From rforno at infowarrior.org Wed Jul 1 08:10:10 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jul 2015 09:10:10 -0400
Subject: [Infowarrior] - Leaked: What's in Obama's trade deal
Message-ID:

Leaked: What's in Obama's trade deal
Is the White House going to bat for Big Pharma worldwide?
By Michael Grunwald

A recent draft of the Trans-Pacific Partnership free-trade deal would give U.S. pharmaceutical firms unprecedented protections against competition from cheaper generic drugs, possibly transcending the patent protections in U.S. law.

POLITICO has obtained a draft copy of TPP's intellectual property chapter as it stood on May 11, at the start of the latest negotiating round in Guam. While U.S. trade officials would not confirm the authenticity of the document, they downplayed its importance, emphasizing that the terms of the deal are likely to change significantly as the talks enter their final stages. Those terms are still secret, but the public will get to see them once the twelve TPP nations reach a final agreement and President Obama seeks congressional approval.

Still, the draft chapter will provide ammunition for critics who have warned that TPP's protections for pharmaceutical companies could dump trillions of dollars of additional health care costs on patients, businesses and governments around the Pacific Rim. The highly technical 90-page document, cluttered with objections from other TPP nations, shows that U.S. negotiators have fought aggressively and, at least until Guam, successfully on behalf of Big Pharma. The draft text includes provisions that could make it extremely tough for generics to challenge brand-name pharmaceuticals abroad. Those provisions could also help block copycats from selling cheaper versions of the expensive cutting-edge drugs known as "biologics" inside the U.S., restricting treatment for American patients while jacking up Medicare and Medicaid costs for American taxpayers.
"There's very little distance between what Pharma wants and what the U.S. is demanding," said Rohit Malpani, director of policy for Doctors Without Borders.

< - >

http://www.politico.com/agenda/story/2015/06/tpp-deal-leaked-pharma-000126?hp=t4_r

From rforno at infowarrior.org Wed Jul 1 09:22:42 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jul 2015 10:22:42 -0400
Subject: [Infowarrior] - WaPo moves to https
Message-ID: <59C30FBD-F3C2-4E36-8246-5116BBECBBE7@infowarrior.org>

Washington Post starts to automatically encrypt part of Web site for visitors
By Andrea Peterson
June 30
https://www.washingtonpost.com/blogs/the-switch/wp/2015/06/30/washington-post-starts-to-automatically-encrypt-part-of-web-site-for-visitors/

[Photo: A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris in this April 15, 2014 file photo. (REUTERS/Mal Langsdon/Files)]

The Washington Post will begin encrypting parts of its Web site Tuesday, making it more difficult for hackers, government agencies and others to track the reading habits of people who visit the site.

The added security will immediately apply to The Post's homepage as well as stories on the site's national security page and the technology policy blog The Switch. The encryption will roll out to the rest of the site over the coming months.

"The biggest gain is letting users feel secure," said Shailesh Prakash, the company's chief information officer.

Most browsers will note the added security with a display icon, a small lock, in the Web address bar. Secure sites also start with the letters "https" rather than "http." (The S is for secure.) Encrypted traffic is standard for many sites, including online banking and Web-based e-mail services, and is becoming increasingly common across the Internet.
The Obama administration has made encrypting traffic a priority: Earlier this month, the White House ordered all public federal Web sites to start using https technology by the end of 2016.

But the news media has lagged. Last year, the New York Times published a blog post challenging news organizations to begin automatically encrypting their sites' traffic by the end of 2015. But the Times has yet to make the security feature automatic for its readers. Although some smaller online-only outlets, including the Intercept and TechDirt, use https technology by default, The Post is the first major general news organization to roll out the added security measures to all of its readers.

Almost everything a user does on the Web leaves a trail of digital bread crumbs. And a person's news habits can be especially revealing, privacy advocates say.

"The articles you read paint a picture of your life. They can reveal your political interests, suggest your sexuality, your interest in medical issues and other sensitive topics that are really no one else's business but your own," said Christopher Soghoian, a privacy researcher and technologist with the American Civil Liberties Union, who has long urged news organizations and other groups to encrypt their Web sites.

The type of encryption being rolled out by The Post, known as https or SSL, establishes a private connection between the Web site and the user, making spying or hijacking Web traffic much more difficult.

The technology also has the potential to make online censorship more difficult for government regimes: When visitors go to a site using the technology, someone monitoring their traffic can only see the domain they are visiting - not the specific page. So a country won't have the option to filter only some content; it would be forced to block an entire site.
The Post expects there to be some drop-off in online advertising revenue in response to the change, although it is unclear how much, said Jeff Burkett, the company's senior director for sales operations and product strategy. The new security measures will require advertisers to make sure their content is also secure, an extra step that may drive some away, he said. The Post will monitor the site to make sure ads are secure.

"Every third party we use on the site needs to be https-compliant, or it either stops working or the browser will warn about it being insecure," said Greg Franczyk, chief digital architect of The Post's Web site. That will include content from advertising partners, but also content that reporters embed in their stories, such as videos or social media posts.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 1 17:03:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jul 2015 18:03:45 -0400
Subject: [Infowarrior] - Cameron is going to try and ban encryption in Britain
Message-ID: <5193631B-5AC3-49B7-A4FA-ADB1613654EB@infowarrior.org>

David Cameron is going to try and ban encryption in Britain
Rob Price
http://www.businessinsider.com/david-cameron-encryption-back-doors-iphone-whatsapp-2015-7

David Cameron has signalled that he intends to ban strong encryption - putting the British government on a collision course with some of the biggest tech companies in the world.

As reported by Politics.co.uk, the British Prime Minister reaffirmed his commitment to tackling strong encryption products in Parliament on Monday in response to a question.

Strong encryption refers to the act of scrambling information in such a way that it cannot be understood by anyone - even law enforcement with a valid warrant, or the software company itself - without the correct key or password. It's currently used in some of the most popular tech products in the world, including the iPhone, WhatsApp, and Facebook.
But amid heightened terrorism fears, David Cameron is attempting to take action.

Encryption is a contentious issue right now

Over the last year, encryption has become a hot tech policy issue. Following exiled whistleblower Edward Snowden's revelations about mass surveillance online by the NSA and other spy agencies, tech companies have increasingly moved to incorporate strong encryption into their products to protect consumers' data.

And simultaneously, governments and law enforcement officials have upped their rhetoric, warning that proliferation of the tech could help terrorists and criminals evade capture. When Apple implemented strong encryption by default in late 2014, for example, a senior US police officer warned that the iPhone would become the "phone of choice for the paedophile" as a result. And European police chief Rob Wainwright said in March 2015 that encryption is now the "biggest problem" in tackling terrorism.

It's a difficult situation. On the one hand, it's easy to sympathise with law enforcement, who fear that large amounts of communications data they previously had access to are now "going dark." But security experts warn that any attempt to weaken encryption or introduce "back doors" for the authorities can have unintended and dangerous consequences. There's no back door that can only be used by the good guys, they argue, and weakening the tech will put consumers at risk from criminals and hackers.

Cameron already made his thoughts clear

As it currently stands, it's already illegal for Britons to refuse to surrender their passwords or encryption keys, and you can be jailed for doing so. But if someone's refusing to talk (or they can't be found), and police need to gain access to communication data urgently, then this isn't much help.

[Photo: AP] The Charlie Hebdo massacre sparked Cameron's initial anti-encryption rhetoric.
In the aftermath of the Charlie Hebdo massacre in Paris earlier this year, Cameron first signalled his intention to take action against strong encryption products. In a speech, he asked whether "we want to allow a means of communication between two people which even in extremis with a signed warrant from the home secretary personally that we cannot read? ... My answer to that question is no, we must not. The first duty of any government is to keep our country and our people safe."

The inference was clear: If your encryption product cannot be intercepted and decrypted by law enforcement, even with a warrant, we're coming for you.

These comments immediately sparked a flurry of criticism from privacy and security activists. Jim Killock, executive director of human rights organisation Open Rights Group, said that Cameron's plans "appear dangerous, ill-thought out and scary." They make "us all more vulnerable to criminal attack."

Author and activist Cory Doctorow also wrote a scathing takedown of Cameron's plans, arguing that if you leave in a vulnerability for law enforcement, it'll be abused by "foreign spies, criminals, crooked police."

And writing for the Guardian, James Ball suggested that a blanket ban on encryption would "spell the end of e-commerce" in the UK since credit card details are generally always sent via secure encrypted connections. "Cameron either knows his anti-terror talk is unworkable and is looking for headlines," Ball said, "or he hasn't got a clue."

An encryption ban is now on the cards

[Photo: Getty] Increased spy powers were announced at this year's Queen's Speech.

Following the General Election earlier this year, David Cameron laid out his government's plans for the year in the Queen's Speech. In it, he included increased spy powers in the form of the Investigatory Powers Bill - but at the time, it wasn't clear whether this would include a crackdown or outright ban on strong encryption products.
But Politics.co.uk reports that Cameron is now set to attempt to curtail the use of strong encryption in the coming year.

The Prime Minister was asked by Conservative MP Henry Bellingham in Parliament on Monday whether "companies such as Google, Facebook and Twitter ... understand that their current privacy policies are completely unsustainable?" Cameron responded (emphasis ours):

    Britain is not a state that is trying to search through everybody's emails and invade their privacy ... We just want to ensure that terrorists do not have a safe space in which to communicate. That is the challenge, and it is a challenge that will come in front of the House. We have always been able, on the authority of the home secretary, to sign a warrant and intercept a phone call, a mobile phone call or other media communications, but the question we must ask ourselves is whether, as technology develops, we are content to leave a safe space - a new means of communication - for terrorists to communicate with each other. My answer is no, we should not be, which means that we must look at all the new media being produced and ensure that, in every case, we are able, in extremis and on the signature of a warrant, to get to the bottom of what is going on.

Business Insider has reached out to 10 Downing Street for further comment and will update when it responds.

Encryption is everywhere

[Photo: REUTERS/Kevin Lamarque] Apple CEO Tim Cook has spoken out repeatedly in favour of strong encryption products.

There's a serious problem with these plans, however: Dozens of top tech companies all incorporate strong encryption into their products, and are unlikely to budge on the issue.

As already mentioned, Apple now incorporates it by default, and CEO Tim Cook has become a staunch defender of user privacy. In an open letter on Apple's website, he says the Cupertino company has "never worked with any government agency from any country to create a backdoor in any of our products or services.
We have also never allowed access to our servers. And we never will."

Wildly popular messaging app WhatsApp also uses encryption. Its founder, Jan Koum, grew up in the Soviet Union, and the legacy of constant state surveillance left a lasting impression upon him.

Facebook, which owns WhatsApp, recently introduced support for encryption software PGP - letting users receive emails in an encrypted format and publicise their PGP public key that lets others contact them securely on their profiles.

There are huge technical challenges facing any ban

These companies are highly unlikely to agree to any demand from Cameron's government to weaken their encryption product, in part because it would create an extremely dangerous precedent. If Apple provides back doors in its software for Britain, then why not China, or Russia, or Saudi Arabia?

[Photo: Flickr/Sallam] Many protesters around the world use encryption for protection.

Further complicating the matter is that millions of activists, dissidents, journalists and whistleblowers around the world already use strong encryption products (like PGP) to keep their sensitive communications secure. It's inconceivable that the developers of such tools would agree to Cameron's plans, as any backdoor would endanger the lives of activists that rely on the service worldwide. If Cameron tried to block the software in the UK, it would mean that many digital journalists in Britain would be breaking the law by continuing to use it to communicate with sources.

On a purely technical level, it's difficult to imagine how such a ban could ever be implemented. As Cory Doctorow pointed out earlier this year, the level of internet filtering that would be required to block rogue software from getting in would put Britain on a par with "Syria, Russia, and Iran" - and even then it's not very effective. The "great firewall of China" was built at enormous expense to the country, but activists are still able to circumvent it.
Incredibly popular coding sites like GitHub might also have to be banned or policed at great expense, lest they're used to distribute illicit encryption software. Doctorow even suggests that "anyone visiting the country from abroad must have their smartphones held at the border until they leave," because their devices - with strong encryption enabled by default - would be illegal in Britain.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 1 17:06:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jul 2015 18:06:00 -0400
Subject: [Infowarrior] - Most Americans suffer from 'Digital Amnesia'
Message-ID: <9F6084E3-07B6-4215-8548-3B037192ACA2@infowarrior.org>

I've been saying this for years!!! --rick

Study: Most Americans suffer from 'Digital Amnesia'
By WTOP Staff
July 1, 2015 2:15 pm
http://wtop.com/health/2015/07/study-most-americans-suffer-from-digital-amnesia/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 1 18:22:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jul 2015 19:22:28 -0400
Subject: [Infowarrior] - 'Cloud tax' jacks up Netflix bills in Chicago
Message-ID:

'Cloud tax' jacks up Netflix bills in Chicago
The new charge is separate from sales tax, and could add 9 percent to customers' bills.
Jared Newman
Jul 1, 2015 10:04 AM
http://www.techhive.com/article/2942606/cloud-tax-jacks-up-netflix-bills-in-chicago.html

The city of Chicago is enforcing a new and unprecedented tax on cloud services, possibly raising the cost of Netflix, Spotify, and other forms of streaming entertainment for residents.

As The Verge reports, the so-called "cloud tax" went into effect on July 1, and levies a 9 percent tax on "electronically delivered amusements" such as streaming video, streaming music, and online gaming subscriptions. It does not apply to books, or to content that users download permanently.
Netflix says it's already planning to add the extra charge to Chicago customers' monthly bills. Keep in mind that this tax is separate from sales tax, which Netflix and other services already charge in many states as required by law.

The rationale behind this new charge is that streaming services are eliminating the need for brick-and-mortar video rental shops and music stores, which would have been paying Chicago property taxes. In the midst of a budget crisis, the city is hoping that streaming services can make up some of the difference.

The cloud tax doesn't only apply to streaming. Chicago is also extending its Lease Transaction tax to extract 9 percent from databases and cloud computing platforms that do business in the city. Companies in Chicago that are paying for server time from platforms like Amazon Web Services will therefore face an extra $9 charge for every $100 they spend. Cloud storage appears to be exempt from the new rules, at least.

Why this matters: While the new charge is bad news for Chicago residents, it's unlikely that this will be an isolated incident. Other cities around the world have also been trying to tax the cloud, and whether or not you agree with the justification, the reality will likely be new headaches for services and their customers as various municipalities try to cash in.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 1 18:37:31 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Jul 2015 19:37:31 -0400
Subject: [Infowarrior] - Windows 10 will share your Wi-Fi key with your friends' friends
Message-ID:

Windows 10 will share your Wi-Fi key with your friends' friends
30 Jun 2015 at 20:59, Simon Rockman
http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/

A Windows 10 feature, Wi-Fi Sense, smells like a security risk: it shares Wi-Fi passwords with the user's contacts.
Those contacts include their Outlook.com (nee Hotmail) contacts, Skype contacts and, with an opt-in, their Facebook friends. There is method in the Microsoft madness - it saves having to shout across the office or house "what's the Wi-Fi password?" - but ease of use has to be teamed with security.

If you wander close to a wireless network, and your friend knows the password, and you both have Wi-Fi Sense, you can now log into that network.

Wi-Fi Sense doesn't reveal the plaintext password to your family, friends, acquaintances, and the chap at the takeaway who's an Outlook.com contact, but it does allow them, if they are also running Wi-Fi Sense, to log in to your Wi-Fi. The password must be stored centrally by Microsoft, and is copied to a device for it to work; Microsoft just tries to stop you looking at it. How successful that will be isn't yet known.

"For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts' phone if they use Wi-Fi Sense and they're in range of the Wi-Fi network you shared," the Wi-Fi Sense FAQ states.

Microsoft also adds that Wi-Fi Sense will only provide internet access, and block connections to other things on the wireless LAN: "When you share network access, your contacts get internet access only. For example, if you share your home Wi-Fi network, your contacts won't have access to other computers, devices, or files stored on your home network."

That sounds wise - but we're not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. And if the computer knows the key, a determined user or hacker will be able to find it within the system and use it to log into the network with full access.
In theory, someone who wanted access to your company network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the corporate wireless network.

The feature has been on Windows Phones since version 8.1. If you type the password into your Lumia, you won't then need to type it into your laptop, because you are a friend of yourself. Given the meagre installed base of Windows Phones it's not been much of a threat - until now. With every laptop running Windows 10 in the business radiating access, the security risk is significant.

A second issue is that by giving Wi-Fi Sense access to your Facebook contacts, you are giving Microsoft a list of your Facebook friends, as well as your wireless passwords.

In an attempt to address the security hole it has created, Microsoft offers a kludge of a workaround: you must add _optout to the SSID (the name of your network) to prevent it from working with Wi-Fi Sense. (So if you want to opt out of Google Maps and Wi-Fi Sense at the same time, you must change your SSID of, say, myhouse to myhouse_optout_nomap. Technology is great.)

Microsoft enables Windows 10's Wi-Fi Sense by default, and access to password-protected networks is shared with contacts unless the user remembers to uncheck a box when they first connect. Choosing to switch it off may make it a lot less useful, but would make for a more secure IT environment.

Yes, wireless passwords can be written down and trivially passed along to others: we know network security shouldn't end at the Wi-Fi login prompt. But there's nothing like an OS automating the practice of blabbing passphrases to your mates, eh?

-- 
It's better to burn out than fade away.
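An added example (not from The Register article and not Microsoft's or Google's code): a small Python helper that audits a list of network names for the _optout and _nomap markers described above and proposes the renamed SSID. It goes one step beyond the article by enforcing the 32-byte SSID length limit, so an administrator learns up front when a rename will not fit. Assumptions: Wi-Fi Sense honours _optout anywhere in the name, Google's _nomap must be the final suffix, and SSIDs are at most 32 bytes (the IEEE 802.11 limit).

```python
"""Audit Wi-Fi network names (SSIDs) for the Wi-Fi Sense and Google
location-mapping opt-out markers, and propose compliant renames.

Added example; not code from the article, Microsoft or Google.
Assumed behaviour (labelled): "_optout" is honoured anywhere in the
SSID, "_nomap" only as the trailing suffix, and an SSID is limited to
32 bytes (IEEE 802.11), so a rename can be impossible without first
shortening the base name.
"""

SSID_MAX_BYTES = 32            # IEEE 802.11 SSID length limit, in octets
WIFI_SENSE_MARKER = "_optout"  # Microsoft's Wi-Fi Sense opt-out marker
NOMAP_SUFFIX = "_nomap"        # Google's opt-out suffix, must come last


def opted_out_of_wifi_sense(ssid: str) -> bool:
    """True if the SSID already carries the Wi-Fi Sense opt-out marker."""
    return WIFI_SENSE_MARKER in ssid


def opted_out_of_nomap(ssid: str) -> bool:
    """True if the SSID ends with Google's _nomap suffix."""
    return ssid.endswith(NOMAP_SUFFIX)


def fits_ssid_limit(ssid: str) -> bool:
    """True if the UTF-8 encoding of the SSID fits in 32 bytes."""
    return len(ssid.encode("utf-8")) <= SSID_MAX_BYTES


def recommended_ssid(ssid: str, nomap: bool = True) -> str:
    """Return an SSID that opts out of Wi-Fi Sense and, when requested or
    already present, Google mapping. Markers already in the name are kept,
    and _nomap is always re-appended last. Raises ValueError when the
    result would exceed the 32-byte limit.
    """
    base = ssid
    # Keep an existing _nomap opt-out even if the caller did not ask for it.
    if opted_out_of_nomap(base):
        nomap = True
        base = base[: -len(NOMAP_SUFFIX)]  # strip so it can go back on last
    if WIFI_SENSE_MARKER not in base:
        base += WIFI_SENSE_MARKER
    if nomap:
        base += NOMAP_SUFFIX
    if not fits_ssid_limit(base):
        raise ValueError(
            f"{base!r} is {len(base.encode('utf-8'))} bytes; "
            f"SSIDs are limited to {SSID_MAX_BYTES} bytes"
        )
    return base


def audit_ssids(ssids: list[str]) -> dict[str, str]:
    """Map each SSID to "ok" if it already opts out of Wi-Fi Sense,
    otherwise to the proposed rename or a note that the name is too long.
    """
    report = {}
    for ssid in ssids:
        if opted_out_of_wifi_sense(ssid):
            report[ssid] = "ok"
            continue
        try:
            report[ssid] = recommended_ssid(ssid)
        except ValueError:
            report[ssid] = "too long to rename; shorten the SSID first"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, including the article's own example
    # and a 26-character name that cannot take both suffixes.
    sample = ["myhouse", "myhouse_optout", "corp-guest_nomap", "a" * 26]
    for name, verdict in audit_ssids(sample).items():
        print(f"{name:30} -> {verdict}")
```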
From rforno at infowarrior.org Thu Jul 2 06:30:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jul 2015 07:30:52 -0400
Subject: [Infowarrior] - No Craig Newmark Did Not Donate To EFF; He Helped Make CFAA Worse Instead
Message-ID:

No Craig Newmark Did Not Donate To EFF; He Helped Make CFAA Worse Instead

There's been a bunch of fuss online over the "news" that Craigslist is supposedly donating $1 million to EFF when the money is not actually from Craig. It's from a startup that Craigslist has sued out of business, under a dangerous interpretation of the CFAA that harms the open internet. Obviously, EFF getting an additional $1 million in resources is really great. But it's troubling to see so many people congratulate Craigslist and Craig Newmark for "supporting EFF." Craig himself has contributed to this misleading perception with this tweet implying he's giving his own money to EFF

< - >

As part of the settlement, 3taps and its founder, Greg Kidd, have agreed to pay craigslist $1 million, all of which must then be paid by craigslist to the EFF, which supported 3taps' position on the CFAA in this litigation, and continues to do great work for Internet freedom generally.

< - >

https://www.techdirt.com/articles/20150701/14150431519/no-craig-newmark-did-not-donate-to-eff-he-helped-make-cfaa-worse-instead.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 2 07:07:16 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jul 2015 08:07:16 -0400
Subject: [Infowarrior] - DC Navy Yard under lockdown - active shooter
Message-ID: <48EBBAA8-D23F-4EC7-9D81-9420E912C9F9@infowarrior.org>

Park Police mobilized after reports of shooter at Navy Yard
By Arelis R. Hernández
July 2 at 7:51 AM

U.S. Park Police confirmed that officers responded Thursday to reports of an active shooter at the Washington Navy Yard. The call came in about 7:40 a.m.
The military installation was the site of a 2013 shooting in which a lone gunman shot and killed 12 workers and injured three others. Few details were immediately available on the latest incident.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 2 10:08:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jul 2015 11:08:33 -0400
Subject: [Infowarrior] - The Inner Workings of NSA's XKEYSCORE, Part 2
Message-ID:

Behind the Curtain
A look at the Inner Workings of NSA's XKEYSCORE
By Micah Lee, Glenn Greenwald, and Morgan Marquis-Boire (@micahflee, @ggreenwald, @headhntr)
Second in a series.
https://firstlook.org/theintercept/2015/07/02/look-under-hood-xkeyscore/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 2 14:36:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jul 2015 15:36:07 -0400
Subject: [Infowarrior] - As FBI Fearmongers About 'Going Dark' Because Of Encryption, Actual Wiretaps Almost Never Run Into Encryption
Message-ID: <0DE9BD23-120B-437C-B179-E36CBEACB381@infowarrior.org>

As FBI Fearmongers About 'Going Dark' Because Of Encryption, Actual Wiretaps Almost Never Run Into Encryption

The FBI has been really screaming its head off about the evils of encryption over the last year or so. Director James Comey keeps fearmongering about encryption, though when asked to give examples of cases where encryption had created problems, all of his "examples" turn up empty. Yet, the FBI keeps insisting that something needs to be done and, if not, there's a real risk of "going dark." One of Comey's top deputies has insisted that tech companies need to "prevent encryption above all else." And the fearmongering is working. Some politicians are already freaking out about this so-called "going dark" scenario.
In fact, next Wednesday, both the Senate Intelligence Committee and the Senate Judiciary Committee are hosting "hearings" for Comey, about the issue of "going dark" due to encryption. The Intelligence Committee's is called "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy," while the Judiciary's is "Counterterrorism, Counterintelligence, and the Challenges of 'Going Dark.'"

So it's rather interesting that before all that, the US Courts had released their own data on all wiretaps from 2014, in which it appears that encryption was almost never an issue at all, and in the vast majority of cases when law enforcement encountered encryption, it was able to get around it. Oh, and the number of wiretaps where encryption was even encountered has been going down rather than up:

< - >

https://www.techdirt.com/articles/20150701/23344231523/as-fbi-fearmongers-about-going-dark-because-encryption-actual-wiretaps-almost-never-run-into-encryption.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 2 14:40:20 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Jul 2015 15:40:20 -0400
Subject: [Infowarrior] - Yo Air Force: Don't You Dare Kill Off Our Toughest Warplane
Message-ID: <02576B45-AB65-4218-A382-1C3E11A6D1C6@infowarrior.org>

Yo Air Force: Don't You Dare Kill Off Our Toughest Warplane
Jordan Golson
07.02.15, 1:41 pm
http://www.wired.com/2015/07/a-10-thunderbolt/

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Jul 3 06:31:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 3 Jul 2015 07:31:15 -0400
Subject: [Infowarrior] - Clever warrant canary prepwork
Message-ID:

Let's Encrypt Releases Transparency Report -- All Zeroes Across The Board
https://www.techdirt.com/articles/20150702/17014131531/lets-encrypt-releases-transparency-report-all-zeroes-across-board.shtml

< - >

This is actually pretty important for a variety of reasons. First, it clearly acts as something of a warrant canary. And by posting this now, before launch and before there's even been a chance for the government to request information, Let's Encrypt is actually able to say "0." That may seem like a strange thing to say but, with other companies, the government has told them that they're not allowed to claim "0," but can only give ranges -- such as 0 to 999 if they separate out the specific government requests, or 0 to 249 if they lump together different kinds of government orders. Twitter has been fighting back against these kinds of rules, and others have argued that revealing an accurate number should be protected speech under the First Amendment. Let's Encrypt is, smartly, getting this first report out there -- with all the zeroes -- before the government can swoop in and insist that it has to only display ranges. In other words, this is getting in before any gag order can stop this kind of thing. Smart move.

It's also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That's an important step that it would be nice to see others follow as well.

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Sun Jul 5 09:01:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 5 Jul 2015 10:01:15 -0400
Subject: [Infowarrior] - SSCI proposes sites flag 'terrorist activity' to law enforcement
Message-ID: <58EA25F6-999E-43B9-9E5D-69727FE956C0@infowarrior.org>

Lawmakers want Internet sites to flag 'terrorist activity' to law enforcement
By Ellen Nakashima
July 4 at 2:51 PM

Social media sites such as Twitter and YouTube would be required to report videos and other content posted by suspected terrorists to federal authorities under legislation approved this past week by the Senate Intelligence Committee.

The measure, contained in the 2016 intelligence authorization, which still has to be voted on by the full Senate, is an effort to help intelligence and law enforcement officials detect threats from the Islamic State and other terrorist groups.

It would not require companies to monitor their sites if they do not already do so, said a committee aide, who requested anonymity because the bill has not yet been filed. The measure applies to "electronic communication service providers," which includes e-mail services such as Google and Yahoo.

Companies such as Twitter have recently stepped up efforts to remove terrorist content in response to growing concerns that they have not done enough to stem the propaganda. Twitter removed 10,000 accounts over a two-day period in April. Although officials are generally pleased to see such accounts taken down, they also worry that threats might go unnoticed.

< - >

https://www.washingtonpost.com/world/national-security/lawmakers-want-internet-sites-to-flag-terrorist-activity-to-law-enforcement/2015/07/04/534a0bca-20e9-11e5-84d5-eb37ee8eaa61_story.html

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Mon Jul 6 05:44:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Jul 2015 06:44:18 -0400
Subject: [Infowarrior] - Egypt's new anti-media law
Message-ID: <701E7F8E-2E9B-42D7-9450-FFE04AB124FA@infowarrior.org>

New terrorism law could target journalists in Egypt
By Sarah Sirgany, CNN
Updated 2:51 AM ET, Mon July 6, 2015
http://www.cnn.com/2015/07/05/africa/egypt-terrorism-law-journalists/index.html

Cairo (CNN) A new anti-terrorism law in Egypt will make publishing news that contradicts the official version of events in terrorism-related cases a crime punishable by prison sentences, a setback for the freedom of the press, according to the local journalists union.

The anti-terrorism draft law lists more than 25 crimes, 12 of which are punishable by death. It was approved by the Cabinet and the State Council and is pending the approval of President Abdel-Fattah el-Sisi, who has legislative powers in the absence of a parliament.

A terrorist attack on military outposts in Sinai led to an hourslong battle in a town near the Gaza border, killing at least 17 soldiers and over 200 militants on July 1, the military said. Some local and international media said military casualties were between 50 and 70. Egyptian authorities criticized such reports.

In a video released by the Ministry of Defense, Al-Jazeera network and Muslim Brotherhood affiliated TV channels were singled out for spreading false news and participating in anti-military propaganda. The military removed the Brotherhood-affiliated president Mohamed Morsy from power in 2013 after mass protests. A deadly security crackdown and a wave of terrorism left hundreds of civilians, police and soldiers dead over the past two years.

'Chained by the law'

Last Wednesday's attack in Sinai was "unprecedented in the number of militants involved and the weapons used," a high-ranking security official told CNN.
Together with the assassination of the prosecutor general two days prior, it prompted calls for an anti-terrorism law in a bid to combat terrorism and bring justice.

"The hands of swift justice is chained by the law," el-Sisi said on June 30, during the funeral of the Prosecutor General Hesham Barakat. Barakat was killed in an explosion that targeted his convoy on June 29.

"Egypt is at the forefront of the fight against terrorism. We are cooperating with our international partners," Foreign Minister Sameh Shoukry told journalists on Saturday. The press briefing included "observations" on foreign media's coverage of the latest terrorist attacks. Guidelines handed out to journalists suggested the use of words such as "terrorists, rebels, slayers and eradicators" instead of "jihadists."

El-Sisi's call for expedited judicial procedure and implementation of verdicts was answered in the quick drafting of a number of laws, led by the anti-terrorism law.

The draft law, which got the approval of a number of political parties and regime allies, "transcends the main goal of the law of combating terrorism to appropriating freedom of the press," the Journalists' Syndicate said in a statement.

According to a draft of the law published by local media, the law stipulates no less than two years in prison for "publishing false news or statements about terrorist operations in contradiction to official statements."

'Dangerous and unconstitutional'

The Journalists' Syndicate noted four other articles of the law that were also "dangerous and unconstitutional."

"It appropriates the right of the journalist to acquire information from different sources and limits it to one side. This is a clear setback for the freedom of thought and press," the syndicate was quoted as saying by the state-run daily Al-Ahram.

Eighteen journalists are in prison in Egypt, according to the Committee to Protect Journalists' tally in June -- the highest in Egypt's history in CPJ records.
"The threat of imprisonment in Egypt is part of an atmosphere in which authorities pressure media outlets to censor critical voices," CPJ said.

"Authorities don't want journalists to reach Egyptians, but want to control all information and be the only source of information," Khaled El-Balshy, the head of the freedoms committee at the Journalists' Syndicate, told CNN.

The syndicate called for an emergency meeting on Monday to discuss the draft law in a bid to lobby for the removal or amendment of the controversial articles.

For rights groups, the government's restrictive measures would be counterproductive. "More attacks on civil and political rights and freedoms by security institutions won't be a successful solution in the face of all these [terrorist] threats," 14 Egyptian rights groups said in a joint statement last week.

Answering questions about the possible wide interpretations of terrorism and incitement in the draft law, the foreign minister said that "it will be up to the judge to determine what constitutes incitement."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Jul 6 07:47:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Jul 2015 08:47:22 -0400
Subject: [Infowarrior] - Zero for 40 at Predicting Attacks: Why Do Media Still Take FBI Terror Warnings Seriously?
Message-ID: <6498C26A-BB56-4BDB-A446-FFD85FB5F727@infowarrior.org>

Zero for 40 at Predicting Attacks: Why Do Media Still Take FBI Terror Warnings Seriously?

http://fair.org/home/zero-for-40-at-predicting-attacks-why-do-media-still-take-fbi-terror-warnings-seriously/

--
It's better to burn out than fade away.
From rforno at infowarrior.org Mon Jul 6 17:16:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Jul 2015 18:16:22 -0400
Subject: [Infowarrior] - FBI Spent $775K on Hacking Team's Spy Tools Since 2011
Message-ID: <013A4A3E-1E8A-4919-B744-CB069FACC8C6@infowarrior.org>

The FBI Spent $775K on Hacking Team's Spy Tools Since 2011 | WIRED
Author: Joseph Cox
http://www.wired.com/2015/07/fbi-spent-775k-hacking-teams-spy-tools-since-2011/

The FBI is one of the clients who bought hacking software from the private Italian spying agency Hacking Team, which was itself the victim of a recent hack. It's long been suspected that the FBI used Hacking Team's tools, but with the publication yesterday of internal documents, invoices, emails and even product source code from the company, we now have the first concrete evidence that this is true.

The FBI is not in good company here. According to several spreadsheets within the hacked archive, which contain a list of Hacking Team's customers, many of the other governments who bought the same software are repressive regimes, such as Sudan and Bahrain.

The documents show that the FBI first purchased the company's "RCS" in 2011. RCS stands for "Remote Control Service," otherwise known as "Galileo," Hacking Team's premier spy product.

RCS is a simple piece of hacking software that has been used by the Ethiopian regime to target journalists based in Washington DC. It has also been detected in an attack on a Moroccan media outlet, and a human rights activist from the United Arab Emirates.

Once a target's computer has been infected, RCS is able to siphon off data, and listen in on communications before they have been encrypted. According to researchers based at the University of Toronto's Citizen Lab, who have monitored the use of RCS throughout the world, the tool can also "record Skype calls, e-mails, instant messages, and passwords typed into a Web browser."
To top that off, RCS is also capable of switching on a target's web camera and microphone.

Hacking Team has generated a total of 697,710 Euros ($773,226.64) from the FBI since 2011, according to the hacked spreadsheets. In 2015, the FBI spent 59,855 Euros on "maintenance," and in 2014 the agency spent the same amount on "license/upgrades." No expenditure was recorded for the whole of 2013. In 2012, however, the FBI allegedly spent 310,000 Euros for Hacking Team's services, all on licenses or upgrades, and the year before it spent 268,000 Euros.

Despite this expenditure on controversial surveillance technology, it appears that the FBI is only using Hacking Team's software as a "back up" to other tools, according to internal emails. As highlighted by Forbes, Eric Rabe, Hacking Team's communications chief, wrote in a leaked email that "The FBI unit that is using our system seems like a pretty small operation and they have purchased RCS as a sort of back up to some other system they user."

A final column on one of the hacked spreadsheets is entitled "Exploit". For the FBI, the entry is written as "Yes." Though it's unclear exactly what this means, we can infer that the FBI's version of RCS came with an exploit of some kind that could gain access to users' computers, rather than being deployed through social-engineering means.

Regardless, the FBI has been known to hack the computers of criminals in the past. In fact, the agency has been using malware since at least 2002 for all sorts of criminal cases, and the FBI develops some of its own tools. In 2012, "Operation Torpedo" was launched, which involved loading malware onto a number of child pornography sites, and identifying the IP addresses of anyone who visited. A similar operation was launched shortly after, in order to catch users of Freedom Hosting, a dark web hosting company. Those were both broad attacks, designed to sweep up as many offenders as possible.
Hacking Team's tools, on the other hand, are used for more targeted surveillance of specific individuals or groups. According to the hacked spreadsheets, the FBI has used RCS against 35 targets, although it is unclear who these targets are. The FBI did not immediately respond to multiple requests for comment.

One interesting tidbit from the spreadsheet is that it appears that Hacking Team has not been selling these products directly to the FBI. Though the FBI is listed as the client, its "Partner/Fulfillment Vehicle" is listed as "CICOM USA."

That name is familiar. Earlier this year, an investigation from Motherboard revealed that the Drug Enforcement Administration had been secretly purchasing surveillance technology from Hacking Team. Within that contract, $2.4 million was sent "between the DEA's Office of Investigative Technology and a government contractor named Cicom USA," according to Motherboard.

An invoice with the file name "Commessa019.2014. CICOM USA x FBI.xls," also included in the Hacking Team archive, lists a "One year renewal for Remote Control System," charged to Cicom USA. The invoice says that the product lasts from July 1, 2014 to June 30, 2015. The file name for the invoice explicitly includes the FBI, and not the DEA. However, the spreadsheet with the client list shows that the FBI is, in fact, joined by the DEA and the DOD in buying products from Hacking Team, which both also use Cicom USA as their "fulfillment vehicles."

Cicom USA is little more than a shell company for Hacking Team. "They have the same address, they have the same telephone number," as Hacking Team's US office, Edin Omanovic, a technologist at Privacy International, told WIRED in a phone interview.

As for what protections might be in place to make sure that the FBI (or any US government agency) is using this technology responsibly, it's all a bit hazy.
"We think they get court orders, and we have even seen a few, but the applications don't really describe how the software works, or how they will get it onto the target's device," Christopher Soghoian, Principal Technologist at the American Civil Liberties Union, told WIRED in an encrypted chat.

The problem is that the discussion around law enforcement using hacking as a means of information gathering has never been carried out in public. "Congress has never explicitly granted law enforcement agencies the power to hack. And there have never been any congressional hearings on the topic," Soghoian continued. "We need to have a national debate about whether we want law enforcement agencies to be able to hack into the computers of targets. This is too dangerous a tool for them to start using by themselves."

Updated at 5:40 pm 7/06/15 with a quote from an additional leaked email.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Jul 6 17:45:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Jul 2015 18:45:03 -0400
Subject: [Infowarrior] - FBI chief defends encryption stance
Message-ID: <0CC0F818-3917-47E1-A830-FF665C08E56B@infowarrior.org>

FBI chief defends encryption stance
By Cory Bennett - 07/06/15 04:43 PM EDT
http://thehill.com/policy/cybersecurity/246968-fbi-head-defends-encryption-stance-ahead-of-senate-hearings

FBI Director James Comey tried to clear the air Monday in an ongoing clash between the government and technologists, privacy advocates and lawmakers over encryption standards.

Ahead of back-to-back Senate hearings on Wednesday, Comey penned a short op-ed on the popular national security blog Lawfare that defended his agency's much-maligned position that there are downsides to widespread encryption.

"My job is to try to keep people safe," he said. "In universal strong encryption, I see something that is with us already and growing every day that will inexorably affect my ability to do that job."
Comey has been pressing for Congress to give investigators a legal framework that would guarantee access, with a warrant, to encrypted data. Many have pushed back, arguing any such guarantee ruins encryption, creating a vulnerability for nefarious actors to exploit.

The FBI head claims he is simply trying to inform public debate as society weighs the benefits and drawbacks of universal encryption.

Americans are not far from living in a world where "our conversations and our 'papers and effects' will be locked in such a way that permits access only by participants to a conversation or the owner of the device holding the data," Comey said.

"There are many benefits to this," he acknowledged, explaining that encryption protects "innovation" and "private thoughts" from thieves.

However, "there are many costs to this," Comey added. For example, Comey said Islamic extremists behind the Islamic State in Iraq and Syria (ISIS) recruit Americans and plan attacks through "a process that increasingly takes part through mobile messaging apps that are end-to-end encrypted, communications that may not be intercepted, despite judicial orders under the Fourth Amendment."

This has created a "tension" between privacy and safety, he said. "Democracies resolve such tensions through robust debate."

Comey conceded that society may "decide the benefits here outweigh the costs and that there is no sensible, technically feasible way to optimize privacy and safety in this particular context."

But until then, Comey will continue to push his warnings of the dangers such a decision would pose to the country.

He'll get his biggest chance yet to bring this message to Congress on Wednesday, when the agency director will appear before the Senate Intelligence and Judiciary Committees.

In past hearings on encryption, FBI officials have not been greeted kindly by lawmakers. Comey will likely receive a similar grilling from both panels.

Sen.
Chuck Grassley (R-Iowa), who chairs the Judiciary panel, has hammered the bureau over its use of remote surveillance technology to potentially crack encrypted communications. The committee chair wrote the FBI in June, requesting more information about how it uses these types of technologies.

The Intelligence panel also includes staunch encryption advocates such as Sen. Ron Wyden (D-Ore.), who bashed Comey's digital security stance in a December op-ed.

"What these officials are proposing would be bad for personal data security and bad for business and must be opposed by Congress," Wyden wrote.

Last month, Wyden unsuccessfully tried to amend a surveillance reform bill to forbid the government from compelling companies to install access points into their encryption.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Jul 7 06:30:06 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Jul 2015 07:30:06 -0400
Subject: [Infowarrior] - Russia's super-jammer
Message-ID:

Russia's 'superweapon' can switch off satellites and enemy weapons
By Mark Prigg For Dailymail.com
Published: 13:11 EST, 6 July 2015 | Updated: 16:02 EST, 6 July 2015

Russia has claimed to have built a revolutionary new weapon system that can render enemy satellites and weapons useless.

Its Russian makers say it is a 'fundamentally new electronic warfare system' which can be mounted on ground-based as well as air- and sea-borne carriers.

However, it has refused to reveal how the system works.

Experts claim a revolutionary new weapon that can jam enemy missile guidance systems and satellites is set to enter testing this year. An earlier version of the system, called Krasuha-4, is shown here.

< - >

http://www.dailymail.co.uk/sciencetech/article-3151339/Russia-claims-developed-superweapon-capable-switching-foreign-satellites-enemy-weapons.html

--
It's better to burn out than fade away.
From rforno at infowarrior.org Tue Jul 7 06:38:54 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Jul 2015 07:38:54 -0400
Subject: [Infowarrior] - Company Sends Bogus Copyright Takedown Over Hacking Team Docs
Message-ID: <8DADFA00-8011-4E6D-BA86-F7FC02D66364@infowarrior.org>

Company Sends Bogus Copyright Takedown Over Hacking Team Docs

https://www.techdirt.com/articles/20150706/17293031564/company-sends-bogus-copyright-takedown-over-hacking-team-docs.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Jul 7 06:48:26 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Jul 2015 07:48:26 -0400
Subject: [Infowarrior] - Second cybersecurity ETF launches
Message-ID:

(x-posted)

Posted without comment. --rick

http://blogs.barrons.com/focusonfunds/2015/07/06/second-cyber-security-etf-to-launch-tuesday/

July 6, 2015, 4:45 P.M. ET
Second Cyber-Security ETF to Launch Tuesday
By Chris Dieterich

A second cyber-security exchange-traded fund will hit the market tomorrow, just as the sector is hitting a major bout of turbulence.

First Trust Advisors announced in a statement that the First Trust NASDAQ CEA Cybersecurity ETF (CIBR) will debut on Tuesday, July 7. The new ETF will attempt to mimic the popularity of the PureFunds ISE Cyber Security ETF (HACK), which first hit markets in November.

The investment thesis behind holdings such as FireEye (FEYE) and CyberArk Software (CYBR) relies on ramped-up spending by corporations and governments to defend against hacker attacks. Just keep in mind that many stocks in the space are small-cap, momentum plays that can turn around in a hurry.

HACK is off more than 9% over the past two weeks, a period that's seen increased volatility amid Greece's will-it, won't-it action. Over that same stretch, the PowerShares QQQ (QQQ) is down just 2%. HACK declined 1.4% on Monday.
Here's Ryan Issakainen, ETF strategist at First Trust:

"Along with the clear benefits of an increasingly interconnected world comes the growing need to ensure the security of cyberspace. This presents significant opportunities for companies involved with this task, many of which are not represented in traditional index ETFs. We believe this ETF provides a diversified, efficient way for investors to gain exposure to this important theme."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Jul 7 08:16:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Jul 2015 09:16:50 -0400
Subject: [Infowarrior] - Code Specialists Oppose U.S. and British Government Access to Encrypted Communication
Message-ID: <837CC1A7-3E9F-4660-AFED-BFF0587C9559@infowarrior.org>

Code Specialists Oppose U.S. and British Government Access to Encrypted Communication
Nicole Perlroth
http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-british-government-access-to-encrypted-communication.html

SAN FRANCISCO — An elite group of code makers and code breakers is taking American and British intelligence and law enforcement agencies to task in a new paper that evaluates government proposals to maintain special access to encrypted digital communications.

On Tuesday, the group — 13 of the world's pre-eminent cryptographers, computer scientists and security specialists — will release the paper, which concludes there is no viable technical solution that would allow the American and British governments to gain "exceptional access" to encrypted communications without putting the world's most confidential data and critical infrastructure in danger.

The report is being released a day before James B.
Comey Jr., the director of the Federal Bureau of Investigation, and Sally Quillian Yates, the deputy attorney general at the Justice Department, are scheduled to testify before the Senate Judiciary Committee on the concerns that they and other government agencies have about "going dark" — the fear that new encryption technologies will prevent them from monitoring the communications of kidnappers, terrorists and other adversaries.

Peter G. Neumann, a computer security pioneer, says "there are more vulnerabilities than ever" that could be exploited through access to encrypted communications. Jim Wilson/The New York Times

The authors of the report said such fears did not justify putting the world's digital communications at risk. Given the inherent vulnerabilities of the Internet, they argued, reducing encryption is not an option.

Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm — most recently at the United States Office of Personnel Management, the State Department and the White House — the security specialists said authorities cannot be trusted to keep such keys safe from hackers and criminals.

They added that if the United States and Britain mandated backdoor keys to communications, it would spur China and other governments in foreign markets to do the same.

"Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend," the report said. "The costs would be substantial, the damage to innovation severe, and the consequences to economic growth hard to predict. The costs to the developed countries' soft power and to our moral authority would also be considerable."
While government pleas for exceptional access to encrypted communications have already drawn plenty of criticism from privacy advocates and technology companies, the report is the first in-depth, technical analysis of government proposals by leading cryptographers and security thinkers.

The group — which includes Whitfield Diffie, a pioneer of public key cryptography, and Ronald L. Rivest, the "R" in the widely used RSA public cryptography algorithm — fought a similar proposal for encryption access in 1997. Back then, the group analyzed the technical risks and practical shortcomings of a proposal in the Clinton administration called the Clipper chip. Clipper would have poked a hole in cryptographic systems by requiring technology manufacturers to include a small hardware chip in their products that would have ensured the government would always be able to unlock scrambled communications.

The group of cryptographers won that round. The Clinton administration, which had pushed for the Clipper chip, abandoned the effort after the group's analysis showed it would have been technically unfeasible. An unlikely coalition of technologists, liberals, conservatives and even evangelicals argued that the chip would destroy privacy. The final nail in the coffin came after Matthew Blaze, then a 32-year-old computer scientist at AT&T Bell Laboratories, discovered a flaw in the Clipper system that would have allowed anyone with technical know-how to get access to the key to encrypted communications.

Now the group of cryptographers has convened for the first time since 1997. "The decisions for policy makers are going to shape the future of the global Internet and we want to make sure they get the technology analysis right," said Daniel J. Weitzner, head of the MIT Cybersecurity and Internet Policy Research Initiative and a former deputy chief technology officer at the White House, who coordinated the latest report.

Encryption has been gaining momentum — and been hotly debated —
over the last few years, after several security breaches and revelations by Edward J. Snowden, the former National Security Agency contractor, which showed the extent to which the United States and its allies were siphoning and spying on digital communications.

Leading technology companies, including Microsoft, Facebook and Twitter, have been moving to transient messaging plans that dispose of the encryption key to customers' messages once their session ends. If American and British government proposals were carried out, those companies would have to ease such programs.

In Britain, Prime Minister David Cameron has threatened to ban encrypted messaging apps altogether. In the United States, Michael S. Rogers, the director of the N.S.A., has proposed that technology companies be required to create a digital key that could unlock encrypted communications, but divide and secure the key into pieces so that no one person or government agency could use it alone.

The report's authors argue that not only is such a plan technically unfeasible, the approach understates how much higher the stakes are today. In the 1990s, the Internet era was just beginning — their 1997 report is littered with references to "electronic mail" and "facsimile communications," which are now quaint communications methods. Today, the government's plans could affect the technology used to lock financial institutions and medical data, and poke a hole in mobile devices and the countless other critical systems — including pipelines, nuclear facilities, the power grid — that are moving online rapidly.

"The problems now are much worse than they were in 1997," said Peter G. Neumann, a co-author of both the 1997 report and the new paper, who is a computer security pioneer at SRI International, the Silicon Valley research laboratory. "There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government wants to dumb everything down further."
Other report authors include Harold Abelson, a computer science professor at MIT; Josh Benaloh, a leading cryptographer at Microsoft; Susan Landau, a professor of cybersecurity at Worcester Polytechnic Institute and formerly a senior privacy analyst at Google; and Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School and a widely read security author.

"The government's proposals for exceptional access are wrong in principle and unworkable in practice," said Ross Anderson, a professor of security engineering at the University of Cambridge and the paper's sole author in Britain. "That is the message we are going to be hammering home again and again over the next few months as we oppose these proposals in your country and in ours."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Jul 7 14:57:06 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Jul 2015 15:57:06 -0400
Subject: [Infowarrior] - Comey: Crypto is Evil because ... ISIS!
Message-ID: <0367B33C-E960-4E8C-A8EE-6A94F1E633A7@infowarrior.org>

FBI and Comey Find New Bogeyman For Anti-Encryption Arguments: ISIS
By Jenna McLaughlin @JennaMC_Laugh
Today at 2:36 PM
https://firstlook.org/theintercept/2015/07/07/fbi-finds-new-bogeyman-anti-encryption-arguments-isis/

After months of citing hypothetical crimes as a reason to give law enforcement a magical key to unlock encrypted digital messages, FBI Director James Comey has latched onto a new bogeyman: ISIS.

In a speech he gave back in October 2014, as part of his coordinated push to make the case that the FBI is "going dark," Comey leaned on examples of kidnappers and child abusers who texted details of their violent plots that law enforcement agents weren't privy to. But, as The Intercept reported shortly after, those examples were largely bogus and had nothing to do with encryption.
Now, in a preview of his appearance Wednesday before the Senate Intelligence Committee, Comey is playing the ISIS card, saying that it is becoming impossible for the FBI to stop their recruitment and planned attacks. (He uses an alternate acronym, ISIL, for the Islamic State.)

"The current ISIL threat" involves ISIL operators in Syria recruiting and tasking dozens of troubled Americans to kill people, a process that increasingly takes part through mobile messaging apps that are end-to-end encrypted, communications that may not be intercepted, despite judicial orders under the Fourth Amendment," Comey wrote on Monday in a blog post on the pro-surveillance website Lawfare.

While providing no specific, independently confirmable examples, Comey has claimed that FBI agents are currently encountering problems because of encrypted communications as they track potential ISIS sympathizers and radicals.

Comey has long argued that sophisticated encryption technology being implemented by tech giants, including Google and Apple, will make it harder and harder for the FBI to track its targets. Encryption scrambles the contents of digital communications, making it impossible for users without the "key" to read messages in plain language. Comey has vaguely indicated that he wants tech companies to build a special entrance to communications: a specific passcode or key — or combination of keys — that only law enforcement can use, when appropriate.

Privacy and cryptology experts have come out strongly against Comey's suggestion, arguing that encryption makes people safer, and that creating a hole in encryption for law enforcement creates a hole for criminals to go through, too. They also note that law enforcement can thwart encryption in most cases, and can supplement their investigations with traditional methods not involving surveillance.

"The FBI have been trying to argue that the internet is 'going dark'
for several years now, and Congress has not yet bought into their propositions," Amie Stepanovich, the U.S. Policy Manager for digital rights at Access, an international pro-privacy organization, wrote in an email to The Intercept. "Terrorist threats are harder to substantiate and easier to use as justifications for additional funding," she wrote.

According to a Federal Courts report on wiretapping in 2014 published last week, law enforcement personnel at the state and federal level were only stymied by encryption on four wiretaps all year.

Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, said she thinks that report might be a reason Comey has switched from arguing about the restrictions on federal law enforcement to focusing on the dangers posed by ISIS.

"According to the report, encryption has not been a significant impediment for law enforcement," Guliani wrote in an e-mail. "This represents a decrease from prior years. Given this report, Comey's prior contention that backdoors are needed for federal law enforcement needs is unpersuasive."

Tiffiny Cheng, co-founder of Fight for the Future, a nonprofit dedicated to privacy rights, said that Comey is fueling a culture of fear that enriches both defense contractors and the agencies they support. "The U.S. government has not looked at data on efficacy to decide where the line between security and liberty should be, instead they just shoot whatever they want from the mouth in order to stay in the game," she wrote in an email.

To the extent that Comey has mentioned any specific ISIS-related investigation, it is one that doesn't support his argument. In May, after two gunmen arrived at a controversial anti-Muslim exhibition in Garland, Texas, and were slain by law enforcement before they could carry out their attack, Comey publicly announced that the FBI had been tracking one of the would-be attackers, Elton Simpson, for months. "This is the 'going dark' problem in living color.
There are Elton Simpsons out there that I have not found and I cannot see," he said.

But FBI surveillance didn't stop Elton Simpson — the Garland Police Department did. The local police never got the FBI's email, and if they had, Garland's Police Chief Bates told NPR, the response would not have been any different: "Please note that the contents of that email would not have prevented the shooting nor would it have changed the law enforcement response in any fashion."

Even the Pentagon has come out in favor of strong encryption. When Schneier, a widely known privacy expert and cryptographer, asked Admiral James A. Winnefeld, the vice chairman of the Joint Chiefs of Staff, about encryption, Winnefeld said "I think we all win if our networks are more secure."

(This post is from our blog: Unofficial Sources.)

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 8 05:44:47 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 06:44:47 -0400
Subject: [Infowarrior] - ICANN plan to end website anonymity 'could lead to swatting attacks'
Message-ID: <53E66EC8-DB7B-4C6E-9A3B-6E8822CE756C@infowarrior.org>

(Swatting attacks, among other problems, I should add. If it becomes reality, this is a copyright maximalist's and IP troll's wet dream come true! --rick)

Icann plan to end website anonymity 'could lead to swatting attacks'
Coalition of free-speech and anti-harassment campaigners, led by the Online Abuse Prevention Initiative, calls for internet governing body not to enact proposal
Alex Hern @alexhern
Tuesday 7 July 2015 09.37 EDT
Last modified on Wednesday 8 July 2015 03.37 EDT
http://www.theguardian.com/technology/2015/jul/07/icann-plan-to-end-website-anonymity-could-lead-to-swatting-attacks

A coalition of anti-harassment initiatives and digital rights organisations is fighting a proposal from the internet's governing body, Icann, to strip anonymity from website owners.
Icann's plan is to require all website owners who use their domains for commercial purposes to provide a direct contact address for their registration records, known as the Whois record. At the moment many use privacy-protecting services, where often the domain name registration company's details are given instead. If implemented, the proposal would effectively end the ability to run a commercial website without revealing significant personal information such as business address and real name.

In an open letter penned by the Online Abuse Prevention Initiative (OAPI)'s Randi Harper and four other activists, the signatories argue that the move will "physically endanger many domain owners and disproportionately impact those who come from marginalised communities". Specifically, they argue that the proposals will make it easier to "dox" and "swat" people online.

Doxing refers to the practice of uncovering personal information about someone online, sometimes with the intent to carry out further harassment, and sometimes simply to publish the information. Swatting, in turn, refers to the practice of using personal information to place hoax calls with law enforcement with the intention of bringing down a squad of armed police. The practice is common among gaming communities, from which the four founding members of OAPI were drawn.

"Our concern about doxing is not hypothetical. Randi Harper, a technologist, anti-harassment activist, and founder of the Online Abuse Prevention Initiative, was swatted based on information obtained from the Whois record for her domain. The only reason law enforcement did not draw their weapons and break down Harper's door was that she had previously warned her local police department about swatting."

The OAPI's letter has now been signed by more than 30 separate organisations drawn from a whole host of areas.
Internet freedom organisations including the Electronic Frontier Foundation (which spoke out against the proposal independently last week); the Tor project; and Fight for the Future have signed. So too have domestic violence charities such as the National Coalition Against Domestic Violence, New York State Coalition Against Domestic Violence and the National Centre on Domestic and Sexual Violence.

A number of other organisations with an interest in protecting at-risk communities online back the campaign, including the Council of Ex-Muslims of Britain, Jewish Women International and Internet Democracy Project, India. In a personal capacity, the campaign has also been backed by Richard Stallman of the Free Software Foundation, writer Cory Doctorow, and former American football player (and major Warcraft fan) Chris Kluwe.

Harper says she's been "humbled" by the support. "We knew that between all of the original authors, we would be able to drum up a good amount of people that would be interested in signing. It's rare to see anti-abuse organisations standing on the same side of an argument as free speech advocates, but this is an issue that has the potential to affect everyone. We know for certain that Icann has been watching this letter, and I think it's going to have a lot of impact," she told the Guardian.

The campaign in favour of Icann's proposal has been backed by a coalition of copyright industry bodies, including the Recording Industry Association of America, Motion Picture Association of America and Entertainment Software Association, the last of which represents the gaming industry in the US. Through their lobby group, the Coalition for Online Accountability, the organisations argue that proxy registrations are abused to protect those who infringe copyright online.
The Coalition for Online Accountability's Steven Metalitz told Congress: "While there is a legitimate role for proxy registrations in limited circumstances, the current system is manipulated to make it impossible to identify or contact those responsible for abusive domain name registrations."

Meanwhile, Harper told the Guardian that more should be done to hold the internet governing body to account. "Icann is a strange beast that doesn't get a lot of attention from the public," she said. "We had only found out about this proposal the day before EFF commented on it, and not a lot of people were talking.

"I'm really not sure why we've been ignoring Icann. They've made some spectacularly horrific decisions lately, such as introducing the .sucks TLD, which is now selling domain names at $2,500 -- basically endorsing extortion and creating an industry around abuse.

"I think that it's time that we start paying attention to this organisation that has a huge amount of power in defining the way the internet works."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 8 05:50:25 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 06:50:25 -0400
Subject: [Infowarrior] - Secret plan forcing Internet services to report terror activity advances
Message-ID:

Senate advances secret plan forcing Internet services to report terror activity
Legislation modeled on 2008 law requiring Internet companies to report child porn.
by David Kravets - Jul 6, 2015 1:45pm EDT
http://arstechnica.com/tech-policy/2015/07/senate-advances-secret-plan-forcing-internet-services-to-report-terror-activity/

The Senate Intelligence Committee secretly voted on June 24 in favor of legislation requiring e-mail providers and social media sites to report suspected terrorist activities. The legislation, approved 15-0 in a closed-door hearing, remains "classified."
The relevant text is contained in the 2016 intelligence authorization, a committee aide told Ars by telephone early Monday. Its veil of secrecy would be lifted in the coming days as the package heads to the Senate floor, the aide added.

The proposal comes as the Islamic State and other terror groups have taken to the Internet to gain converts across the globe, including in the United States. The FBI issued a public warning in March about American teens being susceptible to the Islamic State's online recruitment tactics. And the Brookings Institute estimated in March that there were as many as 70,000 pro-Islamic State Twitter accounts. Twitter has removed tens of thousands of these terror propaganda accounts, which violate its terms of service.

"Our nation is facing more threats every day. America's security depends on our intelligence community's ability to detect and thwart attacks on the homeland, our personnel and interests overseas, and our allies. This year's legislation arms the intelligence community with the resources they need and reinforces congressional oversight of intelligence activities," Intelligence Committee Chairman Richard Burr, a Republican of North Carolina, said in a statement about the bill.

Senator Dianne Feinstein (D-CA), who sponsored the Internet services provision, did not return a call seeking comment.

The legislation is modeled after a 2008 law, the Protect Our Children Act. That measure requires Internet companies to report images of child porn, and information identifying who trades it, to the National Center for Missing and Exploited Children. That quasi-government agency then alerts either the FBI or local law enforcement about the identities of online child pornographers.
The bill, which does not demand that online companies remove content, requires Internet firms that obtain actual knowledge of any terrorist activity to "provide to the appropriate authorities the facts or circumstances of the alleged terrorist activity," wrote The Washington Post, which was able to obtain a few lines of the bill text. The terrorist activity could be a tweet, a YouTube video, an account, or a communication.

Twitter, Google, and Facebook haven't publicly taken a position on the new legislation.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 8 09:05:16 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 10:05:16 -0400
Subject: [Infowarrior] - The FBI's latest scareathon over crypto begins now
Message-ID: <980E3B59-70DC-4B06-971E-E67AF8E2EC46@infowarrior.org>

http://www.judiciary.senate.gov/meetings/going-dark-encryption-technology-and-the-balance-between-public-safety-and-privacy

Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy
Full Committee
Date: Wednesday, July 8, 2015
Time: 10:00 AM
Location: Dirksen 226
Presiding: Chairman Grassley

Agenda
July 1, 2015
NOTICE OF COMMITTEE HEARING
The Senate Committee on the Judiciary has scheduled a hearing entitled "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy" for Wednesday, July 8 at 10:00 a.m., in Room 226 of the Dirksen Senate Office Building.
By order of the Chairman.

Member Statements
- Senator Chuck Grassley R (IA)

Witnesses
Panel I
- The Honorable Sally Quillian Yates, Deputy Attorney General, U.S. Department of Justice
- The Honorable James B. Comey, Jr., Director, Federal Bureau of Investigation
Panel II
- The Honorable Cyrus Vance, Jr., District Attorney, New York County, New York, NY
- Dr. Herbert Lin, Senior Research Scholar, Center for International Security and Cooperation, Research Fellow, Hoover Institution, Stanford University, CA
- Professor Peter Swire, Huang Professor of Law and Ethics, Scheller College of Business, Georgia Institute of Technology, Atlanta, GA

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 8 09:16:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 10:16:13 -0400
Subject: [Infowarrior] - more on ... The FBI's latest scareathon over crypto begins now
References: <559D2F3C.6020400@mykolab.com>
Message-ID: <511031D5-27BD-426E-9974-D62F705471C7@infowarrior.org>

-- It's better to burn out than fade away.

> Begin forwarded message:
>
> From: Paul Ferguson
> Subject: Re: [Infowarrior] - The FBI's latest scareathon over crypto begins now
> Date: July 8, 2015 at 10:10:04 AM EDT
> To: rforno at infowarrior.org
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> You may want to point this out to your readership -- the Senate
> apparently doesn't understand anything about "encryption" since they
> can't even get their SSL certs right:
>
> www.judiciary.senate.gov uses an invalid security certificate.
>
> The certificate is only valid for the following names:
> senate.gov, efd.senate.gov, efdsearch.senate.gov, oar.senate.gov,
> placementoffice.senate.gov, sdc1.senate.gov, www.ag.senate.gov,
> www.aging.senate.gov, www.baldwin.senate.gov, www.bennet.senate.gov,
> www.blumenthal.senate.gov, www.booker.senate.gov,
> www.boxer.senate.gov, www.brown.senate.gov, www.cardin.senate.gov,
> www.casey.senate.gov, www.coats.senate.gov, www.coons.senate.gov,
> www.corker.senate.gov, www.cornyn.senate.gov, www.donnelly.senate.gov,
> www.dpc.senate.gov, www.durbin.senate.gov, www.feinstein.senate.gov,
> www.finance.senate.gov, www.foreign.senate.gov,
> www.franken.senate.gov, www.gillibrand.senate.gov,
> www.harkin.senate.gov, www.heinrich.senate.gov, www.help.senate.gov,
> www.hirono.senate.gov, www.hsgac.senate.gov, www.kaine.senate.gov,
> www.king.senate.gov, www.leahy.senate.gov, www.levin.senate.gov,
> www.menendez.senate.gov, www.merkley.senate.gov,
> www.mikulski.senate.gov, www.portman.senate.gov, www.reed.senate.gov,
> www.reid.senate.gov, www.republican.senate.gov,
> www.republicans.senate.gov, www.ronjohnson.senate.gov,
> www.rpc.senate.gov, www.sanders.senate.gov, www.schatz.senate.gov,
> www.schumer.senate.gov, www.scott.senate.gov, www.senate.gov,
> www.shaheen.senate.gov, www.src.senate.gov, www.tester.senate.gov,
> www.tomudall.senate.gov, www.whitehouse.senate.gov, www.wyden.senate.gov
>
> (Error code: ssl_error_bad_cert_domain)
>
>
> - - ferg

From rforno at infowarrior.org Wed Jul 8 10:23:05 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 11:23:05 -0400
Subject: [Infowarrior] - QOTD regarding DOJ and crypto
Message-ID: <49C73B5B-BB72-4525-B2EF-8F267D8B0D0B@infowarrior.org>

If the "going dark" problem is so serious, how come the FBI and DOJ can't come up with anything except hypotheticals and anecdotes? -- @EFFLive

-- It's better to burn out than fade away.
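The ssl_error_bad_cert_domain error in Paul Ferguson's forwarded message above is a hostname-to-SAN mismatch, not a broken certificate: the cert is issued for the listed names and www.judiciary.senate.gov simply is not one of them. The check below, added here as an example and not code from the list or the Senate site, applies the RFC 6125 matching rules browsers use (exact label match, wildcard only as the whole left-most label covering exactly one label) against a constructed subset of the quoted names, so an operator can confirm coverage before a name goes live.

```python
"""Hostname-vs-certificate dNSName check in the style of RFC 6125 / RFC 2818.

Added example for this list archive, not code from any quoted message.
CONSTRUCTED_SANS is a hand-picked subset of the names the browser error
reported; the hostnames checked are the ones discussed in that message.
"""
from typing import Iterable, Optional

# Constructed subset of the dNSName SAN entries quoted in the browser error.
CONSTRUCTED_SANS = [
    "senate.gov",
    "www.senate.gov",
    "efd.senate.gov",
    "www.feinstein.senate.gov",
    "www.wyden.senate.gov",
]


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.strip().rstrip(".").lower()


def hostname_matches(hostname: str, san: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as browsers implement them):
      * exact, case-insensitive, label-by-label comparison;
      * a wildcard is accepted only as the entire left-most label
        ("*.example.com"), it matches exactly one label, and names
        such as "*.gov" or a bare "*" never match anything.
    """
    host = _normalize(hostname)
    pattern = _normalize(san)
    if not host or not pattern or "*" not in pattern:
        return host == pattern
    labels = pattern.split(".")
    # Wildcard must be the whole first label, with at least two more labels
    # after it, and no wildcard anywhere else in the pattern.
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    if len(host_labels) != len(labels):
        # "*.senate.gov" covers "judiciary.senate.gov" but not
        # "www.judiciary.senate.gov" (one label only) nor "senate.gov".
        return False
    return host_labels[1:] == labels[1:]


def find_matching_san(hostname: str, sans: Iterable[str]) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None.

    None is exactly the browser's ssl_error_bad_cert_domain case: the
    certificate may chain and validate perfectly, it just was never
    issued for the name the client connected to.
    """
    for san in sans:
        if hostname_matches(hostname, san):
            return san
    return None


def explain(hostname: str, sans: Iterable[str]) -> str:
    """Human-readable verdict suitable for a deployment checklist or alert."""
    sans = list(sans)
    match = find_matching_san(hostname, sans)
    if match:
        return f"{hostname}: covered by SAN '{match}'"
    apex = ".".join(_normalize(hostname).split(".")[-2:])
    hint = ""
    if any(_normalize(s).endswith(apex) for s in sans):
        hint = (f" (certificate covers other {apex} names only; "
                f"this exact hostname must be added as a SAN or reissued)")
    return f"{hostname}: NOT covered by any SAN{hint}"


if __name__ == "__main__":
    for name in ("www.judiciary.senate.gov", "www.senate.gov", "senate.gov"):
        print(explain(name, CONSTRUCTED_SANS))
```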
From rforno at infowarrior.org Wed Jul 8 12:23:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 13:23:09 -0400
Subject: [Infowarrior] - NYSE shut down over 'technical issue' - live updates
Message-ID: <9BEE25A6-9090-4635-A0B6-476785809A2B@infowarrior.org>

New York Stock Exchange shut down over 'technical issue' - live updates
- Wall Street trading unexpectedly ceases
- Website reads: "additional information will follow as soon as possible"
- Stoppage coincides with glitch at United Airlines and sharp global market falls
http://www.theguardian.com/business/live/2015/jul/08/new-york-stock-exchange-wall-street

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 8 17:01:44 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 18:01:44 -0400
Subject: [Infowarrior] - Flash Player update closes vulnerability identified by Hacking Team
Message-ID: <9D94D893-F061-4F00-906C-965B85EC5B03@infowarrior.org>

Flash Player update closes vulnerability identified by Hacking Team
By Roger Fingas
Wednesday, July 08, 2015, 02:02 pm PT (05:02 pm ET)
http://appleinsider.com/articles/15/07/08/flash-player-update-closes-vulnerability-identified-by-hacking-team

Adobe on Wednesday updated Flash Player to fix a number of security vulnerabilities, including one in the hands of Hacking Team, a company that infamously sold snooping tools and services to government agencies around the world -- potentially including harsh authoritarian regimes.

The flaw was first uncovered several days ago by security researcher Brian Krebs, who found a related document in data published by a separate group of hackers that recently broke into Hacking Team's systems, TechCrunch noted. On Tuesday, Adobe issued a security bulletin promising to close the hole the next day. At the time, Adobe claimed that people did not need to worry, as no active use of the exploit had been discovered.
Mac, Windows, and Linux systems could be at risk if left unpatched.

Apple and much of the rest of the technology world has slowly distanced itself from Flash, partly because of the rise of mobile devices, but also because of security threats. Flash and Java are two of the most popular vectors for exploits. Flash hasn't been pre-installed on Macs since late 2010. Many websites, such as YouTube, have dropped Flash from their primary interfaces and video players.

Mac, Windows, and Linux versions of the update can be downloaded from Adobe's website. The Mac release is identified as 18.0.0.203.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 8 17:01:47 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 18:01:47 -0400
Subject: [Infowarrior] - FBI Director Says Scientists Are Wrong, Pitches Imaginary Solution to Encryption Dilemma
Message-ID: <11826340-F385-4DFA-ADF6-14F8D29490F1@infowarrior.org>

FBI Director Says Scientists Are Wrong, Pitches Imaginary Solution to Encryption Dilemma
By Jenna McLaughlin @JennaMC_Laugh
https://firstlook.org/theintercept/2015/07/08/fbi-director-comey-proposes-imaginary-solution-encryption/

Testifying before two Senate committees on Wednesday about the threat he says that strong encryption presents to law enforcement, FBI Director James Comey didn't so much propose a solution as wish for one.

Comey said he needs some way to read and listen to any communication for which he's gotten a court order. Modern end-to-end encryption -- increasingly common since the revelations of mass surveillance by NSA whistleblower Edward Snowden -- doesn't allow for that. Only the parties on either end can do the decoding.
Comey's problem is that there is currently nearly universal agreement among cryptographers, technologists and security experts that there is no way to give the government access to encrypted communications without poking an exploitable hole that would put confidential data and things like banks and the power grid at risk.

But while speaking at Senate Judiciary and Senate Intelligence Committee hearings on Wednesday, Comey repeatedly refused to accept that as reality. "A whole lot of good people have said it's too hard -- maybe that's so," he said to the Intelligence Committee. "But my reaction to that is: I'm not sure they've really tried."

In a comment worthy of climate denialists, Comey told one senator: "Maybe the scientists are right. Ennnh, I'm not willing to give up on that yet."

He described his inability to make a realistic proposal as the act of a humble public servant. "We're trying to show humility to say we don't know what would be best."

Comey said American technologists are so brilliant that they surely could come up with a solution if properly incentivized.

Julian Sanchez, a senior fellow at the Cato Institute, was incredulous about Comey's insistence that experts are wrong: "How does his head not explode from cognitive dissonance when he repeats he has no tech expertise, then insists everyone who does is wrong?" he tweeted during the hearing.

Prior to the committee hearings, a group of the world's foremost cryptographers and scientists wrote a paper including complex technical analysis concluding that mandated backdoor keys for the government can only be a dangerous thing for national security. This is the first time the group has gotten back together since 1997, the previous time that the FBI asked for a technical backdoor into communications. But no experts were invited to testify, a fact that several intelligence committee members brought up, demanding a second hearing to hear from them.
Comey got little pushback from the panel, despite his lack of any formal plan and his denial of science. Sen. Martin Heinrich, D-N.M., thanked him for his display of "humility" in not presenting a solution, while Committee Chairman Richard Burr, R-N.C., said "I think you deserve a lot of credit for your restraint."

Comey at one point briefly considered the possibility of a world not like the one he imagined, then concluded: "If that's the case, then I think we're stuck."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 8 17:01:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 18:01:49 -0400
Subject: [Infowarrior] - FBI and DOJ Target New Enemy In Crypto Wars: Apple and Google
Message-ID: <402158A4-0B2A-4A3E-9D1B-9833FC653335@infowarrior.org>

FBI and DOJ Target New Enemy In Crypto Wars: Apple and Google
By Jenna McLaughlin @JennaMC_Laugh
Today at 2:10 PM
https://firstlook.org/theintercept/2015/07/08/fbi-doj-name-new-enemy-crypto-wars-apple-google/

The FBI and Department of Justice on Wednesday targeted a new set of threats to national security and law enforcement: not ISIS, or pedophiles, but Apple and Google.

Those companies and others that provide or will soon provide end-to-end encryption make it impossible to read intercepted digital messages -- and without naming names, FBI Director James Comey and Deputy Attorney General Sally Quillian Yates said that they will "work with" those companies to ensure access to their customers' communications.

In a Senate Judiciary hearing Wednesday morning, Yates and Comey said companies that "do not retain access" to consumers' information can complicate authorized criminal and national security investigations.

Google and Apple, in response to demands from consumers who request higher levels of privacy and security, have been slowly rolling out stronger end-to-end encryption on their devices and services such as Gmail and iPhones.
When messages are encrypted end-to-end, only the sender and the recipient have access to those messages, which are decrypted by means of specific "keys." Without those keys, the messages look like "gobbledygook," as Comey put it during the hearing.

"We want to work with the communications providers to find a way with them to get access to the information we need -- while protecting privacy," Yates said. "We want to have each provider think about and work out a way where they will find a way to respond to these requests."

What Yates really meant was that she wants companies to stop providing end-to-end encryption, or find ways to circumvent it.

Comey and Yates insisted that there must be some new technology that Silicon Valley could develop that would give them the access they want without risking strong encryption. But privacy and cryptology experts have insisted for years that this would be impossible without compromising overall security and opening holes for criminals to exploit.

Yates and Comey both insisted that they would prefer not to force compliance through a legislative mandate. "The approach of the administration," Yates said, "is not to have a one size fits all legislative solution at this point." However, she noted that a mandate "may ultimately be necessary" to force companies to comply.

Several senators, including Sen. Thom Tillis, R-N.C., agreed. "Maybe no one will be creative enough" to solve the problem, Comey said, "unless you force them to."

Sen. John Cornyn, R-Texas, wondered aloud whether companies that "intentionally design a product in a way that prevents you from complying with a lawful court order" are the equivalent of a citizen who refuses to answer questions in court, and is subsequently held in contempt.

Despite the FBI and DOJ's insistence that end-to-end encryption is a danger, Yates refused to provide data on the number of cases in which encryption has posed an insurmountable barrier.
She told the committee that she sees the problem "every day," but does not keep track of cases in which encryption has stopped the department from monitoring communications. Her explanation was that the DOJ, when presented with instances of encryption, no longer even tries to secure a wiretap order. "Being able to give you hard numbers on the number of cases that have been impacted is impossible," she told Sen. Al Franken, D-Minn., who looked unconvinced.

A Federal Courts report on wiretapping in 2014 released last week disclosed that federal and state law enforcement personnel at all levels encountered only four cases all year in which wiretaps were thwarted because of encryption.

And, as Comey himself reminded the committee, without going into any detail, the FBI and DOJ have other methods of tracking and monitoring criminals and their communications.

Franken pointed to the recent Office of Personnel Management breaches as evidence that government itself couldn't be trusted to safeguard its own data, and as reason for companies to continue seeking improvement in encryption. "With each new story about a cyberattack," he noted, "we learn that we should have strong encryption."

But as they made clear, law enforcement officials are instead ramping up efforts to target the companies who are leading the effort toward safer and more secure communication.

(This post is from our blog: Unofficial Sources.)

Photo: FBI Director James Comey and Deputy Attorney General Sally Quillian Yates testify before the Senate Judiciary Committee about encryption on July 8, 2015. (Carolyn Kaster, AP)

Email the author: jenna.mclaughlin at theintercept.com

-- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Jul 8 18:30:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Jul 2015 19:30:50 -0400
Subject: [Infowarrior] - OPM: first 4, then 12, now 32 million affected
Message-ID: <1DF1D951-215C-4BE4-B8CA-7B7657A9F8E8@infowarrior.org>

(x-posted)

OPM hack may have affected 32 million government employees
By Priya Anand
Published: July 8, 2015 6:19 p.m. ET
http://www.marketwatch.com/story/opm-hack-may-have-affected-32-million-government-employees-2015-07-08

The hacks at the Office of Personnel Management may have compromised the data of 32 million current, former and prospective federal employees, Politico reported Wednesday.

The figure, cited by Rep. Jason Chaffetz (R-Utah) at a House Oversight and Government Reform Committee hearing Wednesday, was included in OPM's budget proposal for the next fiscal year and is nearly double the previously reported estimate of about 18 million. It also could include potential military enlistees.

OPM Director Katherine Archuleta declined to say how many people were affected by the breach, according to Politico, because she said she didn't have a "completely accurate" number yet.

The head of information security issues for the U.S. Government Accountability Office, a watchdog agency, also testified on Capitol Hill today about cybersecurity challenges at federal agencies. The number of reported security incidents involving personally identifiable information at federal agencies has more than doubled from 2009 to 2014, reaching 27,624.

"The danger posed by the wide array of cyberthreats facing the nation is heightened by weaknesses in the federal government's approach to protecting its systems and information," Gregory Wilshusen's testimony read. He also said that the GAO has found many federal agencies don't respond effectively to security incidents, or don't use encryption to protect sensitive data in the first place.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Thu Jul 9 07:06:26 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jul 2015 08:06:26 -0400
Subject: [Infowarrior] - More on Hacking Team
Message-ID: <06CEB8A4-7D84-477B-89F9-7ADE5905A28C@infowarrior.org>

More on Hacking Team
https://www.schneier.com/blog/archives/2015/07/more_on_hacking_1.html

Read this:

Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team's "crisis procedure," it could have killed their operations remotely. The company, in fact, has "a backdoor" into every customer's software, giving it ability to suspend it or shut it down -- something that even customers aren't told about. To make matters worse, every copy of Hacking Team's Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they're targeting with it.

It's one thing to have dissatisfied customers. It's another to have dissatisfied customers with death squads. I don't think the company is going to survive this.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 9 07:10:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jul 2015 08:10:09 -0400
Subject: [Infowarrior] - more on ... OPM: first 4, then 12, now 32 million affected
References: <382F86EA-1BB4-45E7-96E2-980F3B239B83@well.com>
Message-ID: <21B5FA04-29B0-4D76-820D-4FA6AAB511C1@infowarrior.org>

> Begin forwarded message:
>
> From: "Dan"
>
>> http://www.nextgov.com/cybersecurity/2015/07/opm-hiring-it-staff-work-cyber-upgrades/117013/
> OPM is hiring new Senior IT Project Managers for a new architecture they call The Shell:
> https://www.usajobs.gov/GetJob/ViewDetails/407697700
>
>
> I got the link from a friend who also works in the MIC and also got his SF86 lifted.
> I tried to lighten the mood with a little satire, by riffing on the NextGov article...
>
> Step 1: "The managers will be working in the office of Chief Information Officer Donna Seymour..." #fail
>
> But there is so much more hilarious juicy goodness in this article...
>
> 2. "...needs at least four more senior IT project managers..."
> They need a CIO with a vision and a clue. But what they get is the same emperor, more minions.
>
> 3. "The new hires will be responsible for transporting the agency's decades-old computer systems to a new network, dubbed "the Shell..."
> So the architecture is already described and planned, and they are going with the recognized and well known architecture of "The Shell". Not "a shell", but The Shell. Because this has been used successfully in so many other places already.
>
> 4. "...following at least three damaging breaches over the past few years."
> So the count of known penetrations has gone from 1 to 2 to 3...
>
> 5. "The modern network will be capable of..."
> Wait - is this a modern network or is this The Shell??? I mean, you can't have both.
>
> 6. "But the agency's internal watchdog views the strategy as a potential boondoggle."
> Do tell.
>
> 7. "While agency officials currently calculate a two-year, $93 million project, that cost does not include the expense of transitioning over existing applications,..."
> Wow. Just 'wow'. They're going to create a newly invented IT infrastructure and public facing DMZ which works with a modern application infrastructure, but what they get is the same old 1970s-era stuff with a new Shell bolted on. WCPGW?
>
> 8. "...the agency has not estimated the total time or money required for the undertaking."
> Though in truth, with the past 4 weeks of day-to-day hearings there is no way the current CIO could have planned any of the future.
> Oh wait - with infinite time (and money) there is no way the current CIO could have planned any improvement for the future.
>
> 9. "Job seekers interested in the new IT openings must be certified program managers..."
> ...and proven fools and Beltway bureaucrats. Outside IT experience is helpful but not required.
>
> 10. "...OPM Director Archuleta..."
> Is still there... But she's probably not going to many Beltway cocktail parties any longer.
>
> 11. 'Each of the OPM senior IT managers will help lead the "dynamic migration of existing software applications to OPM's new infrastructure environment,"...'
> FBC - fully buzzword compliant.
>
> 12. "...known as the Shell..."
> I think that word does not mean what you think it means.
>
> 13. "The pay scale ranges from $121,956 to $168,700 a year."
> "Let me see, if I retire in a year at 50% of my final salary of $170k, I can go live in the Bahamas..."
>
> 14. 'The duties of the incoming IT senior project managers include maintaining current IT programs, blueprinting replacement systems and developing a strategy for moving the existing systems to the "Shell."'
> "So we made this cool brand name that sounds really tech. Now we need you to figure out how to wedge the old stuff into the new brand."
>
> 15. "The managers will also have to justify to Congress..."
> Because the Director and the CIO aren't going up to The Hill any more than they absolutely have to. Here's the Band-Aid box, you go.
>
> 16. "...produce progress reports for the Office of Management and Budget."
> That well known IT and InfoSec organization known as OMB.
>
> 17. "Meanwhile, some members of Congress are seeking more details about OPM's planned technology overhaul. Sen. James Lankford, R-Okla., last month sent Archuleta a letter asking whether OPM would revise the IT strategy in light of the breaches. Lankford said he was then told the answer was no."
> I mean, a junior director of Baptist Student Ministries knows all about IT architecture and infosec processes and procedures. Doesn't he? I mean, he has been directing teenage evangelists for years, and they have computers and cell phones. How different can it be?
> https://en.wikipedia.org/wiki/James_Lankford
> "From 1996 to 2009, Lankford was the student ministries and evangelism specialist for the Baptist General Convention of Oklahoma, and he was director of the Falls Creek youth programming at the Falls Creek Baptist Conference Center in Davis, Oklahoma. He stepped down on September 1, 2009, to run for Congress."
>
> 18. '"I am concerned by your statement that you do not intend to revise OPM's IT strategic plan," he wrote in a follow-up letter to Archuleta on Thursday...'
> "I need you to come back and 'splain me what you mean by "firewall". Is that some heathen ritual to pagan gods?"

From rforno at infowarrior.org Thu Jul 9 07:20:06 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jul 2015 08:20:06 -0400
Subject: [Infowarrior] - Trevor Timm on Comey's remarks yesterday
Message-ID: <0D99B990-83B7-4F6E-9AFA-D39BEBE627D1@infowarrior.org>

The FBI doesn't want to have to force tech companies to weaken encryption
Trevor Timm @trevortimm
Thursday 9 July 2015 07.51 EDT
Last modified on Thursday 9 July 2015 08.17 EDT
http://www.theguardian.com/commentisfree/2015/jul/09/government-access-backdoor-encryption-bad

It's never a good sign when you have to declare during a debate that "I really am not a maniac." But that's what FBI director Jim Comey found himself saying in advance of his testimony to the senate on Wednesday where he once again argued that tech companies need to figure out a way to install backdoors in all their communications tools so that there's never an email, text or phone call that the US government can't get its hands on.
Ever since Apple commendably announced last September that it would increase the security protecting millions of iPhones so that only the user - and not the company - would be able to unlock them, Comey has spent months arguing that this could spell disaster for the FBI trying to access what is on suspects' phones. Since then, other popular messaging services like WhatsApp have followed in Apple's footsteps and encrypted users' chats "end-to-end."

Since his initial objection to tech companies enabling end-to-end encryption, Comey has rightly been bombarded with criticism from security experts, cryptographers and engineers, who have at various times called his backdoor proposal technically impossible, an enormous setback for cybersecurity, an invitation for countries like China to mandate the same, potentially devastating to the economy and not needed. (Comey admitted Tuesday he has no specific data to back up his claim that encryption has prevented the FBI from solving crimes.)

Notably, just one day before Comey's testimony, an all-star group of leading technical experts released a paper running through, in specific detail, the myriad of problems mandated backdoors in encryption would cause for the public. The paper posed dozens of technical questions about how such backdoors would work in practice, which the FBI has so far not even attempted to answer. The scale of the questions - and the fact that many of them will never have clear answers - shows just how ill-thought out the FBI's idea really is.

The criticism seems to have forced the FBI to scale back its ambitious and dangerous rhetoric. Comey kept emphasizing Wednesday that he "was not an expert," does not prefer a "one size fits all" law anymore, and that he wanted to work with tech companies - so they weaken our security voluntarily.
He also claimed he doesn't want the government to hold those master keys to everyone's communications, he just wants companies to hold them and hand over data to the government when asked. But no matter who holds the keys, the same problems persist. The FBI - and apparently many senators, judging by today's hearings - think that all you need to do is force a bunch of smart people to get into a room and they'll be able to wave their hands to magically solve one of the hardest unsolved problems that has vexed computer engineers for decades.

Here's a question for the FBI director - or UK Prime Minister David Cameron, who is pushing a similar proposal in Britain - which no one seems to ask: can you name a single security engineer or technical expert who thinks this is even remotely a good idea? So far those experts have universally lined up against it. If Comey is really interested in a debate, he should bring in a technical expert to argue the case, instead of throwing up his hands every time the conversation starts veering into specifics.

The entire premise of the debate that the FBI is "going dark" and can no longer read the communications of criminals - which they have been claiming for 20 years, by the way - is false, as the law professor Peter Swire later told the same senate panel. We are living in "the golden age of surveillance," Swire argued, and we can look no further than the countless stories about NSA mass surveillance that have come out in the past two years, which by the way, could not be done without the FBI's close assistance.

Comey says all he wants is a "debate" about the issue. Well, we've had the debate. We had it for 20 years. The debate is over - embrace encryption to protect our security. Don't outlaw it for marginal gains at the expense of everyone.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Jul 9 14:53:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jul 2015 15:53:33 -0400
Subject: [Infowarrior] - U.N. body agrees to U.S. norms in cyberspace
Message-ID:

U.N. body agrees to U.S. norms in cyberspace
By Joseph Marks
7/9/15 12:44 PM EDT
http://www.politico.com/story/2015/07/un-body-agrees-to-us-norms-in-cyberspace-119900.html

A United Nations body has agreed for the first time that there are rules of the road in cyberspace that all nations should respect, even during peacetime, a senior State Department official tells POLITICO. It's a breakthrough for U.S. diplomats, who have been pushing these "norms" as an alternative to formal treaties as a way to help tame the lawless frontier of cyberspace.

The norms agreed by the U.N.'s Group of Governmental Experts include understandings that nations should not intentionally damage each other's critical infrastructure with cyberattacks; should not target each other's cyber emergency responders; and should assist other nations investigating cyberattacks and cybercrime launched from their territories.

The next U.N. General Assembly must adopt the norms before they're binding on nations - an endorsement that's far from assured. Still, it's more likely they will be adopted by other international organizations or individual nations, the State Department official told POLITICO. The Group of Governmental Experts "has tended to be the beacon, the framework that other states really look to for these types of issues," the official said.

The norms are included in the consensus document produced by the panel of experts from 20 nations. That report was sent to U.N. Secretary General Ban Ki-moon after the group completed its work last week and will be officially released in about six weeks after it's been reviewed and translated, the official said.

Excluded from the consensus document was another U.S.
proposal: One that sought to spell out the implications of a 2013 experts' group agreement that international law generally applies in cyberspace just as it does on land or at sea. That proposal was rebuffed by a bloc of nations - including Russia, China, Pakistan, Malaysia and Belarus - that argued the move would institutionalize U.S. hegemony in cyberspace, said James Lewis, the experts' group rapporteur and director of the Center for Strategic and International Studies' Strategic Technologies Program.

Specifically, the U.S. wanted to include a reference to Article 51 of the U.N. Charter, which authorizes the use of force in self defense against an "armed attack" and would add legitimacy to a military response to a cyberattack that caused death and destruction. "The Chinese line was 'we don't want to say Article 51, because that would militarize cyberspace and that's a zone of peace,'" Lewis said. Unspoken, he said, was a concern that "the U.S. will use this to legitimize some kind of counteraction for things like OPM," a reference to the breach of millions of federal employee records at the Office of Personnel Management that officials have anonymously attributed to China.

As a result of the objections, the experts' group ultimately agreed to workaround language that endorsed the essence of Article 51 without referencing the document, Lewis said. "There's language in there that makes it clear that the right of self defense applies and you have to observe principles of [the Law of Armed Conflict] in doing it," Lewis said. "Some of this was thinking of ways to say Article 51 without saying it."

In general, Lewis said, the discussions were dogged by anger from Russia, China and other nations over non-cyber issues, including the U.S. use of drones to hunt terrorists abroad and, to a lesser extent, NSA surveillance. "People say: '[the U.S.] violates national sovereignty; you do what you want; this is contrary to international law and you don't care.
That's a little hypocritical,'" Lewis said, "but this is the U.N. after all. The Russians and Chinese want to really damage the U.S., to destroy the system of international relations we've created and undo a lot of things we've done since the Cold War."

The takeaway, Lewis said, is that the world's a long way from agreeing on basic principles of cyber sovereignty and those principles may not be written on U.S. terms. "We've assumed that countries have a common understanding of how the world works and this shows that's increasingly not the case," he said.

Lewis added that the Russian delegation requested that another GGE be held in 2016. "The Russians seem to think they have the upper hand and they think they can dominate another GGE and get it to endorse what they want, so that's a dilemma," he said. "They're probably not wrong, but it's not as easy as they make out." As rapporteur, Lewis' job was to be a neutral arbiter helping the delegates reach consensus.

The State Department official described the document's international law section as "a very worthwhile step forward from 2013" but also "more ambiguous than we would have liked." "Certain countries had always been sensitive about being more specific and that sensitivity continued," the official added.

The agreement on norms that the U.S. government has successfully lobbied for, however, suggests the U.S. does maintain significant influence in the world of cyber diplomacy, despite anger over larger foreign policy issues, analysts said. "Even in the face of all the ways these countries can distrust each other, we still have stuff to agree on," said Jason Healey, a senior fellow and former director at the Atlantic Council's Cyber Statecraft Initiative. "That, to me, is really the important message out of this. As crappy as the world has been the last two years - that we can still find stuff to agree on is a wonderful bellwether for maybe we're starting to come to terms and have more agreement on this."
An interagency group in the U.S. government adopted the three norms as official government policy earlier this year along with a fourth stating the U.S. will not use cyber surveillance to steal information about foreign companies to benefit U.S. firms - something the U.S. has frequently accused the Chinese of doing, including in indictments against five members of the People's Liberation Army last year. Secretary of State John Kerry also outlined similar principles during an address in Seoul May 18. That address also prominently criticized North Korea for its 2014 cyberattack against Sony Pictures Entertainment.

The GGE report also includes meaty sections about confidence building measures nations can take in cyberspace, the State Department official said, and on helping developing nations build digital infrastructure and Computer Emergency Response Teams. "Parts of this were highly contested, but, all in all, [we're] pleased with most of it," the official said.

The development of peacetime norms may ultimately be more important than establishing how international law applies during armed conflict, said Catherine Lotrionte, director of Georgetown University's Institute for Law, Science and Global Security and former assistant general counsel at the CIA. That's because the majority of current cyber conflict takes place beneath the level of armed conflict.

Lotrionte urged more specificity on how the norms would apply, for example, by outlining precisely what assistance nations should offer other nations investigating cyberattacks. When Russia pummeled Estonia with cyberattacks in 2007, she noted, Estonia asked Russia to investigate the attack under an existing mutual legal assistance treaty. Russian officials declined, she said, saying their reading of the MLAT's wording did not obligate them to assist in that instance.
The adoption of the norms also marks the latest in a string of cyber policy victories by the Obama administration, Healey noted, even as it's been less successful at warding off cyberattacks from its own networks. In particular, he said, violation of the norms could be used to justify imposing cyber-specific sanctions recently developed by the Treasury Department.

"I've been a critic of the White House because I want to see a slugger come in and aim for the fences and the White House has been playing small ball, just a little bit at a time," Healey said. "But they've been getting runs across the plate."

Read more: http://www.politico.com/story/2015/07/un-body-agrees-to-us-norms-in-cyberspace-119900.html#ixzz3fQSlTI9D

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 9 19:28:31 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Jul 2015 20:28:31 -0400
Subject: [Infowarrior] - Hacking Team Employee Jokes About Assassinating ACLU Technologist
Message-ID:

Hacking Team Employee Jokes About Assassinating ACLU Technologist
By Micah Lee @micahflee
https://firstlook.org/theintercept/2015/07/09/hacking-team-employee-jokes-assassinating-aclu-technologist-christopher-soghoian/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Jul 10 13:12:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Jul 2015 14:12:52 -0400
Subject: [Infowarrior] - The rise of the new Crypto War
Message-ID: <16E898C5-8098-4858-A763-1E2FD7EFE5C4@infowarrior.org>

The rise of the new Crypto War
By Eric Geller
Jul 10, 2015, 7:00am CT
http://www.dailydot.com/politics/encryption-crypto-war-james-comey-fbi-privacy/

--
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Jul 10 13:17:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Jul 2015 14:17:41 -0400
Subject: [Infowarrior] - OPM director resigns over hack
Message-ID:

OPM director resigns over hack
By Cory Bennett - 07/10/15 12:35 PM EDT
http://thehill.com/policy/cybersecurity/247513-opm-director-resigns-over-hack

The embattled director of the Office of Personnel Management (OPM) has resigned, bowing to mounting pressure from Capitol Hill for her to step aside over a devastating government hack.

Katherine Archuleta stepped down a day after she revealed that multiple breaches at her agency had exposed more than 22 million people's sensitive information. President Obama accepted her resignation Friday morning, according to a White House official. Her resignation is effective at the close of business.

"I conveyed to the President that I believe it is best for me to step aside and allow new leadership to step in, enabling the agency to move beyond the current challenges and allowing the employees at OPM to continue their important work," Archuleta said in a statement. "Leading this agency has been the highlight of my career."

White House press secretary Josh Earnest said Archuleta resigned "of her own volition" and not under pressure from the president. She realized the agency's leadership "required a manager with a set of specialized skills and experiences," Earnest said.

Beth Cobert, the U.S. chief performance officer and deputy director for management at the Office of Management and Budget, will assume the role of acting director starting Saturday.

The administration had stood behind Archuleta through this week, with the White House repeatedly insisting it had confidence in the agency head. As recently as Thursday, Archuleta herself batted off calls for her resignation. "I am committed to the work that I am doing at OPM," she told reporters in a conference call.

But the chorus on Capitol Hill calling for her firing -
which had been building since shortly after the breach was first revealed in early June - swelled on Thursday after Archuleta and OPM revealed the stunning sweep of the data breach.

More than 22 million people had their personal information stolen, OPM announced, including 21.5 million people whose sensitive data was taken in a breach of a security clearance database. The tally also included 4.2 million government workers whose personnel files were stolen in an earlier intrusion. But 3.6 million people were hit by both hacks, putting the final tally at 22.1 million.

In the wake of the revelation, the top three House Republican leaders asked for her ouster, as did Sen. Mark Warner (D), who represents the sizable chunk of the federal workforce that resides in Virginia. "Director Archuleta's slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis," Warner said.

Earnest on Friday said he does not know if the president's personal data was compromised in the hack. "I don't have information about the president's personal data," he said. "Even if I did, I am not sure I would share it."

Lawmakers on both sides of the aisle had slammed Archuleta for not heeding myriad warnings from her inspector general about glaring security weaknesses in the OPM's outdated networks. Archuleta insisted she was taking into account the watchdog's recommendations both in a long-term plan to modernize the OPM system, and to aggressively patch flaws discovered in a security review following the breaches.

"Their strategic plan and aggressive efforts were failures," Rep. Ted Lieu (D-Calif.), who was the first lawmaker to call for Archuleta's resignation, told The Hill. Archuleta's insistence that her plans were anything but failures "is nauseating," Lieu added.

Archuleta's opponents on Capitol Hill were quick to praise her decision to step aside.
"This is the absolute right call," said House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), who led the grilling of Archuleta over two hearings and wrote the White House asking for her firing. "OPM needs a competent, technically savvy leader to manage the biggest cybersecurity crisis in this nation's history."

Chaffetz accused Obama of hiring Archuleta based on her stint as national political director for his 2012 campaign. Archuleta had also served as chief of staff and senior aide at three Cabinet-level departments in the Clinton and Obama administrations. "In the future, positions of this magnitude should be awarded on merit and not out of patronage to political operatives," Chaffetz said.

Cobert, who is taking over OPM amid the furor, started work at OMB in 2013 and has worked to streamline the government's turgid process for acquiring information technology. She has also worked with the U.S. Digital Service to improve the government's online services for Americans.

OPM has a huge task ahead as it seeks to limit the fallout from the hack, which compromised information with remarkable espionage value. "A treasure trove for blackmail," Lieu told The Hill.

Officials have called China the "leading suspect" in the digital assault. Experts see it as part of Beijing's broad effort to compile a comprehensive database on all U.S. government workers. For years to come, China could use the stolen data to imitate officials, launch targeted cyberattacks, or even recruit informants. "They now have 21 million Americans they can go after," Lieu said.

- Jordan Fabian contributed.
This story was last updated at 1:26 p.m.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Jul 10 17:23:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Jul 2015 18:23:18 -0400
Subject: [Infowarrior] - Ellen Pao Is Stepping Down as Reddit's Chief
Message-ID:

Ellen Pao Is Stepping Down as Reddit's Chief
Mike Isaac
http://www.nytimes.com/2015/07/11/technology/ellen-pao-reddit-chief-executive-resignation.html

Ellen Pao, the interim chief executive of Reddit, resigned from the online message board on Friday after a week of ceaseless criticism from scores of angry users over the handling of an employee departure.

Ms. Pao will be replaced by Steve Huffman, who, along with Alexis Ohanian, started Reddit from a two-bedroom apartment in a suburb of Boston a decade ago. Ms. Pao said she would remain as an adviser to Reddit's board for the remainder of the year.

Her exit, which the company described as a mutual agreement between her and Reddit's board, follows a week of unrest in the Reddit community, which is made up of more than 160 million regular users who use the site to talk about anything from current events to viral cat photos.

Ms. Pao characterized her departure as a result of a disagreement with Reddit's board on the future of the company. "It became clear that the board and I had a different view on the ability of Reddit to grow this year," Ms. Pao said in an interview. "Because of that, it made sense to bring someone in that shared the same view."

Sam Altman, a member of Reddit's board, said he personally appreciated Ms. Pao's efforts during her two years working at the start-up. "Ellen has done a phenomenal job, especially in the last few months," he said.

Reddit, now based in San Francisco, is composed of topic-based forums, known as subreddits, where discussions take place on subjects like news and technology. The company has 70 to 80 employees and relies largely upon its thousands of dedicated power users to govern the site.
That tight-knit community erupted into upheaval when the news broke that Victoria Taylor, a prominent and well-liked Reddit employee, had been abruptly dismissed from the company with no public explanation. Many Reddit users blamed Ms. Pao directly in the hours after Ms. Taylor's firing, flooding Reddit's forums with vitriolic messages - often racist and misogynistic - calling for Ms. Pao's ouster. Reddit users circulated an online petition calling for her removal that garnered more than 200,000 signatures.

Ms. Pao apologized to the site's members for the episode earlier this week. Reddit's management made errors, "not just on July 2, but also over the past several years," Ms. Pao said in a post on one of the site's forums on Monday. "The mods" - moderators - "and the community have lost trust in me and in us, the administrators of Reddit."

Ms. Pao has long been a figure of controversy in Silicon Valley. In March, she lost a gender discrimination lawsuit against the venture capital firm Kleiner Perkins Caufield & Byers, where she had previously worked. The trial, which involved big-name Silicon Valley investors such as John Doerr, mesmerized Silicon Valley with its salacious details while also amplifying concerns about a lack of diversity in the technology industry.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Jul 12 17:28:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 12 Jul 2015 18:28:09 -0400
Subject: [Infowarrior] - Who Is Apple?
Message-ID: <0AD9CFAC-8B03-49FB-ACF1-A5419844460B@infowarrior.org>

http://www.ritholtz.com/blog/2015/07/who-is-apple/

Who Is Apple?
by Bob Lefsetz - July 12th, 2015, 2:00pm

Individuals matter. Jimmy Iovine willed Interscope to success. And Steve Jobs did the same with Apple. But now he's gone and Apple is hurting.

APPLE WATCH

Tech is about a level playing ground, albeit an oftentimes expensive one. Everybody gets to eat at the buffet, as long as they can afford the entry ticket.
But please explain to me the three different Apple watches that work exactly the same, that are evanescent products with a useful life of two years at best. Sure, iMacs came in different colors, but they were all the same price. Fashion is subsidiary in tech, it's the cherry on top, never the whole enchilada. Functionality comes first, and a $10,000 Apple Watch works no better than one for $349. Which is why Apple has only sold 2,000 copies of the 10k Edition in the U.S. Proving that the bad press the company got is not worth the extra revenue. How did they get it so wrong? By not having a visionary who could say no. Unless you're making clothing, fashion is a feature, not the essence.

APPLE WATCH 2

Yes, Steve Jobs never employed research, but he also developed products he thought the public would want to buy. Only early adopters want the Apple Watch, and there's no word of mouth. Publicity will get you started, word of mouth will make you triumph. The Watch was dead from the get-go. Maybe it should have been introduced as a hobby, like Apple TV. So people would have low expectations and know they were along for the journey. The Watch tells time poorly and has a steep learning curve for uses you're not sure you need. Sound like a winning product to you? Of course not. Steve Jobs didn't play in all arenas, only ones in which he could win. The Apple Watch proves there's no vision in Cupertino, not that we can see. And no one who can say no.

APPLE MUSIC

Me-too is usually death. Its success is predicated on market share in a world where there's little penetration. Which is how Windows 95 almost put Apple out of business. And the truth is streaming music adoption is still low, so Apple has a chance. But it's a little more complicated than that. You see streaming has already won, on YouTube, it's just that that's free to the customer. So if you're not free, you've got to be a whole lot better, and Apple Music is not. So?
Once again, Steve Jobs only introduced a product when he knew he could win. Design did not sell the original iPod, however appealing it might have been, but functionality/usability. The iPod was the first MP3 player that transferred tracks at high speed, FireWire instead of USB. Furthermore, the software eliminated stupidity. That's right, you just plugged your iPod into your computer and the software, i.e. iTunes, took care of the rest. There is no great advance in Apple Music. Even Songza had hand-curated playlists. So the company's only hope is it's so early in the game that they can end up winning. One can argue that Apple should have truly differentiated its product. Maybe by giving less. No playlists, but easier functionality.

FUNCTIONALITY/USABILITY

This was Steve Jobs's credo, make it easy to use, with no flaws. Apple Music is MobileMe on steroids. And there are so many options included that functionality is crippled, users are overwhelmed. MobileMe sucked and heads rolled. Whose head is rolling for the bugs in Apple Music? Someone needs to be fired, someone needs to take responsibility. People are afraid to download the software for fear of it screwing up their library. I'm still waiting for a fix to library corruption, but Apple is mum. Not only is there no admission of fault, there's no manual. Steve Jobs may have put up a press blockade, but he was unafraid of explaining his product, which Jimmy Iovine and his cohorts did so poorly during the WWDC presentation.

Jimmy Iovine. He succeeded by being a friend to the artist, by working relationships. At first the money was Ted Field's, but it turned out Jimmy just needed that to get him started. Jimmy's biggest triumph was the 9/11 TV broadcast. Give the man credit. But Jimmy's no visionary. He had one success, with Beats headphones. You've got to have two to prove it's not luck. Jimmy failed with Beats Music. Disastrously. Unless you say selling to Apple was a victory.
Steve Jobs had multiple victories, the original iMac, the iPod, iPhone and iPad, never mind the Apple II and original Macintosh. But now the company is running on fumes. Because it needs a Steve Jobs and all it's got is Tim Cook, a supply chain expert. Let's investigate what has been achieved since Steve's death. A smaller iPad, whose sales have now been cannibalized by a larger iPhone. A larger iPhone, after Samsung cleaned Apple's clock with bigger handsets for years. Software releases are hitting deadlines, but there are so many bugs loyalists are frustrated. And I used to be a loyalist.

There's a fiction that corporations rule in America. The truth is it's all about individuals. Sure, a group can effectuate the vision, but it always comes from one person, maybe a team of two, certainly not a committee. Jeff Bezos is Amazon. Mark Zuckerberg is Facebook. Larry and Sergey are Google. Daniel Ek is Spotify. Evan Spiegel is Snapchat.

Who is Apple?

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Jul 12 18:23:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 12 Jul 2015 19:23:09 -0400
Subject: [Infowarrior] - Hacking Team orchestrated brazen BGP hack to hijack IPs it didn't own
Message-ID: <19B156E8-E003-4A30-A0F1-E74A863185C3@infowarrior.org>

Hacking Team orchestrated brazen BGP hack to hijack IPs it didn't own
Hijacking was initiated after Italian Police lost control of infected machines.
by Dan Goodin - Jul 12, 2015 6:53pm EDT
http://arstechnica.com/security/2015/07/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own/

Spyware service provider Hacking Team orchestrated the hijacking of IP addresses it didn't own to help Italian police regain control over several computers that were being monitored in an investigation, e-mails sent among company employees showed. Over a six-day period in August 2013, Italian Web host Aruba S.p.A.
fraudulently announced its ownership of 256 IP addresses into the global routing system known as border gateway protocol, the messages document. Aruba's move came under the direction of Hacking Team and the Special Operations Group of the Italian National Military Police, which was using Hacking Team's Remote Control System malware to monitor the computers of unidentified targets. The hijacking came after the IP addresses became unreachable under its rightful owner Santrex, the "bullet-proof" Web hosting provider that catered to criminals and went out of business in October 2013, according to KrebsOnSecurity. It's not clear from the e-mails, but they appear to suggest Hacking Team and the Italian police were also relying on Santrex. The emails were included in some 400 gigabytes of proprietary data taken during last weekend's breach of Hacking Team and then made public on the Internet.

With the sudden loss of the block of IP addresses, Italy's Special Operations Group was unable to communicate with several computers that were infected with the Hacking Team malware. The e-mails show Hacking Team support workers discussing how the law enforcement agency could regain control. Eventually, Italian police worked with Aruba to get the block - which was known as 46.166.163.0/24 in Internet routing parlance - announced in the BGP system as belonging to Aruba. It's the first known case of an ISP fraudulently announcing another provider's address space, said Doug Madory, director of Internet analysis at Dyn Research, which performs research on Internet performance.

"Stupid, old, insecure core protocol"

The revelation is the latest to raise troubling questions about BGP, the core Internet routing mechanism that's almost entirely based on trust.
Although the /24 block of affected addresses was small and inexplicably inactive at the time, the hijacking is already generating criticism not only of the world's continued dependence on the insecure framework, but also of the impropriety of Aruba, Hacking Team, and the Italian government for jointly making the fraud happen.

"BGP is a stupid, old, insecure core protocol of the Internet," Filippo Valsorda, an engineer on the CloudFlare Security Team, told Ars. "The affected IP class, 46.166.163.0/24, was unannounced (dead) at the time. However, the BGP trust game is delicate and critical and this reckless irresponsibility undermines the trust that the Internet survives on (and makes it sorely clear how it needs to move on from it)."

It's not the first time BGP has been abused. In late 2013, Dyn Research presented evidence showing that huge chunks of Internet traffic belonging to financial institutions, government agencies, and network service providers had repeatedly been diverted to distant and unauthorized locations, stoking suspicions the traffic may have been surreptitiously monitored or modified before ultimately reaching its intended destination. While the repeated hijackings were the most serious to come to light so far, other large swaths of Internet traffic routinely are found diverted to distant and unexplained networks, including Russia's domestic Internet traffic passing through China in 2014 and 167 important British Telecom customers' data being routed through Ukraine earlier this year.

The Hacking Team e-mails show the impunity employees felt as they worked to hijack the block of inactive IP addresses, some of which hosted virtual private servers (VPSes) used as part of a command and control system for the computers infected with the RCS malware. By having Aruba fraudulently announce the addresses, Hacking Team and its Italian customer could impersonate the Santrex hosting provider and reestablish communications with the infected machines.
"If everything was done correctly, we should get back the VPS online hoping then that the backdoor is still alive and [we] may contact the VPS," an unidentified Hacking Team support worker wrote in an August 13, 2013 e-mail, which Ars translated from Italian into English using Google Translate.

As a result, the fraudulent routing table was broadcast to networks including Italian telecommunications companies Fastweb, MC-link S.p.A, and Reteivo.it, global service provider Easynet, and Internet backbone and colocation provider Hurricane Electric, according to a blog post published Sunday by researchers from OpenDNS. From there, the bogus route was spread around the world from Australia to the Philippines, Dyn Research's Madory told Ars. Word of the hijacking first surfaced on Friday here.

As noted earlier in this post, the ease of fraudulently manipulating the BGP system has long been recognized as a key weak point in Internet security. The Hacking Team e-mails (1, 2, 3, 4, 5, 6, 7, 8, and 9) move that risk out of the theoretical and into the practical. It also underscores the need for universal norms to be observed by service providers and for enforceable penalties when they're breached.

"In general, the issue is that BGP is the underlying system for directing Internet traffic around the world and there is presently nothing to stop an entity from announcing another entity's IP address space -- effectively impersonating it," Madory wrote in an e-mail. "These techniques can be used to intercept or manipulate the contents of affected Internet traffic or simply to 'blackhole' traffic."

-- It's better to burn out than fade away.
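The gap Madory describes, that nothing in BGP itself stops one network from originating another's prefix, is what RPKI route-origin validation (RFC 6811) is meant to close: a prefix holder publishes a signed Route Origin Authorization (ROA), and a router or monitor compares every announcement against it. As an added example, not code from Ars, Dyn, OpenDNS or any party in the story, here is a small Python model of that check run over a constructed route-collector feed. The prefix 46.166.163.0/24 is the one named above; every ASN is a documentation ASN from the RFC 5398 range (64496-64511) standing in for the real networks, and the ROA table and feed lines are constructed for illustration.

```python
"""Route-origin validation (RFC 6811 semantics) over a constructed BGP feed.

Added example, not code from the article or from any party it names.
46.166.163.0/24 is the prefix from the story; the ASNs are documentation
ASNs (RFC 5398, 64496-64511) standing in for the real networks, and the
ROA table and feed lines below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it down to max_length."""
    prefix: IPv4Network
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Update:
    """One BGP announcement: the prefix and its AS_PATH. The leftmost entry
    is the neighbour that sent it, the rightmost is the claimed origin."""
    prefix: IPv4Network
    as_path: Tuple[int, ...]

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed ROA table: AS64496 stands in for the prefix's legitimate holder.
ROAS = [
    Roa(ip_network("46.166.163.0/24"), 24, 64496),
    Roa(ip_network("192.0.2.0/24"), 25, 64497),   # may be split into two /25s
]

# Constructed feed lines, "prefix|as_path", as a route collector might log them.
FEED = [
    "46.166.163.0/24|64500 64499 64496",    # rightful origin
    "46.166.163.0/24|64500 64501 64510",    # same prefix, different origin
    "192.0.2.0/25|64500 64497",             # more-specific within max_length
    "192.0.2.128/26|64500 64497",           # right origin, too specific
    "198.51.100.0/24|64500 64502",          # no ROA covers it
]


def parse_update(line: str) -> Update:
    """Parse 'prefix|AS AS AS' into an Update. ip_network() rejects a prefix
    with host bits set, which catches malformed collector lines early."""
    prefix_txt, path_txt = line.strip().split("|", 1)
    return Update(ip_network(prefix_txt), tuple(int(a) for a in path_txt.split()))


def validate(update: Update, roas: List[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    A ROA covers the update when the announced prefix lies inside the ROA
    prefix. No covering ROA gives 'not-found'. If any covering ROA names the
    announced origin and permits the announced length the state is 'valid';
    otherwise some ROA covers the space but none authorizes this
    announcement, so it is 'invalid'.
    """
    covering = [r for r in roas if update.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == update.origin_as and update.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def audit(feed: List[str], roas: List[Roa]) -> List[Tuple[str, int, str]]:
    """Validate every feed line; returns (prefix, origin_as, state) triples so
    the 'invalid' rows can be alerted on."""
    out = []
    for line in feed:
        upd = parse_update(line)
        out.append((str(upd.prefix), upd.origin_as, validate(upd, roas)))
    return out


if __name__ == "__main__":
    for prefix, origin, state in audit(FEED, ROAS):
        print(f"{prefix:<18} origin AS{origin:<6} {state}")
```

Two points worth keeping in mind when reading the output. First, the second feed line is the shape of the incident above: the right prefix with a different origin, and it comes back "invalid" even though the prefix had no live announcement to compare against, which is why a ROA-based check catches what a "did the origin change?" baseline would miss for a dead block. Second, origin validation looks only at the last ASN in the path; an announcer that places the legitimate origin at the end of a path it constructed passes this check, so ROA validation is a floor, and path validation and monitoring from several vantage points still belong alongside it.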
From rforno at infowarrior.org Mon Jul 13 06:28:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jul 2015 07:28:09 -0400
Subject: [Infowarrior] - Comcast's laughable new cord-cutter package
Message-ID: <421AE018-E794-4963-A4F4-D657B23C0A72@infowarrior.org>

(Translation: Get SlingTV, it's a much better deal and includes some useful channels. --rick)

Comcast Offers Its Alternative to Cable TV, Using the Web
By EMILY STEEL, JULY 12, 2015
http://www.nytimes.com/2015/07/13/business/media/comcast-offers-its-alternative-to-cable-tv-using-the-web.html

Comcast, the country's largest cable operator, is responding to the rush of new streaming television alternatives with the start of its own web-based offering that includes a bundle of broadcast networks and the premium cable network HBO.

The new service, which costs $15 a month, represents a bid from a mainstream cable company to stay relevant to a new generation of viewers. Many consumers -- especially younger ones -- are willing to pay for Internet service but are ditching cable packages in favor of streaming services that are often cheaper and offer more flexibility than the typical cable bundle.

For an extra $15 a month added to a Comcast Internet subscription, viewers will have access to live and on-demand programming on computers and mobile devices from about a dozen networks, along with cloud DVR storage and Streampix, Comcast's movie offering. Called Stream, the new service will be available in Boston, Chicago and Seattle later this year and across the company's coverage areas in the United States in 2016

< - >

There are limitations, however, that could curb the new service's appeal to potential subscribers. To start, Comcast's streaming service will not include any cable networks beyond HBO. That excludes networks like the sports hub ESPN and AMC, home to the zombie-apocalypse hit "The Walking Dead." The broadcast networks -- ABC, CBS, Fox, NBC and PBS --
along with several other networks, are typically available free via high-definition antennas that cost about $25. Subscribers to the Comcast app will not be able to stream the service to their television sets, an option for most other rival streaming services. (There is a workaround. Customers could use their account details to unlock access to network apps, like HBO Go, that are available for streaming to television sets.) Also, people who live in areas where Comcast is not the cable provider will not be able to subscribe to the service.

Mr. Strauss said that people seeking a broader lineup of channels and the ability to watch on their TVs had the option of subscribing to Comcast's standard cable package. He added that the new offering was aimed at younger consumers keen to watch TV on computers and mobile devices.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Jul 13 08:44:26 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jul 2015 09:44:26 -0400
Subject: [Infowarrior] - Here's how not to report on the US government's terror warnings
Message-ID: <2BEA471A-A9DB-421B-8A42-EA6CD63F0166@infowarrior.org>

Here's how not to report on the US government's terror warnings
By Trevor Timm
July 10, 2015
1093 words
http://www.cjr.org/analysis/heres_how_not_to_report_on_the_us_governments_terror_warnings.php

If you turned on the television or checked your phone in the lead up to July 4th, it was almost impossible to miss the wall-to-wall coverage blaring ominous warnings from the US government: ISIS terrorists could strike Americans at any minute over the holiday weekend. As it often is in such instances, the media's reporting was breathless, hyperbolic, and barely contained a hint of skepticism.
When nothing happened -- as has been the case literally every time the government has issued these warnings in the past -- there was no apparent self-reflection by these media outlets about how they could have tempered their coverage. Instead, many doubled down by re-writing government press releases, claiming that arrests that happened well before July 4th, and in which the alleged criminals never mentioned the American holiday, are proof of "just how close" the US came to a terror attack over the holiday weekend.

During the Bush administration, terror alerts were issued with such frequency that they were widely derided and criticized -- even by seasoned counter-terrorism experts. Now that ISIS has emerged, the Bush administration's derided "color code system" is gone, but the willingness of the media to immediately buy into the idea that the public should be freaking out is still alive and well. The last two years have seen the media become much more skeptical of government surveillance powers. Yet when the terror alert flashes, they revert right back to their old ways.

Last weekend's coverage was a case study in rash judgment. All the caveats issued with the warning's release were hardly noticeable, downplayed and buried in the middle of the articles, sandwiched in-between urgent calls for caution from various government agencies.

There will soon be a next time; the government will issue a warning, and the media will inevitably jump. When it does, the first rule of reporting should be to determine whether the alerts are based on anything at all and to put that information in the lede. Authorities flatly acknowledged two weeks ago that they have no "credible" or "specific" information that any attacks will occur, but that barely registered in the media's coverage. CBS News waited until the sixth paragraph in one of their main articles on the subject to tell its readers of the mitigating information.
USA Today also stuck the phrase in the middle of its sixth paragraph and never returned to it. CNN, with a finely honed talent for siren headlines, didn't disclose this information until their 10th paragraph. NBC News, though, was the most brazen. They told readers that authorities "are unaware of any specific or credible threat inside the country" in the 7th paragraph, quickly followed by a qualifier that could not contain more hyperbole if they tried: "But the dangers are more complex and unpredictable than ever."

Really? Apparently the dangers are more complex and unpredictable than ever if you ignore the fact that terrorism attacks in the US are close to all-time lows, and that Americans have generally never been safer.

Photo: After watching three or four terrifying CNN clips that we're all going to die, they squeeze in one segment telling us, actually, we've never been safer.

None of these major news stories mentioned that the US government had issued similar terrorism warnings that generated alarming headlines at least forty times since 9/11. As FAIR's Adam Johnson detailed, all forty times nothing happened. If news organizations are going to list all the reasons readers should be scared, they should at least attempt to note the reasons that they probably shouldn't be.

Even taking the terror alerts at face value, almost no one asked the question of why there was a sudden and intense worry about ISIS attacks in the United States. Is it because ISIS's modus operandi calls for terrorism in the US, or is it because US military attacks on ISIS increase the chances that ISIS will want to attack the US back? Recent academic research, after all, concludes "the deployment of troops overseas increases the likelihood of transnational terrorist attacks against the global interests of the deploying state."
Shouldn't the fact that the US might be increasing the chances that ISIS will aim an attack against civilians in the United States by starting another long term war in the Middle East be part of the discussion?

The US government quickly justified its terrorism warnings after July 4th, announcing that it had arrested a few alleged ISIS sympathizers planning attacks. It's hard to tell who the FBI arrested, as the FBI director "would not say what the plots entailed or how many people had been arrested." But judging from public arrest records, there is no indication that any terrorism suspects were planning anything around that specific day. They were arrested before the alerts even went out, and before large numbers of people were ever at risk.

Like the vast majority of other recent arrests of terrorism suspects in the US, it's also likely these arrestees were hapless rubes with mental health issues, not terrorism masterminds. It has become a pattern: the FBI announces a high-profile terrorism arrest that sounds gravely dangerous, and then we later find out through court documents the suspect was poor and likely mentally-ill, and that FBI informants were directing the "attack" every step of the way.

Several recent investigations have shown the disturbing frequency in which FBI informants suggested, cajoled, pressured, entrapped, and even planned the "terrorist attacks" for the arrested suspects every step of the way. The gripping HBO documentary "The Newburgh Four" or the more recent short film "Entrapped" -- about a group of "terrorists" first prosecuted by presidential candidate Chris Christie, who never attempted to commit terrorism at all -- have exposed this practice to a wider audience, yet this tactic still barely makes it into traditional media coverage announcing yet another attack thwarted.

I'm certainly not arguing the media should ignore ISIS or any potential threat it poses to Americans.
Terrorist attacks of all stripes, while extremely rare, will always be a risk to the American public and citizens around the world. But evidence-free fear-mongering at the behest of the government does no one any good. A little perspective would certainly go a long way. Over July 4th weekend, two people in Indiana died in separate fireworks accidents. That's two more people than ISIS has killed on US soil in the terrorist group's entire existence.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Jul 13 12:38:04 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jul 2015 13:38:04 -0400
Subject: [Infowarrior] - The RIAA's latest non-sensical talking point
Message-ID: <483FFE34-996D-4100-AEDB-E035469C62CE@infowarrior.org>

Top RIAA Exec: There's No More Music In Africa And The Middle East Because They Need Stronger Copyright
https://www.techdirt.com/articles/20150712/22271931622/top-riaa-exec-theres-no-more-music-africa-middle-east-because-they-need-stronger-copyright.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Mon Jul 13 14:00:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jul 2015 15:00:22 -0400
Subject: [Infowarrior] - Fwd: Privacy talk at DEF CON canceled under questionable circumstances
References: <55A409E7.9090804@mykolab.com>
Message-ID:

> Begin forwarded message:
>
> From: Paul Ferguson
> Subject: Privacy talk at DEF CON canceled under questionable circumstances
> Date: July 13, 2015 at 2:56:39 PM EDT
> To: Richard Forno
>
> Signed PGP part
> Not sure if you've seen this:
>
> "Privacy is important, and if recent events are anything to go by --
> such as the FBI pushing to limit encryption and force companies to
> include backdoors into consumer oriented products and services; or the
> recent Hacking Team incident that exposed the questionable and
> dangerous world of government surveillance; striking a balance between
> law enforcement and basic human freedoms is an uphill struggle."
>
> http://www.csoonline.com/article/2947377/network-security/privacy-talk-at-def-con-canceled-under-questionable-circumstances.html
>
> - ferg
>
> --
> Paul Ferguson
> PGP Public Key ID: 0x54DC85B2
> Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2

From rforno at infowarrior.org Mon Jul 13 14:37:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 13 Jul 2015 15:37:55 -0400
Subject: [Infowarrior] - Laura Poitras Sues U.S. Government
Message-ID:

Laura Poitras Sues U.S. Government to Find Out Why She Was Repeatedly Stopped at the Border
By Jenna McLaughlin @JennaMC_Laugh
7 minutes ago
https://firstlook.org/theintercept/2015/07/13/laura-poitras-sues-u-s-government-find-repeatedly-stopped-border/

Over six years, filmmaker Laura Poitras was searched, interrogated, and detained more than 50 times at U.S. and foreign airports. When she asked why, U.S. agencies wouldn't say. Now, after receiving no response to her Freedom of Information Act requests for documents pertaining to her systemic targeting, Poitras is suing the U.S. government.

In a complaint filed on Monday afternoon, Poitras demanded that the Department of Justice, the Department of Homeland Security, and the Office of the Director of National Security release any and all documentation pertaining to her tracking, targeting, and questioning while traveling between 2006 and 2012.

"I'm filing this lawsuit because the government uses the U.S. border to bypass the rule of law," Poitras said in a statement. Poitras co-founded The Intercept with Glenn Greenwald and Jeremy Scahill.
She said she hopes to draw attention to how other people, who aren't as well known, "are also subjected to years of Kafkaesque harassment at the borders."

Poitras has been the subject of government monitoring since 2006, when she was working on a documentary film, My Country, My Country, the story of the Iraq War told from the perspective of an Iraqi doctor. Airport security informed her that the Department of Homeland Security assigned her the highest "threat rating" possible, despite the fact that she has never been charged with a crime.

She described the government's inspection and forceful seizure of her notebooks, laptop, cellphone, and other personal items as "shameful" in an interview with Democracy Now in 2012. On one occasion, security officers at the airport refused to allow her to take notes on her interrogation, arguing that her pen could be used as a weapon.

Poitras was only freed from the constant harassment after Glenn Greenwald published an article about her plight in 2012, and a group of filmmakers united to write a petition against the government's monitoring.

Based on her earlier work, NSA whistleblower Edward Snowden picked Poitras, along with Greenwald, to receive his archive of documents that revealed massive world-wide surveillance by the U.S. and the U.K. Poitras won an Academy Award in 2014 for her documentary about Snowden, called CITIZENFOUR, and shared the 2014 Pulitzer Prize for public service.

In 2013, Poitras filed a Freedom of Information Act request to access any information about herself that the government used to determine that she was a danger to national security and worthy of intense scrutiny. There is an immense backlog of unanswered FOIA requests across the government. Just this year, the number of unanswered FOIA requests swelled to over 200,000 -- more than 50 percent more than last year.

Poitras is being represented by lawyers at the Electronic Frontier Foundation, a digital rights advocacy group.
"The well-documented difficulties Ms. Poitras experienced while traveling strongly suggest that she was improperly targeted by federal agencies as a result of her journalistic activities," EFF senior counsel David Sobel told the Intercept. "Those agencies are now attempting to conceal information that would shed light on tactics that appear to have been illegal. We are confident that the court will not condone the government's attempt to hide its misconduct under a veil of 'national security.'"

(This post is from our blog: Unofficial Sources.)
Photo: Adam Berry/Getty Images
Email the author: jenna.mclaughlin at theintercept.com

-- It's better to burn out than fade away.

From rforno at infowarrior.org Tue Jul 14 07:15:10 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 14 Jul 2015 08:15:10 -0400
Subject: [Infowarrior] - Pluto Day!
Message-ID:

New Horizons: Nasa spacecraft speeds past Pluto
By Jonathan Amos
BBC Science Correspondent, Laurel, Maryland
21 minutes ago
http://www.bbc.com/news/science-environment-33524589

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 15 11:14:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Jul 2015 12:14:57 -0400
Subject: [Infowarrior] - WH's list of cybersecurity 'results' so far in 2015
Message-ID:

(x-posted)

Two comments:

1) I note that another 'cybersecurity strategy' document will be produced. Le sigh.....

2) More 'standards' will be developed. Because when it comes to cybersecurity, we can't have enough administrative things to measure, bypass, waive, or flat-out ignore, right?

-- rick

> http://www.nextgov.com/cybersecurity/2015/07/heres-everything-white-house-says-its-done-cyber-2015/117628/
>
> As news coverage of the devastating hack at the Office of Personnel Management first began intensifying last month, the White House called on agencies to complete a 30-day "cybersecurity sprint" to immediately plug security holes over the next month.
>
> That 30-day exercise, which included replacing notoriously insecure password-only sign-ons with multifactor authentication and patching "critical" software vulnerabilities, officially wrapped up Sunday.
>
> Some results are already being touted by the administration. Across government, the percentage of agencies using two-factor sign-on measures has increased by 20 percent within the first 10 days of the sprint alone, federal Chief Information Officer Tony Scott told reporters during a July 9 conference call.
>
> More details about the progress agencies made during the sprint -- as well as areas that still need some work -- won't be released until next week, officials say.
>
> In the meantime, the White House issued a fact sheet laying out some of the steps the administration says it's taken to bolster agencies' cybersecurity practices, including some before the OPM hack even came to light.
>
> Those steps include:
>
> * Creating a dedicated cybersecurity team under the federal CIO -- called the E-Gov Cyber unit -- to oversee dot-gov network security. The unit has established a new program to scan for critical vulnerabilities on agencies' public-facing websites.
> * Planning to rapidly accelerate the deployment of the second-phase of the Department of Homeland Security-managed "continuous diagnostics and mitigation" program, which can detect unauthorized access in "near-real-time." The program now covers 97 percent of executive branch personnel and is expected to protect more than 60 civilian agencies by the end of September.
> * Expanding the "EINSTEIN 3A" intrusion-prevention system, another DHS tool, across federal agencies. The more advanced version of the EINSTEIN tool now covers 15 agencies, a 20 percent jump since last November. DHS plans to award a contract to cover all agencies with the latest version by the end of the year.
> * Releasing new standards aiming to protect potentially sensitive data on systems owned by contractors and other third parties.
> Last month, the National Institute of Standards and Technology published guidelines for the handling of so-called "controlled unclassified" information housed by third parties.
> * Taking steps to improve recruiting and hiring of cybersecurity talent in government. The Office of Management and Budget is examining gaps in the current cyber workforce and plans to outline existing special hiring authorities agencies can use to onboard additional cyber talent.
> Meanwhile, later this summer, the administration plans to release a "Federal Cybersecurity Civilian Strategy" to help agencies secure their networks. The guidance will include steps for agencies to more rapidly procure security technology.
>
> Still, the timing of the fact sheet -- released last week as OPM officials finally detailed the full scope of the massive hack of background check files at OPM -- struck some observers as a bit off.
>
> Referring to the administration's fact sheet, Christopher Soghoian, the American Civil Liberties Union principal technologist, tweeted, "Maybe this isn't the best time for the White House to do a cybersecurity victory lap."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 15 17:42:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Jul 2015 18:42:03 -0400
Subject: [Infowarrior] - ISP Doesn't Have to Police Music Labels' Trademark
Message-ID:

July 15, 2015 | By Mitch Stoltz
Victory for CloudFlare Against SOPA-like Court Order: Internet Service Doesn't Have to Police Music Labels' Trademark
https://www.eff.org/deeplinks/2015/07/victory-cloudflare-against-sopa-court-order-internet-service-doesnt-have-police

Striking a blow against the continuing effort to force service providers to serve as IP police, CloudFlare and EFF have pushed back against a court order that would have required CloudFlare to monitor its service to enforce a trademark held by a group of music labels.
Last week, Judge Alison J. Nathan of the U.S. District Court for the Southern District of New York ruled that CloudFlare does not have to search out and block customers who use variations on the name "grooveshark." Instead, CloudFlare must take action only if it has "knowledge of an infringement" (for example, when the labels send a takedown notice). Given that this is essentially what US law already requires, Judge Nathan's order puts paid to the latest strategy to institute trademark- and copyright-related filtering -- at least in this case.

The dispute started in May, as record labels sought to disappear a website that called itself Grooveshark and appeared to be a clone of a popular music-sharing site those same labels had shut down in April after settling a copyright lawsuit. That settlement left the labels in control of the original Grooveshark's trademarks. Claiming trademark infringement, the labels applied to the U.S. District Court for the Southern District of New York for a secret order to shut down the site, which was then located at grooveshark.io. Judge Deborah A. Batts granted the order in secret.

Three weeks later, Judge Nathan ruled that the order also applied to CloudFlare, a content delivery network and "reverse proxy" service. The order apparently required CloudFlare to block all of its customers from using domain names that contained "grooveshark," regardless of whether those domains contained First Amendment-protected speech, or had any connection with the "New Grooveshark" defendants who were the targets of the actual lawsuit.

That ruling spelled trouble. Laws like Section 512 of the Digital Millennium Copyright Act, Section 230 of the Communications Decency Act, and court decisions on trademark law such as Tiffany v. eBay, protect Internet intermediaries from legal responsibility for the actions of their users, including the responsibility to proactively block or filter users.
That protection has been vital to the growth of the Internet as a medium for communication, innovation, and learning. The original order against CloudFlare, if it had become the norm, would put service providers in the uncomfortable position of having to figure out who's allowed to use terms like "grooveshark" and who isn't -- or of having to block them all. Turning Internet companies into enforcers of who can say what on the Internet is exactly what laws like the DMCA were meant to avoid.

With help from EFF and Goodwin Procter, CloudFlare asked the court to modify the order so that its responsibilities would be limited to blocking users identified by the music labels as being affiliated with the "New Grooveshark" defendants, or if CloudFlare knew of that affiliation through other means. CloudFlare told the court that the music labels shouldn't be able to "parlay the happy accident (for them) of CloudFlare's having unknowingly and unintentionally provided its services to a single trademark infringer into a means of compelling CloudFlare to enforce [the labels'] trademark against all comers, potentially permanently."

Judge Nathan apparently agreed. She issued a new order making clear that CloudFlare does not have to police the "grooveshark" trademark proactively. In fact, the new order tracks existing trademark law very closely.

Although this dispute involved just one provider and a relatively small number of sites, it could have significant implications for Internet speech. Major entertainment distributors, including music labels, want the ability to make websites disappear from the Internet at their say-so. The failed Internet blacklist bills SOPA and PIPA were part of that strategy, along with the Department of Homeland Security's project of seizing websites based on unverified accusations of copyright infringement by entertainment companies.
Entertainment distributors are also lobbying ICANN, the nonprofit organization that oversees the domain name system, to gain the power to censor and de-anonymize websites without a court order. Attempts to impose new policing or filtering responsibilities on infrastructure companies like CloudFlare are another facet of this strategy. Last week's order should help to close off this avenue towards a website-blocking power and all of the harms to free speech it would cause.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Jul 15 17:42:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Jul 2015 18:42:07 -0400
Subject: [Infowarrior] - Researcher Receives Copyright Threat After Exposing Security Hole
Message-ID: <13229519-6FD3-4780-A0A1-F0FEF80E547E@infowarrior.org>

Researcher Receives Copyright Threat After Exposing Security Hole
By Andy, on July 15, 2015

A researcher who exposed security flaws in tools used to monitor the Internet usage of UK students has been hit with a copyright complaint. 'Slipstream' discovered flaws in Impero Education Pro which could reveal the personal details of thousands of pupils but in response Impero has sent in its legal team.

< - >

https://torrentfreak.com/researcher-receives-copyright-threat-after-exposing-security-hole-150715/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 16 07:06:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 16 Jul 2015 08:06:28 -0400
Subject: [Infowarrior] - Risky Business interview
Message-ID:

Risky Business #374 -- Anti-Flash sentiment sweeps the globe
July 16, 2015 -- On this week's show we'll be checking in with Richard Forno on the fallout from the OPM breach. Richard has been kicking around in DC infosec circles for a long time now and he lets us know what the mood is like inside the beltway. In this week's sponsor interview we chat with Chris Gatford of HackLabs!
HackLabs is an Australia-based pentesting and consulting firm and we're speaking to Chris about the changing nature of security consultancies. Adam Boileau, as usual, joins the show to discuss the week's news, which has been dominated by calls for the axing of the Flash plugin and the continued fallout from the Hacking Team breach.

http://risky.biz/RB374

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Jul 17 06:22:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jul 2015 07:22:52 -0400
Subject: [Infowarrior] - Google Revamps Patent Search To Actually Do What Patent Office Should Do
Message-ID:

Google Revamps Patent Search To Actually Do What Patent Office Should Do
from the pulling-in-more-info dept
https://www.techdirt.com/articles/20150716/11094731663/google-revamps-patent-search-to-actually-do-what-patent-office-should-do.shtml

A few years ago, Google seemed to downgrade its patent search features, pulling away a separate "Google Patents" section and mixing it back into the main Google search. This seemed like a major step backwards, especially given how terrible the US Patent Office's own patent search engine was. Google has tried to do a few things like launching a "prior art finder" and teaming up with StackExchange to help crowdsource prior art. I'm not quite sure how well either program has gone, but Google has now upgraded its patent search efforts yet again to create a service that one would have hoped the patent office would have built itself, though it has not:

The new Google Patents helps users find non-patent prior art by cataloguing it, using the same scheme that applies to patents. We've trained a machine classification model to classify everything found in Google Scholar using Cooperative Patent Classification codes. Now users can search for "autonomous vehicles" or "email encryption" and find prior art across patents, technical journals, scientific books, and more.
We've also simplified the interface, giving users one location for all patent-related searching and intuitive search fields. And thanks to Google Translate, users can search for foreign patent documents using English keywords. As we said in our May 2015 comments on the PTO's Patent Quality Initiative, we hope this tool will make patent examination more efficient and help stop bad patents from issuing which would be good for innovation and benefit the public.

Of course, it's not clear if USPTO examiners are even allowed to use tools like this, but it seems like providing better tools to examiners, and widening the corpus that they're allowed to search (right now they focus on past patents and limited journal searches) can only serve to stop at least some bogus patents from getting through.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Jul 17 06:22:57 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jul 2015 07:22:57 -0400
Subject: [Infowarrior] - UK's emergency surveillance law struck down by MPs
Message-ID:

UK's emergency surveillance law struck down by MPs
http://www.engadget.com/2015/07/17/dripa-high-court-ruling/?ncid=rss_truncated

The High Court has ruled today that parts of the UK's emergency surveillance legislation, the Data Retention and Investigatory Powers Act 2014 (DRIPA), are unlawful. Conservative MP David Davis and Labour MP Tom Watson, represented by the Liberty human rights organisation, have successfully argued that the law breaks the public's right to a private life and to the protection of personal data, set out in the EU Charter of Fundamental Rights. Sections 1 and 2 of DRIPA, which force telecoms companies and internet providers to store customer data for up to 12 months, will now be abolished in March next year. The law is due to expire at the end of 2016 anyway, but bringing the date forward for these two crucial points could force the government to introduce replacement legislation earlier.
Slowly but surely, the UK has been increasing its ability to monitor people's communications. In 2003, a code of practice was introduced that reimbursed companies for voluntarily storing customer data for government-set periods. The Data Retention (EC Directive) Regulations 2006, incorporated into UK law in 2009, then made this retention mandatory. The European Court of Justice ruled against the latter in 2014, however, so the UK government fast-tracked DRIPA to maintain its current surveillance powers.

While today's court decision is a win for privacy advocates, it represents but one battle in their war. DRIPA was always going to be replaced, and the upcoming Investigatory Powers Bill is thought to be a stronger law similar to the panned Snooper's Charter.

From rforno at infowarrior.org Fri Jul 17 06:30:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jul 2015 07:30:50 -0400
Subject: [Infowarrior] - Friday OT: Iceland in 4K glory
Message-ID: <89AE3BE7-6083-4387-BDC1-8F13AB1C4B84@infowarrior.org>

The beauty of Iceland in stunning 4K
Two filmmakers spent 14 days in the stark landscapes of Iceland, capturing their wild, strange, breathtaking beauty.
by Michelle Starr, July 17, 2015 12:16 AM PDT
http://www.cnet.com/news/the-beauty-of-iceland-in-stunning-4k/
From rforno at infowarrior.org Fri Jul 17 07:06:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jul 2015 08:06:12 -0400
Subject: [Infowarrior] - There's A Plan to Immediately Purge Some Governmentwide Network Surveillance Data
Message-ID: <86787010-FD4D-41D9-982C-96D1A8C25D1E@infowarrior.org>

There's A Plan to Immediately Purge Some Governmentwide Network Surveillance Data
By Aliya Sternstein
July 16, 2015
NEXTGOV
http://www.nextgov.com/cybersecurity/2015/07/theres-plan-immediately-purge-some-dhs-network-surveillance-data/118003/

After a series of stinging government hacks, the Department of Homeland Security said scans of incoming Internet traffic from the public would be amped up. It has been unclear how this monitoring might affect the privacy of citizens and employees.

Now, a little-noticed National Archives and Records Administration assessment offers some insight: Any surveillance data collected that does not trigger alarms will be erased pronto, according to a pending records disposal plan.

DHS' National Cybersecurity Protection System, better known as EINSTEIN, collects streams of traffic containing, among other things, emails and Web-surfing habits, to flag patterns indicative of known malicious attacks.

On June 9, NARA tentatively green-lighted a DHS request to "destroy or delete immediately" information "inadvertently collected or captured by any or all NCPS capabilities that are determined not to be related to known or suspected cyberthreats or vulnerabilities."

Such data typically includes anything from authorized online banking sessions to, some federal employees suspect, porn-site visits.

"It's likely they are bulk-collecting data and to avoid any accusations of monitoring things they aren't chartered to monitor, they must purge the data," said Jason Lewis, chief collections and intelligence officer at LookingGlass Cyber Solutions.
EINSTEIN "casts a wide collection net, so they have to delete information they didn't intend to capture."

Last year, Archives gave DHS permission to trash data after three years, if the information had no research value. A DHS official told Nextgov the newly released plan was part of that original records disposal schedule, but NARA "inadvertently missed the inclusion of this file plan in its approval" at that time.

Deeper network surveillance was in the works even before the Office of Personnel Management hacks laid bare intimate details on federal employees, contractors and their families. The latest iteration of EINSTEIN, E3A, is expected to roll out governmentwide by the end of 2015, according to the White House.

"The department works to ensure that privacy, confidentiality, civil rights and civil liberties are not diminished by our security initiatives," the Homeland Security official said. "DHS only retains data that is related to known or suspected cybersecurity threats. DHS has no business need for any other data that may be inadvertently captured by National Cybersecurity Protection System capabilities, such as EINSTEIN, and is proposing to destroy them immediately."

For instance, social media interactions that turn up when EINSTEIN harvests data probably do not need to be retained, Lewis said.

"If someone accesses Facebook to do an update, that might be benign traffic, but if someone accesses Facebook and a piece of malware tries to infect the computer, that is something they would probably alert on," he said.

Data destruction is a way of freeing up storage that has the added benefit of enhancing privacy, some security analysts said.

"This is an engineering decision, not a policy decision. Storing data takes time, effort and resources," said Ron Gula, chief executive officer of Tenable Network Security. "Stored data also presents an attractive target for rival nation states and cyber criminals and can be stolen."
He pointed to OPM, where hackers poached a database that had stockpiled 1.1 million fingerprints from personnel screened to handle classified information.

"Limiting data retention to a specific timeframe makes the engineering easier and makes it easier for the agency to keep inadvertently collected" personal and other sensitive information secure, Gula said.

Privacy experts praised the move to wipe nonthreat data collected.

"To the extent this information includes personally identifiable information that DHS does not need for cybersecurity reasons, disposing of it immediately is a good practice," said Gregory Nojeim, senior counsel with the Center for Democracy and Technology. "It builds confidence that the EINSTEIN program is about cybersecurity and not about surveillance for other reasons."

But other security experts warned getting rid of any network data during an ongoing probe into what happened at OPM could obliterate clues. When OPM detected suspicious behavior with its own sensors, DHS retroactively fed intelligence about the threat into EINSTEIN to determine the extent of the attack.

"Given the recent OPM breach, discarding such data during an ongoing forensic investigation seems unwise, even if there are sound technical and cost reasons, if for no other reason than potentially negative public perception surrounding accountability and control," said Ivan Shefrin, a vice president at cyber startup TaaSera.
From rforno at infowarrior.org Fri Jul 17 07:08:05 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Jul 2015 08:08:05 -0400
Subject: [Infowarrior] - Cybersecurity intern accused in huge hacking bust
References: <20150717005902.62B222281AC@palinka.tinho.net>
Message-ID: <7438439D-12D5-491F-B775-67A8739DAEA2@infowarrior.org>

> Begin forwarded message:
>
> From: dan
> http://money.cnn.com/2015/07/15/technology/hacker-fireeye-intern/
>
> Cybersecurity intern accused in huge hacking bust
> Jose Pagliery
>
> The guy accused of being one of the world's top Android phone hackers
> is a bright young student who's been honing his skills as an intern
> at the cybersecurity firm FireEye.
>
> On Wednesday the U.S. Justice Department announced a massive
> international bust of Darkode, an online black market for hackers.
>
> Among those charged with crimes was Morgan Culbertson, a 20-year-old
> from Pittsburgh. He's accused of creating a nasty malware that
> infects Android phones, steals data and controls the device.
>
> Culbertson is currently a sophomore at Carnegie Mellon University
> in Pittsburgh. He's a two-time intern at the cybersecurity software
> maker FireEye where he's been researching malware on Android
> smartphones, tearing apart viruses, and analyzing them.
>
> According to federal investigators, Culbertson went on to create
> the infamous "Dendroid" malware. For $300, anyone who bought it
> could turn any legitimate Android app into malware. Buyers even got
> round-the-clock software support.
>
> The Dendroid malware was so bad that the cybersecurity companies
> Trend Micro and Symantec each issued separate reports and warnings
> about it. They cautioned that it allowed hackers to remotely -- and
> quietly -- take screenshots, photos, videos and audio recordings.
>
> (Image caption: Hacker forums displayed Dendroid advertisement
> banners like this one.)
>
> FireEye issued a statement to CNNMoney that confirmed its intern
> was charged.
> The firm said it was caught by surprise.
>
> "Mr. Culbertson's internship has been suspended pending an internal
> review of his activities," FireEye said.
>
> The concern now is that Culbertson has compromised FireEye's software
> -- and used the corporation's knowledge and tools for criminal
> hacking. According to his online resume, he worked with FireEye's
> elite Advanced Persistent Threat team, which investigates hackers
> and their tactics.
>
> CNNMoney wrote an email to Culbertson but did not receive an immediate
> response.
>
> Fellow interns at FireEye described Culbertson as "very technically
> capable." But they expressed shock at the criminal accusations,
> noting that Culbertson was sociable and not the kind of person who
> would knowingly cause such widespread damage.
>

From rforno at infowarrior.org Sun Jul 19 19:13:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Jul 2015 20:13:09 -0400
Subject: [Infowarrior] - Singapore team in Parkinson's cure breakthrough
Message-ID: <291A4EE7-388C-44EB-809E-6D1AF2DF6E07@infowarrior.org>

Singapore team in Parkinson's cure breakthrough
Nyshka Chandran
http://www.cnbc.com/2015/07/15/potential-parkinsons-cure-unveiled.html

A team of international scientists announced a medical breakthrough in Singapore on Thursday that could improve millions of lives: existing anti-malaria drugs have the ability to treat Parkinson's disease, according to new research by Nanyang Technological University (NTU) and Harvard Medical School's McLean Hospital.

Parkinson's is a fatal degenerative disorder that impacts the central nervous system, causing people to lose control of motor movements. Seven to ten million people worldwide are currently diagnosed with the disease and there is no known cure.

After screening over 1000 drugs approved by the U.S. Food and Drug Administration, the scientists discovered that chloroquine and amodiaquine — two common anti-malaria treatments — could bind and activate a class of proteins in the brain vital to fight Parkinson's. Called Nurr1, these proteins protect the brain's ability to generate dopamine neurons, which are essential to the body's movement of muscles. Patients with the disease gradually cease the production of dopamine neurons, thus losing motor control.

"Backed by various lines of scientific evidence, Nurr1 is known to be a potential drug target to treat Parkinson's. Despite great efforts from pharmaceutical companies and academia, no one has managed to find a molecule which can directly bind to it and activate it, except for us," said Professor Kwang-Soo Kim from Harvard's McLean Hospital.

In laboratory tests on rats, the team found that by activating Nurr1, the rats with Parkinson's appeared to have their symptoms alleviated.

Current treatment for the disorder is aimed at replenishing dopamine levels via medication or surgical methods but while these methods improve mobility functions in the early stage, they cannot slow down or stop the disease, Professor Kim explained.

"Our research shows that existing drugs can be repurposed to treat other diseases and once several potential drugs are found, we can redesign them to be more effective in combating their targeted diseases while reducing the side effects," said NTU Associate Professor Yoon Ho Sup.

Parkinson's typically affects people over the age of 60, according to the National Institute of Neurological Disorders and Stroke (NINDS), and as countries battle with rapidly ageing populations, cases of neurodegenerative diseases like Parkinson's are widely expected to rise.

The scientists are now aiming to design better drugs for the disease by modifying chloroquine and amodiaquine with the hope of carrying out clinical trials soon.
From rforno at infowarrior.org Mon Jul 20 05:49:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Jul 2015 06:49:12 -0400
Subject: [Infowarrior] - Data breach at AshleyMadison and other sites
Message-ID: <9901D08A-0764-4642-8F10-7680A06D3AD1@infowarrior.org>

Online cheaters exposed after hackers access AshleyMadison hookup site
By Wilborn P. Nobles III
July 20 at 5:05 AM
http://www.washingtonpost.com/news/morning-mix/wp/2015/07/20/online-cheaters-exposed-after-hackers-access-ashleymadison-hookup-site/?tid=hp_mm

The secret's out. Maybe lots of secrets.

Data stolen by hackers from AshleyMadison.com, the online cheating site that claims 37 million users, has been posted online, according to Krebs on Security, the authoritative Web site that monitors hacking across the globe. The breach was confirmed in a statement from Avid Life Media, Inc., which owns AshleyMadison. "We apologize for this unprovoked and criminal intrusion into our customers' information."

AshleyMadison's slogan is "Life is short. Have an affair." It's an unusual and apparently very popular dating Web site for those seeking extramarital relations. It gains attention by, among other things, wrapping itself in a social science mantle and publishing data about the frequency and location of cheaters across America, for anyone who happens to be interested, without, of course, mentioning any names.

Krebs on Security reported that the hackers, who identify as "The Impact Team," got a hold of "sensitive internal data" not only for AshleyMadison but also for other hookup sites owned by the company, Cougar Life, which appeals to "single moms and sexy singles looking for a young Stud," and Established Men, which promises to connect "young, beautiful women with successful men."
According to Brian Krebs, from Krebs on Security:

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee. According to the hackers, although the "full delete" feature that Ashley Madison advertises promises "removal of site usage history and personally identifiable information from the site," users' purchase details — including real name and address — aren't actually scrubbed.

Krebs reported that "The Impact Team" is threatening to expose all customer records unless Avid Life Media takes AshleyMadison and Established Men offline "permanently in all forms." But it wasn't clear how much data had been posted online, Krebs said. And it was impossible to actually find "The Impact Team's" revelations on the Internet early Monday morning, just hours after Krebs broke the story.

Noel Biderman, Avid Life Media CEO, confirmed the hack to Krebs on Security as well as in a statement, but declined to discuss the company's "ongoing and fast-moving" investigation. Biderman told Krebs on Security that it was likely "not an employee but certainly" someone who "had touched our technical services."

"We're not denying this happened," Biderman said to Krebs on Security. "Like us or not, this is still a criminal act."

CNN reported on a similar data breach two months ago in which intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder. Although it is unknown how much user account data from AshleyMadison is online, Krebs on Security reports that it appears to be a small amount that will increase by each day the company remains online.

AshleyMadison claims to be the world's second-largest paid-for Internet dating site after Match.com, Bloomberg reports.
Fusion reports that tech blogger Robert Scoble posted an e-mail from AshleyMadison's public relations team last year that ironically claimed the site was "the last truly secure space on the Internet." Which is apparently not the case.

"Too bad for those men, they're cheating dirtbags and deserve no such discretion," the hackers wrote.

"We have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world," Avid Life Media said in its statement. "As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.

"At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible."

In a second statement e-mailed to The Post Monday morning, Avid Life Media said it was working to gain control of the situation.

"Following the earlier unprovoked and criminal intrusion into our system, Avid Life Media immediately engaged one of the world's top IT security teams — with whom we have worked in the past — to take every possible step toward mitigating the attack.

"Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers' information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter."

Wilborn P. Nobles, III is a police and courts reporter for The Washington Post. He writes for the Morning Mix news blog.
From rforno at infowarrior.org Mon Jul 20 08:18:08 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Jul 2015 09:18:08 -0400
Subject: [Infowarrior] - WaPo remains clueless on the Crypto War 2.0
Message-ID:

Washington Post Observes Encryption War 2.0 For Several Months, Learns Absolutely Nothing
https://www.techdirt.com/articles/20150719/19031331697/washington-post-observes-encryption-war-20-several-months-learns-absolutely-nothing.shtml

From rforno at infowarrior.org Mon Jul 20 09:10:08 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Jul 2015 10:10:08 -0400
Subject: [Infowarrior] - Fwd: UCLA Health breached
References:
Message-ID: <4DF5DAB2-4851-4901-A090-D27B79A80250@infowarrior.org>

> Begin forwarded message:
>
> From: Dan
>
> Haven't seen this announcement yet in InfoWarrior, so thought I'd send it along.
> Am going to send it to dataloss db as well.
>
> https://www.uclahealth.org/news/ucla-health-victim-of-a-criminal-cyber-attack
>
> July 17, 2015
> UCLA Health Victim of a Criminal Cyber Attack
>
> UCLA Health announced today it was a victim of a criminal cyber attack. While the attackers accessed parts of the computer network that contain personal and medical information, UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual's personal or medical information.
>
> UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been involved in the attack, believed to be the work of criminal hackers. UCLA Health is working with investigators from the Federal Bureau of Investigation, and has hired private computer forensic experts to further secure information on network servers.
>
> "We take this attack on our systems extremely seriously," said Dr. James Atkinson, the interim associate vice chancellor and president of the UCLA Hospital System.
> "Our patients come first at UCLA Health and confidentiality is a critical part of our commitment to care. We sincerely regret any impact this incident may have on those we serve. We have taken significant steps to further protect data and strengthen our network against another cyber attack."
>
> UCLA Health detected suspicious activity in its network in October 2014, and began an investigation with assistance from the FBI. At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information. As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the UCLA Health network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information. Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter.
>
> At this time, there is no evidence that the attacker actually accessed or acquired individuals' personal or medical information. Because UCLA Health cannot conclusively rule out the possibility that the attackers may have accessed this information, however, individuals whose information was stored on the affected parts of the network are in the process of being notified.
>
> To reduce risk, UCLA Health is offering all potentially affected individuals 12 months of identity theft recovery and restoration services as well as additional health care identity protection tools. In addition, individuals whose Social Security number or Medicare identification number was stored on the affected parts of the network will receive 12 months of credit monitoring. These services are being provided to affected individuals at no cost.
>
> In today's information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack. UCLA Health identifies and blocks millions of known hacker attempts each year. In response to this attack, however, we have engaged the services of leading cyber-surveillance and security firms, which are actively monitoring and protecting our network. We have also expanded our internal security team. These are just a few of the important measures we are taking to help protect against another cyber attack.
>
> UCLA Health is sending letters to affected individuals with details on how to access the identity theft and restoration services, which individuals will receive over the next few weeks, and has established a website for patients that may have been impacted (www.myidcare.com/uclaprotection). Patients with questions about the matter can contact a UCLA Health representative via a special hotline at 877-534-5972, Monday through Friday from 6 a.m. to 6 p.m. (Pacific Time).
>
> About UCLA Health
> UCLA Health has provided high-quality health care and the most advanced treatment options to the people of the greater Los Angeles region and the world for more than 60 years. UCLA Health includes four hospitals on two campuses -- Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children's Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA -- and more than 150 primary and specialty offices throughout Southern California. UCLA Health is consistently ranked as one of the top hospitals and the best in the western United States in the national rankings by U.S. News and World Report.
>

From rforno at infowarrior.org Mon Jul 20 16:31:48 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Jul 2015 17:31:48 -0400
Subject: [Infowarrior] - DHS Leaders Bent Rules on Private E-Mail
Message-ID: <153C1C1F-B3CB-433E-BF4E-E64CEF0870B4@infowarrior.org>

Homeland Security Leaders Bent Rules on Private E-Mail
Jul 20, 2015 3:50 PM EDT
By Josh Rogin
http://www.bloombergview.com/articles/2015-07-20/homeland-security-leaders-bent-rules-on-private-e-mail

Jeh Johnson, the secretary of homeland security, and 28 of his senior staffers have been using private Web-based e-mail from their work computers for over a year, a practice criticized by cybersecurity experts and advocates of government transparency.

The department banned such private e-mail on DHS computers in April 2014. Top DHS officials were granted informal waivers, according to a top DHS official who said that he saw the practice as a national security risk. The official said the exempt staffers included Deputy Secretary Alejandro Mayorkas, Chief of Staff Christian Marrone and General Counsel Stevan Bunnell.

Asked about the exceptions on Monday, the DHS press secretary, Marsha Catron, confirmed that some officials had been exempted. "Going forward," she said, "all access to personal webmail accounts has been suspended." Future exceptions are to be granted only by the chief of staff. Catron said that a "recent internal review" had found the chief of staff and some others were unaware that they had had access to webmail.

The DHS rule, articulated last year after hackers first breached the Office of Personnel Management, states: "The use of Internet Webmail (Gmail, Yahoo, AOL) or other personal email accounts is not authorized over DHS furnished equipment or network connections."

Johnson and the 28 other senior officials sought and received informal waivers at different times over the past year, the official said.
Catron said exceptions were decided on a case-by-case basis by the chief information officer, Luke McCormack.

DHS employees are permitted to use their government e-mail accounts for limited personal use.

Erica Paulson, a spokeswoman for the DHS Office of the Inspector General, said that the office does not confirm or deny the existence of any open investigations.

It remains unclear whether Johnson and the other officials conducted DHS business on their private webmail accounts. (The DHS spokeswoman said "the use of personal e-mail for official purposes is strictly prohibited.")

If even one work-related e-mail was sent or received, they could be in violation of regulations and laws governing the preservation of federal records, said Jason R. Baron, a former director of litigation at the National Archives and Records Administration.

"I suppose it is remotely conceivable that in seeking a waiver, 20 or more government officials could all be wishing to talk to each other through a Web-based e-mail service about such matters as baseball games or retirement luncheons they might be attending," he said. "But it is simply not reasonable to assume that in seeking a waiver that the officials involved were only contemplating using a commercial network for personal (that is, non-official) communications."

In March, the New York Times reported that as secretary of state, Hillary Clinton had used a private e-mail server exclusively to conduct her State Department business. Clinton said she had not violated any transparency laws because the Federal Records Act states that officials are permitted to use private e-mail, so long as they forward on any government-related communications to their government accounts so they can be archived and used to respond to requests under the Freedom of Information Act.

In November 2014, the Federal Records Act was amended to impose a 20-day limit on the time an official has to transfer records from private e-mail to government systems.
Clinton transferred over 30,000 e-mails from her private server to the State Department in early 2015. She deleted another 30,000 e-mails on her private server, claiming they were all strictly personal.

It is unclear how Johnson and the other officials used their webmail accounts, and whether they forwarded any messages about government business to their official accounts.

Johnson has used his personal Gmail for government business at least once, before he was head of DHS; that was disclosed during the scandal that led to David Petraeus's resignation as CIA director. The Justice Department is fighting to keep Johnson from having to give a video deposition in that case.

Anne Weismann, executive director of the Campaign for Accountability and a former Justice Department official dealing with FOIA litigation, said that even by seeking the waivers at DHS, Johnson and the other officials created at least an appearance and opportunity for impropriety.

"How could they possibly justify exempting the secretary and the most senior people from the policy? You are allowing the people who are most likely to create e-mails that are most worthy of preservation to bypass the system that would ensure their preservation," she said.

The issue of top government officials using private e-mail is widespread and the rules barring such practices are rarely enforced, said Weismann. "What they really want is to have the ability to have off-the-record discussions," she said. "It creates problems for record keeping and it puts it out of the reach of FOIA."

Cybersecurity experts said that allowing the use of commercial webmail on otherwise secure computers increases the risk that those computers could be penetrated by hackers, foreign intelligence services or malware. Webmail messages are often stored without encryption, leaving them vulnerable to theft by anyone who gains access to the webmail server.
"The fundamental issue is that these commercial webmail systems were not designed with the threat in mind that is present when government officials are using consumer tools," said Johannes B. Ullrich, dean of research for the SANS Technology Institute.

The threat is not just theoretical. In 2008, Sarah Palin's Yahoo e-mail account was hacked by someone who used a password reset function to gain access, he said.

There's also a moral hazard. "If there are just certain individuals being exempted here, it's setting a bad precedent for the rest of the department. If you say, 'Hey, it doesn't apply to everybody over a certain pay grade,' the idea of these controls gets diminished and people look for workarounds," said Ullrich.

Aside from the legal risk and the national security risk, exceptions to the department's policies reinforce the narrative that the Obama administration lets senior officials skirt the rules, including by keeping their communications secret. The pattern was present in the previous administration as well, but after the OPM hacks and the deletion of Clinton's e-mails, it is widely criticized and hard to defend.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author on this story: Josh Rogin at joshrogin at bloomberg.net
To contact the editor on this story: Philip Gray at philipgray at bloomberg.net

From rforno at infowarrior.org Tue Jul 21 06:31:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 07:31:12 -0400
Subject: [Infowarrior] - 'ISIS' move to ban beheading videos
Message-ID: <210723BA-21B4-4935-BBBE-BB63E452B135@infowarrior.org>

ISIS 'banning' of beheading videos a 'not surprising' PR move
By Khidr Suleman

The head of ISIS has attempted to initiate a radical switch in PR strategy by reportedly banning brutal execution videos.
http://www.prweek.com/article/1356689/isis-banning-beheading-videos-not-surprising-pr-move

The media wing of ISIS has revelled in the distribution of professionally edited videos through social networking sites and news organisations over the past 12 months. Videos have typically depicted atrocities such as beheadings and have been used as key propaganda and recruitment tools.

However, they no longer appear to be having the required effect, hence the change in strategy, according to Chris Calland, senior account director at Hanover Communications.

He told PRWeek: "ISIS is repulsive but sadly not all of the people within the organisation will be stupid. Releasing videos of executions in the first place was a calculated move: they wanted to terrify their opponents, intimidate people to bend to their will, and rally their recruits by demonstrating their seriousness.

"With the mainstream media reporting ISIS videos less and less these days, this will no doubt make ISIS think whether it needs to be even more shocking in its actions or rethink its propaganda — hence why this move, if true, is not surprising."

The order to ban the videos was issued by the leader of the "Caliphate", Abu Bakr al-Baghdadi. Letters were sent out to ISIS media wings banning the production of graphic clips. Pro-ISIS sources have been quoted as saying this is to preserve the "general feelings of Muslims, who may regard the scenes as disgusting and scary to children," according to Arabic-language media.

The terrorist group has become synonymous with these videos, which first came to prominence in August 2014 when a masked man known as "Jihadi John" appeared on camera and issued threats of violence. He went on to execute numerous hostages including journalist James Foley along with foreign aid workers Alan Henning and Peter Kassig.

Reports suggest that there is an internal split within ISIS as to whether such a media blackout should be put in place.
At the time of writing the most recent video was of a child soldier beheading a Syrian army officer on 17 July.

From rforno at infowarrior.org Tue Jul 21 09:47:25 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 10:47:25 -0400
Subject: [Infowarrior] - RedStar OS Watermarking
Message-ID:

RedStar OS Watermarking
http://www.insinuator.net/2015/07/redstar-os-watermarking/

From rforno at infowarrior.org Tue Jul 21 10:46:47 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 11:46:47 -0400
Subject: [Infowarrior] - OPM passing hack response costs to agencies
Message-ID: <43A32070-8B2E-4058-9F6D-C1BFB5E14E41@infowarrior.org>

(As one of the article commenters said, "they take their cues from Congress: We F*d up, you're going to pay." --rick)

OPM to federal agencies: We got hacked, but you have to help pay for the response
By Eric Yoder
July 21 at 10:23 AM
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/21/opm-to-federal-agencies-we-got-hacked-but-you-have-to-help-pay-for-the-response/

Federal agencies have been told that they will be expected to pay the costs of responding to the breach of security clearance files affecting more than 21 million federal employees, military personnel and contractor employees.

Such costs will amount to an unplanned obligation that will hit agencies late in the government's current fiscal year, and agencies should expect to have to absorb further costs in future years as well, according to a memo from the Office of Personnel Management, whose systems were breached.

How much those costs will be is unknown, since OPM has not yet issued a contract to notify those affected by the clearance files breach and to provide them credit monitoring and identity theft services.
The breach involves highly personal information on virtually everyone who applied for a security clearance or had one renewed since 2000, and in some cases before.

For a separate breach involving personnel records of some 4.2 million current and former federal employees held for OPM at the Department of Interior, the cost of sending notices and providing services was $21 million. OPM and Interior paid for that contract but cannot afford to cover what could be much higher costs of the next contract, agency officials were told in a briefing late last week.

"Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year's costs of credit monitoring and related services / benefits for the second incident involving 21.5M individuals," acting OPM director Beth Cobert said in a follow-up memo.

The Office of Management and Budget "fully supports the decision for cost sharing across all agencies given these circumstances," wrote Cobert, who was transferred from her post as OMB deputy director for management after OPM director Katherine Archuleta resigned under pressure related to the breaches and OPM's response.

In addition to paying costs related to the clearance files breach out of current year funding, the memo said, agencies will be charged higher rates for OPM to process clearance applications on their behalf, retroactive to the start of this fiscal year.

The requirements come late in the fiscal year, which ends Sept. 30, leaving questions regarding how agencies will be able to cover them. Typically, when agencies must meet such requirements they look to administrative costs such as employee awards, training and travel and to general overhead such as office equipment. Those accounts, which in many cases already are pinched by years of budgetary restrictions, also pay employee salaries.
While salaries could not be cut, restrictions on those accounts could translate into pressure to hold down the number of employees.

"My mouth dropped open when I read this. I get the fact that the money has to come from somewhere, but, man, oh man," said a federal official not authorized to speak on the record on the matter.

Cobert's memo said that while the total costs won't be known until the second contract is issued, "OPM is currently working to approximate each agency's portion of the total number of individuals impacted and we are gaining more information on the anticipated cost per person in the coming week based on requirements."

In addition to affecting more people than the personnel files breach, the clearance files breach involves far more extensive information that clearance applicants have to disclose, including on any personal financial problems, criminal records, foreign travel and much more. In some cases, it also involves fingerprint records and findings of background investigations.

Further, while the personnel files breach affected persons for whom the federal personnel agency typically would have current contact information, the clearance files breach involves a substantial number of people who worked for contractors, not directly as federal employees. Also, OPM has promised more extensive services, to be provided longer, for those affected by the clearance files breach.

About 3.6 million federal employees affected by the security clearance files breach also were impacted by the personnel records breach; almost all of those affected by that breach already have been notified.

"We understand and appreciate the complexities of this late in FY15 request for funds," the memo added. "We cannot stress enough the importance and significance of this funding. This funding is critical to ensure that OPM is able to maintain its operational capability in order to allow agencies to continue to fill critical positions and accomplish their missions."
In addition, agencies will have to help fund costs in at least 2016 and 2017, the memo said.

From rforno at infowarrior.org Tue Jul 21 12:08:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 13:08:00 -0400
Subject: [Infowarrior] - NY Times Falsely Claims ISIS Is Using Encryption & Couriers Because Snowden
Message-ID: <8DB1582E-0427-4E29-95DE-F8785906C2F9@infowarrior.org>

NY Times Falsely Claims ISIS Is Using Encryption & Couriers Because Snowden
https://www.techdirt.com/articles/20150720/18091631710/ny-times-falsely-claims-isis-is-using-encryption-couriers-because-snowden.shtml

From rforno at infowarrior.org Tue Jul 21 13:49:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 14:49:40 -0400
Subject: [Infowarrior] - The Spirit of Judy Miller is Alive and Well at the NYT
Message-ID: <2E2A7DCE-87DE-40F5-BF2B-B5A58A2636C2@infowarrior.org>

https://firstlook.org/theintercept/2015/07/21/spirit-judy-miller-alive-well-nyt-great-damage/

The Spirit of Judy Miller is Alive and Well at the NYT, and it Does Great Damage
Glenn Greenwald
July 21 2015, 12:30 p.m.

One of the very few Iraq War advocates to pay any price at all was former New York Times reporter Judy Miller, the classic scapegoat. But what was her defining sin? She granted anonymity to government officials and then uncritically laundered their dubious claims in The New York Times. As the paper's own editors put it in their 2004 mea culpa about the role they played in selling the war: "we have found a number of instances of coverage that was not as rigorous as it should have been. In some cases, information that was controversial then, and seems questionable now, was insufficiently qualified or allowed to stand unchallenged." As a result, its own handbook adopted in the wake of that historic journalistic debacle states that "anonymity is a last resort."
But 12 years after Miller left, you can pick up that same paper on any given day and the chances are high that you will find reporters doing exactly the same thing. In fact, its public editor, Margaret Sullivan, regularly lambasts the paper for doing so. Granting anonymity to government officials and then uncritically printing what these anonymous officials claim, treating it all as Truth, is not an aberration for The New York Times. With some exceptions among good NYT reporters, it's an institutional staple for how the paper functions, even a decade after its editors scapegoated Judy Miller for its Iraq War propaganda and excoriated itself for these precise methods.

< - >

Look at what The New York Times, yet again, has done. Isn't it amazing? All anyone in government has to do is whisper something in their ears, demand anonymity for it, and instruct them to print it. Then they obey. Then other journalists treat it as Truth. Then it becomes fact, all over the world. This is the same process that enabled The New York Times, more than any other media outlet, to sell the Iraq War to the American public, and they're using exactly the same methods to this day. But it's not just their shoddy journalism that drives this but the mentality of other "journalists" who instantly equate anonymous official claims as fact.

< - >

From rforno at infowarrior.org Tue Jul 21 15:24:02 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 16:24:02 -0400
Subject: [Infowarrior] - Capitol Police Search Powers Provoke Constitutional Concerns
Message-ID:

Capitol Police Search Powers Provoke Constitutional Concerns
http://blogs.rollcall.com/hill-blotter/capitol-police-search-powers-provoke-constitutional-concerns/?dcz=
From rforno at infowarrior.org Tue Jul 21 17:30:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 18:30:45 -0400
Subject: [Infowarrior] - IRS Encrypts An Entire CD Of Redacted Documents In Response To FOIA Request
Message-ID: <2FF19A50-78F7-4F30-8D15-5F4EC4551CBA@infowarrior.org>

IRS Encrypts An Entire CD Of Redacted Documents In Response To FOIA Request
https://www.techdirt.com/articles/20150717/18042231677/irs-encrypts-entire-cd-redacted-documents-response-to-foia-request.shtml

From rforno at infowarrior.org Tue Jul 21 18:56:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 21 Jul 2015 19:56:03 -0400
Subject: [Infowarrior] - Private Sector Pay Lures F.B.I.'s Hacking Experts
Message-ID: <80B4F712-BA98-4D07-8B60-CFD1E1C92B74@infowarrior.org>

(not to mention leaving for a better work environment and culture, too. -rick)

Private Sector Pay Lures F.B.I.'s Hacking Experts
By MATTHEW GOLDSTEIN
JULY 21, 2015
http://www.nytimes.com/2015/07/22/business/dealbook/fbi-scrambles-as-private-sector-lures-online-crime-investigators.html

As attacks on networks and thefts of data grow, federal agents with just a few years of investigations into Internet crime under their belts need not look too hard for work in the private sector.

In the last three months, at least a half-dozen agents on the online security squad of the New York office of the Federal Bureau of Investigation have left the federal government for more lucrative jobs in the private sector.

The flurry of departures is beginning to concern top law officials at the F.B.I., who are struggling to figure out ways to recruit younger agents and retain veteran investigators.

The most recent F.B.I. agent to announce his departure is Leo Taddeo, who oversees much of the online crime operation for the agency in New York. Mr. Taddeo announced his planned August departure in an email sent on Monday to dozens of government employees and private security consultants.

Mr. Taddeo, who did not respond to a request for comment, said in the blast email that he would be taking a job as chief security officer for a security software company, which he did not name.

Several recipients of Mr. Taddeo's email responded by congratulating him and noting that his departure would not only be a loss for the government but also for the financial sector, which is a prime target of hackers.

Mr. Taddeo's departure was not a big surprise given that he has more than 20 years of service with the F.B.I., the threshold at which most agents can retire with full benefits. But Mr. Taddeo was promoted to his position less than two years ago, and the timing is an indication of how quickly private companies are looking to snap up any agent with experience in digital investigations.

The issue of private industry, including corporations and consulting firms, hiring away veteran investigators is a concern for James B. Comey, the F.B.I.'s director, who has met with several top agents from around the country to discuss their reasons for leaving the bureau, said several people briefed on the matter who spoke on the condition of anonymity.

In those conversations, the now-departed agents told Mr. Comey that it was not just a big increase in salary that attracted them to the private sector, but also the prospect of quicker professional advancement. The people briefed on the matter said one problem with the structure of the F.B.I. is that promotions are often based on tenure rather than merit.

"Director Comey has called attracting and retaining good cybertalent a 'continual challenge,' one that both the private and public sectors are dealing with," John Boles, the acting executive assistant director of the F.B.I. branch that oversees online security response and services, said in a statement.

"In addition to technical capabilities, we are also trying to attract people with character, competence and commitment and we are looking for incentives that will encourage candidates to choose F.B.I. service. While private sector jobs have many attractions, there is simply no career in the private sector as rewarding as working for the F.B.I. and knowing that each day you are helping protect America from threats in cyberspace."

One private firm that has been particularly aggressive in hiring away agents from the F.B.I. in New York is K2 Intelligence, a corporate investigations firm co-founded by Jules Kroll and his son Jeremy. The Kroll family, which has a history of performing corporate investigations, recently received a major investment from the insurance giant American International Group and is looking to strengthen its work in consulting on digital breaches and data thefts.

In April, K2 announced it was hiring Austin P. Berglas from the New York office of the F.B.I. Mr. Berglas was one of the agents overseeing the investigation into last summer's security breach at JPMorgan Chase that compromised some contact information for 83 million households and small businesses. Following Mr. Berglas to K2 were two other agents, Joseph M. Lawlor and Milan Patel.

On Tuesday, federal prosecutors announced a series of arrests in Israel and Florida involving a number of pump-and-dump stock schemes. People briefed on the matter said some of the men arrested also had some involvement in the JPMorgan Chase security breach, although the men were not charged in that crime.

Other companies that have been hiring F.B.I. agents with digital investigation expertise over the last year are FTI Consulting, a business advisory firm, and Tanium, which markets a platform that enables companies to monitor their systems for attacks.

The exodus from the F.B.I.'s office in New York began in earnest a little over a year ago when Christopher Tarbell, one of the lead agents on the investigation into the Silk Road online marketplace for illegal drugs and hacked credit card numbers, took a job at FTI. Mr. Tarbell came to FTI in March 2014 with Thomas G. A. Brown, former chief of the computer and intellectual property crime unit of the United States attorney's office in Manhattan. Since then, FTI, which has employees in 27 countries, has hired two other experienced digital investigators, Ilhwan Yum and Thomas Kiernan, from the F.B.I. in New York.

Former agents said the talent drain from the F.B.I. is likely to continue for the near future as corporations pay more attention to the threat posed by hackers and the federal government finds it hard to compete with the salaries private employers can pay.

From rforno at infowarrior.org Wed Jul 22 06:21:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jul 2015 07:21:55 -0400
Subject: [Infowarrior] - U.S. decides against publicly blaming China for data hack
Message-ID:

(NOTE: I agree with Hayden about this being plain good old espionage. The fact I agree w/something he says should suggest that the end of days is nigh. Ye have been warned!)

U.S. decides against publicly blaming China for data hack
By Ellen Nakashima
July 21 at 7:26 PM
https://www.washingtonpost.com/world/national-security/us-avoids-blaming-china-in-data-theft-seen-as-fair-game-in-espionage/2015/07/21/03779096-2eee-11e5-8353-1215475949f4_story.html?hpid=z1

Months after the discovery of a massive breach of U.S. government personnel records, the Obama administration has decided against publicly blaming China for the intrusion in part out of reluctance to reveal the evidence that American investigators have assembled, U.S. officials said.
The administration also appears to have refrained from any direct retaliation against China or attempt to use cyber-measures to corrupt or destroy the stockpile of sensitive data stolen from the Office of Personnel Management.

"We have chosen not to make any official assertions about attribution at this point," said a senior administration official, despite the widely held conviction that Beijing was responsible. The official cited factors including concern that making a public case against China could require exposing details of the United States' own espionage and cyberspace capabilities. The official was among several who spoke on the condition of anonymity to describe internal deliberations.

As a result, China has so far escaped any major consequence for what U.S. officials have described as one of the most damaging cyberthefts in U.S. government history – an outcome that also appears to reflect an emerging divide in how the United States responds to commercial vs. traditional espionage.

Over the past year and a half, the United States has moved aggressively against foreign governments accused of stealing the corporate secrets of major U.S. firms. Most notably, the Justice Department last year filed criminal charges against five Chinese military officers accused of involvement in alleged hacks of U.S. Steel, Westinghouse and other companies.

The response to penetrations targeting government-held data has been more restrained, in part because U.S. officials regard such breaches as within the traditional parameters of espionage. Director of National Intelligence James R. Clapper Jr. and others have even expressed grudging admiration for the OPM hack, saying U.S. spy agencies would do the same against other governments.

Economic espionage occupies a separate category – supposedly off-limits to U.S. spy agencies and seen as deserving of a forceful response when committed by foreign adversaries.

In making such a distinction, the United States may be adhering to unwritten rules that other countries disregard. The administration risks sending a signal that it is willing to go further to defend the secrets of U.S. industry than it is to protect employees of federal agencies.

U.S. officials stressed that the administration has not ruled out economic sanctions or other punitive measures for the OPM breach. "We're still teeing up options" for Obama and his national security team, a second U.S. official said.

The senior administration official said that the government could impose new sanctions on China without publicly linking it to the attack, and "then send a private message that said, 'Oh, and by the way, part of the reason for this is OPM.'"

But the reluctance to confront China openly could complicate the administration's ability to make a public case for such punitive measures. Other current and former officials said that nations typically do not impose sanctions as penalties for political espionage.

The OPM breaches exposed the personal data of more than 22 million people, including Social Security numbers, performance evaluations, and even the names of family members and friends who were listed as references on millions of applications for security clearances.

U.S. officials have privately said that forensic evidence leaves little doubt that China was responsible. But officials said the White House is unwilling to reveal even in broad terms how it made that determination, an effort that probably involved not only tracing the source of the intrusion, but also the United States' using its ability to intercept the communications of government officials overseas.

"We don't see enough benefit in doing the attribution at this point to outweigh whatever loss we might [experience] in terms of intelligence-collection capabilities," the U.S. official said.

A reluctance to retaliate could encourage adversaries to continue targeting U.S. government networks, said Robert K. Knake, a former White House cyber official. He noted that arrests and expulsions of suspected spies were seen as important deterrents throughout the Cold War.

"We're effectively saying you can do in cyberspace a volume of spying that is far greater than we ever could have during the Cold War and there will be fewer consequences for it," said Knake, a senior fellow at the Council on Foreign Relations. "Nobody is going to be put in a jail cell for these cyber-intrusions. The operator in China or Russia isn't putting themselves at personal risk in any way."

Senior U.S. officials have avoided commenting directly on a Chinese link to the OPM hack, but Lisa Monaco, a counterterrorism adviser to Obama, spoke in broad terms during a public appearance last month about the considerations involved in going public with such an allegation.

"There has to be a policy judgment made as to whether or not we're going to disclose the actor involved ... and what does that mean for disclosing those intelligence sources and methods," Monaco said during an event put on by the Aspen Institute.

Two different OPM systems were breached – one handling personnel records such as Social Security numbers and job performance data. The other stored sensitive security-clearance data, including fingerprints and extensive health, personal and financial histories.

In the aftermath of the attack, the United States has sought to shore up the security of the OPM systems and computers across the federal government. Officials have reduced the number of privileged user accounts, have added security steps for logging in and are patching critical software flaws.

The government also is pursuing an array of counterintelligence measures aimed at guarding against the Chinese government's ability to use the stolen data to identify federal workers who might be induced to spy for Beijing.

Even as the White House continues to weigh options, officials said it is unlikely that the government would pursue criminal charges as it did last year.

"If you start trying to indict members of their intelligence service for conducting this type of espionage, what's the response going to be? Are they going to start to indict NSA guys?" one U.S. security official said.

Former U.S. intelligence officials said the OPM hack is in some ways regarded as fair game because of unwritten spying norms that took shape during the Cold War.

"This is espionage," said Michael Hayden, a retired Air Force general and former head of the CIA and the National Security Agency, of the OPM hacks. "I don't blame the Chinese for this at all. If I [as head of the NSA] could have done it, I would have done it in a heartbeat. And I would have not been required to call downtown, either" to seek White House permission.

Even before the OPM breach, the U.S. response to cyber-intrusions had varied depending on the target and nature of the attack. Last year, U.S. officials discovered an attempt to hack unclassified computer networks run by the White House and the State Department. Officials privately acknowledged that investigators had traced the intrusions to hackers associated with the Russian government but refrained from going public with that allegation against Moscow. That case also was seen as traditional espionage.

By contrast, when Sony Pictures Entertainment was hacked last fall in an apparent effort to halt its planned release of a movie that lampooned North Korea, Obama quickly blamed Pyongyang and stepped up sanctions on the regime. U.S. officials said the aggressive response was justified by the destructive and coercive nature of the attack.

In April, Obama signed an executive order creating a targeted sanctions program for malicious cyber-acts such as damaging critical infrastructure, disrupting networks, or stealing trade secrets of U.S. companies or Americans' personal data for profit.

Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.

From rforno at infowarrior.org Wed Jul 22 09:43:58 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jul 2015 10:43:58 -0400
Subject: [Infowarrior] - Scientists find first drug that appears to slow Alzheimer's disease
Message-ID:

Scientists find first drug that appears to slow Alzheimer's disease
Hannah Devlin
http://www.theguardian.com/science/2015/jul/22/scientists-find-first-drug-slow-alzheimers-disease

Scientists appear to have broken a decades-long deadlock in the battle against Alzheimer's disease after announcing trial results for the first drug that appears to slow the pace of mental decline.

The drug, called solanezumab, was shown to stave off memory loss in patients with mild Alzheimer's over the course of several years. The effects would have been barely discernible to patients or their families, scientists said, and it is no cure.

But the wider implications of the results have been hailed as "hugely significant" because it is the first time any medicine has slowed the rate at which the disease damages the brain.

"This is the first evidence of something genuinely modifying the disease process," said Dr Eric Karran, director of research at Alzheimer's Research UK. "It's a breakthrough in my mind. The history of medicine suggests that once you get through that door you can explore further therapeutic opportunities much more aggressively. It makes us less helpless."

Existing drugs help with the symptoms but ultimately do nothing to slow the disease's progression.

The drug, developed by the American company Eli Lilly, had previously been tested in a larger group of patients with both mild and moderate dementia and this trial had appeared to end in failure in 2012.
However, when scientists analysed the data more closely, they found that in the 1,300 patients with mild dementia, those who had been placed on the drug showed a roughly 30% slower decline in memory and cognitive tests than those who had taken a placebo during the 18-month trial.

This was a fairly small difference from the perspective of the patients who had not yet suffered the devastating memory loss or profound changes to personality that come later on. But the result hinted that the drug could work as long as it was given early enough.

Questions remained about whether the drug was simply treating the symptoms – improving a patient's mood or concentration – rather than actually delaying the loss of neurons in the brain, which drives memory loss.

To test this, Eli Lilly switched the half of the 1,300 patients who had been on the placebo on to the drug as well and the entire group was given solanezumab for a further two years. If the drug was just treating the symptoms, the placebo group would be expected to "catch up" over time.

However, the results, unveiled on Wednesday at the Alzheimer's Association International Conference in Washington DC, in the US, showed that the differences between the two groups were still there – a sign that the drug had made a genuine impact on the progression of the disease.

"It deflected the course of the disease in an irrevocable manner," said Karran, who previously worked for Eli Lilly.

The company is now looking to see whether the drug is more effective when given at an earlier stage – something that might be expected given that it apparently had no effect for patients with more serious dementia. "It's entirely possible you'll show an even bigger benefit if people are given solanezumab earlier on," said Karran.

Scientists said the results also support the idea that sticky plaques in the brain – the most visible hallmark of the disease – are what causes mental decline.
The drug is an antibody that works by disassembling the building blocks that make up the plaques, slowly causing them to disintegrate. Until now, drugs that targeted the plaques have not appeared to have any effect, leading some to question whether some other biological process in Alzheimer's was the real root of the disease.

Dr Doug Brown, head of research at the Alzheimer's Society, said: "Today's findings strongly suggest that targeting people in the earliest stages of Alzheimer's disease with these antibody treatments is the best way to slow or stop Alzheimer's disease. These drugs are able to reduce the sticky plaques of amyloid that build up in the brain, and now we have seen the first hints that doing this early enough may slow disease progression."

The positive trial results follow years of failed clinical research. Between 2002 and 2012, 99.6% of drug studies aimed at preventing, curing or improving Alzheimer's symptoms were either halted or discontinued at huge financial cost to drugs companies, many of whom shut down dementia programmes as a result.

Richard Morris, professor of neuroscience at the University of Edinburgh, said the result was likely to be significant – although he added that he was reserving final judgment until he saw the data in more detail. "I am cautiously optimistic, from the perspective of the audience, they should be too," he said. "This is not a mouse study, it's a people study. And that matters."

Even if further trial results are positive, it is likely to be several years before the drug would become available on the NHS. Another phase-three trial is due to report in 2016 and then the drug would need to go through regulatory approval and would need to be shown to be sufficiently beneficial to patients.

About 225,000 people will develop dementia in the UK this year – a rate of one every three minutes.
Alzheimer's Society research shows that 850,000 people in the UK have a form of dementia, and that in less than 10 years, 1 million people will be living with dementia. This is expected to rise to 2 million by 2051 unless preventative treatments are developed.

From rforno at infowarrior.org Wed Jul 22 17:25:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jul 2015 18:25:18 -0400
Subject: [Infowarrior] - United Airlines Requires You To Install Special Brand Of DRM To Watch Movies On Flights
Message-ID:

United Airlines Requires You To Install Special Brand Of DRM To Watch Movies On Flights
https://www.techdirt.com/articles/20150721/18255431720/united-airlines-requires-you-to-install-special-brand-drm-to-watch-movies-flights.shtml

From rforno at infowarrior.org Wed Jul 22 18:35:29 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jul 2015 19:35:29 -0400
Subject: [Infowarrior] - Facebook Loses Challenge to Search Warrants
Message-ID: <0AF1A14F-FC57-47AD-9237-5D6B3A2DFDF8@infowarrior.org>

http://ww2.cfo.com/social-media/2015/07/facebook-loses-challenge-search-warrants/

Facebook Loses Challenge to Search Warrants
Social media giants worry the case could set a troubling precedent, granting district attorneys access to the private digital information of users.
Matthew Heller
July 22, 2015 | CFO.com | US

A New York appeals court has rebuffed Facebook in a battle over digital privacy, ruling that the social network cannot challenge search warrants seeking information about hundreds of its users.

The Manhattan District Attorney's Office in 2013 issued 381 substantially identical digital search warrants for Facebook accounts as part of an investigation of Social Security fraud. The warrants applied to users' photos, private messages, and other account information.
In affirming a trial court judge who threw out Facebook's claim that the warrants violated users' Fourth Amendment rights, the appeals court said Facebook had no legal standing to challenge search warrants on behalf of its customers.

"Facebook is seeking the right to litigate pre-enforcement the constitutionality of the warrants on its customers' behalf," the court said. "But neither the Constitution nor New York Criminal Procedure Law provides the targets of the warrant the right to such a pre-enforcement challenge ... We see no basis for providing Facebook a greater right than its customers are afforded."

Tech giants, including Google, LinkedIn, and Twitter, filed briefs in support of Facebook, arguing that the case could set a troubling precedent by giving prosecutors access to all kinds of digital information. "Internet companies are pushing back broadly against U.S. intelligence and law enforcement agencies' demands for customer data, in the wake of revelations by former National Security Agency contractor Edward Snowden of wide-ranging online surveillance," Reuters noted.

The warrants served on Facebook were used to obtain indictments for disability fraud against more than 130 police officers and other former public employees. Prosecutors said Facebook pages showed public employees who claimed to be disabled riding jet skis, playing golf, and participating in martial arts events.

The appellate court did not rule on the legality of the warrants but said its decision "does not mean that we do not appreciate Facebook's concerns about the scope of the bulk warrants issued here or about the district attorney's alleged right to indefinitely retain the seized accounts of the uncharged Facebook users."
From rforno at infowarrior.org Wed Jul 22 19:27:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Jul 2015 20:27:45 -0400
Subject: [Infowarrior] - Senators unveil new Homeland Security cyber bill
Message-ID:

Senators unveil new Homeland Security cyber bill
By Cory Bennett - 07/22/15 09:14 AM EDT
http://thehill.com/policy/cybersecurity/248775-senators-set-to-unveil-new-dhs-cyber-bill

A bipartisan group of senators wants to give the Department of Homeland Security (DHS) more power to repel cyberattacks in the wake of hacks that have rattled the federal government.

The group on Wednesday introduced the FISMA Reform Act, which would update the 12-year-old Federal Information Security Management Act (FISMA) and formalize the DHS role in protecting government networks and websites. Over the years, the department has taken on this task, but its authority in the area has never been fully codified.

"While the Department of Homeland Security has the mandate to protect the .gov domain, it has only limited authority to do so," Sen. Susan Collins (R-Maine), the lead Republican on the bill, told reporters at a press conference.

The FISMA Reform Act would lower some of the barriers preventing the DHS from inspecting other agencies' networks and kicking out hackers. Currently, it needs permission to come in and investigate or monitor networks.

Legal hurdles have also stymied the agency, said Sen. Mark Warner (D-Va.), the measure's lead Democrat. "There is no minimum standard," he said. "This is all done on a voluntary basis. And every agency has got their reason why they, in particular, can't comply. This voluntary system has resulted in an inconsistent patchwork of security across the whole federal government."

The bill's other co-sponsors include Republican Sens. Dan Coats (Ind.) and Kelly Ayotte (N.H.), and Democratic Sens. Claire McCaskill (Mo.) and Barbara Mikulski (Md.).
The recent data breach that rocked the Office of Personnel Management (OPM) and compromised more than 22 million people's information has spurred lawmakers to action. Hackers made off with almost every federal employee's personnel file in the attack. They also took millions of personal background investigation files from the OPM's security clearance database.

The digital pilfering has exposed the government's sluggish approach to bolstering its online defenses against the rapidly rising threat of foreign hackers. "This cyberattack points to a broader problem," Collins said: "the glaring gaps in the process for protecting sensitive personal and economic information in federal agencies."

In the wake of the hack, the DHS has scrambled to speed up government-wide implementation of software meant to protect federal data from hacks. The agency manages Einstein, a program designed to detect and repel known digital threats. The DHS also oversees the Continuous Diagnostics and Mitigation (CDM) program, which searches for nefarious actors once they've already penetrated the networks. Some have criticized the programs as outdated, multibillion-dollar boondoggles diverting attention from a larger security overhaul. After the OPM breach, DHS Secretary Jeh Johnson promised lawmakers that both programs will be fully implemented by the end of 2015, years ahead of schedule.

The FISMA Reform Act would assign DHS an even more proactive mandate to jolt the government to action. It would modernize the 2002 law that still governs government network security protocol. Over a decade old, the original law has been knocked as a static, self-certified checklist that does not encourage agencies to think about cyber defense in real time.

Wednesday's measure would give DHS legal authority to deploy tools that search for intrusions on government networks at any agency without a formal request.
It's a power that the National Security Agency (NSA) already has in its mandate to protect the military's digital domain. Collins said giving DHS equivalent powers will help the government respond to cyberattacks and digital emergencies. "DHS has the tools, the technology, the cyber center and the privacy and civil liberties protections to be the leader for the .gov domain," she said.

The FISMA Reform Act would also give DHS power to conduct risk assessments of any other agency's system, allowing inspectors to force agencies to respond to security flaws that might have gone overlooked. The provision may have been spurred by accusations that OPM officials failed to heed warnings from their inspector general about glaring holes in its digital defenses. Against the recommendation of the agency's watchdog arm, OPM officials did not shut down several databases that were lacking a proper security certificate.

Under the FISMA Reform Act, DHS could conduct its own analysis and then issue a binding directive to patch a digital hole or shut down a database. "One of the problems that we have now is that there are certain agencies like FDA and the IRS that have not allowed DHS access to their computer networks," Collins said.

Wednesday's offering builds on a series of small-bore cyber bills that Congress passed during last year's lame-duck session. Two of those measures attempted to clarify the DHS cyber authority. One bill formally authorized the DHS's cyber information sharing hub. Known as the NCCIC - or National Cybersecurity and Communications Integration Center - the hub collects and analyzes digital threat information from around the government and private sector. Another measure revised FISMA, authorizing the Office of Management and Budget (OMB) to set federal information security policies and directing the DHS to implement those policies.
DHS Secretary Jeh Johnson wielded his new powers earlier this year, issuing a first-of-its-kind emergency directive in May that required all federal agencies to patch critical network vulnerabilities within 30 days. The alert came on the heels of the bruising cyberattack that hit the OPM and a string of at least nine connected digital assaults on industry and government over the past year. "The cyber threat actors involved in each of these incidents demonstrated a well-planned attack and high level of sophistication," said the DHS report.

It's believed Chinese officials orchestrated many of these digital hits as part of a broader cyber espionage scheme to create a comprehensive database on U.S. government workers. Such information can be used to stage future cyberattacks, digitally imitate officials, blackmail workers or even recruit government informants.

Senators said Wednesday they are angling to tack their language on to a stalled cybersecurity bill that is expected to hit the floor either directly before or right after the August recess. The measure, known as the Cybersecurity Information Sharing Act (CISA), is intended to boost the public-private exchange of data on hackers. While the CISA has bipartisan, industry and perhaps even White House support, an ongoing fight over privacy concerns has sidelined the upper chamber's efforts. Digital rights advocates believe the bill would simply shuttle Americans' personal data to the NSA, further empowering its surveillance programs.

Collins told reporters that she thinks the FISMA Reform Act could mitigate some of the privacy concerns that have delayed CISA's passage. "If we can secure those [government] databases, then individual privacy will be enhanced," she said. "So I see our bill as being a very important measure to strengthen privacy."
From rforno at infowarrior.org Thu Jul 23 10:16:38 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 23 Jul 2015 11:16:38 -0400
Subject: [Infowarrior] - US court says 'pocket-dialed' calls are not private
Message-ID:

US court says 'pocket-dialed' calls are not private
http://www.itworld.com/article/2951715/security/us-court-says-pocketdialed-calls-are-not-private.html

From rforno at infowarrior.org Thu Jul 23 10:29:56 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 23 Jul 2015 11:29:56 -0400
Subject: [Infowarrior] - Universal DMCAs localhost
Message-ID: <5CE928C3-51DC-4191-ACC9-27AB4D2A9262@infowarrior.org>

Universal Asks Google to Censor 'Furious 7' IMDb Page, and More
By Ernesto on July 22, 2015

Universal Pictures has sent a rather unfortunate takedown notice to Google....

< - >

And while we're on the topic of self censorship, it's worth noting that Universal Pictures also asked Google, in a separate notice, to remove http://127.0.0.1 from the search results.

< - >

https://torrentfreak.com/universal-asks-google-to-censor-furious-7-imdb-page-and-more-150722/

From rforno at infowarrior.org Thu Jul 23 12:15:38 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 23 Jul 2015 13:15:38 -0400
Subject: [Infowarrior] - More TSA Asshattery & ignorance of its own policies
Message-ID:

Video: TSA Supervisor Calls Police on Teen for Filming Dad's Pat-Down
http://petapixel.com/2015/07/22/video-tsa-supervisor-calls-police-on-teen-for-filming-dads-pat-down/

A 16-year-old boy has caused a stir after releasing a video showing himself being denied the right to film a checkpoint pat-down - something the TSA officially allows. YouTube user Apple Lucas claims that he was denied the right to film while being patted down by a TSA supervisor at Louis Armstrong New Orleans International Airport in Jefferson Parish, Louisiana.
He then tried to film his father getting patted down, only to have the TSA agent call a police officer to the scene.

"I explained to him that it clearly states on the TSA website that you are allowed to film the TSA agents as long as you don't film their monitors and are not interfering with their process," Apple Lucas writes.

And he's right: the TSA website has a page dedicated to telling the public that photography and filming is perfectly okay at airport security checkpoints.

    TSA does not prohibit the public, passengers or press from photographing, videotaping or filming at security checkpoints, as long as the screening process is not interfered with or slowed down. We do ask you to not film or take pictures of the monitors. While the TSA does not prohibit photographs at screening locations, local laws, state statutes, or local ordinances might.

The TSA also provides a downloadable and printable version of the text, in case you'd like to carry a copy of the text with you while traveling.

"Officer, I need this young man gone," the TSA agent says in the video. "I don't care what he's seen on the Internet, I need him gone."

"On the TSA website it says I can film the procedure," the boy responds.

"I didn't put that website up," the agent says. He later adds: "You don't like this, you respect this badge right here."

The video has since received tens of thousands of views since being posted on YouTube yesterday, and the story made it to the front page of Reddit as well. We've reached out to the TSA for comment, and we'll update this post if/when we hear back.

Update: "We are aware of the situation and are conducting an internal review," the TSA tells PetaPixel via email.
From rforno at infowarrior.org Fri Jul 24 22:12:05 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 24 Jul 2015 23:12:05 -0400
Subject: [Infowarrior] - Smoking Gun: MPAA Emails Reveal Plan To Run Anti-Google Smear Campaign Via Today Show And WSJ
Message-ID: <9DE7D778-C419-42F1-AA5C-4A8EFDB34041@infowarrior.org>

Smoking Gun: MPAA Emails Reveal Plan To Run Anti-Google Smear Campaign Via Today Show And WSJ
https://www.techdirt.com/articles/20150724/15501631756/smoking-gun-mpaa-emails-reveal-plan-to-run-anti-google-smear-campaign-via-today-show-wsj.shtml

From rforno at infowarrior.org Thu Jul 30 18:58:40 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:58:40 -0400
Subject: [Infowarrior] - China-Tied Hackers That Hit U.S. Said to Breach United Airlines
Message-ID: <27CCA95D-35BB-4488-B754-B59EE45BB194@infowarrior.org>

China-Tied Hackers That Hit U.S. Said to Breach United Airlines
by Michael Riley and Jordan Robertson
July 29, 2015 - 5:00 AM EDT
http://www.bloomberg.com/news/articles/2015-07-29/china-tied-hackers-that-hit-u-s-said-to-breach-united-airlines

The hackers who stole data on tens of millions of U.S. insurance holders and government employees in recent months breached another big target at around the same time -- United Airlines.

United, the world's second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists -- including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.
The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests -- which include information on flights' passengers, origins and destinations -- according to one person familiar with the carrier's investigation.

It's increasingly clear, security experts say, that China's intelligence apparatus is amassing a vast database. Files stolen from the federal personnel office by this one China-based group could allow the hackers to identify Americans who work in defense and intelligence, including those on the payrolls of contractors. U.S. officials believe the group has links to the Chinese government, people familiar with the matter have said.

That data could be cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who have security clearances. In all, the China-backed team has hacked at least 10 companies and organizations, which include other travel providers and health insurers, says security firm FireEye Inc.

Tracking Travelers

The theft of airline records potentially offers another layer of information that would allow China to chart the travel patterns of specific government or military officials. United is one of the biggest contractors with the U.S. government among the airlines, making it a rich depository of data on the travel of American officials, military personnel and contractors.

The hackers could match international flights by Chinese officials or industrialists with trips taken by U.S. personnel to the same cities at the same time, said James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington.
"You're suspicious of some guy; you happen to notice that he flew to Papua New Guinea on June 23 and now you can see that the Americans have flown there on June 22 or 23," Lewis said. "If you're China, you're looking for those things that will give you a better picture of what the other side is up to."

Computer Glitches

The timing of the United breach also raises questions about whether it's linked to computer faults that stranded thousands of the airline's passengers in two incidents over the past couple of months. Two additional people close to the probe, who like the others asked not to be identified when discussing the investigation, say the carrier has found no connection between the hack and a July 8 systems failure that halted flights for two hours. They didn't rule out a possible, tangential connection to an outage on June 2.

Luke Punzenberger, a spokesman for Chicago-based United, a unit of United Continental Holdings Inc., declined to comment on the breach investigation.

Zhu Haiquan, a spokesman for the Chinese embassy in Washington, said in a statement: "The Chinese government and the personnel in its institutions never engage in any form of cyberattack. We firmly oppose and combat any forms of cyberattacks."

Embedded Names

United may have gotten help identifying the breach from U.S. investigators working on the OPM hack. The China-backed hackers that cybersecurity experts have linked to that attack have embedded the name of targets in web domains, phishing e-mails and other attack infrastructure, according to one of the people familiar with the investigation.

In May, the OPM investigators began drawing up a list of possible victims in the private sector and provided the companies with digital signatures that would indicate their systems had been breached. United Airlines was on that list.
Safety Concerns

In contrast to the theft of health records or financial data, the breach of airlines raises concerns of schedule disruptions or transportation gridlock. Mistakes by hackers or defenders could bring down sensitive systems that control the movement of millions of passengers annually in the U.S. and internationally.

Even if their main goal was data theft, state-sponsored hackers might seek to preserve access to airline computers for later use in more disruptive attacks, according to security experts. One of the chief tasks of the investigators in the United breach is ensuring that the hackers have no hidden backdoors that could be used to re-enter the carrier's computer systems later, one of the people familiar with the probe said.

United spokesman Punzenberger said the company remains "vigilant in protecting against unauthorized access" and is focused on protecting its customers' personal information.

There is evidence the hackers were in the carrier's network for months. One web domain apparently set up for the attack -- UNITED-AIRLINES.NET -- was established in April 2014. The domain was registered by a James Rhodes, who provided an address in American Samoa. James Rhodes is also the alias of the character War Machine in Marvel Comics' Iron Man. Security companies tracking the OPM hackers say they often use Marvel comic book references as a way to "sign" their attack.

Targeting Pentagon

This isn't the first time such an attack has been documented. Chinese military hackers have repeatedly targeted the U.S. Transportation Command, the Pentagon agency that coordinates defense logistics and travel. A report last year from the Senate Armed Services Committee documented at least 50 successful hacks of the command's contractors from June 2012 through May 2013. Hacks against the agency's contractors have led to the theft of flight plans, shipping routes and other data from organizations working with the military, according to the report.
"The Chinese have been trying to get flight information from the government; now it looks as if they're trying to do the same in the commercial sector," said Tony Lawrence, a former Army sergeant and founder and chief executive officer of VOR Technology, a Columbia, Maryland-based cybersecurity firm.

It's unclear whether United is considering notifying customers that data may have been compromised. Punzenberger said United "would abide by notification requirements if a situation warranted" it.

The airline is still trying to determine exactly which data was removed from the network, said two of the people familiar with the probe. That assessment took months in the OPM case, which was discovered in April and made public in June.

M&A Strategy

Besides passenger lists and other flight-related data, the hackers may also have taken information related to United's mergers and acquisitions strategy, one of the people familiar with the investigation said.

Flight manifests usually contain the names and birthdates of passengers, but even if those files were taken, experts say that would be unlikely to trigger disclosure requirements in any of the 47 states with breach-notification laws. Those disclosure laws are widely seen as outdated. The theft by hackers of corporate secrets usually goes unreported, while the stealing of customer records such as Social Security numbers and credit cards is required in most states.

"In most states, this is not going to trigger a notification," said Srini Subramanian, state government leader for Deloitte cyber risk services.

From rforno at infowarrior.org Thu Jul 30 18:58:44 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:58:44 -0400
Subject: [Infowarrior] - Microsoft's new small print - how your personal data is (ab)used
Message-ID:

Microsoft's new small print -
how your personal data is (ab)used
https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/
By Heini Järvinen

Microsoft has renewed its Privacy Policy and Service Agreement. The new services agreement goes into effect on 1 August 2015, only a couple of days after the launch of the Windows 10 operating system on 29 July. The new "privacy dashboard" is presented to give the users a possibility to control their data related to various products in a centralised manner.

Microsoft's deputy general counsel, Horacio Gutierrez, wrote in a blog post that Microsoft believes "that real transparency starts with straightforward terms and policies that people can clearly understand". We copied and pasted the Microsoft Privacy Statement and the Services Agreement into a document editor and found that these "straightforward" terms are 22 and 23 pages long respectively.

Summing up these 45 pages, one can say that Microsoft basically grants itself very broad rights to collect everything you do, say and write with and on your devices in order to sell more targeted advertising or to sell your data to third parties. The company appears to be granting itself the right to share your data either with your consent "or as necessary".

A French tech news website Numerama analysed the new privacy policy and found a number of conditions users should be aware of:

By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example "web browser history, favorites, and websites you have open" as well as "saved app, website, mobile hotspot, and Wi-Fi network names and passwords". Users can however deactivate this transfer to the Microsoft servers by changing their settings.

More problematic from a data protection perspective is however the fact that Windows generates a unique advertising ID for each user on a device.
This advertising ID can be used by third parties, such as app developers and advertising networks, for profiling purposes.

Also, when device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for the user's device is automatically backed up online in the Microsoft OneDrive account.

Microsoft's updated terms also state that they collect basic information "from you and your devices", including for example "app use data for apps that run on Windows" and "data about the networks you connect to".

Users who choose to enable Microsoft's personal assistant software "Cortana" have to live with the following invasion of their privacy: "To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more."

But this is not all, as this piece of software also analyses undefined "speech data": "we collect your voice input, as well as your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames."

But Microsoft's updated privacy policy is not only bad news for privacy.
Your free speech rights can also be violated on an ad hoc basis as the company warns: "We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to", for example, "protect their customers" or "enforce the terms governing the use of the services".

So much for clearly understandable and straightforward terms of service.

Microsoft Privacy Statement
https://www.microsoft.com/en-us/privacystatement/default.aspx

Microsoft Services Agreement
https://www.microsoft.com/en-gb/servicesagreement/default.aspx

Windows 10, Microsoft and your personal data: what you need to know (only in French, 11.06.2015)
http://www.numerama.com/magazine/33357-windows-10-microsoft-et-vos-donnees-privees-ce-que-vous-devez-savoir.html

Microsoft provides privacy dashboard ahead of Windows 10 launch (04.06.2015)
http://www.pcworld.com/article/2932132/microsoft-provides-privacy-dashboard-ahead-of-windows-10-launch.html

(Contribution by Kirsten Fiedler and Heini Järvinen, EDRi)

From rforno at infowarrior.org Thu Jul 30 18:58:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:58:49 -0400
Subject: [Infowarrior] - Washington Post Publishes... And Then Unpublishes... Opinion Piece By Ex-Intelligence Industry Brass, In Favor Of Strong Encryption
Message-ID: <4C08A2AD-CA1D-4EAF-A400-967F43933D1D@infowarrior.org>

Washington Post Publishes... And Then Unpublishes... Opinion Piece By Ex-Intelligence Industry Brass, In Favor Of Strong Encryption
https://www.techdirt.com/articles/20150729/09460731789/washington-post-publishes-then-unpublishes-opinion-piece-ex-intelligence-industry-brass-favor-strong-encryption.shtml
From rforno at infowarrior.org Thu Jul 30 18:58:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:58:53 -0400
Subject: [Infowarrior] - Commerce to rewrite anti-hacking export rules
Message-ID:

Commerce to rewrite anti-hacking export rules
By Cory Bennett - 07/29/15 03:49 PM EDT
http://thehill.com/policy/cybersecurity/249667-commerce-to-rewrite-anti-hacking-export-rules

It appears the Commerce Department will go back to the drawing board on rules that would attempt to control the export of hacking tools.

The decision was spurred by a flurry of opposition from the security community, tech companies and even a few lawmakers during a comment period that ended July 20. Opponents argued the broad language would simply stunt the booming security industry and weaken cybersecurity worldwide.

"I think you will see a very strong effort to be responsive to those comments and to try to figure out, 'What is the next iteration of this?' and frankly give people another opportunity to comment," Deputy Secretary of Commerce Bruce Andrews said during a podcast interview this week with Stewart Baker, former assistant secretary for policy at the Department of Homeland Security.

Commerce confirmed it would revise its proposal. "In light of the high volume of comments received, it is likely we will publish a second proposed rule," a Commerce spokesperson said in an emailed statement. "We have no timetable for that action."

With its proposal, Commerce is trying to stem the increasing flow of cyber spying and digital sabotage equipment to cyber crooks and repressive regimes. The desired update would alter the language of the Wassenaar Arrangement, a little-known pact among 41 countries that controls the export of weapons and so-called "dual-use" technologies that can be corrupted. The agency wants to extend those controls to the technology behind "intrusion software," which is used to sneak into computer systems.
Essentially, the update would classify that technology as a potential weapon.

Security specialists immediately pushed back, saying the language might restrict legitimate cybersecurity research. Companies regularly test networks for flaws using the same technology that malicious hackers use to crack those networks. Researchers fear they would have to get licenses for each one of these regular network tests under the desired update.

"It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure," Google said in a blog post.

Andrews' remarks also come as lawmakers are stepping up opposition to the proposal. On Wednesday, Sen. Chuck Schumer (D-N.Y.), the third-ranking Democrat, came out against the rules.

"Our companies must have the ability to install and test the best defenses," Schumer said. "Unfortunately, when it comes to self-testing, a new federal rule is forcing companies and power utilities to fight the scourge of cyberattacks with one hand tied behind their backs."

He also sent a letter to the department on Wednesday, urging it to reconsider. "The goals of the proposal are laudable, and I share them: the proposal is intended to limit access to powerful surveillance tools by oppressive foreign regimes and agents," it reads. "Unfortunately, I believe the proposal as drafted is vague and overbroad, and may inhibit the development of important cyber protection tools, as well as limiting the ability of US companies to protect their own networks."

The senator was the second lawmaker to take a strong public stance. Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus, got three of his colleagues to sign on to a letter delineating his worries about the proposal. His caucus co-chair, House Homeland Security Committee Chairman Michael McCaul (R-Texas), signed the letter, as did Reps. David Schweikert (R-Ariz.)
and Ted Lieu (D-Calif.).

"The proposed rule has a number of flaws that could detrimentally affect our national security," Langevin's letter reads. "This could have a chilling effect on research, slowing the disclosure of vulnerabilities and impairing our nation's cybersecurity."

Langevin submitted the letter during the comment period on the proposal, which ended on July 20.

"It is in the DNA of the Commerce Department to be a public-private partnership," Andrews said. The comment period is intended to give the private sector time to weigh in before Commerce pushes forward with ill-conceived laws, he insisted.

"That's the beauty of our system," Andrews said. "We actually have the flexibility built in."

- Updated 7:35 p.m.

From rforno at infowarrior.org Thu Jul 30 18:58:59 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:58:59 -0400
Subject: [Infowarrior] - US Government Funds $3 Million Cryptocurrency Research Initiative
Message-ID: <689F3076-D036-49BE-8995-3F15EB0A00B4@infowarrior.org>

US Government Funds $3 Million Cryptocurrency Research Initiative
http://www.coindesk.com/us-government-funds-3-million-cryptocurrency-research-initiative/

From rforno at infowarrior.org Thu Jul 30 18:59:04 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:59:04 -0400
Subject: [Infowarrior] - RIAA and Friends Accuse CNET of Hosting 'Pirate' Software
Message-ID:

RIAA and Friends Accuse CNET of Hosting 'Pirate' Software
By Ernesto on July 30, 2015
https://torrentfreak.com/riaa-and-friends-accuse-cnet-of-hosting-pirate-software-150730

Several prominent music groups including the RIAA, A2IM and ASCAP have accused CNET of hosting infringing apps on Download.com. In a letter sent to the CEO of parent company CBS, the groups urge the company to reconsider whether it's wise to offer "ripping" software.
Despite growing revenue streams from digital music, the music industry still sees online piracy as a significant threat. This week a coalition of 16 music groups including the RIAA, the American Association of Independent Music (A2IM) and the American Society of Composers, Authors and Publishers (ASCAP) voiced their concern over so-called "ripping" software.

The groups are not happy with CNET's Download.com as the software portal offers access to various YouTube downloaders and other stream ripping tools. In a letter to Les Moonves, CEO of CNET's parent company CBS, they accuse the download portal of offering infringing software.

"[CNET's Download.com] has made various computer, web, and mobile applications available that induce users to infringe copyrighted content by ripping the audio or the audio and video from what might be an otherwise legitimate stream," the letter reads.

"We ask that you consider the above in light of industry best practices, your company's reputation, the clear infringing nature of these applications, and your role in creating a safe, legitimate, and innovative Internet ecosystem," the groups add.

Despite the strong wording, CBS doesn't appear to be very impressed by the accusations. In response cited by Billboard the company notes that "all of the software indexed on Download.com is legal". According to CBS the mentioned software can be used for legal means and the company notes that this is the responsibility of the user.

This isn't the first time that CNET and CBS have been called out for allegedly facilitating piracy. A few years ago a group of artists sued CBS and CNET for their role in distributing uTorrent, LimeWire and other P2P software.

The artists claimed that CNET profits heavily from distributing file-sharing software via Download.com, while demonstrating in editorial reviews how these applications can be used to download copyright-infringing material.

The judge eventually ruled in favor of CBS and CNET and said that there was no indication that the companies will purposefully encourage copyright infringement in the future. A software ban would therefore needlessly silence "public discussion of P2P technologies."

Given CBS's response to the music group's recent letter, the current request won't be effective either.

TF asked RIAA, A2IM and ASCAP for additional details on the letter it sent to CBS but none of the groups replied to our inquiry before publication.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 30 18:59:10 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:59:10 -0400
Subject: [Infowarrior] - Reaping the rewards on drone warfare
Message-ID: <06EE6473-AB57-4594-A126-36DFFFD35CC1@infowarrior.org>

Drone Warfare
Reaping the rewards: How private sector is cashing in on Pentagon's "insatiable demand" for drone war intelligence
https://www.thebureauinvestigates.com/2015/07/30/reaping-the-rewards-how-private-sector-is-cashing-in-on-pentagons-insatiable-demand-for-drone-war-intelligence/

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 30 18:59:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:59:17 -0400
Subject: [Infowarrior] - Hollywood drools over TPP fast-track
Message-ID:

Now That USTR Has Fast Track, Hollywood Ramps Up Demands While USTR Brushes Off Public Interest Group Concerns
https://www.techdirt.com/articles/20150729/22185031795/now-that-ustr-has-fast-track-hollywood-ramps-up-demands-while-ustr-brushes-off-public-interest-group-concerns.shtml

-- It's better to burn out than fade away.
From rforno at infowarrior.org Thu Jul 30 18:59:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:59:22 -0400
Subject: [Infowarrior] - Floor crunch could spike cyber bill
Message-ID: <6FD32C6F-F792-44C4-A409-F7F7CCB7D8D0@infowarrior.org>

Floor crunch could spike cyber bill
Francis Rivera
By Cory Bennett - 07/30/15 03:14 PM EDT
http://thehill.com/policy/cybersecurity/249831-floor-crunch-could-still-spike-cyber-bill

Senators are wary about Majority Leader Mitch McConnell's plan to pivot quickly to a stalled cybersecurity bill next week in the waning days before the upper chamber's August recess.

Immediately after the Kentucky Republican revealed his intent to bring up the Cybersecurity Information Sharing Act (CISA) -- intended to boost the public-private sharing of cyber threat data -- both supporters and opponents of the bill questioned the strategy.

"I have mixed feelings about it," Sen. Dianne Feinstein (D-Calif.), the bill's co-sponsor, told The Hill. "I'd obviously like to get it done. We're working with people. Whether it can get done in a short floor time or not, I don't know."

For months, CISA has been mired in an ongoing skirmish over digital privacy, which could result in a bruising debate when the bill does hit the floor.

"It'd be good if it came up. I don't know if we have time to finish it," Sen. Chuck Schumer (D-N.Y.), a cyber bill backer and the third-ranking Democrat, told The Hill. "It would be good to start it. The question is, do a lot of the Republicans add totally extraneous amendments? Are they going to try to turn cyber into something else?"

Privacy and civil liberties advocates are worried the bill would create another venue for the government's intelligence arm to collect sensitive data on Americans only months after Congress voted to rein in the National Security Agency's surveillance powers.

But industry groups, many lawmakers and national security experts insist a bolstered public-private data exchange is necessary to better understand and thwart vicious cyber threats. Inaction will leave government and commercial networks exposed to increasingly dangerous hackers, they say. These backers believe existing CISA provisions already guarantee that personal information will be removed before data is shared with the intelligence community.

Sen. Patrick Leahy (D-Vt.), a vocal opponent of the bill as written, accused McConnell of trying to evade privacy advocates' concerns.

"If the majority leader is serious about improving our nation's cybersecurity, he will listen to Sen. Feinstein and others who have called for a meaningful amendment process," Leahy said in a statement. "If he wants yet another political stunt, he will try to jam this bill through the Senate just days before the August recess. That is not the responsible way to legislate about our nation's cybersecurity."

Leahy and Sen. Ron Wyden (D-Ore.) are leading an expanding caucus within the Senate that is trying to significantly edit the bill. They say the bill does more to protect the privacy of companies than it does the privacy of individuals.

CISA shields companies from legal liability when sharing their cyber threat data with the government. If companies are going to be offered this protection, Wyden argued, there should be stricter requirements for firms to strip personal information before handing data over to the government.

"In effect, companies could dump large quantities of their data to the government after only a cursory review," Wyden told reporters during a Thursday conference call.

Because of this opposition -- expected from both the far left and far right -- a protracted floor debate is expected as senators look to stuff the legislation with add-ons.

"I just want to make sure that individual privacy is maintained, that we follow the Constitution as we go along," Sen. Dean Heller (R-Nev.) told The Hill. "There's a few of us that feel that way and it's probably pretty easy to figure out which few it is."

In June, Heller and Sens. Ted Cruz (R-Texas), Rand Paul (R-Ky.) and Mike Lee (R-Utah) joined Democrats to vote against attaching the cyber bill's language to a recent defense authorization bill. The maneuver would have prohibited lawmakers from offering amendments to the CISA text.

"I think a bill needs to happen, I do, but I just want to make sure we don't go too far," Heller said.

Both Heller's GOP group and numerous Democrats are vying to propose their own amendments, a process sure to clog floor time.

Sen. Mark Warner (D-Va.), a supporter of moving swiftly on a cyber bill, nonetheless told The Hill "we need amendments" and that he would suggest "a series" of his own.

Leahy said he is angling to put forward several privacy-focused alterations. "There's a lot of improvements that have to be made," he told reporters.

Schumer indicated that Democrats would be open to an across-the-aisle deal that could speed the process. "We will offer the Republicans an agreement to a certain number of amendments, all relative to the bill," he said.

But since CISA opposition doesn't split evenly along party lines, such a deal may be difficult to strike.

"I think what's going to be holding up the bill is their side," Schumer added. "The Ted Cruzs and others of the world who want amendments unrelated to the bill and won't let it go forward."

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 30 18:59:27 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 19:59:27 -0400
Subject: [Infowarrior] - FBI understaffed to tackle cyber threats, says watchdog
Message-ID: <799F00BB-C4AC-46C0-A6B4-6D194FA98E27@infowarrior.org>

(Bad pay, plus a horrid institutional culture of arrogance. --rick)

Thu Jul 30, 2015 1:06pm EDT
Related: Tech, Cybersecurity

FBI understaffed to tackle cyber threats, says watchdog
http://www.reuters.com/article/2015/07/30/us-usa-fbi-cyberattack-idUSKCN0Q428220150730?feedType=RSS&feedName=technologyNews

The FBI is struggling to attract computer scientists to its cybersecurity program mainly due to low pay, a report by the U.S. Department of Justice showed, highlighting weaknesses in a flagship initiative to tackle growing cyber threats.

As of January 2015, the Federal Bureau of Investigation had only hired 52 of the 134 computer scientists it was authorized to employ under the Justice Department's Next Generation Cyber Initiative launched in 2012, the report showed.

Although cyber task forces have been set up at all 56 FBI field offices, five of them did not have a computer scientist assigned to them, the report by the Office of the Inspector General found.

Cyber security threats are among the Justice Department's top priorities and there has been a slew of damaging cyberattacks against private companies and U.S. government agencies in the last couple of years.

The FBI budgeted $314 million on the program for the 2014 fiscal year, including 1,333 full-time employees, the report by the internal watchdog said.

Lower salaries compared to the private sector made it difficult for the FBI to hire and retain cyber experts, the Office of the Inspector General said in the report. It also said extensive background check procedures and drug tests excluded many otherwise qualified candidates.

For example, the FBI is unable to hire anyone who is found to have used marijuana in the previous three years or any other illegal drug in the past ten years, it said.

The report follows the disclosure by the U.S. government's personnel management agency that up to 22.1 million people were affected by a breach of its computer networks that was discovered in April, or almost 7 percent of the U.S. population.
The United States has privately accused China for the cyber attack, but Beijing has denied responsibility. A previous hack on Sony Pictures Entertainment in November 2014 was pinned on North Korea by FBI investigators.

The FBI said in a letter to the Office of the Inspector General responding to the report that "the cyber workforce challenge runs throughout the federal government" and that it would continue to develop "aggressive and innovative recruitment and retention strategies".

(Reporting by Lindsay Dunsmuir; Editing by Andrew Hay)

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Jul 30 19:16:31 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 20:16:31 -0400
Subject: [Infowarrior] - Obama Administration War Against Apple and Google Just Got Uglier
Message-ID: <2BF1BA0F-F1DB-4B92-8DDF-E99F6D0DCAD4@infowarrior.org>

Obama Administration War Against Apple and Google Just Got Uglier
Jenna McLaughlin
July 30 2015, 2:14 p.m.
https://firstlook.org/theintercept/2015/07/30/obama-administration-war-apple-google-just-got-uglier/

The Obama administration's central strategy against strong encryption seems to be waging war on the companies that are providing and popularizing it: most notably Apple and Google.

The intimidation campaign got a boost Thursday when a blog that frequently promotes the interests of the national security establishment raised the prospect of Apple being found liable for providing material support to a terrorist.

Benjamin Wittes, editor-in-chief of the LawFare blog, suggested that Apple could in fact face that liability if it continued to provide encryption services to a suspected terrorist. He noted that the post was in response to an idea raised by Sen. Sheldon Whitehouse, D-R.I., in a hearing earlier this month.

"In the facts we considered," wrote Wittes and his co-author, Harvard law student Zoe Bedell, "a court might -- believe it or not -- consider Apple as having violated the criminal prohibition against material support for terrorism."

FBI Director James Comey and others have said that end-to-end encryption makes law enforcement harder because service providers don't have access to the actual communications, and therefore cannot turn them over when served with a warrant.

Wittes and Bedell argue that Apple's decision to "move aggressively to implement end-to-end encrypted systems, and indeed to boast about them" after being "publicly and repeatedly warned by law enforcement at the very highest levels that ISIS is recruiting Americans" -- in part through the use of encrypted messaging apps -- could make the company liable if "an ISIS recruit uses exactly this pattern to kill some Americans."

The blog compares Apple's actions to a bank sending money to a charity supporting Hamas -- knowing that it was a listed foreign terrorist organization.

"The question ultimately turns on whether Apple's conduct in providing encryption services could, under any circumstances, be construed as material support," Wittes and Bedell write. The answer, they say, "may be unnerving to executives at Apple."

One way to avoid such liability, Wittes and Bedell argue, would be to end encrypted services to suspected terrorists. But, they acknowledge, "Cutting off service may be the last thing investigators want, as it would tip off the suspect that his activity has been noticed."

In a hearing on July 8 before the Senate Judiciary Committee, Justice Department officials insisted that companies need to be able to provide them with unencrypted, clear access to people's communications if presented with a warrant. The problem is that eliminating end-to-end encryption or providing law enforcement with some sort of special key would also create opportunities for hackers.

Within minutes of the Lawfare post going up, privacy advocates and technologists expressed outrage: Chris Soghoian, principal technologist for the American Civil Liberties Union, called it a continuation in Wittes' "brain-dead jihad against encryption," while Jake Laperruque, a fellow at the Center for Democracy and Technology, wrote that Wittes' post "equates selling a phone that's secure from hackers with giving money to terrorists."

If Apple and Google were to cave under the pressure of being likened to terrorist-helpers, and stop making end-to-end encryption, that could be the start of a "slippery slope" that ends the mainstream availability of strong encryption, said Amie Stepanovich, U.S. policy manager for Access.

But even so, strong encryption will always exist, whether produced by small companies or foreign outlets. Terrorists can take their business elsewhere, while normal Americans will be left without a user-friendly, easily accessible way of protecting their communications. "These tools are available and the government can't get to all of them," says Stepanovich.

Wittes, while couching his post as hypothetical, left little doubt about his personal sentiment. "All that said," he and his coauthor wrote, "it's a bit of a puzzle how a company that knowingly provides encrypted communications services to a specific person identified to it as engaged in terrorist activity escapes liability if and when that person then kills an American in a terrorist incident that relies on that encryption."

The authors didn't say what exactly they wanted Apple to do instead. Wittes tweeted after publishing the post that he is "not sure at all that Apple is not doing the right thing by encrypting end to end."

Correction: An earlier version of this article misquoted Wittes' tweet, mischaracterizing its meaning.

-- It's better to burn out than fade away.
From rforno at infowarrior.org Thu Jul 30 22:30:48 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Jul 2015 23:30:48 -0400
Subject: [Infowarrior] - Hell has frozen over....
Message-ID: <76B0237C-2F90-4B80-B133-BFE254ACE1C9@infowarrior.org>

(x-posted)

... for I agree with something these 3 men are saying. Which, given their collective backgrounds, I have to blink in amazement. So I'm quietly pleased to see this, but am cautiously interpreting it --- after all, former senior government officials don't publicly break ranks with the establishment desires on hot-button topics often or without good reason. -- rick

https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-encryption/2015/07/28/3d145952-324e-11e5-8353-1215475949f4_story.html

Why the fear over ubiquitous data encryption is overblown

Clarification: Due to a production error, a version of this column was temporarily posted prematurely before the editing process was complete.

By Mike McConnell, Michael Chertoff and William Lynn
July 28
https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-encryption/2015/07/28/3d145952-324e-11e5-8353-1215475949f4_story.html

Mike McConnell is a former director of the National Security Agency and director of national intelligence. Michael Chertoff is a former homeland security secretary and is executive chairman of the Chertoff Group, a security and risk management advisory firm with clients in the technology sector. William Lynn is a former deputy defense secretary and is chief executive of Finmeccanica North America and DRS Technologies.

More than three years ago, as former national security officials, we penned an op-ed to raise awareness among the public, the business community and Congress of the serious threat to the nation's well-being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation.

In the wake of global controversy over government surveillance, a number of U.S. technology companies have developed and are offering their users what we call ubiquitous encryption -- that is, end-to-end encryption of data with only the sender and intended recipient possessing decryption keys. With this technology, the plain text of messages is inaccessible to the companies offering the products or services as well as to the government, even with lawfully authorized access for public safety or law enforcement purposes.

The FBI director and the Justice Department have raised serious and legitimate concerns that ubiquitous encryption without a second decryption key in the hands of a third party would allow criminals to keep their communications secret, even when law enforcement officials have court-approved authorization to access those communications. There also are concerns about such encryption providing secure communications to national security intelligence targets such as terrorist organizations and nations operating counter to U.S. national security interests.

Several other nations are pursuing access to encrypted communications. In Britain, Parliament is considering requiring technology companies to build decryption capabilities for authorized government access into products and services offered in that country. The Chinese have proposed similar approaches to ensure that the government can monitor the content and activities of their citizens. Pakistan has recently blocked BlackBerry services, which provide ubiquitous encryption by default.

We recognize the importance our officials attach to being able to decrypt a coded communication under a warrant or similar legal authority. But the issue that has not been addressed is the competing priorities that support the companies' resistance to building in a back door or duplicated key for decryption. We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring.

First, such an encryption system would protect individual privacy and business information from exploitation at a much higher level than exists today. As a recent MIT paper explains, requiring duplicate keys introduces vulnerabilities in encryption that raise the risk of compromise and theft by bad actors. If third-party key holders have less than perfect security, they may be hacked and the duplicate key exposed. This is no theoretical possibility, as evidenced by major cyberintrusions into supposedly secure government databases and the successful compromise of security tokens held by a major information security firm. Furthermore, requiring a duplicate key rules out security techniques, such as one-time-only private keys.

Second, a requirement that U.S. technology providers create a duplicate key will not prevent malicious actors from finding other technology providers who will furnish ubiquitous encryption. The smart bad guys will find ways and technologies to avoid access, and we can be sure that the "dark Web" marketplace will offer myriad such capabilities. This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them.

Finally, and most significantly, if the United States can demand that companies make available a duplicate key, other nations such as China will insist on the same. There will be no principled basis to resist that legal demand. The result will be to expose business, political and personal communications to a wide spectrum of governmental access regimes with varying degrees of due process.

Strategically, the interests of U.S. businesses are essential to protecting U.S. national security interests. After all, political power and military power are derived from economic strength. If the United States is to maintain its global role and influence, protecting business interests from massive economic espionage is essential. And that imperative may outweigh the tactical benefit of making encrypted communications more easily accessible to Western authorities.

History teaches that the fear that ubiquitous encryption will cause our security to go dark is overblown. There was a great debate about encryption in the early '90s. When the mathematics of "public key" encryption were discovered as a way to provide encryption protection broadly and cheaply to all users, some national security officials were convinced that if the technology were not restricted, law enforcement and intelligence organizations would go dark or deaf.

As a result, the idea of "escrowed key," known as Clipper Chip, was introduced. The concept was that unbreakable encryption would be provided to individuals and businesses, but the keys could be obtained from escrow by the government under court authorization for legitimate law enforcement or intelligence purposes. The Clinton administration and Congress rejected the Clipper Chip based on the reaction from business and the public. In addition, restrictions were relaxed on the export of encryption technology.

But the sky did not fall, and we did not go dark and deaf. Law enforcement and intelligence officials simply had to face a new future. As witnesses to that new future, we can attest that our security agencies were able to protect national security interests to an even greater extent in the '90s and into the new century.

Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Jul 31 06:48:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Jul 2015 07:48:46 -0400
Subject: [Infowarrior] - Feds Hand Out Funds To Be Used For 'Traffic Safety;' Local Agencies Buy License Plate Readers Instead
Message-ID:

Feds Hand Out Funds To Be Used For 'Traffic Safety;' Local Agencies Buy License Plate Readers Instead
https://www.techdirt.com/articles/20150724/07455931749/feds-hand-out-funds-to-be-used-traffic-safety-local-agencies-buy-license-plate-readers-instead.shtml

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Jul 31 07:18:09 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Jul 2015 08:18:09 -0400
Subject: [Infowarrior] - Germany Won't Prosecute NSA, But Bloggers (who reported it)
Message-ID: <1A7EEC66-3913-4D89-934B-8D6FFC310B8B@infowarrior.org>

Despite plenty of evidence that the U.S. spied on German top government officials, German Federal Prosecutor General Harald Range has declined to investigate any wrongdoings of the secret services of allied nations like the NSA or the British GCHQ. But after plans of the German secret service "Bundesamt für Verfassungsschutz" to gain some cyber spy capabilities like the NSA were revealed by the blog netzpolitik.org, Range started an official investigation against the bloggers and their sources. They are now being probed for possible treason charges.

http://news.slashdot.org/story/15/07/31/0035248/germany-wont-prosecute-nsa-but-bloggers

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Jul 31 11:31:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Jul 2015 12:31:17 -0400
Subject: [Infowarrior] - Most. Transparent.
Administration. (Never).
Message-ID: <2A60B019-E74C-45EB-958A-D04D69B3F376@infowarrior.org>

07.30.15 9:36 PM ET

The Iran Nuke Documents Obama Doesn't Want You to See

Seventeen unclassified Iran deal items have been locked in ultra-secure facilities ordinarily used for top secret info. Why is the Obama administration trying to bury this material?

< - >

http://www.thedailybeast.com/articles/2015/07/30/the-iran-nuke-documents-obama-doesn-t-want-you-to-see.html

more @

Congress Alarmed by Iran Pact's Secret Understandings
http://www.bloombergview.com/articles/2015-07-24/congress-alarmed-by-iran-pact-s-secret-understandings

-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Jul 31 14:50:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 31 Jul 2015 15:50:22 -0400
Subject: [Infowarrior] - Senate likely taking up CISA next week
Message-ID:

McConnell Looks to Take on Cybersecurity Bill Next Week
If it comes up, senators will have little time to debate the measure, with recess around the corner.
By Kaveh Waddell
http://www.nationaljournal.com/tech/mcconnell-looks-to-take-on-cybersecurity-bill-next-week-20150730
July 30, 2015

After wrapping up a protracted battle over a highway-funding measure, the Senate is expected to turn its attention next week to a controversial cyberinformation-sharing law before heading home for recess.

Senate Majority Leader Mitch McConnell said Thursday that he will take up the cybersecurity legislation if the Senate fails to proceed on a measure to defund Planned Parenthood. Moving the Planned Parenthood measure forward requires 60 votes, likely an insurmountable hurdle with most Democrats expected to vote against it.

"Well, we hope to get on the Planned Parenthood bill on Monday," McConnell said. "If we don't, then we'll turn to cybersecurity."

The Cybersecurity Information Sharing Act, or CISA, would make it easier for companies to share information about cyberthreats with the government. Privacy advocates, security experts, and lawmakers have criticized it for its treatment of personal information and for the many ways that government would be allowed to use the shared information.

A coalition of advocacy groups is organizing a coordinated campaign to stop the bill's passage, allowing users to send faxes protesting the law to elected officials. According to the campaign, more than 6 million faxes have been queued, and are still being sent.

Sen. Ron Wyden, a Democrat from Oregon, has been one of the most outspoken opponents of the cybersecurity proposal, and has been supporting the activists' Twitter push with the hashtag #StopCISA. In a post on Medium published Thursday, Wyden wrote, "CISA will do little to protect you from hackers, and it may even make things worse."

Sen. Patrick Leahy criticized McConnell's timing. "If the Majority Leader is serious about improving our nation's cybersecurity, he will listen to Senator [Dianne] Feinstein and others who have called for a meaningful amendment process," Leahy said Thursday in a statement, referring to the ranking member of the Senate Intelligence Committee and a CISA cosponsor.

"If he wants yet another political stunt, he will try to jam this bill through the Senate just days before the August recess," Leahy continued. "That is not the responsible way to legislate about our nation's cybersecurity."

Sarah Mimms contributed to this article.

-- It's better to burn out than fade away.