From rforno at infowarrior.org Tue Sep 1 08:02:17 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 1 Sep 2015 09:02:17 -0400 Subject: [Infowarrior] - Oz reporter crowdsources analysis of his metadata Message-ID: <72B07A30-D7BC-4BF6-992D-A0438D7A6744@infowarrior.org> Show this to any skeptics who say they have 'nothing to hide' when it comes to metadata. --rick What reporter Will Ockenden's metadata reveals about his life http://www.abc.net.au/news/2015-08-24/metadata-what-you-found-will-ockenden/6703626 -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Sep 1 14:44:48 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 1 Sep 2015 15:44:48 -0400 Subject: [Infowarrior] - "Comcast: Because Screw You, Customer" Message-ID: Comcast Users Now Need To Pay A $30 Premium If They Want To Avoid Usage Caps https://www.techdirt.com/articles/20150901/10393132134/comcast-users-now-need-to-pay-30-premium-if-they-want-to-avoid-usage-caps.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Sep 2 08:14:20 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 2 Sep 2015 09:14:20 -0400 Subject: [Infowarrior] - Indiana State Police won't give up stingray records due to "terrorism" risk Message-ID: Indiana State Police won't give up stingray records due to "terrorism" risk http://arstechnica.com/tech-policy/2015/09/indiana-state-police-wont-give-up-stingray-records-due-to-terrorism-risk/ -- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Sep 2 08:14:23 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 2 Sep 2015 09:14:23 -0400 Subject: [Infowarrior] - Ashley Madison Code Shows More Women, and More Bots Message-ID: <8A2C591C-8EAA-476E-8782-35784BE8DDC1@infowarrior.org> Ashley Madison Code Shows More Women, and More Bots http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924 -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Sep 2 08:15:26 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 2 Sep 2015 09:15:26 -0400 Subject: [Infowarrior] - Did Sony cave to the NFL? Message-ID: <22297200-2560-42F3-8DC4-82E77E104F7E@infowarrior.org> E-mails show Sony altered 'Concussion' movie's 'unflattering moments' for NFL https://www.washingtonpost.com/news/early-lead/wp/2015/09/01/report-e-mails-show-sony-altered-concussion-movies-unflattering-moments-for-nfl/ -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Sep 3 18:40:34 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 3 Sep 2015 19:40:34 -0400 Subject: [Infowarrior] - New federal requirements on cellphone surveillance Message-ID: <3EADF20F-5E8E-4C67-9A94-D17DEB9190CA@infowarrior.org> New federal requirements on cellphone surveillance By ERIC TUCKER Sep. 3, 2015 6:44 PM EDT http://bigstory.ap.org/article/fe09c51a246f4da5bd7ad54df4d0e112/new-federal-requirements-cellphone-surveillance WASHINGTON (AP) — Federal law enforcement officials will be routinely required to get a search warrant before using secretive and intrusive cellphone-tracking technology under a new Justice Department policy announced Thursday. The policy represents the first effort to create a uniform legal standard for federal authorities using equipment known as cell-site simulators, which tracks cellphones used by suspects.
It comes amid concerns from privacy groups and lawmakers that the technology, which is now widely used by local police departments, is infringing on privacy rights and is being used without proper accountability. "The policy is really designed to address our practices, and to really try to promote transparency and consistency and accountability — all while being mindful of the public's privacy interest," Deputy Attorney General Sally Yates told reporters in announcing the policy change. The policy applies only to federal agencies within the Justice Department and not, as some privacy advocates had hoped, to state and local law enforcement whose use of the equipment has stirred particular concern and scrutiny from local judges. The technology — also known as a Stingray, a suitcase-sized device — can sweep up basic cellphone data from a neighborhood by tricking phones in the area to believe that it's a cell tower, allowing it to identify unique subscriber numbers. The data is then transmitted to the police, helping them determine the location of a phone without the user even making a call or sending a text message. The equipment used by the Justice Department does not collect the content of communications. Even as federal law enforcement officials tout the technology as a vital tool to catch fugitives and kidnapping suspects, privacy groups have raised alarms about the secrecy surrounding its use and the collection of cellphone information of innocent bystanders who happen to be in a particular neighborhood or location. In creating the new policy the Justice Department was mindful of those concerns and also sought to address inconsistent practices among different federal agencies and offices, Yates said. "We understand that people have a concern about their private information, and particularly folks who are not the subjects or targets of investigations," Yates said.
