchic back in the 1980s, but that's not where we are now. Everything's going online. When Eric Schmidt said last month that "the internet will disappear", he was right -- the online and offline worlds will merge to such a degree that the connecting infrastructure will no longer be apparent and the split will be meaningless. But still we constantly hear media and politicians and policy-makers refer to this other realm. Last month the U.K. government talked about keeping businesses "safe in cyberspace". U.S. president Barack Obama talks about "threats in cyberspace" and "securing cyberspace". Israel's National Cyber Bureau "works to promote the national interest in cyberspace". China has a Cyberspace Affairs Administration that promotes "a peaceful, safe and open and co-operative cyberspace" (i.e. a more heavily censored existence).

The online layer

It's as if everyone's talking about a new continent that recently rose up from the sea -- uncharted territory or "Neuland", in the much-mocked phrasing of German chancellor Angela Merkel. In reality, what they're referring to is an online layer that augments the offline world, thanks to the physical infrastructure that is the internet. The problem with "cyberspace" is that the word suggests a place where different rules apply, and as such it can be misleading. We all need protection from theft and fraud, whether it takes place online or offline. If we're tracked and spied upon in the online layer, the effect is similar (though more surreptitious) to being stalked around town and in the living room. Online harassment can be as painful as being menaced in the street.

We cannot allow the impact of rights violations to be downplayed because they take place online, and we create such a risk by referring to the online world as another, less immediate place. The need to abandon the false digital dualism embodied in the term "cyberspace" (hat tip to Nathan Jurgenson and PJ Rey) becomes more urgent as everyday items become connected to the internet. To appreciate how anachronistic the word has become, consider whether your fitness tracker or smart thermostat exists in cyberspace or the real world. When leaked NSA documents talked about strong decryption capabilities as the "price of admission for the U.S. to maintain unrestricted access to and use of cyberspace," that wasn't about mastering Neuland. It was about being able to access and exploit the entire connected world, smart homes and all. Of course, the online layer is a deeply complex and occasionally paradoxical concept that requires much philosophical digestion and even more political adjustment. For one thing, it's a layer that spans discrete jurisdictions while lacking inherent borders, creating a conundrum that's exemplified in Europe's "right to be forgotten". Whether it's a good idea or not, Europe has the right to tell Google to remove certain links from its results within its territory, but it doesn't have the right to make Google remove those links outside the EU. At the same time, the technical reality of the online layer makes it difficult or perhaps impossible for Google to meaningfully enforce its right in Europe without applying it globally, because the layer's borderless nature makes circumvention far too easy. Is there an easy answer to this? Not without some kind of New World Order. But reality is complex -- we'll probably need carefully drafted international treaties to manage this issue -- and the reductiveness of a concept like "cyberspace" won't help us get where we need to go.

Give and take

"Cyberspace" denotes a place but, if anything, it's about the elimination of spatial concerns as we socialize, collaborate and work together across the world. As such, it's an awkwardly-named property of the online layer -- related to the shared "internet commons" idea -- rather than a good descriptor for the layer itself. It's only one property among many; the online layer still remains tied to the framework of the nation state, with all its political and legal implications, and so it must for now. Citizens of a particular country can't live under one set of laws and norms offline, and another online. The information ethicist Luciano Floridi refers to the "onlife experience" as the state in which we are increasingly living. There's a lot of value in that concept, though we're not really there yet. The online and offline layers are inextricably bound, but there's still a lot of friction that will have to be resolved. Governments and others whose nature and ideas are rooted in offline structures may want the online layer to conform to those, but its technical properties require the fundamental rethinking of many offline social and legal concepts. What does "theft" mean in the online sense, where the original copy of the "stolen" data remains in place? How do social norms around not listening in on or butting into private conversations in a public space apply on Twitter? At the same time, the connected world is something that's being shaped by us, and the technical nature of its online layer will ultimately be tempered by our choices and needs. For example, the corporate spying that funds the current free-services model may have to be reined in to respect our inherent right to privacy, even though our understanding of privacy will inevitably adapt to exploit the potential of pervasive connectivity. There will be a lot of give and take.

We have a long way to go before the online and offline layers coexist in "onlife" harmony, and at that point we may as well just call it "life." But that's the end state we're aiming for, and if we're going to build it with conceptual clarity, then we need to abandon the idea of "cyberspace" and the baggage it's accumulated since William Gibson coined it (with little semantic intent) over three decades ago. It's all the real world now.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 9 13:11:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 9 Feb 2015 14:11:12 -0500
Subject: [Infowarrior] - Sling TV launches nationwide, adds AMC
Message-ID:

(I was one of the first to sign up during private testing and think it's well worth it for ESPN. --rick)

Sling TV launches nationwide, adds AMC
By Cecilia Kang February 9 at 9:29 AM
http://www.washingtonpost.com/news/business/wp/2015/02/09/sling-tv-launches-nationwide-adds-amc/

Sling TV launched its streaming service on Monday, saying that it will soon add AMC to its basic $20 online bundle of channels, which would make it the most complete offering of sports, news, premium shows and lifestyle channels for the Internet. The streaming service by Dish Network doesn't require a cable or satellite subscription, and for $20 a month it is seen as a disruptive force to the traditional paid television industry. Unlike the cable industry, the service doesn't require long-term contracts or credit checks and can be canceled at any time. Sling TV includes ESPN, ESPN 2, TNT, TBS, Food Network, HGTV, Travel Channel and CNN. At a later date, the basic package will include AMC, whose popular shows include "Walking Dead" and "Better Call Saul," a premium channel that some analysts said was missing to make it a complete online offering. Dish Network and its network partners have downplayed the risk Sling TV and other streaming services will pose to the traditional cable bundle.
Disney's ESPN is seen as the lynchpin to the cable bundle, but executives there say they believe Sling TV will mostly appeal to the estimated 11 million younger consumers who have never subscribed to cable and likely won't in the future. ESPN has also put a limit on its participation in Sling TV, people familiar with the company's thinking have said. ESPN is testing the popularity of the service but has put a cap on how many online-only consumers it will take on. "There has been a remarkable expression of consumer interest since we first announced Sling TV one month ago," said Roger Lynch, chief executive of Sling TV. "We believe Sling TV is a game-changing service that enhances the existing television landscape. Now underserved audiences have access to the best of live TV at an affordable price."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 9 17:30:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 9 Feb 2015 18:30:52 -0500
Subject: [Infowarrior] - CIA Wanted To Throw The CFAA At Senate Staffers For Unauthorized Googling
Message-ID:

CIA Wanted To Throw The CFAA At Senate Staffers For Unauthorized Googling
https://www.techdirt.com/articles/20150207/16043229949/cia-wanted-to-throw-cfaa-senate-staffers-unauthorized-googling.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 9 17:30:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 9 Feb 2015 18:30:57 -0500
Subject: [Infowarrior] - Millions of Facebook users have no idea they're using the internet
Message-ID:

Millions of Facebook users have no idea they're using the internet
http://qz.com/333313/milliions-of-facebook-users-have-no-idea-theyre-using-the-internet/

-- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Feb 10 06:33:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Feb 2015 07:33:37 -0500
Subject: [Infowarrior] - *more* USG 'cyber' bureaucracy established
Message-ID:

New agency to sniff out threats in cyberspace
By Ellen Nakashima February 10 at 12:01 AM
http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html?wprss=rss_national

The Obama administration is establishing a new agency to combat the deepening threat from cyberattacks, and its mission will be to fuse intelligence from around the government when a crisis occurs.

The agency is modeled after the National Counterterrorism Center, which was launched in the wake of the Sept. 11, 2001, attacks amid criticism that the government failed to share intelligence that could have unraveled the al-Qaeda plot.

Over the past several years, a series of significant cyber-incidents has affected U.S. companies and government networks, increasing the profile of the threat for policymakers and industries. Disruptions, linked to Iran, of major bank Web sites, a Russian intrusion into the White House’s unclassified computer network and the North Korean hack of Sony Pictures have raised the specter of devastating consequences if critical infrastructure were destroyed.

“The cyberthreat is one of the greatest threats we face, and policymakers and operators will benefit from having a rapid source of intelligence,” Lisa Monaco, assistant to the president for homeland security and counterterrorism, said in an interview. “It will help ensure that we have the same integrated, all-tools approach to the cyberthreat that we have developed to combat terrorism.”

Monaco will announce the creation of the Cyber Threat Intelligence Integration Center on Tuesday in a speech at the Wilson Center.

“It’s a great idea,” said Richard Clarke, a former White House counterterrorism official. “It’s overdue.”

Others question why a new agency is needed when the government already has several dedicated to monitoring and analyzing cyberthreat data. The Department of Homeland Security, the FBI and the National Security Agency all have cyber-operations centers, and the FBI and the NSA are able to integrate information, noted Melissa Hathaway, a former White House cybersecurity coordinator and president of Hathaway Global Strategies.

“We should not be creating more organizations and bureaucracy,” she said. “We need to be forcing the existing organizations to become more effective – hold them accountable.”

The idea of a central agency to analyze cyberthreats and coordinate strategy to counter them isn’t new. But as the threat has grown, the idea has taken hold again.

Monaco, who has a decade of government experience in counterterrorism, has long thought that the lessons learned from fighting terrorism can be applied to cybersecurity. She saw that as a policymaker she could quickly receive an intelligence community assessment on the latest terrorism threat from NCTC, but that was not possible in the cyber realm.

“We need to build up the muscle memory for our cyber-response capabilities, as we have on the terrorism side,” she said.

Last summer, Monaco directed White House cybersecurity coordinator Michael Daniel to see whether lessons learned from the counterterrorism world could be applied to cyberthreats. She also revived a cyber-response group for senior staff from agencies around the government, modeled after a similar group in the counterterrorism world, to meet weekly and during crises.

Daniel’s staff concluded that the same defects that contributed to the 2001 terrorist attacks – intelligence agency stove-piping and a failure to combine analysis from across the government – existed in the cyber context. They recommended the creation of an NCTC for cybersecurity, but some agencies initially resisted.

Advocates argued that the new center would not conduct operations or supplant the work of others. Rather it would support their work, providing useful analysis so that the FBI can focus on investigations and DHS can focus on working with the private sector, officials said.

During Thanksgiving week, news broke of a major incident at Sony Pictures Entertainment. In the following days, it became clear the hack was significant: Computers were rendered useless, and massive amounts of e-mail and employee data were pilfered and made public.

President Obama wanted to know the details. What was the impact? Who was behind it?

Monaco called meetings of the key agencies involved in the investigation, including the FBI, the NSA and the CIA. “Okay, who do we think did this?” she asked, according to one participant. “She got back six views.” All pointed to North Korea, but they differed in the degree of certainty.

The key gap: No one was responsible for an analysis that integrated all the agency views. In the end, Monaco asked the FBI to produce one, coordinating with the other agencies.

The Office of the Director of National Intelligence, which oversees the NCTC, might seem a natural place to provide that analysis. But its small cyber staff focuses on strategic long-term analysis, not a rapid merging of all sources of intelligence about a particular problem.

The Sony incident provided the final impetus for the new center. Monaco began making the rounds at the White House to build support for the center, officials said. In his State of the Union speech on Jan. 20, Obama made a veiled reference to the center, saying the government would integrate intelligence to combat cyberthreats “just as we have done to combat terrorism.”

Obama will issue a memorandum creating the center, which will be part of the Office of the Director of National Intelligence. The new agency will begin with a staff of about 50 and a budget of $35 million, officials said.

Matthew Olsen, a former NCTC director, said the quality of the threat analysis will depend on a steady stream of data from the private sector, which operates the nation’s energy, financial and other critical systems. “One challenge will be identifying ways to work more closely with the private sector, where cyberthreats are the most prevalent,” he said.

The government and industries need to invest more in technology, information-sharing and personnel training, as well as in deterring and punishing those who carry out cyberattacks, said Michael Leiter, another former NCTC director who is now executive vice president at Leidos, a national security contractor.

The new center “is a good and important step,” Leiter said. “But it is far from a panacea.”

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 10 06:40:14 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Feb 2015 07:40:14 -0500
Subject: [Infowarrior] - Today I Am Releasing Ten Million Passwords
Message-ID: <25B1F319-21F1-48AA-A917-20E27AACCB80@infowarrior.org>

Today I Am Releasing Ten Million Passwords
02.09.15 | Posted by Mark Burnett in Passwords | 27 Comments

Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world.

A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain.

< - >

https://xato.net/passwords/ten-million-passwords/#.VNmTsi57RqH

-- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Feb 10 07:47:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Feb 2015 08:47:13 -0500
Subject: [Infowarrior] - Keurig's attempt to 'DRM' its coffee cups totally backfired
Message-ID: <03063D8D-75DF-49B3-80ED-06966DF2898E@infowarrior.org>

Put this in the "how could you NOT see this coming?" category......

Keurig's attempt to 'DRM' its coffee cups totally backfired
http://www.theverge.com/2015/2/5/7986327/keurigs-attempt-to-drm-its-coffee-cups-totally-backfired

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 10 15:55:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Feb 2015 16:55:34 -0500
Subject: [Infowarrior] - Privacy experts question Obama's plan for new agency to counter cyber threats
Message-ID: <462FABB6-DAC5-4C19-B221-530F786844ED@infowarrior.org>

Privacy experts question Obama's plan for new agency to counter cyber threats
White House to unveil on Tuesday the Cyber Threat Intelligence Integration Center but critics fear an expansion of government monitoring of online data
Spencer Ackerman in New York
http://www.theguardian.com/world/2015/feb/10/obama-cyber-threat-agency-privacy
Tuesday 10 February 2015 14.12 EST

Cybersecurity and digital privacy experts are questioning the need for Barack Obama’s latest bureaucratic initiative, a new agency spurred by the massive Sony hack that critics fear will expand the government’s role into monitoring online data networks on security grounds.

White House security adviser Lisa Monaco unveiled on Tuesday the Cyber Threat Intelligence Integration Center, the name of which speaks to its position within a US intelligence community whose ongoing, surreptitious reach over the internet has attracted global skepticism.

Monaco said the remit of the new center, subordinate to the office of the director of national intelligence and modelled on the National Counterterrorism Center, is said to be the combination of the various intelligence, security and law enforcement agencies’ understanding and analysis of new or emerging malicious cyber-attacks.

“We’re going to have to work in lockstep with the private sector,” said Monaco, who called the December hack of Sony, which she blamed on North Korea, a “game changer”.

“We want this flow of information to go both ways,” Monaco said.

Over the past five years, the administration has stood up new entities, such as the National Security Agency’s military twin US Cyber Command, or expanded the remit of others, like the Department of Homeland Security, to safeguard government – and increasingly civilian – networks.

“Given the number of other agencies that have cybersecurity threat integration responsibilities, it’s not clear that a new agency is needed,” said Greg Nojeim of the Center for Democracy and Technology.

“We are keen to hear from the White House about the measures it will impose to ensure that this new agency operates transparently, with effective independent oversight, and does not become a repository for personal information unnecessary to counter cyber threats.”

A senior US official said the center, initially budgeted at $35m, is intended to give the government awareness of new online threat patterns “in as close to real time as possible”. While it will “facilitate and support efforts by the government to counter foreign cyber threats,” the official said it will have no offensive role, and is limited to “strictly intel fusion and analysis”. Monaco added that it will not collect intelligence.

Yet earlier government cyber efforts, such as those from the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), have previously promised near-real time identification of threats at its “24-7 cyber situational awareness, incident response, and management center,” prompting skepticism from security experts about the ability of the center to deliver on its stated promise.

“They really could have just restructured at DHS how the NCCIC works to really move threats together in a comprehensive fashion, and a real-time fashion, where you could actually get some value out of it,” said Tony Cole, a top executive at the cybersecurity firm FireEye, who said he was hearing similar puzzlement from industry leaders about the new center.

“If you still are not restructuring agencies to be able to share in an automated fashion, then there’s probably little value to be had out of creating a new organization.”

After the Edward Snowden leaks, legislation seeking to expand business’ sharing of threat pattern data – one of the top priorities of the NSA in the new Congress – has stalled in the Senate. While the Obama administration and congressional advocates intend DHS to be the primary interlocutor for businesses, the NSA will be able to access the information, raising concerns amongst privacy advocates that more customer data, including financial information, will pass to US intelligence agencies.

Monaco pressed again for passage of cybersecurity legislation that would legally immunize companies that take “reasonable steps” to remove customer and other private data before providing threat information to the government – leaving the door open to that information indeed passing to security and intelligence agencies, a critical privacy concern.

The NSA – which, along with Cyber Command, performs so-called “offensive cyber” operations – declined to specify its role in the new center. The senior official, while speaking generically, confirmed that “staff will be drawn from across departments and agencies, including the IC”, or intelligence community.

A divide has emerged in recent months between how data-privacy advocates and the Obama administration view cybersecurity in the aftermath of huge data breaches from Sony, Target, Home Depot and now the Anthem health insurance company. Digital security campaigners want the government to emphasize techniques private firms can use to harden their network defenses, such as the expanded use of encrypted data. The administration prefers expanded data-sharing from the private sector to stay atop of online threats – and the director of the FBI has recently described encryption as an unacceptable hindrance to law enforcement.

Amie Stepanovich, a lawyer with the digital rights group Access, said the center “has real potential to violate privacy in a very meaningful and widespread manner” if it serves primarily as a threat-pattern clearinghouse.

If the center instead serves as an interlocutor to promote “standards and incentives” for data hygiene and security “to protect these very harmful data breaches, it could be very positive, if done in a transparent way,” Stepanovich said.

Monaco spoke to that point in her Tuesday speech. She said a major focus of Obama’s cybersecurity approach will be to encourage “basic cyber hygiene”.

Existing government initiatives for cybersecurity, which the new center builds upon, have come in for legislative criticism. A report last month from the former senator Tom Coburn claimed it was “unclear” if the $700m DHS spends on cybersecurity to aid “the private sector in preventing, mitigating, or recovering from cybersecurity incidents are providing significant value or are worth the tax dollars spent on them.”

On Friday, Obama plans to attend a cybersecurity summit at Stanford University with leading business figures and academics to forge a post-Snowden cybersecurity consensus.
Monaco disputed that the new center would be a redundant bureaucracy. She argued it would provide “critical, rapid, coordinated intelligence to feed operations. It’s not duplicative at all”.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 10 15:57:32 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Feb 2015 16:57:32 -0500
Subject: [Infowarrior] - RapidShare calls it quits
Message-ID:

RapidShare calls it quits: Veteran file-sharing site to close in March 2015
For over 13 years, Switzerland-based site has fought hard to be seen as legitimate.
by Cyrus Farivar - Feb 10 2015, 3:40pm EST

< - >

http://arstechnica.com/tech-policy/2015/02/rapidshare-calls-it-quits-veteran-file-sharing-site-to-close-in-march-2015/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 10 18:28:02 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Feb 2015 19:28:02 -0500
Subject: [Infowarrior] - Fwd: NY to assess insurance companies
References: <20150210232145.622662280B4@palinka.tinho.net>
Message-ID: <9E7F7330-35E5-43D6-B2AA-17E7A1265D1B@infowarrior.org>

> From: dan at geer.org
>
> http://www.dfs.ny.gov/about/press2015/pr1502081.htm
>
> Press Release
>
> February 8, 2015
> Contact: Matt Anderson, 212-709-1691
>
> NYDFS ANNOUNCES NEW, TARGETED CYBER SECURITY ASSESSMENTS FOR INSURANCE
> COMPANIES
>
> Benjamin M. Lawsky, Superintendent of Financial Services, today
> announced the release of a Department of Financial Services (DFS)
> report on cyber security in the insurance industry and a series of
> measures that DFS will take to help strengthen cyber hacking defenses
> at insurers. To view a copy of the report, please visit, [66]link.
>
> In the coming weeks and months, DFS will integrate regular, targeted
> assessments of cyber security preparedness at insurance companies as
> part of the Department's examination process; put forward enhanced
> regulations requiring institutions to meet heightened standards for
> cyber security; and examine stronger measures related to the
> representations and warranties insurance companies receive from
> third-party vendors, among other measures.
>
> Superintendent Lawsky said: "Recent cyber security breaches should
> serve as a stern wake up call for insurers and other financial
> institutions to strengthen their cyber defenses. Those companies are
> entrusted with a virtual treasure trove of sensitive customer
> information that is an inviting target for hackers. Regulators and
> private sector companies must both redouble their efforts and move
> aggressively to help safeguard this consumer data."
>
> DFS conducted a survey with respect to cyber security at a significant
> cross-section of its regulated insurance companies. A total of 43
> entities, with combined assets of approximately $3.2 trillion,
> completed a survey seeking information about each participant's cyber
> security program, costs, and future plans.
>
> Notably, the Department's analysis of the insurers surveyed found that
> a wide array of factors - not just reported assets - affect the
> sophistication and comprehensiveness of the insurers' cyber security
> programs. In other words, although it may be expected that the largest
> insurers would have the most robust and sophisticated cyber defenses,
> the Department did not necessarily find that to be the case.
>
> Moreover, the Department found that 95 percent of insurers already
> believe that they have adequate staffing levels for information
> security and only 14 percent of chief executive officers receive
> monthly briefings on information security. Recent cyber security
> breaches at financial institutions and other major corporations should
> serve as a wake up call for insurers to strengthen their cyber defenses
> - particularly given the level of sensitive consumer information that
> insurers are entrusted with handling.
>
> In addition to today's report and actions related to the insurance
> industry, DFS has also taken a series of steps to help strengthen cyber
> security in the banking sector. In [67]December 2014, DFS issued
> industry guidance to all its regulated banks outlining the specific
> issues and factors on which those institutions will be examined as part
> of new targeted, DFS cyber security preparedness assessments. Among
> other factors, banks will be examined on their protocols for the
> detection of cyber breaches and penetration testing; corporate
> governance related to cyber security; their defenses against breaches,
> including multi-factor authentication; and the security of their
> third-party vendors.
>
> DFS has also issued a consumer alert for Anthem (the owner of Empire
> Blue Cross Blue Shield) in light of the recent data breach at that
> company. There are more than 4 million Empire Blue Cross Blue Shield
> customers in New York. To view a copy of that consumer alert, please
> visit, [68]link.
>
> ###
>
> References
>
> 65. http://www.dfs.ny.gov/insurance/news1.htm
> 66. http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf
> 67. http://www.dfs.ny.gov/about/press2014/pr1412101.htm
> 68. http://www.dfs.ny.gov/consumer/alert_anthem_data_breach.htm
>

From rforno at infowarrior.org Tue Feb 10 19:37:30 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Feb 2015 20:37:30 -0500
Subject: [Infowarrior] - Lawmakers not briefed on White House cyber center
Message-ID:

Lawmakers not briefed on White House cyber center
By Joseph Marks
2/10/15 3:28 PM EST
Updated 2/10/15 8:12 PM EST
http://www.politico.com/story/2015/02/white-house-cyber-center-lawmakers-115078.html?hp=b1_c2

White House officials gave members of the House Intelligence Committee either little notice or none at all about the announcement Tuesday of a new cyber integration center modeled on the National Counterterrorism Center, sources told POLITICO.

A source on the Republican side said Tuesday that the committee’s only advance information about the new center came during a briefing by representatives from the Office of the Director for National Intelligence last week and that the briefer declined to explain what the budget request was for.

“When they were specifically asked for details on their cyber plans, they said there was nothing else they could share at this time,” the source said, adding they were told more information would be made available in more detailed budget documents that have not yet been sent to the committee.

That was the last committee members heard of the issue before today’s announcement was trailed with an official leak to The Washington Post, the source said.

Asked if committee members believed they should have been briefed in advance, the source replied, “Yes; I can give you a one word answer on that.”

A Democratic aide later countered that both Democratic and Republican committee staff were told about the center the day before.

A senior administration official said “we notified key staff on the intelligence committees and intend to provide further briefings in the coming weeks.”
The Cyber Threat Intelligence Integration Center, projected to have a staff of 50 when it is fully operational next year, is funded by a $35 million line item in the “black budget” request for intelligence funding.

The center was first called for by the former co-chairmen of the 9/11 Commission, Tom Kean and Lee Hamilton, in an op-ed last year.

There are also concerns that the new center might duplicate the work of other existing federal cyber centers, like the National Cybersecurity and Communications Integration Center at DHS. Officials say the NCCIC is focused on situational awareness and operational response to cyberattacks, whereas the CTIIC will focus on rapidly fusing intelligence from different sources about cyber threats.

This story has been updated to include comments from a Democratic committee aide and from the administration.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 11 16:59:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 11 Feb 2015 17:59:27 -0500
Subject: [Infowarrior] - Facebook opens security industry social network for threat sharing
Message-ID: <7A78799A-FF2F-4090-882B-25E74937B589@infowarrior.org>

Facebook opens security industry social network for threat sharing
What the net needs is a great big sharing pot
By Dave Neal
Wed Feb 11 2015, 16:50
http://www.theinquirer.net/inquirer/news/2394882/facebook-opens-security-industry-social-network-for-threat-sharing

FACEBOOK HAS LAUNCHED A THING called ThreatExchange which is the firm's gift to the wider online security industry and a kind of sharing place for advice, updates and information.

News of ThreatExchange comes to us through an official post on the Facebook blog, and is soundtracked with some trumpeting. It is pitched as a social network for the security community, so let's assume it is not baggy like a first year schoolkid's PE kit.

"A little over a year ago, a group of technology companies came together to discuss a botnet that was spreading a malware-based spam attack on all of our services," said Mark Hammel, Facebook's manager of threat infrastructure.

"We quickly learned that sharing with one another was key to beating the botnet because parts of it were hosted on our respective services and none of us had the complete picture.

"During our discussions, it became clear that what we needed was a better model for threat sharing."

Hammel said that Pinterest, Tumblr, Twitter and Yahoo all played a role in the early development of ThreatExchange, and that the quintet has been joined by Bitly and Dropbox.

Access to the network is governed by a number of privacy controls that were requested at the start of the project. These allow companies to choose what information they share and with which other parties, for example.

"Feedback from our early partners centred on the need for a consistent, reliable platform that could provide flexibility for organisations to be more open or selective about the information they share," said Hammel.

"Threat data is typically freely available information like domain names and malware samples, but for situations where a company might only want to share certain indicators with companies known to be experiencing the same issues, built-in controls make limited sharing easy and help avoid errors by using a pre-defined set of data fields."

Hammel said that all firms can become stronger by combining their efforts: "That's the beauty of working together on security. When one company gets stronger, so do the rest of us."

Facebook announced recently that the firm has updated its privacy policy to say that it can now track your every move on the internet, even when you're logged out of the app.

-- It's better to burn out than fade away.
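The two controls Hammel describes in the ThreatExchange article above, a pre-defined set of data fields and per-indicator limits on which partners may see an indicator, are easy to model. The following Python is an added illustration, not code from the original post and not ThreatExchange's own API or data model: the indicator types, the three privacy levels, the organisation names and the sample indicators are all constructed assumptions for this example. It validates each submission against a fixed schema, then answers a partner's query with only the indicators that partner is entitled to see.

```python
"""Toy model of per-indicator sharing controls for a threat-sharing platform.

Constructed illustration only; the schema, privacy levels, organisation names
and sample indicators below are assumptions, not ThreatExchange's real design.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Privacy(Enum):
    """Assumed visibility levels, loosely modelled on traffic-light sharing."""
    PUBLIC = "public"    # every member of the exchange may see it
    GROUP = "group"      # only the organisations on an explicit allow-list
    PRIVATE = "private"  # only the submitting organisation itself


# Pre-defined field set: submissions must use one of these indicator types and
# supply every required field, so partners cannot push free-form or misnamed data.
ALLOWED_TYPES: Set[str] = {"domain", "ip", "md5", "url"}
REQUIRED_FIELDS: Set[str] = {"type", "value", "owner", "privacy"}


@dataclass
class Indicator:
    type: str
    value: str
    owner: str
    privacy: Privacy
    allowed_orgs: Set[str] = field(default_factory=set)  # consulted only for GROUP
    description: str = ""


class ValidationError(ValueError):
    """Raised when a submission does not fit the pre-defined field set."""


def validate(record: Dict[str, object]) -> Indicator:
    """Turn a raw submission into an Indicator, or raise ValidationError."""
    missing = REQUIRED_FIELDS - set(record)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    if record["type"] not in ALLOWED_TYPES:
        raise ValidationError(f"unknown indicator type: {record['type']!r}")
    try:
        privacy = Privacy(record["privacy"])
    except ValueError:
        raise ValidationError(f"unknown privacy level: {record['privacy']!r}")
    allowed = set(record.get("allowed_orgs", []))
    if privacy is Privacy.GROUP and not allowed:
        # A GROUP indicator with an empty allow-list would be shared with nobody,
        # which is almost always a submitter mistake, so reject it up front.
        raise ValidationError("GROUP privacy requires a non-empty allowed_orgs list")
    return Indicator(type=str(record["type"]), value=str(record["value"]),
                     owner=str(record["owner"]), privacy=privacy,
                     allowed_orgs=allowed, description=str(record.get("description", "")))


class Exchange:
    """In-memory store whose queries are filtered by the requesting organisation."""

    def __init__(self) -> None:
        self._indicators: List[Indicator] = []

    def submit(self, record: Dict[str, object]) -> Indicator:
        ind = validate(record)
        self._indicators.append(ind)
        return ind

    def visible_to(self, org: str) -> List[Indicator]:
        """Return only the indicators `org` is entitled to see."""
        out: List[Indicator] = []
        for ind in self._indicators:
            if ind.owner == org:                       # you always see your own
                out.append(ind)
            elif ind.privacy is Privacy.PUBLIC:
                out.append(ind)
            elif ind.privacy is Privacy.GROUP and org in ind.allowed_orgs:
                out.append(ind)
            # PRIVATE indicators belonging to another org are never returned.
        return out


def demo_exchange() -> Exchange:
    """Populate an exchange with constructed sample submissions."""
    ex = Exchange()
    ex.submit({"type": "domain", "value": "bad.example", "owner": "orgA",
               "privacy": "public", "description": "constructed spam-bot domain"})
    ex.submit({"type": "ip", "value": "192.0.2.10", "owner": "orgA",
               "privacy": "group", "allowed_orgs": ["orgB"],
               "description": "shared only with orgB, which sees the same wave"})
    ex.submit({"type": "md5", "value": "0123456789abcdef0123456789abcdef", "owner": "orgB",
               "privacy": "private", "description": "constructed hash orgB keeps to itself"})
    return ex


if __name__ == "__main__":
    ex = demo_exchange()
    for org in ("orgA", "orgB", "orgC"):
        print(org, "sees", [i.value for i in ex.visible_to(org)])
```

Running the block shows orgA seeing both of its own submissions, orgB seeing the public domain, the group-shared IP and its own private hash, and a newcomer orgC seeing only the public domain. The design choice worth noting is that filtering happens at query time against the requester's identity rather than by copying indicators into per-partner buckets, so changing an indicator's allow-list takes effect immediately and there is no second copy to forget to revoke.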
From rforno at infowarrior.org Wed Feb 11 18:33:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 11 Feb 2015 19:33:51 -0500
Subject: [Infowarrior] - TO DRM OR NOT TO DRM …
Message-ID: <41E4F67E-2722-4745-AB24-232FD5FEFA15@infowarrior.org>

TO DRM OR NOT TO DRM …
https://romanceaustralia.wordpress.com/2015/02/12/to-drm-or-not-to-drm/

That is the question a modern day Hamlet and Ophelia might ponder if they could just get past his stabbing of her father.

On a serious note, DRM (digital rights management) remains a hot button of conversation in the ebook realm. Traditional publishers are supporters of DRM maintaining it is necessary to prevent illegal downloads and piracy. However, not everyone feels the same way. While most people deplore piracy and illegal downloads, many feel that you should be able to do the same things with an ebook that you can do with a paperback, for example lend it to a friend. Depending on the level of DRM on the particular file, you may or may not be able to do that. Usually not.

Other publishers maintain that the key to preventing illegal downloads and piracy is to get your price point right. I once attended an Australian Publishers Association talk at which a high profile Carina Press editor from the US was adamant that the key issue was price point not DRM. She said that if she had her laptop with her, she could show us all how to unlock DRM in less than 30 seconds! We didn’t put her to the test but I hope most people’s home security is better than that. She did say that their experience at Carina Press was that if the price was right, the vast majority of readers were happy to do the right thing and buy a legal copy of the ebook.

Bill Pollock, founder of niche San Francisco publisher No Starch Press, goes one step further. In an interview with Publishing Perspectives*, he said, “We have never used DRM and we never will. It’s just foolish – I don’t believe in charging people three times for the same information.” Pollock, like Carina Press, believes in the radical notion that, “You have to trust your readers, and when you show that you trust them, they will respond to you.”

No Starch Press publishes books for geeks on a range of tech-related subjects from hacking to programming for kids including LOTS of books about Lego. When you buy a physical book from them, you get a free copy of the ebook to use however you want to. The approach is paying off for them. They publish about thirty titles a year and their new book, LEGO Neighborhood Book, sold 15,000 copies in two weeks and had to be reprinted.

Pollock says that pirate sites are not a real threat with books typically downloaded only a few hundred times. He argues that piracy may actually help build a buzz about new books. “Our business has been up every one of the last 15 years, but you don’t see those DRM-loving publishers going round talking about what a great year they’re having,” he says.

Carina Press is primarily a digital-only imprint. No Starch Press makes their money from their print books. What they have in common is a belief that DRM is not a key factor in building a business / brand / author.

Where do you stand on the DRM debate, especially if you are an indie publisher for whom a “few hundred” pirated copies would make a real difference, especially in a smaller market such as Australia? Do you believe in DRM or not? What do you do for your books? We’d love to hear from you.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 11 19:38:51 2015
From: rforno at infowarrior.org (Richard Forno) 
Date: Wed, 11 Feb 2015 20:38:51 -0500
Subject: [Infowarrior] - Thoughts on yesterday's CTIIC proposal
Message-ID: <0B00B1D2-CDBE-4D0A-88A3-F1505A6727D8@infowarrior.org>

Information sharing to the cyber-rescue, again!
https://cyberlaw.stanford.edu/blog/2015/02/information-sharing-cyber-rescue-again

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 12 06:41:04 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 12 Feb 2015 07:41:04 -0500
Subject: [Infowarrior] - A Crypto Trick That Makes Software Nearly Impossible to Reverse-Engineer
Message-ID:

A Crypto Trick That Makes Software Nearly Impossible to Reverse-Engineer
By Andy Greenberg | 02.11.15 | 9:00 pm
http://www.wired.com/2015/02/crypto-trick-makes-software-nearly-impossible-reverse-engineer/

Software reverse engineering, the art of pulling programs apart to figure out how they work, is what makes it possible for sophisticated hackers to scour code for exploitable bugs. It’s also what allows those same hackers’ dangerous malware to be deconstructed and neutered. Now a new encryption trick could make both those tasks much, much harder.

At the SyScan conference next month in Singapore, security researcher Jacob Torrey plans to present a new scheme he calls Hardened Anti-Reverse Engineering System, or HARES. Torrey’s method encrypts software code such that it’s only decrypted by the computer’s processor at the last possible moment before the code is executed. This prevents reverse engineering tools from reading the decrypted code as it’s being run. The result is tough-to-crack protection from any hacker who would pirate the software, suss out security flaws that could compromise users, and even in some cases understand its basic functions.

“This makes an application completely opaque,” says Torrey, who works as a researcher for the New York State-based security firm Assured Information Security. “It protects software algorithms from reverse engineering, and it prevents software from being mined for vulnerabilities that can be turned into exploits.”
A company like Adobe or Autodesk might use HARES as a sophisticated new form of DRM to protect their pricey software from being illegally copied. On the other hand, it could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it. As notable hacker the Grugq wrote on twitter when Torrey’s abstract was posted to SyScan’s schedule, HARES could mean the “end of easy malware analysis. :D”

To keep reverse engineering tools in the dark, HARES uses a hardware trick that’s possible with Intel and AMD chips called a Translation Lookaside Buffer (or TLB) Split. That TLB Split segregates the portion of a computer’s memory where a program stores its data from the portion where it stores its own code’s instructions. HARES keeps everything in that “instructions” portion of memory encrypted such that it can only be decrypted with a key that resides in the computer’s processor. (That means even sophisticated tricks like a “cold boot attack,” which literally freezes the data in a computer’s RAM, can’t pull the key out of memory.) When a common reverse engineering tool like IDA Pro reads the computer’s memory to find the program’s instructions, that TLB split redirects the reverse engineering tool to the section of memory that’s filled with encrypted, unreadable commands.

“You can specifically say that encrypted memory shall not be accessed from other regions that aren’t encrypted,” says Don Andrew Bailey, a well-known security researcher for Lab Mouse Security, who has reviewed Torrey’s work.

Many hackers begin their reverse engineering process with a technique called “fuzzing.” Fuzzing means they enter random data into the program in the hopes of causing it to crash, then analyze those crashes to locate more serious exploitable vulnerabilities. But Torrey says that fuzzing a program encrypted with HARES would render those crashes completely unexplainable. “You could fuzz a program, but even if you got a crash, you wouldn’t know what was causing it,” he says. “It would be like doing it blindfolded and drunk.”

Torrey says he intends HARES to be used for protection against hacking – not for creating mysterious malware that can’t be dissected. But he admits that if HARES works, it will be adopted for offensive hacking purposes, too. “Imagine trying to figure out what Stuxnet did if you couldn’t look at it,” he says. “I think this will change how [nation-state] level malware can be reacted to.”

HARES’s protections aren’t quite invincible. Any program that wants to use its crypto trick needs to somehow place a decryption key in a computer’s CPU when the application is installed. In some cases, a super-sophisticated reverse engineer could intercept that key and use it to read the program’s hidden commands. But snagging the key would require him or her to plan ahead, with software that’s ready to look for it. And in some cases where software comes pre-installed on a computer, the key could be planted in the CPU ahead of time by an operating system maker like Apple or Microsoft to prevent its being compromised. “There are some concerns with this from a technical point of view,” says Bailey. “But it’s way better than anything we have out there now.”

Another way to crack HARES’ encryption, says Torrey, would be to take advantage of a debugging feature in some chips. That feature allows a hardware device between the chip and the motherboard to read every command the processor executes. But taking advantage of that feature requires a five-figure-priced JTAG debugger, not a device most reverse engineers tend to have lying around. “It’s pretty high level stuff,” he says. “Obviously nation states will have these things, but probably not very many others.”

Torrey notes that it may someday be possible to encrypt a program’s code in a way that its instructions can run without ever being encrypted – making software that’s truly unhackable. But such a system, known as “fully homomorphic encryption,” is still largely theoretical. It currently makes computer processes take millions of times longer than they would without encryption. HARES slows down the programs it protects by only about 2 percent. “Fully homomorphic encryption is the holy grail, but it’s an academic math problem,” Torrey says. “This is something you can stick on your existing computer to protect your existing software.”

Torrey developed HARES’s TLB split trick with funding in 2013 from Darpa’s Cyber Fast Track program. He plans to release the project’s code not at March’s SyScan conference, but possibly the next month at the Infiltrate security conference in Miami. Torrey says that he wouldn’t be surprised, however, if coders determine from his March talk how to use HARES’s tricks and begin writing malware that’s far harder to decode. Give hackers an unencrypted hint or two, and they have a way of figuring out your secrets.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 12 16:03:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 12 Feb 2015 17:03:53 -0500
Subject: [Infowarrior] - FBI Says All Public Records Requests For Stingray Documents Must Be Routed Through It
Message-ID:

FBI Says All Public Records Requests For Stingray Documents Must Be Routed Through It
https://www.techdirt.com/articles/20150211/08044329986/fbi-says-all-public-records-requests-stingray-documents-must-be-routed-through-it.shtml

-- It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 12 21:13:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 12 Feb 2015 22:13:07 -0500
Subject: [Infowarrior] - Obama to Announce Executive Action on Cybersecurity
Message-ID: <04B52F73-3A3A-4C50-9564-E409D6911CE9@infowarrior.org>

Obama to Announce Executive Action on Cybersecurity
http://www.nbcnews.com/tech/security/obama-announce-executive-action-cybersecurity-n305411

In a continuing push on cybersecurity, President Obama is expected to announce an executive order to encourage information-sharing between the private sector and the government. Ahead of the president's cybersecurity summit at Stanford University on Friday, Director of the National Economic Council Jeff Zients and White House Cybersecurity Coordinator Michael Daniel briefed reporters about the gathering and the administration's efforts.

The conference will focus on how to increase cybersecurity for government and businesses and how to bolster consumer protections, which Zients called "two sides of the same coin." Announcements by companies of new commitments to improve cybersecurity as well as executive action by Obama to encourage information sharing are expected.

Calling cybersecurity "one of the defining challenges of the 21st century for us," Daniel said that although the president has been concerned about it since taking office, an ever-growing percentage of the threats he is briefed on are cyber-related. Thus, the administration is accelerating and increasing its focus on the issue as the threat continues to grow.

Zients said cybersecurity is also a strategic asset to drive economic growth and that it serves as a "business differentiator" - American companies that are leaders in cybersecurity will be leaders with consumers.

In February 2014, the administration created a "Cybersecurity Framework" to serve as a roadmap for organizations and businesses seeking to manage cybersecurity risk. Earlier this year, the administration sent a legislative package to Congress and said it is reaching out in both the Senate and House, on a bipartisan basis, to get the legislation enacted. And earlier this week, administration officials announced creation of a Cyber Threat Intelligence Integration Center to collect and disseminate information on cyber threats.

Zients and White House Counterterrorism Advisor Lisa Monaco open Friday's conference, followed by a series of roundtable discussions led by Commerce Secretary Penny Pritzker and Homeland Security Secretary Jeh Johnson, remarks by Apple CEO Tim Cook, and then a keynote address by President Obama. More than 1,000 people are expected to attend, including CEOs of some of the largest financial, technology and insurance companies, privacy and civil liberties experts and numerous administration officials from across government.

From rforno at infowarrior.org Fri Feb 13 06:28:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 13 Feb 2015 07:28:13 -0500
Subject: [Infowarrior] - UK Surveillance Consultation Suggests It Is End-Point Security, Not Encryption, That Cameron Wants To Subvert
Message-ID: <8DED694F-11D0-4622-8561-B9AF45FCDB4F@infowarrior.org>

UK Surveillance Consultation Suggests It Is End-Point Security, Not Encryption, That Cameron Wants To Subvert
https://www.techdirt.com/articles/20150211/04241129983/uk-surveillance-consultation-suggests-it-is-end-point-security-not-encryption-that-cameron-wants-to-subvert.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 13 06:34:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 13 Feb 2015 07:34:57 -0500
Subject: [Infowarrior] - RIP David Carr
Message-ID: <8C076AE9-A526-4114-B503-F2A3D682E437@infowarrior.org>

David Carr, Times Critic and Champion of Media, Dies at 58
By BRUCE WEBER and ASHLEY SOUTHALL, FEB. 12, 2015
http://www.nytimes.com/2015/02/13/business/media/david-carr-media-equation-columnist-for-the-times-is-dead-at-58.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 13 08:09:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 13 Feb 2015 09:09:00 -0500
Subject: [Infowarrior] - Where Are the FBI's Drone Privacy Reports?
Message-ID: <3960E262-EEC5-4460-915D-F6884129FE94@infowarrior.org>

(Most transparent administration ever? --rick)

Where Are the FBI's Drone Privacy Reports?
Jamie Condliffe, Today 4:30am
http://gizmodo.com/where-are-the-fbis-drone-privacy-reports-1685610775

The FBI is known to have flown unmanned aerial vehicles since at least 2005 and, like any other federal agency, it's supposed to conduct a privacy impact assessment prior to such activity. But according to Muckrock, the Bureau can't track them down, and nor can the Justice Department office that's supposed to collate them.

An investigation by Muckrock has been hurling FOIA requests at both the FBI and the DOJ. We know the FBI flies drones, but each request for the corresponding privacy impact assessments comes back empty. Each of the assessments - that are legally required to be produced by the FBI - should, at least, include details about what information is being collected, why, how it will be used, and who'll be able to use it. They're designed to be fit for public consumption.

After refusing to provide Muckrock with these assessments last year, FOIA requests have also failed to procure the documents. Muckrock claims that the Justice Department has confirmed that it has been unable to find - at the FBI or in its own offices - the documents after "an adequate, reasonable search for such records." What counts as adequate, reasonable search isn't explained.

We perhaps shouldn't be surprised. In Washington, DC, the FBI is being sued over failure to publish other privacy impact assessments. The Privacy Impact Assessment process is, according to Department of Justice guidelines, supposed to be "built into the system from the start - not after the fact," to "promote trust between the public and the Department by increasing transparency of the Department's systems and missions." Clearly, that isn't quite the case at the moment. [Muckrock]

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 13 08:10:26 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 13 Feb 2015 09:10:26 -0500
Subject: [Infowarrior] - EFF's analysis of TPP's hideous provisions
Message-ID:

Go to Prison for Sharing Files? That's What Hollywood Wants in the Secret TPP Deal

The Trans-Pacific Partnership agreement (TPP) poses massive threats to users in a dizzying number of ways. It will force other TPP signatories to accept the United States' excessive copyright terms of a minimum of life of the author plus 70 years, while locking the US to the same lengths so it will be harder to shorten them in the future. It contains extreme DRM anti-circumvention provisions that will make it a crime to tinker with, hack, re-sell, preserve, and otherwise control any number of digital files and devices that you own. The TPP will encourage ISPs to monitor and police their users, likely leading to more censorship measures such as the blockage and filtering of content online in the name of copyright enforcement. And in the most recent leak of the TPP's Intellectual Property chapter, we found an even more alarming provision on trade secrets that could be used to crack down on journalists and whistleblowers who report on corporate wrongdoing.

Here, we'd like to explore yet another set of rules in TPP that will chill users' rights. Those are the criminal enforcement provisions, which, based upon the latest leak from May 2014, are still a contested and unresolved issue. It's about whether users could be jailed or hit with debilitating fines over allegations of copyright infringement.

< -- >

https://www.eff.org/deeplinks/2015/02/go-prison-sharing-files-thats-what-hollywood-wants-secret-tpp-deal

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 13 15:21:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 13 Feb 2015 16:21:29 -0500
Subject: [Infowarrior] - Anonymous v. ISIL
Message-ID:

Anonymous reportedly hacks into Twitter, Facebook accounts linked to Islamic State
Published February 11, 2015, FoxNews.com
http://www.foxnews.com/tech/2015/02/11/anonymous-reportedly-hacks-into-twitter-facebook-accounts-linked-to-islamic/

Anonymous, the online hacking collective known as 'hacktivists,' took credit Tuesday for shutting down hundreds of social media accounts they linked to Islamic State supporters. The campaign is called "Operation ISIS" or #OpISIS. The group's online declaration of cyberwar was prompted by last month's deadly attack on the French satirical newspaper, Charlie Hebdo.

The hack is potentially a major blow to ISIS' online propaganda strategy. The militants have utilized the easy access to the public provided by social media. These militants, with little tech savvy, have been able to use social media for recruiting, issuing threats and posting killings. As recently as Tuesday, a group that identified itself as the 'CyberCaliphate' hacked into Newsweek's Twitter account to promote its propaganda.

TheHackerNews.com said Anonymous released more than 100 social media accounts that they identified as Islamic militants. These accounts were posted by Anonymous on a Pastebin link, DazedDigital.com reported.

"We will hunt you, take down your sites, accounts, emails and expose you," the group said on YouTube. "From now on, there [will be] no safe place for you online - you will be treated like a virus, and we are the cure. We own the internet."

To be sure, any perceived vulnerability, especially with the threat of exposing identities, would be a major problem for militants to connect with potential recruits. Anonymous, which has staged cyberattacks on governments and businesses, finds itself in the unusual position of positive media coverage. News of the hack was featured on the front page of The Sun, with the headline, "The Digilantes."

The hacking appeared to get under the skin of at least one ISIS sympathizer who threatened to kill members of Anonymous if the group proceeds, The International Business Times reported.

The ramifications of the hack remain as unclear as the hackers themselves. Hackers say they exposed or destroyed nearly 800 Twitter accounts, 12 Facebook pages and over 50 email addresses linked with the terrorist organization. A total of 1,500 accounts hackers linked to terror groups have been hacked in total.

The hackers identified themselves as a multi-ethnic group consisting of Muslims, Christians and Jews. "We are students, administrators, workers, clerks, unemployed, rich, poor. We are young, or old, gay or straight. We wear smart clothes or Uggs. We come from all races, countries, religions, and ethnicity. United as one, divided by zero. We are Anonymous."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 15 16:23:06 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 15 Feb 2015 17:23:06 -0500
Subject: [Infowarrior] - Bank Hackers Steal Millions via Malware
Message-ID: <7C774CE9-A2E2-49C6-BF7F-C36F1922BFCB@infowarrior.org>

(c/o geer)

Bank Hackers Steal Millions via Malware
By DAVID E. SANGER and NICOLE PERLROTH, FEB. 14, 2015
http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 15 16:23:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 15 Feb 2015 17:23:12 -0500
Subject: [Infowarrior] - Megaupload programmer pleads guilty, sentenced to a year in prison
Message-ID: <9F108FD8-293C-4204-B9B2-1F449D6B72C6@infowarrior.org>

(c/o ajr)

Megaupload programmer pleads guilty, sentenced to a year in prison
Andrus Nõmm "was aware that copyright-infringing content was stored" on-site.
by Cyrus Farivar - Feb 13 2015, 2:21pm EST
http://arstechnica.com/tech-policy/2015/02/megaupload-programmer-pleads-guilty-sentenced-to-a-year-in-prison/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 16 14:46:31 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 16 Feb 2015 15:46:31 -0500
Subject: [Infowarrior] - Russian researchers expose breakthrough U.S. spying program
Message-ID: <9CB79F47-7625-4079-B10F-5DA380319B5C@infowarrior.org>

Russian researchers expose breakthrough U.S. spying program
By Joseph Menn, SAN FRANCISCO, Mon Feb 16, 2015 3:08pm EST
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216

(Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines declined to comment.

Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001. (bit.ly/17bPUUe)

The disclosure could further hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of U.S. technology products abroad.

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

TECHNOLOGICAL BREAKTHROUGH

According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.

GETTING THE SOURCE CODE

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.

It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA. Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.

"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."

Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas. The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 18 07:03:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 18 Feb 2015 08:03:12 -0500
Subject: [Infowarrior] - Terror Inc.: How the Islamic State became a branding behemoth
Message-ID: <5B8C7DFB-26BB-452B-AA69-C7F983578318@infowarrior.org>

(Part of me wants to respond "let's not go blaming technology again" as I read this, but the article overall raises some fair issues. --rick)

Terror Inc.: How the Islamic State became a branding behemoth
With Vines, tweets and listicles, IS spreads its hateful message. Can the West find a way to fight back?
By Alyssa Bereznak, 3 hours ago, Yahoo News
http://news.yahoo.com/terror-inc---how-the-islamic-state-became-a-branding-behemoth-034732792.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 18 07:04:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 18 Feb 2015 08:04:41 -0500
Subject: [Infowarrior] - Scientists have discovered nature's newest, strongest material
Message-ID: <1D7DC0FC-E286-4D5C-9B04-D65B0CB09DED@infowarrior.org>

Scientists have discovered nature's newest, strongest material
http://www.washingtonpost.com/news/morning-mix/wp/2015/02/18/scientists-have-discovered-natures-newest-strongest-material-and-it-comes-from-a-sea-snail/?tid=hp_mm

-- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 18 15:09:44 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 18 Feb 2015 16:09:44 -0500 Subject: [Infowarrior] - AG Nominee tapdances around Aaron Swartz Message-ID: Nominee For Attorney General Tap Dances Around Senator Franken's Question About Aaron Swartz https://www.techdirt.com/articles/20150217/11185730056/nominee-attorney-general-tap-dances-around-senator-frankens-question-about-aaron-swartz.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Feb 18 15:09:48 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 18 Feb 2015 16:09:48 -0500 Subject: [Infowarrior] - What is HTTP/2 and is it going to speed up the web? Message-ID: <34019B37-8343-400F-9A5F-7CC4BFA703D9@infowarrior.org> What is HTTP/2 and is it going to speed up the web? Biggest change to how the web works since 1999 should make browsing on desktop and mobile faster Samuel Gibbs Wednesday 18 February 2015 10.10 EST http://www.theguardian.com/technology/2015/feb/18/http2-speed-up-web-browsing-desktop-mobile The web is about to get faster thanks to a new version of HTTP ? the biggest change since 1999 to the protocol that underpins the world wide web as we know it today. Hypertext Transfer Protocol is familiar to most as the http:// at the beginning of a web address. It governs the connections between a user?s browser and the server hosting a website, invented by the father of the web Sir Tim Berners-Lee. What is HTTP/2? HTTP/2 is the next version of HTTP and is based on Google?s SPDY, which was designed to speed up the loading of web pages and the browsing experience. It is a new standard and will take over from the current protocol HTTP1.1 used by most sites on the internet today. What?s the difference? HTTP/2 is a more modern protocol that essentially speeds web browsing up using new ways of transporting data between the browser and server across the internet. 
It is backwards compatible with HTTP1.1 and uses most of the same technologies, but it is more efficient and allows servers to respond with more content than was originally requested, removing the need for the user?s computer to continually send requests for more information until a website is fully loaded. Browsers can also request more than one piece of data at a time from one site and request data from several websites at once, again speeding up the process of loading single or multiple websites. Will I actually see a difference? Yes. Web pages will load much quicker compared to those using HTTP1.1. High-speed broadband internet connections already mean web pages load much faster, but the new protocol will allow webpages and browsers to take advantage of the increased bandwidth. Modern sites that have lots of images, text and data could load dramatically faster at first, although caching on a computer means that the benefits won?t be so obvious after the first loading of the site. The new protocol will also speed up mobile browsing, which is often held back by the extended time it takes for a request to travel from a smartphone or tablet to the website server over a mobile broadband connection. Allowing the mobile browser to request more than one item at the same time should cut load times considerably. Will I have to do anything? No. From the user?s point of view nothing changes other than the speed. The address bar will still show http://, if at all, and the browser will automatically switch between HTTP1.1 and HTTP/2 as required. Google Chrome users have been using SPDY protocols with Google services and a few other websites for the last two years and probably haven?t noticed. What about HTTPS? The secure version of the web used by banks, shops, email and other services will remain the same. HTTP/2 has full support for encryption in the same way HTTP1.1 does, and will not change the way users access secure services. 
HTTP/2 requires an improved version of the transport layer security (TLS1.2), which was standardised in 2008 and offers better security than previous versions and should already be used by the majority of services. When will I see it? The HTTP/2 standard has now formally been approved by the Internet Engineering Task Force and will be published soon. At that point it is up to websites, hosting services and companies such as Google to implement the standard. Google has already said that it?s current SPDY protocol will be withdrawn in favour of HTTP/2 in Chrome by early 2016. It is likely that we?ll see high profile websites and services, including those who have implemented SPDY ? including Google, Twitter, Facebook, Wordpress and Yahoo ? in the near future. -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Feb 18 15:18:43 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 18 Feb 2015 16:18:43 -0500 Subject: [Infowarrior] - Google warns of US government 'hacking any facility' in the world Message-ID: <362360C8-3D32-45EF-AF1E-F9E15DEBBDA2@infowarrior.org> Google warns of US government 'hacking any facility' in the world Ed Pilkington in New York Google says increasing the FBI?s powers set out in search warrants would raise ?monumental? legal concerns that should be decided by Congress Wednesday 18 February 2015 12.17 EST Last modified on Wednesday 18 February 2015 12.58 EST http://www.theguardian.com/technology/2015/feb/18/google-warns-government-hacking-committee-hearing Google is boldly opposing an attempt by the US Justice Department to expand federal powers to search and seize digital data, warning that the changes would open the door to US ?government hacking of any facility? in the world. 
In a strongly worded submission to the Washington committee that is considering the proposed changes, Google says that increasing the FBI?s powers set out in search warrants would raise ?monumental and highly complex constitutional, legal and geopolitical concerns that should be left to Congress to decide?. The search giant warns that under updated proposals, FBI agents would be able to carry out covert raids on servers no matter where they were situated, giving the US government unfettered global access to vast amounts of private information. In particular, Google sounds the alarm over the FBI?s desire to ?remotely? search computers that have concealed their location ? either through encryption or by obscuring their IP addresses using anonymity services such as Tor. Those government searches, Google says, ?may take place anywhere in the world. This concern is not theoretical. ... [T]he nature of today?s technology is such that warrants issued under the proposed amendment will in many cases end up authorizing the government to conduct searches outside the United States.? Google raised its objections as part of a public consultation that ended on Tuesday. Its submission, and 37 others made by interested parties, will be considered by the Advisory Committee on Criminal Rules, an obscure but powerful Washington body consisting mainly of judges that has responsibility over federal rules including those governing the actions of the FBI. Federal agents wishing to search a property have to apply to a judge for a warrant to do so. Under existing rules, known as Rule 41, the authorizing judge has to be located in the same district as the property to be searched. But the Justice Department argues that in the modern computer age, such an arrangement no longer works. It is calling for the scope of warrants to be widened so that FBI agents can search property ? in this case computers ? outside the judge?s district. 
The FBI argues that this new power would be essential in investigations where suspects have concealed the location of their computer networks. A comment to the committee from a coalition of prosecutors, the National Association of Assistant US Attorneys, said that "suspects are increasingly using sophisticated anonymizing technologies and proxy services designed to hide their true IP addresses. This creates significant difficulties for law enforcement to identify the district in which the electronic information is located." The Justice Department itself has tried to assuage anxieties about its proposed amendment. In its comment to the committee, DoJ officials say that federal agents would only request the new type of warrants where there was "probable cause to search for or seize evidence, fruits, or instrumentalities of crime". But civil liberties and legal groups remain unconvinced, insisting that the language is so vaguely worded that it would have draconian and global implications. In its submission, the American Civil Liberties Union said that the proposed changes could violate the fourth amendment of the US constitution, which bans unreasonable searches and seizures. The ACLU's principal technologist, Christopher Soghoian, said: "The government is seeking a troubling expansion of its power to surreptitiously hack into computers, including using malware. Although this proposal is cloaked in the garb of a minor procedural update, in reality it would be a major and substantive change that would be better addressed by Congress." The FBI has been developing its computer surveillance techniques over almost 15 years. It now regularly uses "network investigative techniques", or NITs, to implant malware software onto target devices that in effect allow agents to control the machine - they can turn on or off cameras and recording equipment, download the entire database of information and gain access to other linked computers.
Google argues such tactics run the risk of the private information of innocent third parties being hoovered up in a massive data sweep. Recent high-profile hacks such as the breach of Sony Pictures, which the FBI blamed on North Korea, have highlighted global cybersecurity as a growing area of importance for the Obama administration. But the US government now stands accused of trying to acquire the ability to carry out routine extra-territorial hacking raids that it has accused other countries of conducting. Google contends that by doing so, the US government risks undermining diplomatic arrangements it has built up with other countries over many years that allow cross-border investigations to take place with the approval of all parties. "The US has long recognized the sovereignty of nations," the company says in its submission, quoting legal authorities that say that in the absence of a treaty or other national agreement, "the jurisdiction of law enforcement agents does not extend beyond a nation's borders". In October, FBI director James Comey gave remarks - widely derided by privacy watchers and tech-industry officials - in which he said "encryption threatens to lead us all to a very, very dark place". Comey asked: "Have we become so mistrustful of government and law enforcement in particular that we are willing to let bad guys walk away, willing to leave victims in search of justice?" -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Feb 18 17:03:51 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 18 Feb 2015 18:03:51 -0500 Subject: [Infowarrior] - White House Names DJ Patil as the First US Chief Data Scientist Message-ID: <1F89949D-AA64-47B2-9051-86FD10AD83C4@infowarrior.org> White House Names DJ Patil as the First US Chief Data Scientist By Jessi Hempel, 02.18.15, 4:35 pm
http://www.wired.com/2015/02/white-house-names-dj-patil-first-us-chief-data-scientist/ It's finally official: The White House has named DJ Patil its first ever Chief Data Scientist and Deputy Chief Technology Officer for Data Policy. Yes, that's a mouthful. Even as an acronym, Patil's new title is ten letters long: CDSaDCTODT. But the gist is that Patil - who has worked inside several big-name Silicon Valley operations, including LinkedIn, eBay, PayPal, Skype, and venture capital firm Greylock Partners - will now act as an evangelist for new applications of big data across all areas of government, with a particular focus on healthcare. President Obama recruited him personally, and Patil will work in the Office of Science and Technology Policy, reporting to US Chief Technology Officer Megan Smith. He joins a growing number of technology executives defecting to Washington to apply their tech smarts to government. Earlier this month, Obama appointed former VMWare executive Tony Scott as the country's chief information officer, responsible for modernizing and improving the country's tech tools. And former US Chief Technology Officer Todd Park is leading a Silicon Valley-based effort to recruit top talent to help the federal government to overhaul its IT. There is arguably no one better suited to help the country better embrace the relatively new discipline of data science than Patil. He is often credited with coining the term. In 2012, he co-authored the Harvard Business Review article that called out "data scientist" as the sexiest job of the 21st century. At the time, he was the data-scientist-in-residence at Greylock Partners, where he shared with me his life's mantra: "If you can't measure it, you can't fix it." Over the course of two decades of work in the private and public sectors and in academia, Patil has pioneered new ways for institutions to benefit from data.
As a doctoral student and faculty member at the University of Maryland, Patil used open datasets to improve weather forecasting. He worked briefly for the Department of Defense, advising on efforts to use social network analysis, for example, to anticipate emerging threats to the United States. Most recently, he was the vice president of product at enterprise software company RelateIQ, which was acquired by Salesforce last July. Patil is moving his family to Washington where he'll play a role in helping the United States government maximize its investments in big data and advise on policy issues and technology practices. And like his tech peers, he'll be recruiting others to the cause. Patil will also be devoting time to the Administration's Precision Medicine Initiative, which focuses on giving clinicians new tools, knowledge, and therapies to select which treatments will work best for which patients, while protecting patient privacy. Patil will have more details on his new role tomorrow when he speaks at the Lollapalooza of big data conferences, the Strata + Hadoop World event put on by O'Reilly Media and Cloudera, in San Jose. -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Feb 18 17:14:53 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 18 Feb 2015 18:14:53 -0500 Subject: [Infowarrior] - We don't need more STEM majors. We need more STEM majors with liberal arts training. Message-ID: <30C477F0-748C-431E-A92E-C04F18FA536B@infowarrior.org> (I agree 110% with the sentiment in this op-ed. - rick) We don't need more STEM majors. We need more STEM majors with liberal arts training. Loretta Jackson-Hayes February 18 at 6:00 AM Dr. Loretta Jackson-Hayes is an associate professor of chemistry at Rhodes College in Memphis.
In business and at every level of government, we hear how important it is to graduate more students majoring in science, technology, engineering and math, as our nation's competitiveness depends on it. The Obama administration has set a goal of increasing STEM graduates by one million by 2022, and the "desperate need" for more STEM students makes regular headlines. The emphasis on bolstering STEM participation comes in tandem with bleak news about the liberal arts - bad job prospects, programs being cut, too many humanities majors. As a chemist, I agree that remaining competitive in the sciences is a critical issue. But as an instructor, I also think that if American STEM grads are going to lead the world in innovation, then their science education cannot be divorced from the liberal arts. Our culture has drawn an artificial line between art and science, one that did not exist for innovators like Leonardo da Vinci and Steve Jobs. Leonardo's curiosity and passion for painting, writing, engineering and biology helped him triumph in both art and science; his study of anatomy and dissections of corpses enabled his incredible drawings of the human figure. When introducing the iPad 2, Jobs, who dropped out of college but continued to audit calligraphy classes, declared: "It's in Apple's DNA that technology alone is not enough - it's technology married with liberal arts, married with the humanities, that yields us the result that makes our heart sing." (Indeed, one of Apple's scientists, Steve Perlman, was inspired to invent the QuickTime multimedia program by an episode of "Star Trek.") Carly Fiorina, former CEO of Hewlett-Packard, credits her degree in philosophy and medieval history in helping her be the first woman to lead a high-tech Fortune 20 corporation. "If you go into a setting and everybody thinks alike, it's easy," she has said. "But you will probably get the wrong answer."
I became a chemistry professor by working side-by-side at the bench with a number of mentors, and the scholar/mentor relationships I've enjoyed were a critical aspect of my science education. And it is the centerpiece of a college experience within the liberal arts environment. For me, it was the key that unlocked true learning, and for my students, it has made them better scientists and better equipped to communicate their work to the public. Like apprentices to a painter, my students sit with me and plan experiments. We gather and review data and determine the next questions to address. After two to three years of direct mentoring, students develop the ability to interpret results on their own, describe how findings advance knowledge, generate ideas for subsequent experiments and plan these experiments themselves. Seniors train new students in the lab, helping them learn gene recombination techniques that depend on accurate calculations and precise delivery of reagents. Put simply, a microliter-scale mistake can spell disaster for an experiment that took days to complete. And while my students work on these sensitive projects, they often offer creative and innovative approaches. To reduce calculation errors, one of my students wrote a user-friendly computer program to automatically measure replicate volumes. He did this by drawing on programming skills he learned in a computer science course he took for fun. Young people stuck exclusively in chemistry lecture halls will not evolve the same way. A scientist trained in the liberal arts has another huge advantage: writing ability. The study of writing and analyses of texts equip science students to communicate their findings as professionals in the field. My students accompany me to conferences, where they do the talking. They write portions of articles for publications and are true co-authors by virtue of their contributions to both the experiments and the writing.
Scientists are often unable to communicate effectively because, as Cornell University president David J. Skorton points out, "many of us never received the education in the humanities or social sciences that would allow us to explain to nonscientists what we do and why it is important." To innovate is to introduce change. While STEM workers can certainly drive innovation through science alone, imagine how much more innovative students and employees could be if the pool of knowledge from which they draw is wider and deeper. That occurs as the result of a liberal arts education. Many in government and business publicly question the value of such an education. Yet employers in every sector continue to scoop up my students because of their ability to apply cross-disciplinary thinking to an incredibly complex world. They like my chemistry grads because not only can they find their way around a laboratory, but they're also nimble thinkers who know to consider chemistry's impact on society and the environment. Some medical schools have also caught on to this. The University of Pennsylvania School of Medicine has been admitting an increasing number of applicants with backgrounds in the humanities for the past 20 years. "It doesn't make you a better doctor to know how fast a mass falls from a tree," Gail Morris, head of the school's admissions, told Newsweek. "We need whole people." By all means, let's grow our STEM graduates as aggressively as possible. But let's make sure they also have that all-important grounding in the liberal arts. We can have both. -- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 18 20:05:14 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 18 Feb 2015 21:05:14 -0500 Subject: [Infowarrior] - America's Cyber Espionage Project Isn't About Defense. It's About Waging War Message-ID: <30FA3DD3-735A-44EA-A50C-95AFDAECEF02@infowarrior.org> America's Cyber Espionage Project Isn't About Defense. It's About Waging War By Kevin Poulsen, 02.18.15, 8:40 pm http://www.wired.com/2015/02/americas-cyber-espionage-project-isnt-defense-waging-war/ "What we really need is a Manhattan Project for cybersecurity." It's a sentiment that swells up every few years in the wake of some huge computer intrusion - most recently the Sony and Anthem hacks. The invocation of the legendary program that spawned the atomic bomb is telling. The Manhattan Project is America's go-to shorthand for our deep conviction that if we gather the smartest scientists together and give them billions of dollars and a sense of urgency, we can achieve what otherwise would be impossible. A Google search on "cyber Manhattan Project" brings up results from as far back as 1997 - it's second only to "electronic Pearl Harbor" in computer-themed World War II allusions. In a much-circulated post on Medium last month, futurist Marc Goodman sets out what such a project would accomplish. "This Manhattan Project would help generate the associated tools we need to protect ourselves, including more robust, secure, and privacy-enhanced operating systems," Goodman writes. "Through its research, it would also design and produce software and hardware that were self-healing and vastly more resistant to attack and resilient to failure than anything available today." These arguments have so far not swayed a sitting American president. Sure, President Obama mentioned cybersecurity at the State of the Union, but his proposal not only doesn't boost security research and development, it potentially criminalizes it.
At the White House's cybersecurity summit last week, Obama told Silicon Valley bigwigs that he understood the hacking problem well - "We all know what we need to do. We have to build stronger defenses and disrupt more attacks" - but his prescription this time was a tepid executive order aimed at improving information sharing between the government and industry. Those hoping for something more Rooseveltian must have been disappointed. On Monday, we finally learned the truth of it. America already has a computer security Manhattan Project. We've had it since at least 2001. Like the original, it has been highly classified, spawned huge technological advances in secret, and drawn some of the best minds in the country. We didn't recognize it before because the project is not aimed at defense, as advocates hoped. Instead, like the original, America's cyber Manhattan Project is purely offensive. This revelation came by way of the Russia-based anti-virus company Kaspersky. At a conference in Cancun this week, Kaspersky researchers detailed the activities of a computer espionage outfit it calls the "Equation Group," which, we can fairly surmise from previous leaks, is actually the NSA's Tailored Access Operations unit. NSA's cyber capabilities have been broadly known since the German news magazine Der Spiegel published a leaked 50-page catalog of NSA spy gear and malware in late 2013. But the one-page catalog descriptions didn't convey the full flavor of the NSA's technology. For that, somebody had to actually get their hands on that technology - capture it in the wild - and take it apart piece by piece, which is what Kaspersky did. The result is impressive. The company has linked six different families of malware - "implants," as the NSA calls them - to the Equation Group, the oldest of which has been kicking around since 2001. The malware has stayed below the radar in part because the NSA deploys it in limited, cautious stages.
In the first stage, the agency might compromise a web forum or an ad network and use it to serve a simple "validator" backdoor to potential targets. That validator checks every newly infected computer to see if it's of interest to the NSA. If not, it quietly removes itself, and nobody is the wiser. Only if the computer is a target of interest to the NSA does the validator take the next step and load a more sophisticated implant from a stealth NSA website like suddenplot.com or technicalconsumerreports.com. That's where it gets interesting. The top tier of NSA malware discovered by Kaspersky is a generation ahead of anything previously reported in the wild. It uses a well-engineered piece of software called a bootkit to control the operating system from the ground up. It hides itself encrypted in the Windows registry, so that anti-virus software can't find it on the computer's disk. It carves out its own virtual file system on your machine to store data for exfiltration. There are update mechanisms, dozens of plug-ins, a self-destruct function, massive code obfuscation, hundreds of fake websites to serve as command-and-control. One of the NSA's malware plug-ins can even reprogram your hard drive's firmware, allowing the implant to survive a complete disk wipe - a feat that's been demonstrated by computer scientists under laboratory conditions but never before seen in the wild. "The group is unique almost in every aspect of their activities," Kaspersky concludes. "They use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data, and hide activity in an outstandingly professional way." If you combine Kaspersky's malware analysis with the Snowden revelations, you start to see just how strong a position the US has on the chess board of cyber espionage, and how hard it has worked to get there.
Other countries use computer intrusion for spying, but not with the NSA's $10 billion budget, and no public analysis of Chinese or Russian attacks has ever found a capability comparable to the Equation Group's. The US has made the strategic choice to put its resources into engineering better attack tools and an infrastructure to support them. In a way it's a smart choice. It's a truism that the cyber battlefield is asymmetric - a defender has to get it right every time, while an attacker only has to succeed once. If the US spends a billion dollars in cyber defense, it will still be vulnerable. But spend it on cyber attack, and you get the most advanced computer espionage and sabotage tools that history has ever seen. It all makes sense in a 1970s Rand-Corporation-nuclear-game-theory kind of way. But we can stop pretending now that the government is ever going to have a "Manhattan Project" that improves the state of the art in computer defense. That would undermine the very attack system it has spent billions of dollars and a decade-and-a-half building. Despite the popular can-do appeal, a defensive Manhattan Project isn't just unlikely. It's a moon shot. -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Feb 19 06:30:27 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 19 Feb 2015 07:30:27 -0500 Subject: [Infowarrior] - The James Risen case and Eric Holder's tarnished press freedom legacy Message-ID: <062A7B97-4207-44F1-A0CC-9C329400DF38@infowarrior.org> The James Risen case and Eric Holder's tarnished press freedom legacy By Trevor Timm at 3:51 pm Wed, Feb 18, 2015 http://boingboing.net/2015/02/18/the-james-risen-case-and-eric.html -- It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 19 11:04:45 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 19 Feb 2015 12:04:45 -0500 Subject: [Infowarrior] - Lenovo's tone-deaf Superfish statement Message-ID: <7B2C9663-A2EE-41B0-A7E5-A314B209ABB0@infowarrior.org> Lenovo honestly thought you'd enjoy that Superfish HTTPS spyware http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/ -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Feb 19 16:44:47 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 19 Feb 2015 17:44:47 -0500 Subject: [Infowarrior] - The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle Message-ID: <04D58B41-F879-4222-974B-A7C96EDC0892@infowarrior.org> The Great SIM Heist How Spies Stole the Keys to the Encryption Castle By Jeremy Scahill and Josh Begley (@jeremyscahill, @joshbegley) Today at 2:25 PM AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data. The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world.
The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania. In all, Gemalto produces some 2 billion SIM cards a year. Its motto is "Security to be Free." With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider's network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt. As part of the covert operations against Gemalto, spies from GCHQ - with support from the NSA - mined the private communications of unwitting engineers and other company employees in multiple countries. Gemalto was totally oblivious to the penetration of its systems - and the spying on its employees. "I'm disturbed, quite concerned that this has happened," Paul Beverly, a Gemalto executive vice president, told The Intercept. "The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again, and also to make sure that there's no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers." He added that "the most important thing for us now is to understand the degree" of the breach. Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment.
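The reason bulk key theft unlocks traffic recorded long before the theft is the absence of forward secrecy: the per-call session key is derived from the long-term key on the SIM and a challenge the network sends in the clear, so whoever later obtains the SIM key can re-derive every session key from a recording. The Python model below is an added illustration, not code from The Intercept or from Gemalto, and it does not reproduce the real GSM/3G algorithms (A3/A8, COMP128, MILENAGE); it uses an HMAC-SHA256 stand-in for the key derivation and cipher and a deliberately tiny Diffie-Hellman group to contrast the static derivation, where a passive eavesdropper holding Ki recovers the plaintext, with a hypothetical variant that mixes an ephemeral secret into the session key, where the same eavesdropper does not. The key and the message are constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the ephemeral variant. Assumption for this
# illustration only: a 127-bit Mersenne prime is far too small for real use.
P = 2**127 - 1
G = 2


def derive_session_key(ki: bytes, rand: bytes, extra: bytes = b"") -> bytes:
    """Stand-in for the A8 step: session key Kc from the long-term key Ki, the
    network's challenge RAND and an optional extra secret. Real GSM uses the
    COMP128 family, not HMAC-SHA256; the dependency structure is what matters."""
    return hmac.new(ki, b"A8|" + rand + extra, hashlib.sha256).digest()


def keystream(kc: bytes, length: int) -> bytes:
    """Counter-mode keystream from Kc (stand-in for the A5/x stream cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(kc, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_cipher(kc: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(kc, len(data))))


def static_session(ki: bytes, plaintext: bytes) -> tuple:
    """GSM-style session: RAND crosses the air in the clear, Kc = f(Ki, RAND).
    The return value is exactly what a passive interceptor can record."""
    rand = secrets.token_bytes(16)
    kc = derive_session_key(ki, rand)
    return rand, xor_cipher(kc, plaintext)


def attacker_with_ki_static(ki: bytes, recording: tuple) -> bytes:
    """Holder of the stolen Ki re-derives Kc from the recorded RAND and decrypts,
    even if the recording was made years before the key was stolen."""
    rand, ciphertext = recording
    return xor_cipher(derive_session_key(ki, rand), ciphertext)


def ephemeral_session(ki: bytes, plaintext: bytes) -> tuple:
    """Hypothetical variant: both sides also exchange fresh DH public values and
    mix the shared secret into Kc. A and B are visible on the air; the private
    exponents a and b exist only for the duration of the session."""
    rand = secrets.token_bytes(16)
    a = secrets.randbelow(P - 2) + 1          # phone's ephemeral secret
    b = secrets.randbelow(P - 2) + 1          # network's ephemeral secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P).to_bytes(16, "big")
    kc = derive_session_key(ki, rand, shared)
    return rand, pub_a, pub_b, xor_cipher(kc, plaintext)


def attacker_with_ki_ephemeral(ki: bytes, recording: tuple) -> bytes:
    """Same attacker, same stolen Ki, but without a or b it cannot form `shared`;
    the best it can do is the static derivation, which yields the wrong key."""
    rand, _pub_a, _pub_b, ciphertext = recording
    return xor_cipher(derive_session_key(ki, rand), ciphertext)


if __name__ == "__main__":
    ki = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed Ki
    msg = b"call setup: +1 555 0100 -> +1 555 0199"          # constructed payload
    print(attacker_with_ki_static(ki, static_session(ki, msg)) == msg)        # True
    print(attacker_with_ki_ephemeral(ki, ephemeral_session(ki, msg)) == msg)  # False
```

The contrast is only about passive, after-the-fact decryption, which is the capability the article describes. An adversary holding Ki could still run an active attack against the ephemeral variant by impersonating the network unless the DH values are authenticated, and real GSM and UMTS have no such exchange at all, which is why a one-time theft of keys at the manufacturer pays off against every recording made with those SIMs.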
"Once you have the keys, decrypting traffic is trivial," says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. "The news of this key theft will send a shock wave through the security community." < - > https://firstlook.org/theintercept/2015/02/19/great-sim-heist/ -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Feb 20 06:10:24 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 20 Feb 2015 07:10:24 -0500 Subject: [Infowarrior] - OT: Oliver Sacks, My Own Life Message-ID: My Own Life Oliver Sacks on Learning He Has Terminal Cancer By OLIVER SACKS, FEB. 19, 2015 Oliver Sacks, a professor of neurology at the New York University School of Medicine, is the author of many books, including "Awakenings" and "The Man Who Mistook His Wife for a Hat." http://www.nytimes.com/2015/02/19/opinion/oliver-sacks-on-learning-he-has-terminal-cancer.html A MONTH ago, I felt that I was in good health, even robust health. At 81, I still swim a mile a day. But my luck has run out - a few weeks ago I learned that I have multiple metastases in the liver. Nine years ago it was discovered that I had a rare tumor of the eye, an ocular melanoma. Although the radiation and lasering to remove the tumor ultimately left me blind in that eye, only in very rare cases do such tumors metastasize. I am among the unlucky 2 percent. I feel grateful that I have been granted nine years of good health and productivity since the original diagnosis, but now I am face to face with dying. The cancer occupies a third of my liver, and though its advance may be slowed, this particular sort of cancer cannot be halted. It is up to me now to choose how to live out the months that remain to me. I have to live in the richest, deepest, most productive way I can.
In this I am encouraged by the words of one of my favorite philosophers, David Hume, who, upon learning that he was mortally ill at age 65, wrote a short autobiography in a single day in April of 1776. He titled it "My Own Life." "I now reckon upon a speedy dissolution," he wrote. "I have suffered very little pain from my disorder; and what is more strange, have, notwithstanding the great decline of my person, never suffered a moment's abatement of my spirits. I possess the same ardour as ever in study, and the same gaiety in company." I have been lucky enough to live past 80, and the 15 years allotted to me beyond Hume's three score and five have been equally rich in work and love. In that time, I have published five books and completed an autobiography (rather longer than Hume's few pages) to be published this spring; I have several other books nearly finished. Hume continued, "I am ... a man of mild dispositions, of command of temper, of an open, social, and cheerful humour, capable of attachment, but little susceptible of enmity, and of great moderation in all my passions." Here I depart from Hume. While I have enjoyed loving relationships and friendships and have no real enmities, I cannot say (nor would anyone who knows me say) that I am a man of mild dispositions. On the contrary, I am a man of vehement disposition, with violent enthusiasms, and extreme immoderation in all my passions. And yet, one line from Hume's essay strikes me as especially true: "It is difficult," he wrote, "to be more detached from life than I am at present." Over the last few days, I have been able to see my life as from a great altitude, as a sort of landscape, and with a deepening sense of the connection of all its parts. This does not mean I am finished with life.
On the contrary, I feel intensely alive, and I want and hope in the time that remains to deepen my friendships, to say farewell to those I love, to write more, to travel if I have the strength, to achieve new levels of understanding and insight. This will involve audacity, clarity and plain speaking; trying to straighten my accounts with the world. But there will be time, too, for some fun (and even some silliness, as well). I feel a sudden clear focus and perspective. There is no time for anything inessential. I must focus on myself, my work and my friends. I shall no longer look at "NewsHour" every night. I shall no longer pay any attention to politics or arguments about global warming. This is not indifference but detachment - I still care deeply about the Middle East, about global warming, about growing inequality, but these are no longer my business; they belong to the future. I rejoice when I meet gifted young people - even the one who biopsied and diagnosed my metastases. I feel the future is in good hands. I have been increasingly conscious, for the last 10 years or so, of deaths among my contemporaries. My generation is on the way out, and each death I have felt as an abruption, a tearing away of part of myself. There will be no one like us when we are gone, but then there is no one like anyone else, ever. When people die, they cannot be replaced. They leave holes that cannot be filled, for it is the fate - the genetic and neural fate - of every human being to be a unique individual, to find his own path, to live his own life, to die his own death. I cannot pretend I am without fear. But my predominant feeling is one of gratitude. I have loved and been loved; I have been given much and I have given something in return; I have read and traveled and thought and written. I have had an intercourse with the world, the special intercourse of writers and readers.
Above all, I have been a sentient being, a thinking animal, on this beautiful planet, and that in itself has been an enormous privilege and adventure. A version of this op-ed appears in print on February 19, 2015, on page A25 of the New York edition with the headline: My Own Life. -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Feb 20 08:08:48 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 20 Feb 2015 09:08:48 -0500 Subject: [Infowarrior] - More on the Lenovo and Superfish fiasco Message-ID: Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish... While Superfish Says 'No Consumers Vulnerable' https://www.techdirt.com/articles/20150219/16143030074/lenovo-quietly-deletes-that-bit-about-no-security-concerns-to-superfish-while-superfish-says-no-consumers-vulnerable.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Feb 20 09:18:58 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 20 Feb 2015 10:18:58 -0500 Subject: [Infowarrior] - OT: 10 Insane Things We Believe On Wall Street Message-ID: <04EB4E2E-EC2E-4CD9-91C5-26D1D0D0311B@infowarrior.org> 10 Insane Things We Believe On Wall Street by Downtown Josh Brown - February 20th, 2015, 9:30am http://www.ritholtz.com/blog/2015/02/10-insane-things-we-believe-on-wall-street/ To outsiders, Wall Street is a manic, dangerous and ridiculous republic unto itself - a sort of bizarro world where nothing adds up and common sense is virtually inapplicable. Consider the following insane things that we believe on Wall Street, that make no sense whatsoever in the real world: 1. Falling gas and home heating prices are a bad thing 2. Layoffs are great news, the more the better 3. Billionaires from Greenwich, CT can understand the customers of JC Penney, Olive Garden, K-Mart and Sears 4. A company is plagued by the fact that it holds over $100 billion in cash 5.
Some companies have to earn a specific profit -- to the penny -- every quarter but others shouldn't dare even think about profits
6. Wars, weather, fashion trends and elections can be reliably predicted
7. It's reasonable for the value of a business to fluctuate by 5 to 10 percent within every eight hour period
8. It's possible to guess the amount of people who will get or lose a job each month in a nation of 300 million
9. The person who leads a company is worth 400 times more than the average person who works there
10. A company selling 10 million cars a year is worth $50 billion, but another company selling 40,000 cars a year is worth $30 billion because it's growing faster

Away from Wall Street, no one believes in any of this stuff. It's inconceivable. On Wall Street, these are core tenets of our collective philosophy. No wonder everyone else thinks we're insane.

From rforno at infowarrior.org Fri Feb 20 14:03:58 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 20 Feb 2015 15:03:58 -0500
Subject: [Infowarrior] - FreeBSD random number generator broken
Message-ID: <252882E8-AFFE-4563-B634-C8FD225A9838@infowarrior.org>

(c/o DOD)

The FreeBSD RNG has been non-functional for 4 months. Affected users probably already know about this, but just in case people should 1) upgrade their kernel then 2) rev their keys. Info below.

https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html
https://lists.freebsd.org/pipermail/freebsd-current/2015-February/thread.html#54580

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 22 08:34:32 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 22 Feb 2015 09:34:32 -0500
Subject: [Infowarrior] - Spies Can Track You Just by Watching Your Phone's Power Use
Message-ID: <11EE76B5-5AA0-4E09-901A-561FD775494F@infowarrior.org>

Spies Can Track You Just by Watching Your Phone's Power Use
By Andy Greenberg | 02.19.15 |
8:45 pm
http://www.wired.com/2015/02/powerspy-phone-tracking/

Smartphone users might balk at letting a random app like Candy Crush or Shazam track their every move via GPS. But researchers have found that Android phones reveal information about your location to every app on your device through a different, unlikely data leak: the phone's power consumption.

Researchers at Stanford University and Israel's defense research group Rafael have created a technique they call PowerSpy, which they say can gather information about an Android phone's geolocation merely by tracking its power use over time. That data, unlike GPS or Wi-Fi location tracking, is freely available to any installed app without a requirement to ask the user's permission. That means it could represent a new method of stealthily determining a user's movements with as much as 90 percent accuracy -- though for now the method only really works when trying to differentiate between a certain number of pre-measured routes.

Spies might trick a surveillance target into downloading a specific app that uses the PowerSpy technique, or less malicious app makers could use its location tracking for advertising purposes, says Yan Michalevsky, one of the Stanford researchers. "You could install an application like Angry Birds that communicates over the network but doesn't ask for any location permissions," says Michalevsky. "It gathers information and sends it back to me to track you in real time, to understand what routes you've taken when you drove your car or to know exactly where you are on the route. And it does it all just by reading power consumption."

PowerSpy takes advantage of the fact that a phone's cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal.
That correlation between battery use and variables like environmental conditions and cell tower distance is strong enough that momentary power drains like a phone conversation or the use of another power-hungry app can be filtered out, Michalevsky says. One of the machine-learning tricks the researchers used to detect that "noise" is a focus on longer-term trends in the phone's power use rather than those that last just a few seconds or minutes. "A sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise," the researchers write. "We show that measuring the phone's aggregate power consumption over time completely reveals the phone's location and movement."

Even so, PowerSpy has a major limitation: It requires that the snooper pre-measure how a phone's power use behaves as it travels along defined routes. This means you can't snoop on a place you or a cohort has never been, as you need to have actually walked or driven along the route your subject's phone takes in order to draw any location conclusions.

The Stanford and Israeli researchers collected power data from phones as they drove around California's Bay Area and the Israeli city of Haifa. Then they compared their dataset with the power consumption of an LG Nexus 4 handset as it repeatedly traveled through one of those routes, using a different, unknown choice of route with each test. They found that among seven possible routes, they could identify the correct one with 90 percent accuracy. "If you take the same ride a couple of times, you'll see a very clear signal profile and power profile," says Michalevsky. "We show that those similarities are enough to recognize among several possible routes that you're taking this route or that one, that you drove from Uptown to Downtown, for instance, and not from Uptown to Queens."
Michalevsky says the group hopes to improve its analysis to apply that same level of accuracy to tracking phones through many more possible paths and with a variety of phones -- they already believe that a Nexus 5 would work just as well, for instance. The researchers also are working on detecting more precisely where in a known route a phone is at any given time. Currently the precision of that measurement varies from a few meters to hundreds of meters depending upon how long the phone has been traveling.

The researchers have attempted to detect phones' locations even as they travel routes the snooper has never fully seen before. That extra feat is accomplished by piecing together their measurements of small portions of the routes whose power profiles have already been pre-measured. For a phone with just a few apps like Gmail, a corporate email inbox, and Google Calendar, the researchers were able to determine a device's exact path about two out of three times. For phones with half a dozen additional apps that suck power unpredictably and add noise to the measurements, they could determine a portion of the path about 60 percent of the time, and the exact path just 20 percent of the time.

Even with its relative imprecision and the need for earlier measurements of power use along possible routes, Michalevsky argues that PowerSpy represents a privacy problem that Google hasn't fully considered. Android makes power consumption data available to all apps for the purpose of debugging. But that means the data easily could have been restricted to developers, nixing any chance for it to become a backdoor method of pinpointing a user's position. Google didn't respond to WIRED's request for comment.

This isn't the first time that Michalevsky and his colleagues have used unexpected phone components to determine a user's sensitive information. Last year the same researchers'
group, led by renowned cryptographer Dan Boneh, found that they could exploit the gyroscopes in a phone as crude microphones. That "gyrophone" trick was able to pick up digits spoken aloud into the phone, or even to determine the speaker's gender. "Whenever you grant anyone access to sensors on a device, you're going to have unintended consequences," Stanford professor Boneh told WIRED in August when that research was unveiled.

Stanford's Michalevsky says that PowerSpy is another reminder of the danger of giving untrusted apps access to a sensor that picks up more information than it's meant to. "We can abuse attack surfaces in unexpected ways," he says, "to leak information in ways that it's not supposed to leak."

Read the full PowerSpy paper below.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sun Feb 22 14:16:42 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 22 Feb 2015 15:16:42 -0500
Subject: [Infowarrior] - Kudos to SECDEF Carter
Message-ID: <5921E24C-A5E5-43C4-A9C8-8BD3D32D3D47@infowarrior.org>

New Defense Secretary Ashton B. Carter, seeking to put his imprimatur on the U.S. fight against the Islamic State, has summoned about 30 high-ranking military commanders and diplomats to Kuwait for an unusual session to review war plans and strategy. The summit, which is scheduled to take place Monday, will include the U.S. military's combatant commanders for the Middle East, Africa and Europe, the three-star Army general in charge of the war in Iraq and Syria, the head of the secretive Joint Special Operations Command, several ambassadors in the region and other key players from Washington.

< - >

In a sign of how Carter intends to challenge his commanders' thinking, he has banned them from making any PowerPoint presentations -- a backbone feature of most U.S. military briefings.
< - >

http://www.washingtonpost.com/world/middle_east/carter-summons-us-military-commanders-diplomats-to-kuwait/2015/02/22/0d06c36e-baab-11e4-b274-e5209a3bc9a9_story.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 23 08:01:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 23 Feb 2015 09:01:03 -0500
Subject: [Infowarrior] - Snowden Film 'Citizenfour' Wins Oscar for Best Documentary
Message-ID: <2EDDCF27-271B-4841-8E74-1D41A442D5BE@infowarrior.org>

Snowden Film 'Citizenfour' Wins Oscar for Best Documentary
The fugitive leaker's globetrotting escapades are now officially part of Hollywood lore.
By Dustin Volz
http://www.nationaljournal.com/tech/snowden-film-citizenfour-wins-oscar-for-best-documentary-20150222
February 22, 2015

Citizenfour, a film chronicling the living history of Edward Snowden's unprecedented heist of U.S. government secrets, won the Academy Award for best documentary Sunday night -- an unusual feat for a movie so critical of a sitting president's policies.

Directed by Laura Poitras, the political thriller captures Snowden in a claustrophobic Hong Kong hotel room in the days leading up to and after the release of the first batch of classified documents that publicly revealed the sweeping scope of the National Security Agency's mass surveillance of phone and Internet communications.

"The disclosures that Edward Snowden revealed don't only expose a threat to our privacy but to our democracy itself," Poitras, who also co-produced the film, said during her acceptance speech. "When the most important decisions being made affecting all of us are made in secret, we lose our ability to check the powers that control."

In a statement provided by the American Civil Liberties Union, Snowden applauded Poitras and the movie as "a brave and brilliant film that deserves the honor and recognition it has received."
Snowden, who lives in Russia under asylum, added, "My hope is that this award will encourage more people to see the film and be inspired by its message that ordinary citizens, working together, can change the world."

The award serves as a testament to the continued cultural and political relevance of the Snowden leaks, which began in June 2013 and continue to drip out even today. Last week, The Intercept published new Snowden documents detailing a joint operation in which American and British spies hacked into a Dutch SIM-card manufacturer and stole millions of cell-phone encryption keys.

Snowden supporters will likely seize on the award as further validation that his actions -- which some politicians continue to claim were treasonous and undermined national security -- were justified. The win also amounts to a tacit rebuke by Hollywood of the Obama administration's civil-liberties record, a sensitive issue for an industry that was once dogged by accusations of communist sympathies during the Red Scare of the 1940s and 1950s.

"Edward Snowden could not be here for some treason," Oscar host Neil Patrick Harris jokingly quipped after the award was given.

Citizenfour also has succeeded where other documentaries critical of a sitting president have come up short. Michael Moore's Fahrenheit 9/11, which sharply ridiculed George W. Bush and the Iraq War, failed to earn a best documentary nomination in 2005, despite considerable attention and box-office success.

Citizenfour is the final installment of a trilogy of films by Poitras that examine the post-9/11 tension between privacy and security during the Bush and Obama administrations. Though it documents in real time how Snowden orchestrated with Poitras and journalist Glenn Greenwald the release of government secrets that shocked a nation, the film is at its core a character study of a 29-year-old computer technician who felt compelled to risk his safety in order to leak a massive trove of classified secrets.
"The film isn't trying to break news," Poitras told National Journal last fall after Citizenfour's world premiere in New York. "It's really a story about people, and what happens when people make personal sacrifice to expose what they think is wrongdoing."

Poitras currently lives in Berlin and has said she does not feel she could continue her work if she remained in the United States. She was apparently placed on the Homeland Security Department's terror watch list and was repeatedly detained at airports in the years after the September 11 attacks.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 23 08:06:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 23 Feb 2015 09:06:55 -0500
Subject: [Infowarrior] - Google Blasts DOJ's Request For Expanded Search Powers; Calls Proposal A Threat To The Fourth Amendment
Message-ID:

Google Blasts DOJ's Request For Expanded Search Powers; Calls Proposal A Threat To The Fourth Amendment
https://www.techdirt.com/articles/20150221/19524830103/google-blasts-dojs-request-expanded-search-powers-calls-proposal-threat-to-fourth-amendment.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 23 12:39:42 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 23 Feb 2015 13:39:42 -0500
Subject: [Infowarrior] - Al Jaz covering new intel disclosures
Message-ID: <2EA6DBB3-3D32-401B-9D76-C77B5F04E27F@infowarrior.org>

(They spell out their deliberative/disclosure process quite well, I think. --rick)

One write-up based on this trove, via the Guardian ...

Leaked cables show Netanyahu's Iran bomb claim contradicted by Mossad
http://www.theguardian.com/world/2015/feb/23/leaked-spy-cables-netanyahu-iran-bomb-mossad

The Spy Cables: A glimpse into the world of espionage
Secret documents, leaked from numerous intelligence agencies, offer rare insights into the interactions between spies.
Al Jazeera Investigative Unit | 23 Feb 2015 08:23 GMT

A digital leak to Al Jazeera of hundreds of secret intelligence documents from the world's spy agencies has offered an unprecedented insight into operational dealings of the shadowy and highly politicised realm of global espionage.

Over the coming days, Al Jazeera's Investigative Unit is publishing The Spy Cables, in collaboration with The Guardian newspaper. Spanning a period from 2006 until December 2014, they include detailed briefings and internal analyses written by operatives of South Africa's State Security Agency (SSA). They also reveal the South Africans' secret correspondence with the US intelligence agency, the CIA, Britain's MI6, Israel's Mossad, Russia's FSB and Iran's operatives, as well as dozens of other services from Asia to the Middle East and Africa.

< - >

http://www.aljazeera.com/news/2015/02/spy-cables-world-espionage-snowden-guardian-mi6-cia-ssa-mossad-iran-southafrica-leak-150218100147229.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 23 18:39:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 23 Feb 2015 19:39:41 -0500
Subject: [Infowarrior] - K Street jockeys for cyber supremacy
Message-ID: <6B870D55-2569-4160-ACC2-B39429E6F9D8@infowarrior.org>

http://thehill.com/policy/cybersecurity/233563-k-street-jockeys-for-cyber-supremacy

K Street jockeys for cyber supremacy
By Elise Viebeck - 02/23/15 06:56 PM EST

The race for cybersecurity business is on.

Washington's law and lobby firms are rushing to establish their positions in the lucrative market for cybersecurity counsel, as businesses wake up to the threat posed by hackers worldwide.

"Data privacy" -- the preferred K Street term for cybersecurity -- has become the topic du jour in D.C.'s legal community, and firms are jockeying for any possible edge in hiring, client outreach and events.
Evidence of the race litters legal tabloids, lobbying disclosure forms and job boards, confirming that cyber threats are not only fodder for headlines -- they present a major opportunity for D.C.'s lawyers and influencers.

"Everyone believes this is going to be the next hot thing," said headhunter Ivan Adler, a principal at the Arlington-based McCormick Group.

"People that understand what's in cyber legislation and what it means for the corporate sector are going to be valuable," he said. "What I'm telling staffers is: If you have a chance to gain that kind of experience in cyber, you should do it."

Nearly every major firm in D.C. is looking to get in on the action, from pursuing staffers and administration officials as hires to publishing cyber-related articles in legal journals.

High-profile cyberattacks on Target, Sony Entertainment and Anthem made the issue a priority for big legal brands over the last 15 months. Firms are keen to emphasize their lobbying capabilities, as well as their more conventional legal services.

"Cybersecurity is one of the key challenges of this century," said David Turetsky, who recently left a senior post with the Federal Communications Commission to launch Akin Gump's cybersecurity task force.

"There is always room for competition [in the legal market]," he continued. "It's a complex environment in Washington, and clients should work to get ahead of the curve."

The global rise in cyber crime translates to concrete business for D.C.'s law and lobby outfits. With U.S. corporations poised to lose tens of billions of dollars to hacking each year, firms are eager to court new clients and increase billable work from their existing rosters.

In addition to potential revenue, the pursuit of cybersecurity business is also a bid for bona fides in D.C.'s hypercompetitive legal environment.

Using different strategies -- from conferences at K&L Gates to new cyber-related subscription software at DLA Piper --
firms are engaged in a wide-scale effort to burnish their legal and lobbying credentials on cybersecurity.

"The law is an incredibly important part of this, whether we're talking about Capitol Hill moving legislation, liability issues, or compliance with competing regulations," said Fred Cate, senior policy adviser to the Centre for Information Policy Leadership, a global think tank established by Hunton & Williams.

"Lawyers can serve a little bit like the canary in the coal mine," Cate said. "The thing that is changing now is that we're seeing lawyers more involved in the security process -- not just when disaster strikes but actually trying to make clients think proactively."

Part of law firms' task is stepping in when in-house corporate legal departments find themselves outpaced by both hackers and federal regulators. Adopting the norm in other areas of law, major companies are retaining outside counsel to work with their internal teams on cyber defense.

Outside firms provide a myriad of services, including tasks as simple as evaluating a client's insurance coverage and developing a response plan in case a data breach takes place. Lawyers also help prepare companies to cope with scrutiny from federal regulators.

These efforts typically combine several practices from within one law firm, challenging leaders to organize and better leverage their skills.

David Fagan, a partner with Covington & Burling, said clients' needs have evolved over the past five years when it comes to cybersecurity.

"[The] Target and Sony [hacks] captured the minds and also the fears of a lot of boards of directors and executives," Fagan said. "As a result, in-house lawyers are starting to pursue more targeted engagement. You have people saying, 'OK, this is no longer just a curiosity; it is something I've got to get my arms around.'"

The competition for clients in D.C. is expected to heat up, as the 114th Congress gets fully underway.
Debates over cyber threat information sharing, data breach notification and general privacy standards are looming, as lawmakers begin to weigh hacking issues more carefully.

Shops like Fierce Government Relations and the new bipartisan boutique West Front Strategies are quickly distinguishing themselves this year as they pick up clients on cyber issues.

The challenge for companies seeking representation will now be weeding through firms to identify which have a genuine grasp on the issue and which do not, experts said.

"When you sense this is a moving issue, suddenly everyone wants to claim to do cybersecurity," said Cate.

"At the same time," he added, "these are savvy firms that work in Washington. They know how to build expertise."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 24 09:19:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Feb 2015 10:19:09 -0500
Subject: [Infowarrior] - Google's sudden crackdown on Blogger
Message-ID:

Google warns sex bloggers: clean up or get out
Blogger, the company's long-running blogging service, is cracking down on explicit material with just one month's notice for affected users
Alex Hern @alexhern
Tuesday 24 February 2015 06.35 EST
http://www.theguardian.com/technology/2015/feb/24/google-warns-sex-bloggers-to-clean-up-or-get-out

Google is banning public explicit photos and videos from its blogging service Blogger, and giving affected users just one month to comply.

The new rules require any blog with "sexually explicit or graphic nude images or video" to take them down by 23 March, or the blog will be made private by Google. A private blog can only be seen by the owner or admins of the blog, and people who the owner has shared the blog with.

Google promises that the majority of users of the service, which Google acquired from Twitter co-founder Evan Williams' Pyra Labs in 2003, won't see any change from the new rules.
But many users are concerned that the new rules represent a huge about-turn from Google's previously stated support of explicit material on its platform.

The company's previous policy said: "We do allow adult content on Blogger, including images or videos that contain nudity or sexual activity ... All blogs marked as 'adult' will be placed behind an 'adult content' warning interstitial." Its only exceptions were to ban illegal explicit content, explicit images shared without the subject's consent (commonly known as "revenge porn") and making money on adult content.

Zoe Margolis, author of the Girl with a One Track Mind books and sex blog, joined Blogger in 2004. She says that "either Google believes in freedom of expression, or it doesn't. Restricting blogs which contain explicit content to 'private only' effectively kills them off. This is like offering a library where all the books in it are invisible to the readers unless an author is standing there and personally hands each reader a copy of their book."

"Many blogs, mine included, have been on Blogger for well over a decade. These blogs are not just part of a community which offers an alternative, sex-positive, supportive network, but they also make up how the web functions: millions of interconnected links. By making these blogs invitation only, it immediately kills off all those connections, resulting in people visiting non-existent pages and all the links they click on being dead. A long-standing community will be killed off overnight."

Activist Lauren Weinstein wrote: "I find it disrespectful to users for Google to announce apparently with only 30 days notice that they are summarily banning most explicit materials from Blogger. It is utterly within their rights to do so, but the lack of longer notice (absent specific legal constraints), and a total lack of any explanation in the announcement for this change (only perfunctory operational details), are extremely disappointing."
Google says it will still allow some forms of nudity on the service "if the content offers a substantial public benefit, for example in artistic, educational, documentary, or scientific contexts." It also provides instructions for users who want to migrate elsewhere.

Although the search firm isn't known for taking a prudish attitude to content, explicit videos are also banned on YouTube, the biggest site Google has where it directly hosts user content. The site's rules state: "YouTube is not for pornography or sexually explicit content. If this describes your video, even if it's a video of yourself, don't post it on YouTube."

Other Google services that host user-uploaded content have similar policies. Google Plus, the company's social network, warns users: "Do not distribute content that contains nudity, graphic sex acts, or sexually explicit material." Its rules for profile pictures are even stricter: "Do not use a photo that is a close-up of a person's buttocks or cleavage."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 24 09:23:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Feb 2015 10:23:53 -0500
Subject: [Infowarrior] - Blaming the Internet for Terrorism: So Wrong and So Dangerous
Message-ID: <00AD3CC2-EAAD-4441-8A5F-4928CF778497@infowarrior.org>

February 22, 2015
Blaming the Internet for Terrorism: So Wrong and So Dangerous
http://lauren.vortex.com/archive/001087.html

You can almost physically hear the drumbeat getting louder. It's almost impossible to read a news site or watch cable news without seeing some political, religious, or "whomever we could get on the air just now" spokesperson bemoaning and/or expressing anger about free speech on the Internet.

Their claims are quite explicit. "Almost a hundred thousand social media messages sent by ISIL a day!" "Internet is the most powerful tool of extremists." On and on.

Now, most of these proponents of "controlling" free speech aren't dummies.
They don't usually come right out and say they want censorship. In fact, they frequently claim to be big supporters of free speech on the Net -- they only want to shut down "extremist" speech, you see. And don't worry, they all seem to claim they're up to the task of defining which speech would be so classified as verboten. "Trust us," they plead with big puppy dog eyes.

But blaming the Net for terrorism -- which is the underlying story behind their arguments -- actually has all the logical and scientific rigor of blaming elemental uranium for atomic bombs.

Speaking of which, I'd personally be much more concerned about terrorist groups getting hold of loose fissile material than Facebook accounts.

And I'm pretty curious about how that 100K a day social media messages stat is derived. Hell, if you multiply the number of social media messages I typically send per day times the number of ostensible followers I have, it would total in the millions -- every day. And you know what? That plus one dollar will buy you a cup of crummy coffee.

Proponents of controls on Internet speech are often pretty expert at conflating and confusing different aspects of speech, with a definite emphasis on expanding the already controversial meanings of "hate speech" and similar terms.

They also note -- accurately in this respect -- that social media firms aren't required to make publicly available all materials that are submitted to them. Yep, this is certainly true, and an important consideration.

But what speech control advocates seem to conveniently downplay is that the major social media firms already have significant staffs devoted to removing materials from their sites that violate their associated Terms of Service related to hate speech and other content, and what's more this is an incredibly difficult and emotionally challenging task, calling on the Wisdom of Solomon as but one prerequisite.

The complexities in this area are many.
The technology of the Net makes true elimination of any given material essentially impossible. Attempts to remove "terrorist-related" items from public view often draw more attention to them via the notorious "Streisand Effect" -- and/or push them into underground, so-called "darknets" where they are still available but harder to monitor towards public safety tracking of their activities.

"Out of sight, out of mind" might work for a cartoon ostrich with its head stuck into the ground, but it's a recipe for disaster in the real world of the Internet.

There are of course differences between "public" and "publicized." Sometimes it seems like cable news has become the paid publicity partner of ISIL and other terrorist groups, merrily spending hours promoting the latest videotaped missive from every wannabe terrorist criminal wearing a hood and standing in front of an ISIL flag fresh from their $50 inkjet printer.

But that sort of publicity in the name of ratings is very far indeed from attempting to control the dissemination of information on the Net, where information once disseminated can receive almost limitless signal boosts from every attempt made to remove it.

This is not to say that social media firms shouldn't enforce their own standards. But the subtext of information control proponents -- and their attempts to blame the Internet for terrorism -- is the implicit or explicit implication that ultimately governments will need to step in and enforce their own censorship regimes.

We're well down that path already in some ways, of course. Government-mandated ISP block lists replete with errors blocking innocent sites, yet still rapidly expanding beyond their sometimes relatively narrow original mandates.
And whether we're talking about massive, pervasive censorship systems like in China or Iran, or the immense censorship pressures applied in countries like Russia, or even the theoretically optional systems like in the U.K., the underlying mindsets are very much the same, and very much to the liking of political leaders who would censor the Internet not just on the basis of "stopping terrorism," but for their own political, financial, religious or other essentially power hungry reasons as well.

In this respect, it's almost as if terrorists were partnering with these political leaders, so convenient are the excuses for trying to crush free speech, to control that "damned Internet" -- provided to the latter by the former.

Which brings us to perhaps the ultimate irony in this spectacle, the sad truth that by trying to restrict information on the Internet in the name of limiting the dissemination of "terrorist" materials on the Net, even the honest advocates of this stance -- those devoid of ulterior motives for broader information control -- are actually advancing the cause of terrorism by drawing more attention to those very items they'd declare "forbidden," even while it will be technologically impossible to actually remove those materials from public view.

It's very much a lose-lose situation of the highest order, with potentially devastating consequences far beyond the realm of battling terrorists. For if these proponents of Internet information control -- ultimately of Internet censorship -- are successful in their quest, they will have handed terrorists, totalitarian governments, and other evil forces a propaganda and operational prize more valuable to the cause of repression than all the ISIL social media postings and videos made to date or yet to be posted.

And then, dear friends, as the saying goes, the terrorists really would have won, after all.

Be seeing you.

--Lauren--

-- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Feb 24 14:34:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Feb 2015 15:34:12 -0500
Subject: [Infowarrior] - Democratic FCC commissioner balks at net neutrality rules
Message-ID: <6C4DDCD2-948B-4839-900C-07DC4A41A156@infowarrior.org>

Democratic FCC commissioner balks at net neutrality rules

A Democrat on the Federal Communications Commission wants to narrow the scope of new net neutrality rules that are set for a vote on Thursday, The Hill has learned.

Mignon Clyburn, one of three Democrats on the FCC, has asked Chairman Tom Wheeler to roll back some of the restrictions before the full commission votes on them, FCC officials said.

The request -- which Wheeler has yet to respond to -- puts the chairman in the awkward position of having to either roll back his proposals, or defend the tough rules and convince Clyburn to back down.

< - >

http://thehill.com/business-a-lobbying/233626-fcc-dem-wants-last-minute-changes-to-net-neutrality-rules

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 24 17:14:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Feb 2015 18:14:40 -0500
Subject: [Infowarrior] - NSA Director: If I Say 'Legal Framework' Enough, Will It Convince You Security People To Shut Up About Our Plan To Backdoor Encryption?
Message-ID: <9EABB314-B311-49E4-9802-2DFC399E7DD5@infowarrior.org>

(Answer: No. --rick)

NSA Director: If I Say 'Legal Framework' Enough, Will It Convince You Security People To Shut Up About Our Plan To Backdoor Encryption?

https://www.techdirt.com/articles/20150223/16430030117/nsa-director-if-i-say-legal-framework-enough-will-it-convince-you-security-people-shutting-up-about-our-plan-to-backdoor.shtml

--
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 25 06:42:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Feb 2015 07:42:00 -0500
Subject: [Infowarrior] - Fwd: Internet as failed state
References: <20150225031747.0C30C22817D@palinka.tinho.net>
Message-ID: <20A1FE04-7427-407F-9A93-819EAA97839B@infowarrior.org>

Begin forwarded message:

> From: dan
> http://arstechnica.com/information-technology/2015/02/fear-in-the-digital-city-why-the-internet-has-never-been-more-dangerous/
>
> "...the Internet might soon look less like 1970s New York and more
> like 1990s Mogadishu: warring factions destroying the most fundamental
> of services, 'security zones' reducing or eliminating free movement,
> and security costs making it prohibitive for anyone but the most
> well-funded operations to do business without becoming a 'soft target'
> for political or economic gain."

From rforno at infowarrior.org Wed Feb 25 06:53:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Feb 2015 07:53:13 -0500
Subject: [Infowarrior] - Marlinspike: GPG is passe'
Message-ID: <6CAA1C19-A572-4CC8-AFBA-47FCD63CDD70@infowarrior.org>

GPG And Me
Feb 24, 2015
http://www.thoughtcrime.org/blog/gpg-and-me/

I receive a fair amount of email from strangers. My email address is public, which doesn't seem to be a popular choice these days, but I've received enough inspiring correspondence over the years to leave it be. When I receive a GPG encrypted email from a stranger, though, I immediately get the feeling that I don't want to read it. Sometimes I actually contemplate creating a filter for them so that they bypass my inbox entirely, but for now I sigh, unlock my key, start reading, and -- with a faint glimmer of hope -- am typically disappointed.

I didn't start out thinking this way. After all, my website even has my GPG key posted under my email address. It's a feeling that has slowly crept up on me over the past decade, but I didn't immediately understand where it came from.
There's no obvious unifying theme to the content of these emails, and they're always written in earnest -- not spam, or some form of harassment. Eventually I realized that when I receive a GPG encrypted email, it simply means that the email was written by someone who would voluntarily use GPG. I don't mean someone who cares about privacy, because I think we all care about privacy. There just seems to be something particular about people who try GPG and conclude that it's a realistic path to introducing private communication in their lives for casual correspondence with strangers. Increasingly, it's a club that I don't want to belong to anymore.

A philosophical dead end

In 1997, at the dawn of the internet's potential, the working hypothesis for privacy enhancing technology was simple: we'd develop really flexible power tools for ourselves, and then teach everyone to be like us. Everyone sending messages to each other would just need to understand the basic principles of cryptography. GPG is the result of that origin story. Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It's up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words.

Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the "strong set," and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today's standards, that's a shockingly small user base for a month of activity, much less 20 years.

A technology dead end

In addition to the design philosophy, the technology itself is also a product of that era. As Matthew Green has noted, "poking through an OpenPGP implementation is like visiting a museum of 1990s crypto."
The protocol reflects layers of cruft built up over the 20 years that it took for cryptography (and software engineering) to really come of age, and the fundamental architecture of PGP also leaves no room for now critical concepts like forward secrecy. All of this baggage has been distilled into a ballooning penumbra of OpenPGP specifications and notes so prolific that the entire picture is almost impossible to grasp. Even projects that are engaged in the process of writing a simplified experience on top of GPG suffer from this legacy: Mailpile had to write 1400 lines of python code just to interface with a native GnuPG installation for basic operations, and it still isn't rock solid.

What we have

Today, journalists use GPG to communicate with sources securely, activists use it to coordinate world wide, and software companies use it to help secure their infrastructure. Some really heroic people have put in an enormous amount of effort to get us here, at substantial personal cost, and with little support.

Looking forward, however, I think of GPG as a glorious experiment that has run its course. The journalists who depend on it struggle with it and often mess up ("I send you the private key to communicate privately, right?"), the activists who use it do so relatively sparingly ("wait, this thing wants my finger print?"), and no other sane person is willing to use it by default. Even the projects that attempt to use it as a dependency struggle. These are deep structural problems. GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography.

If there's any good news, it's that GPG's minimal install base means we aren't locked in to this madness, and can start fresh with a different design philosophy. When we do, let's use GPG as a warning for our new experiments, and remember that "innovation is saying 'no' to 1000 things."
In the 1990s, I was excited about the future, and I dreamed of a world where everyone would install GPG. Now I'm still excited about the future, but I dream of a world where I can uninstall it.

--
It's better to burn out than fade away.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 837 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From rforno at infowarrior.org Wed Feb 25 06:55:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Feb 2015 07:55:49 -0500
Subject: [Infowarrior] - Why Firmware Is So Vulnerable to Hacking, and What Can Be Done About It
Message-ID:

Why Firmware Is So Vulnerable to Hacking, and What Can Be Done About It
By Kim Zetter | 02.24.15 | 7:00 am
http://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/

When Kaspersky Lab revealed last week that it had uncovered a sophisticated piece of malware designed to plant malicious code inside the firmware of computers, it should have surprised no one. And that's not just because documents leaked by Edward Snowden have shown that spy agencies like the NSA have an intense interest in hacking the firmware of systems, but also because other researchers have shown in the past how insecure firmware -- in nearly all systems -- is.

Computers contain a lot of firmware, all of which is potentially vulnerable to hacking -- everything from USB keyboards and web cams to graphics and sound cards. Even computer batteries have firmware. "There's firmware everywhere in your computer, and all of it is risky," says security researcher Karsten Nohl, who demonstrated last year how he could embed malicious code in the firmware of USB sticks. There's also firmware in all of our popular digital gadgets -- smartphones and smart TVs, digital cameras, and music players.
Most of it is vulnerable for the same reasons the firmware the Equation Group targeted is vulnerable: it was never designed to be secure. Most hardware makers don't cryptographically sign the firmware embedded in their systems nor include authentication features in their devices that can recognize signed firmware even if they did.

Although random hackers wouldn't be able to pull off what the Equation Group did in a consistent and stable manner -- developing a single module that can reflash the firmware on more than a dozen different hard drive brands and steal data from them without crashing systems -- other forms of firmware hacking have been successfully demonstrated.

There has been a lot of theoretical research done on firmware hacking over the years and a few proof-of-concept demonstrations as well. In 2011, security researcher Charlie Miller found that chips in Apple laptop lithium ion batteries were shipped with default passwords, allowing anyone who discovered the password and learned how to manipulate the firmware to potentially install malware that infects the computer and gives a hacker a persistent hold on it even after the operating system is reinstalled. To demonstrate the firmware vulnerability, he altered the firmware of Apple laptop batteries to trick them into reporting a low charge that would cause the charger to overcharge them until they were bricked.

The USB research of Nohl and Jakob Lell showed how they could hide attack code on USB sticks to hijack a computer, alter files or redirect a user's internet traffic to a malicious site.

But not all gadgets and devices are equally vulnerable. One of the few companies that makes hacking its firmware difficult is Apple, which digitally signs firmware and firmware updates for the iPhone. But hackers don't need to alter the firmware to subvert the iPhone.
Instead, says Costin Raiu, head of Kaspersky Lab's Global Research and Analysis Team, they could go after firmware in the baseband -- the component that allows the phone to connect to cellular networks. "If you want to put something deeply hidden into the iPhone you can put it in the baseband," he says, "though this isn't easy to do."

In 2011, researcher Ralf-Philipp Weinmann did just this after finding security vulnerabilities in the firmware of mobile phone chipsets produced by Qualcomm and Infineon Technologies. Weinmann showed how he could subvert the firmware to hack an iPhone and an Android phone and turn them into remote listening devices. The hack wasn't easy, however. Weinmann had to set up a fake cell tower and get the target phones to connect to it in order to deliver his malicious code.

Countermeasures

So what can you do about these firmware security issues? Unfortunately, there's very little. Antivirus products currently don't scan a computer's firmware for malicious code and doing so is not a simple task. So countermeasures for the firmware insecurities are largely in the hands of hardware and chip makers.

Hardware makers should design any firmware or firmware update they distribute to be cryptographically signed. They should also add authentication capability to hardware devices so they can check and verify those signatures. Another protective measure would be to add a write-protect switch on the device side to prevent anyone who is unauthorized from flashing the firmware. All of these measures would guard against low-level hackers subverting the firmware, but persistent attackers could simply steal the master keys to sign their malicious code and subvert the authentication or write protection.

An additional countermeasure, says Raiu, would be for hardware vendors to give users the ability to easily read their machine's firmware and establish if it has changed since installation.
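Raiu's suggestion above (let users read back their firmware and establish whether it has changed) in working form, as an added example that is not code from the article or from any vendor: the vendor side publishes a per-component SHA-256 manifest and the user side re-reads the images and classifies each one. The component names, image bytes, manifest format and the "flash read" are all constructed stand-ins.

```python
"""Firmware integrity check against a vendor-published digest manifest.

Added example, not code from the Wired article: it models the countermeasure
the article describes (the vendor publishes a checksum per firmware image and
the user periodically re-reads the firmware and compares).  The component
names, image contents, manifest format and the "flash read" are constructed
stand-ins; a real check would read the images with the vendor's dump tool and
fetch the manifest over an authenticated channel.
"""
import hashlib
from typing import Dict

# Constructed stand-in for what a firmware dump tool would read back from
# three components at install time (bytes chosen only to make distinct blobs).
FACTORY_IMAGES: Dict[str, bytes] = {
    "bios": b"BIOS v1.02 " + bytes(range(256)) * 4,
    "hdd-controller": b"HDD FW 3.7 " + bytes(range(0, 256, 3)) * 8,
    "battery": b"SMBUS BAT 0.9 " + b"\x00\x11\x22\x33" * 32,
}

_HEX = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a whole image as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: Dict[str, bytes]) -> str:
    """Vendor side: one 'component  sha256-hex' line per image, sorted by name."""
    lines = [f"{name}  {sha256_hex(blob)}" for name, blob in sorted(images.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """User side: parse the manifest strictly.  Malformed input is rejected
    rather than skipped, because a garbled reference line would otherwise make
    a modified image look merely 'unlisted'."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected 'name digest'")
        name, digest = parts
        if len(digest) != 64 or not set(digest) <= _HEX:
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry {name!r}")
        expected[name] = digest
    return expected


def verify_firmware(images: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Compare freshly read images with the manifest.

    Returns one status per component: 'ok', 'modified' (digest differs),
    'unlisted' (image present but absent from the manifest) or 'missing'
    (listed in the manifest but not read back).  Anything other than 'ok'
    deserves attention; 'modified' is the reflash case the article warns of.
    """
    expected = parse_manifest(manifest_text)
    status: Dict[str, str] = {}
    for name, blob in images.items():
        if name not in expected:
            status[name] = "unlisted"
        elif sha256_hex(blob) == expected[name]:
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in expected:
        if name not in images:
            status[name] = "missing"
    return status


def tampered_images() -> Dict[str, bytes]:
    """Constructed scenario: the hard-drive controller image has been
    rewritten in one small region, as a firmware reflash would do."""
    images = dict(FACTORY_IMAGES)
    blob = bytearray(images["hdd-controller"])
    blob[64:72] = b"XXXXXXXX"
    images["hdd-controller"] = bytes(blob)
    return images


if __name__ == "__main__":
    manifest = build_manifest(FACTORY_IMAGES)
    print("factory read :", verify_firmware(FACTORY_IMAGES, manifest))
    print("after reflash:", verify_firmware(tampered_images(), manifest))
```

The manifest has to come from a source the attacker cannot rewrite along with the firmware (the vendor's signed download, or a copy recorded at installation); compared against a reference that lives on the same machine, the check proves nothing.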
If vendors provided a checksum of the firmware and firmware updates they distribute, users could periodically check it to see if it differed from the original. A checksum is a cryptographic representation of data that is created by running the data through an algorithm to produce a unique identifier composed of letters and numbers. Each checksum is supposed to be unique so that if anything changes in the dataset, it will produce a different checksum.

But security changes for firmware could take years to implement, say researchers. "If everyone started fixing this now, it would probably be fixed on most computers in five to ten years," says Nohl. And that's only if vendors feel pressure from consumers to provide firmware security. Unfortunately, he says "[N]o one right now has an incentive to start fixing it."

Andy Greenberg contributed reporting to this piece.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 25 16:23:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Feb 2015 17:23:36 -0500
Subject: [Infowarrior] - The Government Refuses to Prove Snowden Damaged National Security
Message-ID: <68AF4595-D539-4FE8-A174-1A92BAFAD7BD@infowarrior.org>

The Government Refuses to Prove Snowden Damaged National Security

http://gizmodo.com/the-government-refuses-to-prove-snowden-damaged-nationa-1688033925

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 25 16:25:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Feb 2015 17:25:27 -0500
Subject: [Infowarrior] - Is Retweeting ISIS 'Material Support Of Terrorism'?
Message-ID:

Is Retweeting ISIS 'Material Support Of Terrorism'?

https://www.techdirt.com/articles/20150224/12545730130/social-media-isis-material-support-terrorism-documenting-war-crimes.shtml

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 26 06:03:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 07:03:45 -0500
Subject: [Infowarrior] - 'Jihadi John' named
Message-ID:

'Jihadi John': The Islamic State killer behind the mask is a young Londoner
By Souad Mekhennet and Adam Goldman
February 26 at 5:51 AM

LONDON -- The world knows him as "Jihadi John," the masked man with a British accent who has beheaded several hostages held by the Islamic State and who taunts audiences in videos circulated widely online.

But his real name, according to friends and others familiar with his case, is Mohammed Emwazi, a Briton from a well-to-do family who grew up in West London and graduated from college with a degree in computer programming. He is believed to have traveled to Syria around 2012 and to have later joined the Islamic State, the group whose barbarity he has come to symbolize.

"I have no doubt that Mohammed is Jihadi John," said one of Emwazi's close friends who identified him in an interview with The Washington Post. "He was like a brother to me. . . . I am sure it is him."

A representative of a British human rights group who had been in contact with Emwazi before he left for Syria also said he believed Emwazi was Jihadi John, a moniker given to him by some of the hostages he once held.

[Graphic: Scores of hostages, including Westerners, have been killed by the Islamic State since 2014. Here are some of the major incidents where the Islamic State killed the hostages.]

"There was an extremely strong resemblance," Asim Qureshi, research director at the rights group, CAGE, said after watching one of the videos. "This is making me feel fairly certain that this is the same person."

Authorities have used a variety of investigative techniques, including voice analysis and interviews with former hostages, to try to identify Jihadi John. James B. Comey, the director of the FBI, said in September --
only a month after the Briton was seen in a video killing American journalist James Foley -- that officials believed they had succeeded. Nevertheless, the identity of Jihadi John has remained shrouded in secrecy.

Since Foley's killing, he has appeared in a series of videos documenting the gruesome killings of other hostages, including four other Westerners, some of whom he personally beheaded. In each, he is dressed in all black, a balaclava covering all but his eyes and the ridge of his nose. He wears a holster under his left arm.

A spokeswoman for the British Embassy in Washington said: "Our prime minister has been clear that we want all those who have committed murder on behalf of ISIL to face justice for the appalling acts carried out. There is an ongoing police investigation into the murder of hostages by ISIL in Syria. It is not appropriate for the government to comment on any part of it while this continues." ISIL is another name for the Islamic State.

U.S. officials declined to comment for this report. Emwazi's family declined a request for an interview, citing legal advice.

< -- >

http://www.washingtonpost.com/world/national-security/jihadi-john-the-islamic-state-killer-behind-the-mask-is-a-young-londoner/2015/02/25/d6dbab16-bc43-11e4-bdfa-b8e8f594e6ee_story.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 26 08:18:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 09:18:17 -0500
Subject: [Infowarrior] - Everyone Wants You To Have Security, But Not from Them
Message-ID: <335881AB-16DB-4F71-9B8A-0B3D87AC42D2@infowarrior.org>

Everyone Wants You To Have Security, But Not from Them

https://www.schneier.com/blog/archives/2015/02/everyone_wants_.html

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 26 11:47:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 12:47:51 -0500
Subject: [Infowarrior] - Music industry moves to Friday global album release
Message-ID: <15AFDA51-0511-46EC-8ED5-D6AFAF65CD92@infowarrior.org>

Music industry moves to Friday global album release

http://news.yahoo.com/music-industry-moves-friday-global-album-release-131728097.html

New York (AFP) - The music industry has announced an agreement to release albums globally on Fridays, ending divergences among regions that have fueled piracy in an age of instant music.

Key groups representing music retailers, record companies and artists said that they would coordinate album releases to go out everywhere each Friday at one minute past midnight local time.

Thursday's decision, after nine months of consultation, is expected to go into effect by summer in the Northern Hemisphere, said Frances Moore, chief executive officer of the music industry's global body IFPI.

"What is absolutely clear is that there is nearly unanimous agreement that a global release date is a good thing," Moore told AFP.

Under longstanding traditions, albums are generally released on Monday in Britain and France, Tuesday in the United States, Wednesday in Japan and Friday in Australia and Germany.

The variations have looked increasingly anachronistic amid the rapid growth of digital downloading and more recently streaming, contributing to a black market for albums already out in one region.

Moore said that a global release date would help bring more excitement to the industry.

"Let's say Daft Punk, for example, makes an announcement saying that their album's out today, but it's in America and it's not until Friday in Germany. There is a three- or four-day gap.

"As a consumer, you can't find it, even though the artist says it's out there. So now they won't have to go looking on a pirate site -- we are focusing them on the legitimate market," she said.
London-based IFPI, which stands for the International Federation of the Phonographic Industry, said it had consulted with the International Federation of Musicians, which represents global unions, as well as leading retailers and streaming services including Spotify.

- Still opposition -

One source of opposition has been independent retailers in the United States, the world's largest music market, who have supported a global release date but not on Friday.

US retailers generally chose Tuesday as it would otherwise be a slow day, and it offers ample time for albums to arrive over the weekend.

In recent years, artists including Beyonce and Madonna have also suddenly released albums without warning, either in response to leaks or sometimes to avoid them.

Moore said that the Friday plan enjoyed broad support but that there would be no legal ramifications for anyone who insists on another day.

"There could be an artist or individual producer who decides at some point they're not going on that day... but there is a clear majority in favor of doing this, and I think eventually it will be aligned," she said.

- New source of growth? -

The music industry has witnessed turmoil since albums started going digital some 15 years ago.

Global music revenue fell 3.9 percent to $15 billion in 2013, according to IFPI, although the drop was led by Japan -- where physical album sales overwhelmingly dominate the market -- and digital sales grew in parts of the West.

Cary Sherman, chief executive of the Recording Industry Association of America, which represents US-based labels and distributors, said that a global release on Friday will be "good for fans and good for the business."

"Geographic lines are often irrelevant to digital marketing strategies and fans' expectations of instant access to their favorite music," Sherman said in a statement.
Paul McGowan, chief executive of Hilco Capital which owns Britain's largest music retailer HMV, voiced enthusiasm about shifting to Friday releases due to the flow of shoppers.

"Quite simply, new music should hit the high street when people hit the street," he said in a statement.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 26 11:48:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 12:48:52 -0500
Subject: [Infowarrior] - The FCC rules against state limits on city-run Internet
Message-ID: <09107CE2-F156-4699-916D-9845BC8D22F5@infowarrior.org>

The FCC rules against state limits on city-run Internet
By Brian Fung
February 26 at 11:24 AM
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/26/the-fcc-rules-against-state-limits-on-city-run-internet/

For years, cities around the country have been trying to build their own, local competitors to Verizon, Charter and other major Internet providers. Such government-run Internet service would be faster and cheaper than private alternatives, they argued. But in roughly 20 states, those efforts have been stymied by state laws.

Now, the nation's top telecom regulators want to change that. On Thursday, the Federal Communications Commissions voted 3-2 to override laws preventing Chattanooga, Tenn., and Wilson, N.C. from expanding the high-speed Internet service the cities already offer to some residents.

The vote could embolden other cities that feel they have been underserved by traditional Internet providers, potentially undermining years of lobbying by the telecommunications industry.

"It's good to see the FCC standing up to phone and cable company efforts to legislate away competition and choice," said Free Press, a consumer advocacy group. "By targeting these protectionist state laws, the FCC is siding with dozens of communities seeking to provide essential broadband services where people have few to no other options."
Last year, Chattanooga and Wilson asked the FCC to intervene on their behalf, citing numerous state restrictions on the expansion of broadband service. Chattanooga, for example, cannot build its broadband networks anywhere it does not already provide electricity.

"What we're looking at here in Tennessee are people who are literally a tenth of a mile off of our system who have no Internet access," said Harold DePriest, the chief executive of Chattanooga's city-owned power utility, EPB.

The FCC's intervention in Wilson, N.C. is even more dramatic, overturning a range of state laws that the city says artificially limits competition. One provision in North Carolina law bars cities from charging prices that are lower than the private incumbents'. Another requires municipalities to gain public support for a city-run service through a special referendum before borrowing money to fund such efforts. A third effectively prohibits cities from building in "unserved areas," according to Wilson's petition.

Taken together, these restrictions make it difficult for new providers to compete with established Internet providers, FCC officials have said.

"The bottom line of these matters is that some states have created thickets of red tape designed to limit competition," said FCC Chairman Tom Wheeler. "When local leaders have their hands tied by bureaucratic state red tape, local businesses and residents are the ones who suffer the consequences."

Cities advocating for more leeway to offer Internet service say they are trying to address a lingering problem: Consumers don't have enough choices. More than half of Americans have only one choice of Internet provider at speeds of 25 megabits per second -- the basic threshold for high-speed Internet under a new definition approved by the FCC last month.

Internet providers are expected to challenge the FCC's ruling in court, arguing that the agency lacks the authority to come between a state and the cities under its jurisdiction.
Republican lawmakers have warned that FCC intervention on municipal broadband would be an example of government overreach. And other critics argue that the private sector, not taxpayers, should be leading the way in promoting greater Internet access.

"In taking this step, the FCC usurps fundamental aspects of state sovereignty. And it disrupts the balance of power between the federal government and state governments that lies at the core of our constitutional system of government," Republican FCC Commissioner Ajit Pai said.

Brian Fung covers technology for The Washington Post, focusing on telecom, broadband and digital politics. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 26 11:59:42 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 12:59:42 -0500
Subject: [Infowarrior] - Dan Gillmor on leaving Apple, Google, and Microsoft
Message-ID:

Why I'm Saying Goodbye to Apple, Google and Microsoft - Dan Gillmor
I'm putting more trust in communities than corporations

https://medium.com/backchannel/why-i-m-saying-goodbye-to-apple-google-and-microsoft-78af12071bd

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 26 13:26:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 14:26:17 -0500
Subject: [Infowarrior] - With $50M Boost, Silent Circle Aims Blackphone At Enterprise Security
Message-ID: <9661C96F-3735-44C1-A8C4-D6D554EC53C4@infowarrior.org>

With $50M Boost, Silent Circle Aims Blackphone At Enterprise Security
Posted 3 hours ago by Natasha Lomas (@riptari)
http://techcrunch.com/2015/02/26/silent-circle-buys-geeksphone-out-of-blackphone-joint-venture/

Encrypted comms company Silent Circle, half of the SGP Technologies joint venture behind the pro-privacy Android smartphone Blackphone, has just announced it's reached an agreement to buy out its hardware partner, Spanish smartphone maker Geeksphone. It's expecting to close the buy out this week.

Silent Circle's acquisition of the JV will result in it taking a 100% ownership stake in SGP Technologies and the Blackphone product set. It says the buy-out will bring "operation efficiencies" and "an integrated product roadmap".

In a news release put out today, Silent Circle also reveals it has raised $50 million to fuel its next round of growth -- as it positions itself to focus more fully on the enterprise. It's not clear if this is all new financing but we've asked for clarity and will update this post once we know. Silent Circle has confirmed to TechCrunch that this is all new financing.

The company adds that it will be unveiling an "enterprise privacy ecosystem", using ZRTP cryptographic protocols, at the Mobile World Congress trade show next week, to further flesh out its enterprise strategy.

Silent Circle's clear aim here is to step into the gap left by the marketshare demise of BlackBerry and woo business users with an integrated suite of secure enterprise communication products that better meshes with the realities of a consumerized "bring your own device" business world.
So basically the pitch is encrypted comms running on modern and capable mobile hardware. (The company has previously confirmed a Blackphone tablet is also incoming.)

For its part Geeksphone has various other sole hardware projects to keep it occupied post-Blackphone, including its own brand multiOS handsets, and other Firefox OS phones (albeit sales of devices running Mozilla's mobile platform are inevitably niche). Its latest direction is a move into wearables, with a fitness band called GeeksMe coming this summer.

In May last year Silent Circle took in its first ever external funding, a $30 million round led by investors including Ross Perot Jr. and Dallas-based private investment fund Cain Capital LLC, thanks (it said) to demand for Blackphone, which runs a hardened Android fork called PrivatOS. So its investors are also evidently persuaded there is a sizable opportunity to capitalize on BlackBerry's fall from favor.

Add to that, there is generally growing momentum for more secure mobile communications, as security continues to rise up corporate agendas in the wake of high profile leaks such as the hacking of Sony Pictures' email last year. Just last week it emerged that government intelligence agencies might have cracked encryption keys in SIM cards distributed by Gemalto -- according to documents released by NSA whistleblower Edward Snowden -- blowing a huge security hole in mobile voice communications.

Commenting in a statement, Silent Circle investor, Ross Perot Jr, flagged up these various growing security concerns. "As the nature and volume of data breaches increase, institutional trust is eroding," he said. "There are companies that have been hacked and there are those that don't know about it yet, which means that security in the traditional sense has failed us. With the number of employees connecting to an enterprise's network using their own devices rapidly rising, organizations need a different solution.
"In short, in a post-Sony and Gemalto world, security breaches have been made both enterprise and personal so it's no longer an issue affecting just the boardroom."

"This first stage of growth has enabled us to raise approximately $50m to accelerate our continued rapid expansion and fuel our second stage of growth," added Mike Janke, co-Founder and executive chairman of the Silent Circle Board, in another statement. "Just under a year ago, we introduced Blackphone at Mobile World Congress. Since then, we've continued to develop new, privacy-first products for our integrated software suite as well as Blackphone, the first hardware device in our portfolio of privacy solutions."

It's unclear whether Geeksphone will continue to manufacture hardware under license to SGP Technologies. We've put the question to the company, and will likely get more details in Barcelona on Monday -- when Silent Circle is holding a Blackphone-related press conference.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 26 15:35:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 16:35:51 -0500
Subject: [Infowarrior] - Verizon Responds To NN Decision Via Typewriter, Morse Code
Message-ID:

They (Verizon) wouldn't be in this position if they (Verizon) didn't play games that short-circuited industry-friendly net neutrality proposals in recent years. They only have themselves to blame here. --rick

Verizon Responds To Net Neutrality Decision Via Typewriter, Morse Code

http://www.fastcompany.com/3042946/fast-feed/oh-snap-verizon-responds-to-net-neutrality-decision-via-typewriter-morse-code

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 26 15:43:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 16:43:13 -0500
Subject: [Infowarrior] - DNI: "Cyber Armageddon" not likely to wipe out US
Message-ID: <996DE328-605E-40D9-AEFA-693F8E06E927@infowarrior.org>

(Now excuse me while I pick myself up from the floor, having fainted after seeing that a senior USG person dared to downplay the cyber-FUD scenario so over-used by DC insiders. --rick)

"Cyber Armageddon" not likely to wipe out US, intelligence director says
Cyber threats "are increasing in frequency, scale, sophistication, and severity."
by David Kravets - Feb 26, 2015 1:31pm EST
http://arstechnica.com/tech-policy/2015/02/cyber-armageddon-not-likely-to-wipe-out-us-intelligence-director-says/

The US is unlikely to suffer a "catastrophic" cyber attack, the nation's top intelligence officer said Thursday. Instead, the country will be peppered with "low-to-moderate level cyber attacks," James Clapper, the director of national intelligence, told the Senate Armed Services Committee on Thursday.

"Cyber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact," according to the "Worldwide Threat Assessment of the US Intelligence Community" (PDF) report that Clapper presented to lawmakers. "Rather than a 'Cyber Armageddon' scenario that debilitates the entire US infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security."

Listing cyber attacks as the leading threat to national security over terrorism, the report said the government's "unclassified" IT systems supporting military, commercial, and social activities "remain vulnerable to espionage and/or disruption." The top nation-states where the threats are coming from include China, Iran, North Korea, and Russia, the report said.

Cyber attacks are becoming more commonplace, too, according to the report. "The muted response by most victims to cyber attacks has created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation." The report noted that Russia, like the US, is establishing cyber offensive capabilities that include "propaganda operations and inserting malware into enemy command and control systems."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 26 17:35:02 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 18:35:02 -0500
Subject: [Infowarrior] - How journalists should reframe the encryption debate
Message-ID: <455B4609-D698-43D2-AE7D-3E63842141E7@infowarrior.org>

02:50 PM - February 26, 2015
How journalists should reframe the encryption debate
Privacy concerns need to be addressed
By Kelly J O'Brien
http://www.cjr.org/behind_the_news/how_journalists_are_fighting_t.php

Digital encryption may seem like a niche topic to be the center of an international debate. Yet in recent months, UK Prime Minister David Cameron, FBI Director James Comey, NSA Director Adm. Mike Rogers, and President Obama have all weighed in on the possibility of widespread consumer-technology encryption. They have all suggested, with varying degrees of nuance, that tech companies should not encrypt their devices in a way that would make it difficult or impossible for law enforcement to gather information from them during an investigation. Companies like Apple and Google promised to introduce default encryption even they couldn't break in response to Edward Snowden's leaks revealing mass government surveillance. On Tuesday, Hillary Clinton called the encryption debate a "classic hard choice" between privacy concerns and national security.
Governments are most concerned with preventing "bad guys" from using encryption to hide evidence, "going dark," as Comey put it at the Brookings Institute last year. But many journalists, some of whom have been proselytizing for encryption as a reporting tool for years, dislike the message they're hearing from public officials. The challenge is to turn the "bad guy" narrative into a wider discussion of the legitimate, beneficial uses of encryption.

In an attempt to win a major ally in that fight, the Committee to Protect Journalists and the Reporters Committee for Freedom of the Press last week announced they had submitted a joint letter to the United Nations, arguing that reporters must be able to "use encryption to protect themselves, their sources, and the free flow of news." The letter was sent in response to a call for submissions by David Kaye, the UN Special Rapporteur for freedom of opinion and expression, who is writing a report on "the legal framework governing the relationship between freedom of expression and the use of encryption to secure transactions and communications."

Kaye said he hopes to do for encryption what a report by his predecessor at the UN, released about a month before the first Snowden revelations, did for the understanding of mass surveillance. "Before people thought of surveillance as purely an issue of counterterrorism and law enforcement, and I think people now understand, beyond the human rights community, that surveillance has an impact, and has an impact on rights," Kaye said in a phone interview. "It's one thing for journalists who are covering the Snowden revelations to write about it. It's another for an independent expert at the UN to kind of provide a framework for thinking about it."

Geoffrey King, an internet advocacy coordinator for CPJ who helped draft the letter to the UN, said that framework needs to urge nations to recognize encryption as a tool for protecting journalists, activists, and other vulnerable groups. "I think that at this stage, the normative power of having the United Nations take a strong stance is very significant," he said in a phone interview. "Really we're trying to protect the space for journalists to be able to help themselves."

The CPJ/RCFP letter gives examples from around the world of journalists who successfully used encryption to protect sensitive material and of others who were arrested because they did not. It argues that journalists worldwide will be safer from repressive governments when encryption is widely adopted or made the default, and, crucially, makes the point that policies that undermine encryption technology undermine safe journalism.

Unfortunately, digital security experts say Western intelligence officials are in fact undermining encryption's effectiveness when they urge tech companies to retain some sort of access to a user's device. King said he has been worried to hear the questionable understanding of encryption coming from high places recently. "Now we have the director of the FBI, the attorney general of the United States, the president of the United States, and the prime minister of the United Kingdom all making some fairly spurious arguments about the actual threats and how encryption works," King said. "When we have people at that level, who should know what they're talking about, who have all the resources available to them, making misstatements like that, it's very, very troubling."

Kaye said he understands why journalists are concerned to hear the way intelligence officials are framing the encryption debate. He hopes his report, due to be presented to the UN Human Rights Council in June, will provide countries with a road map for making the hard choices necessary to fully accept encryption. "If anything, the most important impact that we can have is trying to generate a realistic discussion of the trade-offs," Kaye said.
"If you go down a route of seeking back doors or whatever they want to call it, there are serious implications on other equities that governments have. It has serious implications for activists, for free press, for even our financial securities."

While national governments are the primary audience for Kaye's report, he also aims to make journalists more comfortable using encryption. A recent Pew poll shows though 80 percent of journalists believed being a reporter makes it more likely the US government will collect their data, half said they don't use online security tools. "The technology [of encryption] is scary to some people, or it's seen as too difficult," Kaye said. "I think it's important for there to be more people actually using it to protect themselves."

Given the current message on encryption emanating from Washington and the lackluster implementation of the technology among journalists, Kaye's report can't come soon enough.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 26 19:04:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Feb 2015 20:04:17 -0500
Subject: [Infowarrior] - FBI protecting America from its own manufactured plots
Message-ID: <1FF8EF3F-8568-429F-A5A8-95AB2206033A@infowarrior.org>

(As it has done time and again over the years. No wonder they're so "successful" at it. --rick)

Confidential Informant Played Key Role in FBI Foiling Its Own Terror Plot
https://firstlook.org/theintercept/2015/02/25/isis-material-support-plot-involved-confidential-informant/

Why Does the FBI Have to Manufacture its Own Plots if Terrorism and ISIS Are Such Grave Threats?
https://firstlook.org/theintercept/2015/02/26/fbi-manufacture-plots-terrorism-isis-grave-threats/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 27 06:33:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Feb 2015 07:33:27 -0500
Subject: [Infowarrior] - Under U.S. Pressure, PayPal Nukes Mega For Encrypting Files
Message-ID:

(Hrm....will VPN and/or zero-knowledge storage providers be next? --rick)

Under U.S. Pressure, PayPal Nukes Mega For Encrypting Files
By Andy on February 27, 2015
http://torrentfreak.com/under-u-s-pressure-paypal-nukes-mega-for-encrypting-files-150227/

After coming under intense pressure PayPal has closed the account of cloud-storage service Mega. According to the company, SOPA proponent Senator Patrick Leahy personally pressured Visa and Mastercard who in turn called on PayPal to terminate the account. Bizarrely, Mega's encryption is being cited as a key problem.

During September 2014, the Digital Citizens Alliance and Netnames teamed up to publish a brand new report. Titled "Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions," it offered insight into the finances of some of the world's most popular cyberlocker sites.

The report had its issues, however. While many of the sites covered might at best be considered dubious, the inclusion of Mega.co.nz, the most scrutinized file-hosting startup in history, was a real head scratcher. Mega conforms with all relevant laws and responds quickly whenever content owners need something removed. By any standard the company lives up to the requirements of the DMCA.

"We consider the report grossly untrue and highly defamatory of Mega," Mega CEO Graham Gaylard told TF at the time.

But now, just five months on, Mega's inclusion in the report has come back to bite the company in a big way. Speaking via email with TorrentFreak this morning, Gaylard highlighted the company's latest battle, one which has seen the company become unable to process payments from customers. It's all connected with the NetNames report and has even seen the direct involvement of a U.S. politician.
According to Mega, following the publication of the report last September, SOPA and PIPA proponent Senator Patrick Leahy (Vermont, Chair Senate Judiciary Committee) put Visa and MasterCard under pressure to stop providing payment services to the "rogue" companies listed in the NetNames report. Following Leahy's intervention, Visa and MasterCard then pressured PayPal to cease providing payment processing services to MEGA. As a result, Mega is no longer able to process payments.

"It is very disappointing to say the least. PayPal has been under huge pressure," Gaylard told TF.

The company did not go without a fight, however. "MEGA provided extensive statistics and other evidence showing that MEGA's business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal's queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA," the company explains.

What makes the situation more unusual is that PayPal reportedly apologized to Mega for its withdrawal while acknowledging that company's business is indeed legitimate. However, PayPal also advised that Mega's unique selling point, its end-to-end encryption, was a key concern for the processor.

"MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA's 'unique encryption model' presents an insurmountable difficulty," Mega explains.

As of now, Mega is unable to process payments but is working on finding a replacement. In the meantime the company is waiving all storage limits and will not suspend any accounts for non-payment. All accounts have had their subscriptions extended by two months, free of charge. Mega indicates that it will ride out the storm and will not bow to pressure nor compromise the privacy of its users.

"MEGA supplies cloud storage services to more than 15 million registered customers in more than 200 countries. MEGA will not compromise its end-to-end user controlled encryption model and is proud to not be part of the USA business network that discriminates against legitimate international businesses," the company concludes.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 27 06:45:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Feb 2015 07:45:52 -0500
Subject: [Infowarrior] - Google backtracks on porn ban in Blogger
Message-ID: <852F425C-913E-4B3D-9459-A6CA91C844F5@infowarrior.org>

Google backtracks on porn ban in Blogger
Heeding "ton of feedback" from users, company announces it won't implement changes, but steps up enforcement of existing policy on sexually explicit content
@alexhern Friday 27 February 2015 07.00 EST
http://www.theguardian.com/technology/2015/feb/27/google-backtracks-on-porn-ban-in-blogger

Google has backtracked on plans to ban sexually explicit images from its blogging platform Blogger, in the face of widespread opposition from users. The company had initially announced a ban on "sexually explicit or graphic nude images or video", with just a few exceptions for content which offered "a substantial public benefit, for example in artistic, educational, documentary, or scientific contexts". It planned to enforce the ban from 23 March, when any user with offending material still on their blog would be forced to turn it into a private site.

Now, the company has backed down. Jessica Pelegio, a social product support manager at Google, wrote: "We've had a ton of feedback, in particular about the introduction of a retroactive change (some people have had accounts for 10+ years), but also about the negative impact on individuals who post sexually explicit content to express their identities.
"So rather than implement this change, we've decided to step up enforcement around our existing policy prohibiting commercial porn."

"Blog owners should continue to mark any blogs containing sexually explicit content as 'adult' so that they can be placed behind an 'adult content' warning page," she added.

Blogger's existing policy is much looser when it comes to adult content than many other providers. Since at least 2012 the company has warned users to "not use Blogger as a way to make money on adult content", and says it does not allow "illegal sexual content, including image, video or textual content that depicts or encourages rape, incest, bestiality, or necrophilia." Users are also not allowed to "post or distribute private nude or sexually explicit images or videos without the subject's consent."

That ban, which has been in place since November 2014, was matched by social news site Reddit this week. The company's chief executive, Ellen Pao, said that "effective 10 March, Reddit will prohibit any photograph, video or digital image of a person who is nude or engaged in a sexual act if the subject has not given permission for it to be used".

Google's attempt to broaden that ban to cover all sexual images was met with opposition from sex bloggers, for whom the platform is one of the most popular. Zoe Margolis, author of the sex blog Girl With a One-Track Mind, wrote in the Guardian that "forcing millions of blogs to become private is not just a free-speech issue, or one about making adult content harder to find (Google's own search tool makes that argument redundant), but boils down to Google sabotaging the integrity of the web, and how it functions, and it is for this reason that we need to oppose this narrow-minded and short-sighted policy."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 27 06:51:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Feb 2015 07:51:49 -0500
Subject: [Infowarrior] - DOJ IG: FBI still impeding our oversight
Message-ID: <73ECB145-FF08-4BD0-9C22-8328ED7136EC@infowarrior.org>

(surprise, surprise. --rick)

DOJ Inspector General Tells Congress That FBI Isn't Letting His Office Do Its Job... Again
from the Fight-Block-Impede dept

The FBI is still actively thwarting its oversight. Last fall, DOJ Inspector General Michael Horowitz informed the House Judiciary Committee that the FBI was routinely denying his office documents it needed to perform investigations. The withheld documents included everything from electronic surveillance information to organizational charts. Not only did the FBI refuse to hand over requested documents, but it also stonewalled OIG investigations for so long that "officials under review [had] retired or left the agencies before the report [was] complete."

Nearly six months later, the situation remains unchanged. Horowitz is again informing the House Judiciary Committee that the FBI is still less than interested in assisting his office. The same stonewalling tactics and withholding of information continues, preventing the IG from fully examining the DEA's use of administrative subpoenas.

< - >

https://www.techdirt.com/articles/20150225/07523630139/doj-inspector-general-tells-congress-that-fbi-isnt-letting-his-office-do-its-job-again.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 27 06:54:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Feb 2015 07:54:40 -0500
Subject: [Infowarrior] - admin note re: ZeroSpam
Message-ID:

If your company uses ZeroSpam to filter its email you may miss some list posts that should not be blocked/filtered. Suggest you take it up with ZeroSpam or your IT department accordingly. ---rick

-- It's better to burn out than fade away.
From rforno at infowarrior.org Fri Feb 27 11:29:19 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Feb 2015 12:29:19 -0500
Subject: [Infowarrior] - Leonard Nimoy, Spock of 'Star Trek,' Dies at 83
Message-ID:

Leonard Nimoy, Spock of 'Star Trek,' Dies at 83

Leonard Nimoy, the sonorous, gaunt-faced actor who won a worshipful global following as Mr. Spock, the resolutely logical human-alien first officer of the Starship Enterprise in the television and movie juggernaut "Star Trek," died on Friday morning at his home in the Bel Air section of Los Angeles. He was 83. His wife, Susan Bay Nimoy, confirmed his death, saying the cause was end-stage chronic obstructive pulmonary disease.

< - >

http://www.nytimes.com/2015/02/27/arts/television/leonard-nimoy-spock-of-star-trek-dies-at-83.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 27 12:16:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Feb 2015 13:16:28 -0500
Subject: [Infowarrior] - How To Sabotage Encryption Software (And Not Get Caught)
Message-ID:

How To Sabotage Encryption Software (And Not Get Caught)
By Andy Greenberg, 02.27.15

In the field of cryptography, a secretly planted "backdoor" that allows eavesdropping on communications is usually a subject of paranoia and dread. But that doesn't mean cryptographers don't appreciate the art of skilled cyphersabotage. Now one group of crypto experts has published an appraisal of different methods of weakening crypto systems, and the lesson is that some backdoors are clearly better than others: in stealth, deniability, and even in protecting the victims' privacy from spies other than the backdoor's creator.

In a paper titled "Surreptitiously Weakening Cryptographic Systems," well-known cryptographer and author Bruce Schneier and researchers from the Universities of Wisconsin and Washington take the spy's view to the problem of crypto design: What kind of built-in backdoor surveillance works best? Their paper analyzes and rates examples of both intentional and seemingly unintentional flaws built into crypto systems over the last two decades. Their results seem to imply, however grudgingly, that the NSA's most recent known method of sabotaging encryption may be the best option, both in effective, stealthy surveillance and in preventing collateral damage to the Internet's security.

"This is a guide to creating better backdoors. But the reason you go through that exercise is so that you can create better backdoor protections," says Schneier, the author of the recent book Data and Goliath, on corporate and government surveillance. "This is the paper the NSA wrote two decades ago, and the Chinese and the Russians and everyone else. We're just trying to catch up and understand these priorities."

The researchers looked at a variety of methods of designing and implementing crypto systems so that they can be exploited by eavesdroppers. The methods ranged from flawed random number generation to leaked secret keys to codebreaking techniques. Then the researchers rated them on variables like undetectability, lack of conspiracy (how much secret dealing it takes to put the backdoor in place), deniability, ease of use, scale, precision and control

< -- >

http://www.wired.com/2015/02/sabotage-encryption-software-get-caught/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Feb 28 16:57:54 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Feb 2015 17:57:54 -0500
Subject: [Infowarrior] - Which VPN Services Take Your Anonymity Seriously? 2015 Edition
Message-ID: <63A9A98F-4266-4304-885A-F015C849205E@infowarrior.org>

(f/d: I use one of the services on the list. --rick)

Which VPN Services Take Your Anonymity Seriously? 2015 Edition
By Ernesto on February 28, 2015
http://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Feb 28 16:58:08 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Feb 2015 17:58:08 -0500
Subject: [Infowarrior] - US crypto backdoors good; Chinese, bad.
Message-ID:

The U.S. Doesn't Like It When China Wants To Build Encryption Backdoors
http://gizmodo.com/the-u-s-doesnt-like-it-when-china-wants-to-build-encry-1688651385
Chris Mills Today 4:00pm

The NSA and U.S. tech giants have come to blows over government backdoors in encryption products lately, with the government arguing that backdoors are vital to national security, and the likes of Yahoo claiming it will make encryption pointless. Well, it looks the party line on backdoors changes pretty sharpish when China is involved.

As Reuters reports, China is considering a counterterrorism law that would require technology firms to surrender encryption keys and install backdoors for security services, something that's not exactly dissimilar to the NSA activities revealed by Edward Snowden. But in an impressive piece of hypocrisy, the US is throwing up a fit over the proposed Chinese law. Michael Froman, the US trade representative, claims that "the rules aren't about security; they are about protectionism and favoring Chinese companies...the administration is aggressively working to have China walk back from these troubling regulations."

But it's difficult to ignore the fact that the U.S. has undertaken nearly identical actions in the past: the PRISM program forces major tech companies to hand over access to their servers to the NSA, via a 'specially constructed backdoor', and in a well-publicized case, even forced secure email provider Lavabit to hand over encryption keys and SSL keys.
The proposed Chinese regulations would make things easier for the Chinese government (encryption keys would be handed over as a matter of form, rather than on request), but the end result is basically identical. Something about chickens coming home to roost would be appropriate about now. [Reuters]

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Feb 28 16:58:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Feb 2015 17:58:15 -0500
Subject: [Infowarrior] - US Court Rules That Kim Dotcom Is A 'Fugitive' And Thus DOJ Can Take His Money
Message-ID:

US Court Rules That Kim Dotcom Is A 'Fugitive' And Thus DOJ Can Take His Money
https://www.techdirt.com/articles/20150227/18171630168/us-court-rules-that-kim-dotcom-is-fugitive-thus-doj-can-take-his-money.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Feb 28 16:59:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Feb 2015 17:59:40 -0500
Subject: [Infowarrior] - Proposed privacy bill protects industry more than it does people
Message-ID: <37D159F6-2738-458C-B422-2F7AC325F524@infowarrior.org>

Proposed privacy bill protects industry more than it does people
by Timothy J. Seppala | @timseppala | 6 hrs ago
http://www.engadget.com/2015/02/28/consumer-privacy-bill-of-rights-draft/?ncid=rss_truncated

-- It's better to burn out than fade away.

From rforno at infowarrior.org Sat Feb 28 19:44:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Feb 2015 20:44:57 -0500
Subject: [Infowarrior] - Why 2015 is the year of encryption
Message-ID: <5609B67A-8C8E-4559-AD24-493230ED4712@infowarrior.org>

Why 2015 is the year of encryption
Andrew Crocker and Jeremy Gillula, Electronic Frontier Foundation
Feb. 28, 2015 - 10:30 AM PST
https://gigaom.com/2015/02/28/why-2015-is-the-year-of-encryption/

During a visit to Silicon Valley earlier this month, President Obama described himself as "a strong believer in strong encryption." Some have criticized the president for equivocating on the issue, but as "strong believers" ourselves, we'll take him at his word. Obama isn't alone; everyone is calling for encryption, from activists to engineers, and even government agencies tasked with cybersecurity.

In the past, using encryption to secure files and communication has typically only been possible for technically sophisticated users. It's taken some time for the tech industry and the open source community to ramp up their efforts to meet the call for widespread, usable encryption, but the pieces are in place for 2015 to be a turning point.

Last fall, Apple and Google announced that the newest versions of iOS and Android would encrypt the local storage of mobile devices by default, and 2015 will be the year this change really starts to take hold. If your phone is running iOS 8 or Android Lollipop 5.0, photos, emails and all the other data stored on your device are automatically secure against rummaging by someone who happens to pick it up. More important, even the companies themselves can't decrypt these devices, which is vital for protecting against hackers who might otherwise attempt to exploit a back door.

Of course the protection from these updated operating systems relies on user adoption, either by upgrading an old device or buying a new one with the new OS preinstalled. Gigaom readers might be on the leading edge, but not everyone rushes to upgrade. Based on past adoption trends, however, a majority of cell phone users will finally be running one of these two operating systems by the end of 2015. As the Supreme Court wrote last year, cell phones are a "pervasive and insistent part of modern life." The world looks a whole lot different when most of those phones are encrypted by default.

There are two more developments involving encryption which might not make the front page this year, but they're equally important as the moves by Apple and Google, if not more so.

First, this month saw the finalization of the HTTP/2 protocol. HTTP/2 is designed to replace the aging Hyper-Text Transfer Protocol (HTTP), which for almost two decades has specified how web browsers and web servers communicate with one another. HTTP/2 brings many modern improvements to a protocol that was designed back when dial-up was king, including compression, multiplexed data transfers, and the ability for servers to preemptively push content to browsers. HTTP/2 was also originally designed to operate exclusively over encrypted connections, in the hope that this would lead to the encryption of the entire web. Unfortunately that requirement was watered down during the standards-making process, and encryption was deemed optional. Despite this, Mozilla and Google have promised that their browsers will only support encrypted HTTP/2 connections, which means that if website operators want to take advantage of all the performance improvements HTTP/2 has to offer, they'll have to use encryption to do so or else risk losing a very large portion of their audience. The net result will undoubtedly be vastly more web traffic being encrypted by default.

But as any sysadmin can tell you, setting up a website that supports encryption properly can be a huge hassle. That's because in order to offer secure connections, websites must have correctly configured "certificates" signed by trusted third parties, or Certificate Authorities. Obtaining a certificate can be complicated and costly, and this is one of the biggest issues standing in the way of default use of HTTPS (and encrypted HTTP/2) by websites. Fortunately, a new project launching this summer promises to radically lower this overhead. Let's Encrypt will act as a free Certificate Authority, offering a dramatically sped-up certificate process and putting implementation of HTTPS within the reach of any website operator. (Disclosure: Our employer, the Electronic Frontier Foundation, is a founding partner in Let's Encrypt.)

Of course there are sure to be other developments in this Year of Encryption. For example, both Google and Yahoo have tantalizingly committed to rolling out end-to-end encryption for their email services, which could be a huge step toward improving the famously terrible usability of email encryption.

Finally, we'd be accused of naiveté if we didn't acknowledge that despite President Obama's ostensible support, many high-level law enforcement and national security officials are still calling for a "debate" about the balance between encryption and lawful access. Even putting aside the cold, hard fact that there's no such thing as a "golden key," this debate played out in the nineties in favor of strong encryption. We're confident that in light of the technical strides like the ones we've described, calls for backdoored crypto will come to seem increasingly quaint.

Andrew Crocker is an attorney and fellow at the Electronic Frontier Foundation. Follow him on Twitter @AGCrocker. Jeremy Gillula is a staff technologist at the Electronic Frontier Foundation. Prior to EFF, Jeremy received his doctorate in computer science from Stanford, and a bachelor's degree from Caltech.

-- It's better to burn out than fade away.