The new policy requires a warrant in most cases, except for emergencies like an immediate national security threat, as well as unspecified "exceptional circumstances." The warrant applications are to set out how the technology will be used. In addition, authorities will be required to delete data that's been collected once they have the information they need, and are expected to provide training to employees. The policy could act as a blueprint for state and local law enforcement agencies in developing their own regulations. But it's unclear how broad an impact Thursday's announcement will have, since it does not directly affect local police agencies unless they're working alongside federal authorities on a case or relying on their assistance. Use of the technology has spread widely among local police departments, who have been largely mum about their use of the technology and hesitant to disclose details — often withholding materials or heavily censoring documents that they do provide. Local departments have faced scrutiny from judges about how they deploy the equipment, though agencies have often insisted that non-disclosure agreements with the FBI limit what they can say. The FBI has said that while specific capabilities of the equipment are considered sensitive, it did not intend for the agreements to prevent the police from disclosing to a court that the equipment was used in a particular case. Yates said she expected the FBI to revise any such agreements to be more transparent. The American Civil Liberties Union called the policy a good first step, but expressed disappointment that it did not cover federal agencies outside the Justice Department or local police who use federal funds to purchase the surveillance equipment. It called on the Justice Department to close remaining loopholes, such as the one allowing for warrantless surveillance under undefined "exceptional circumstances."
"After decades of secrecy in which the government hid this surveillance technology from courts, defense lawyers, and the American public, we are happy to see that the Justice Department is now willing to openly discuss its policies," ACLU lawyer Nathan Freed Wessler said in a statement. Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, a privacy group, praised the policy as an important step, though he said he suspected Justice Department attorneys saw "the writing on the wall" and recognized that judges would increasingly begin requiring warrants. Though the policy does not require local police to follow the lead of federal agencies, "this is going to let the air out of state law enforcement's argument that a warrant shouldn't be required." "We think that given the power of cell-site simulators and the sort of information that they can collect — not just from the target but from every innocent cellphone user in the area — a warrant based on probable cause is required by the Fourth Amendment," Cardozo said. -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Sep 4 11:46:09 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 4 Sep 2015 12:46:09 -0400 Subject: [Infowarrior] - FTC Commissioner Says The Public Needs Strong Encryption, Not Backdoors Message-ID: FTC Commissioner Says The Public Needs Strong Encryption, Not Backdoors from the good-move dept https://www.techdirt.com/articles/20150903/17322932164/ftc-commissioner-says-public-needs-strong-encryption-not-backdoors.shtml It would appear that the FTC is quickly emerging as the counterforce to the FBI/NSA's push to backdoor encryption. We recently wrote about how the FTC's CTO, Ashkan Soltani, put up a blog post extolling the virtues of full disk encryption for devices, noting that it can even help to prevent or solve crimes (contrary to the scare stories you hear from the FBI and other law enforcement officials).
And now, pretty quickly after that, FTC Commissioner Terrell McSweeny, has written a post for the Huffington Post arguing in favor of strong encryption as well. After discussing the range of threats, as well as the rise of personal data being collected by services, she notes that strong encryption is now being used to better protect consumers: < - > It's great to see the FTC coming out so publicly on this issue. I hope that others in other parts of the government will do the same as well. Unfortunately, thanks to the overly vocal FBI and NSA, many believe that the entire federal government believes that we should backdoor encryption, and that sets up a very unfortunate "us v. them" attitude between technologists and the government. Instead, it's clear that many, many people in government support strong encryption and are against backdoors. It's good to see more of them speaking up and making their voices heard. -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Sep 4 12:02:19 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 4 Sep 2015 13:02:19 -0400 Subject: [Infowarrior] - Ken Burns's The Civil War rides again Message-ID: (One of the best and most compelling documentaries I've ever seen. Supposedly remastered in BluRay/HD/whatever so it should be even more awesome. My DVR is ready. --rick) Ken Burns's The Civil War: America's greatest documentary rides again Repeated next week on PBS, 25 years ago The Civil War made history live again on US TV screens, and turned the obscure historian Shelby Foote into a star http://www.theguardian.com/tv-and-radio/2015/sep/04/ken-burns-the-civil-war-americas-greatest-documentary-rides-again -- It's better to burn out than fade away. 
From rforno at infowarrior.org Fri Sep 4 16:11:54 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 4 Sep 2015 17:11:54 -0400 Subject: [Infowarrior] - Bugzilla Breached, Private Vulnerability Data Stolen Message-ID: <602BF2D6-EDAC-43DB-B7A0-739FBB9657DD@infowarrior.org> Bugzilla Breached, Private Vulnerability Data Stolen http://tech.slashdot.org/story/15/09/04/206228/bugzilla-breached-private-vulnerability-data-stolen -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Sep 4 16:20:05 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 4 Sep 2015 17:20:05 -0400 Subject: [Infowarrior] - clarification ... Re: Bugzilla Breached, Private Vulnerability Data Stolen In-Reply-To: References: <602BF2D6-EDAC-43DB-B7A0-739FBB9657DD@infowarrior.org> Message-ID:
> On Sep 4, 2015, at 5:18 PM, jericho wrote:
>
> No no no, bad bad bad!
>
> Bugzilla (bugzilla.org) was not breached. Mozilla's instance of Bugzilla was breached... huge difference, and many articles are picking this up as the headline. Misleading titles like this should be punished by taser.
>
> On Fri, 4 Sep 2015, Richard Forno wrote:
>
> : Bugzilla Breached, Private Vulnerability Data Stolen
> : http://tech.slashdot.org/story/15/09/04/206228/bugzilla-breached-private-vulnerability-data-stolen
From rforno at infowarrior.org Fri Sep 4 20:26:01 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 4 Sep 2015 21:26:01 -0400 Subject: [Infowarrior] - Reinventing the cyber-sharing wheel. Again. Message-ID: Reinventing the wheel, again. Because information-sharing remains the go-to solution to fix America's many cybersecurity problems, obviously.
---rick DHS awards $11M to set cyber-sharing standards http://thehill.com/policy/cybersecurity/252766-dhs-awards-11m-to-set-cyber-sharing-standards By Katie Bo Williams - 09/04/15 10:10 AM EDT The Department of Homeland Security on Thursday awarded an $11 million grant to the University of Texas at San Antonio to serve as the standards-setting body for new cyber information-sharing groups. A February executive order called for the creation of Information Sharing and Analysis Organizations (ISAOs). The new entities are intended to facilitate cyber threat sharing and collaboration between the private sector and the government. "The University of Texas at San Antonio will work with existing information sharing organizations, owners and operators of critical infrastructure, federal agencies, and other public and private sector stakeholders to identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs," Andy Ozment, Homeland Security's assistant secretary of cybersecurity and communications, said in a statement. The new information-sharing entities are intended to broaden the exchange of cybersecurity data beyond industry-specific hubs known as Information Sharing and Analysis Centers (ISACs). "In encouraging the rapid creation of ISAOs, the Executive Order expands information sharing by encouraging the formation of communities that share information not just within a sector but across a region or in response to a specific emerging cyber threat," Ozment said. Although the administration is pushing forward with its data-sharing agenda, industry groups and lawmakers continue to wrestle over the appropriate level of collaboration between private industry and government. Some maintain that increased cooperation between the two sectors is important to safeguard national security, but tech companies have pushed back, concerned that they will be exposed to lawsuits or regulatory action.
Privacy advocates also say that data sharing is merely another way for an already-intrusive government to collect more private data on its citizens. A stalled cybersecurity bill that may or may not see Senate floor time this fall also seeks to smooth communication lines between the feds and private industry, although it faces fierce debate. Senate Majority Leader Mitch McConnell (R-Ky.) has lined up 22 amendments with wide-ranging goals for a vote. The White House publicly supported the bill, titled the Cybersecurity Information Act, this spring. -- It's better to burn out than fade away. From rforno at infowarrior.org Sat Sep 5 08:00:38 2015 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 5 Sep 2015 09:00:38 -0400 Subject: [Infowarrior] - Bogus Security Company Can't Take Criticism, Issues Bogus DMCA Takedowns Message-ID: Bogus Security Company Can't Take Criticism, Issues Bogus DMCA Takedowns, Creates Sockpuppet Accounts https://www.techdirt.com/articles/20150904/16030832168/bogus-security-company-cant-take-criticism-issues-bogus-dmca-takedowns-creates-sockpuppet-accounts.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Sat Sep 5 08:20:02 2015 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 5 Sep 2015 09:20:02 -0400 Subject: [Infowarrior] - NYC Unveils Pilot Program To Track Driving Habits Message-ID: A Benefit Or Big Brother? NYC Unveils Pilot Program To Track Driving Habits Little Black Box Under The Steering Wheel Records Data For The 'Drive Smart' Initiative September 4, 2015 6:21 PM http://newyork.cbslocal.com/2015/09/04/nyc-department-of-transportation-drive-smart-program/ NEW YORK (CBSNewYork) — It's a new city pilot program to track how you drive, when you drive, how fast you drive and how much gas you use. The Department of Transportation says it will help fix street problems. Others say it's like Big Brother is watching you, CBS2's Marcia Kramer reported Friday.
It's a tiny black box about the size of a pack of gum that is installed right under the steering wheel. It will allow city officials under a program called "Drive Smart" to collect and access data about how you drive — if you drive like a maniac, or if you're Mr. or Mrs. Slow Poke. "It can tell the g-force of hard stopping or hard acceleration and a hard turn," DOT senior project manager Alex Keating said. "So the driver, as well as the service provider, are able to look at speeds, hard-braking events, time of day and basic GPS." City officials say they'll use the information to make the streets safer, but drivers can also allow various DOT partners to use the information. Allstate, for example, will give you insurance discounts of 10-30 percent, and Metropia will get you home faster with less congested routes — all of it hooked up to smartphone apps. Security expert Manny Gomez said there are many reasons to just say no to this program. Like, for instance, the danger of hacking. "Anything is hackable as we've already seen. Sony was hacked; the U.S. government was hacked, so clearly the City of New York could be hacked and this information could easily become public," Gomez said. Gomez questions whether the city could use the information against people. DOT officials said that will not happen. "All of the data is anonymous. We actually erase the data from our database every 48 hours," Keating said. New Yorkers seem split on the idea. "More control over the people — I wouldn't be down for that, definitely not," Brian Bradford said. "Yeah, I'd definitely do that. Thirty percent is 30 percent," one woman said of the potential insurance discount. "Enough. Enough. Enough. There is the NSA, CIA, FBI — you have more information than you need," taxi driver Nour Chad said. The Department of Transportation is looking for 400 volunteers to participate in the year-long program. You have to have a valid driver's license and drive in the city at least four days a week.
In addition to an app to reduce car insurance rates, there are apps to tell you where to buy the cheapest gas, and how to drive safely. -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Sep 8 08:52:09 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 8 Sep 2015 09:52:09 -0400 Subject: [Infowarrior] - HP Drops Support For Hacking Competition As Wassenaar Message-ID: <3F1988B4-2EFE-4BCB-AC6A-C813DB1E75CF@infowarrior.org> HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe from the things-will-get-worse-before-they-get...-worse dept An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement -- originally crafted to regulate the sale of actual weapons -- have targeted exploits and malware. The US's proposed adoption of the Arrangement expands on the definitions of targeted "weapons," threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons. < - > https://www.techdirt.com/articles/20150907/11423632186/hp-drops-support-hacking-competition-as-wassenaar-arrangement-continues-to-make-computing-less-safe.shtml -- It's better to burn out than fade away. 
From rforno at infowarrior.org Wed Sep 9 06:27:30 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 9 Sep 2015 07:27:30 -0400 Subject: [Infowarrior] - OpEd: The Constitution, post 9/11 Message-ID: <258A3C53-0EF0-4162-B478-6C6E7F9B1946@infowarrior.org> "Give Me Liberty Or Give Me Death": The Loss Of Our Freedoms In The Wake Of 9/11 http://www.rutherford.org/publications_resources/john_whiteheads_commentary/give_me_liberty_or_give_me_death_the_loss_of_our_freedoms_in_the_wake_ -- It's better to burn out than fade away. From rforno at infowarrior.org Wed Sep 9 06:27:27 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 9 Sep 2015 07:27:27 -0400 Subject: [Infowarrior] - Intel to End Sponsorship of Science Talent Search Message-ID: Intel to End Sponsorship of Science Talent Search By QUENTIN HARDY, SEPT. 9, 2015 http://www.nytimes.com/2015/09/09/technology/intel-to-end-sponsorship-of-science-talent-search.html?_r=0 SAN FRANCISCO — Intel, the world's largest maker of semiconductors, is dropping its longtime support of the most prestigious science and mathematics competition for American high school students. The contest, called the Science Talent Search, brings 40 finalists to Washington for meetings with leaders in government and industry and counts among its past competitors eight Nobel Prize winners, along with chief executives, university professors and award-winning scientists. Over the years, the award for work in so-called STEM fields — science, technology, engineering and mathematics — has made national headlines and been an important indicator of America's educational competitiveness and national priorities. When it was started as an essay competition in 1942, its first topic was "How science can help win the war." The male winner, or "Top Boy," went on to develop an artificial kidney. The "Top Girl" became an ophthalmologist. A single winner was first named in 1949.
"When I was a finalist in 1961, it was the Sputnik generation, when America was competing with Russia to get into space," said Mary Sue Coleman, a former president of the University of Michigan and a current member of the board of the Society for Science and the Public, which administers the contest. "It was a national obsession. People in school cheered us on like we were star athletes. I got letters from the heads of corporations." [Photo: Mimi Yen in a lab at N.Y.U. She took third place at the 2012 Intel Science Talent Search. Credit: Elbert Chu] Dropping support for the high school contest is a puzzling decision by Intel, since it costs about $6 million a year — about 0.01 percent of Intel's $55.6 billion in revenue last year — and it generates significant good will for the sponsoring organization. Intel has also increased the size and scope of the award, giving more than $1.6 million annually to students and schools, compared with $207,000 when it began its sponsorship in 1998. The Silicon Valley giant took over sponsorship of the award with great fanfare from Westinghouse, becoming only the second company to back the prize in its 73-year history. At the time it was seen as something of a passing of the torch in American industry, to a company then at the heart of the Information Age from one renowned for industrial work in things like nuclear power plants. Craig Barrett, a former chief executive of Intel, is even a member of the board of the Society for Science and the Public. He said he was "surprised and a little disappointed" by Intel's decision. "It's such a premier event in terms of young people and technology," Mr. Barrett said. "But they appear to be more interested in applied things, like"
Maker Faire, an all-ages event that showcases homemade engineering projects. Mr. Barrett said he had talked with Brian M. Krzanich, Intel's chief executive for the last two years, about the contest. Though Mr. Barrett thought it was inappropriate to aggressively lobby his old employer, he termed the annual cost "a rounding error" against Intel's finances. "My only comment to Brian was that we'd move forward," said Mr. Barrett, who became Intel's chief executive in 1998 and retired as chairman of Intel's board in 2009. He now runs a chain of charter schools, called Basis, from Phoenix. There is little indication that the contest has lost its prestige. Applications have held steady at around 1,800 a year for a decade. And in March, President Obama met with the Talent Search finalists at the White House. Gail Dudas, a spokeswoman for Intel, could not say why it was ending its support, but she said the company, which has struggled with a shift to mobile computing devices but is still one of the tech industry's most influential names, is "proud of its legacy" in supporting the award. The Science Talent Search is open to any student in the United States or its territories in his or her last year of secondary school. Independent individual research by thousands of students is narrowed down to 300 semifinalists. Of those, 40 finalists are chosen. Previous finalists include Ray Kurzweil, a well-known author and director of engineering at Google, and Brian Greene, a best-selling science writer. Thomas Leighton, the chief executive of the Internet company Akamai, was a finalist and is now on the society's board. The finalists travel to Washington, where they present their work, meet government and private sector leaders and have their projects reviewed by a panel of judges. There were nine top awards in 2015, worth $35,000 to $150,000. [Photo: Senator Barack Obama at the 2006 Science Talent Search. Credit: Society for Science and the Public]
This year, Intel gave out three first prizes to highlight the variety of the research conducted. One student developed an algorithm to study adaptive mutations across the human genome. Another studied how phonons, the basic particles of sound, interact with electrons. "They have been an excellent partner for almost 20 years, but their corporate priorities have changed," said Maya Ajmera, president of the Society for Science and the Public. To more recent winners, Intel may have received a benefit besides publicity — it got to teach the young stars more about Intel. "They showed us stuff they were doing with wearable technologies and machine learning," a type of artificial intelligence, said Noah Golowich, a freshman at Harvard. He shared this year's prize for his work in a branch of mathematics known as the Ramsey theory, which finds structure in complex systems. "I didn't know much about all the things Intel does before I went to Washington." Ms. Ajmera said her group would start looking for a new corporate sponsor on Wednesday. "We pride ourselves on recognizing thousands of leaders in science and technology and hope to keep doing so," she said. Other board members expressed confidence that national competition would produce another corporate sponsor. Ms. Coleman was a finalist in 1961 for researching drug-resistant bacteria. First prize that year was awarded to a study of bowing in the courtship behavior of the male ring dove. She said she was "very aware" that Larry Page, co-founder and chief executive of Google, is a Michigan graduate and that Google might be a candidate. "This isn't a huge amount of money for what it represents," she said. "I assume another corporation will step up to this." Intel informed the group of its decision about 18 months ago, she said, and it will continue to support the award through 2017, in keeping with an earlier contract.
Intel will continue to support a separate talent search aimed at international student competition at least through 2019, which is Intel's contractual term, said Ms. Dudas, the Intel spokeswoman. In addition to the Intel-sponsored prize, the society also runs a science and technology competition for middle school students, financed by the Broadcom Foundation. Although Broadcom, another semiconductor company, was bought this year, the Broadcom Foundation is independent and will continue to support the prize. "Intel's interests have changed," said Ms. Coleman. "But we still think this is a very attractive prize to a number of corporations. It is still really important for the nation." Correction: September 9, 2015 An earlier version of this article misspelled the name of the Harvard freshman who shared this year's prize for his work in mathematics. It is Noah Golowich, not Gulwich. -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Sep 10 06:28:47 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Sep 2015 07:28:47 -0400 Subject: [Infowarrior] - Alzheimer's may be spread thru surgery Message-ID: <308911EE-34D3-4D73-BB1A-8DA4B3DB0A92@infowarrior.org> Protein linked to Alzheimer's could be spread during surgery, say researchers Ian Sample Fragments of sticky proteins found in the brains of people with Alzheimer's disease could potentially be spread to others via contaminated surgical instruments and other medical procedures, scientists warn. Researchers called for further work into the possibility that metal instruments used in medical procedures could pick up harmful proteins which survive conventional sterilisation with formaldehyde. The concern comes after scientists found that a small number of people who died from Creutzfeldt-Jakob disease (CJD) after being treated with growth hormone taken from cadavers, developed brain changes seen in Alzheimer's disease.
Doctors examined the brains of eight CJD patients who had received pituitary growth hormone, given predominantly to children with stunted growth until it was stopped in 1985. Six of the brains had an unusual build-up of protein called amyloid beta, which has long been linked to Alzheimer's disease. The patients were aged 36 to 51 years old, but none carried gene variants that bring about the early onset of dementia. John Collinge, director of the Medical Research Council Prion Unit at University College London, said the findings suggest that the hormone might have spread tiny pieces, or "seeds", of amyloid beta, alongside the abnormal proteins, or prions, that gave people CJD. None of the patients developed Alzheimer's disease, or other brain changes linked to the disease. They may never have done. Or they may have died before the symptoms had time to emerge. Reporting their findings in the journal Nature, the scientists say the work should drive investigations into whether amyloid beta can be spread through other medical procedures, referred to as "iatrogenic routes" in the study. "While there is no suggestion that Alzheimer's disease is a contagious disease and no supportive evidence from epidemiological studies that Alzheimer's disease is transmissible ... our findings should prompt consideration of whether other known iatrogenic routes of prion transmission, including surgical instruments and blood products, may also be relevant to amyloid beta," the authors write. Collinge told reporters that his team now suspected people could acquire amyloid beta "seeds" in three different ways: from a spontaneous, unlucky biological event, from a faulty gene or through a medical accident. He said there was no evidence that Alzheimer's could be transmitted through blood transfusions, but added: "I think it's not unreasonable to have a look.
My concerns would be more to see if there is a risk of seeding from metal surfaces. I think that is something we ought to prioritise." < - > http://www.theguardian.com/science/2015/sep/09/protein-linked-to-alzheimers-could-be-spread-during-surgery-say-researchers From rforno at infowarrior.org Thu Sep 10 15:14:21 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Sep 2015 16:14:21 -0400 Subject: [Infowarrior] - Of course, it's an 'anonymous US official' Message-ID: <428D6E92-7F01-4552-948B-D1A35D17A4D2@infowarrior.org> US Counterterrorism Official Says US Is 'The Angel Of Death' And Should Be Target Killing ISIS Tweeters https://www.techdirt.com/articles/20150909/18072332213/us-counterterrorism-official-says-us-is-angel-death-should-target-killing-isis-tweeters.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Sep 10 18:19:51 2015 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Sep 2015 19:19:51 -0400 Subject: [Infowarrior] - FireEye Tries to Bury Keynote Reporting That It Ran Apache As Root On Security Servers Message-ID: <7B3DE7D2-C589-49EC-90A7-8F9AAD6D50C2@infowarrior.org> Major web security company sought to conceal that it ran compromised servers Richard Morrell Thu 10 Sep 2015 4.21pm https://thestack.com/security/2015/09/10/major-web-security-company-sought-to-conceal-that-it-ran-compromised-servers/ A controversy has erupted today at London security conference 44CON as details emerge of U.S. security company FireEye's attempts to stifle any public disclosure of a major series of vulnerabilities in its suite — all of which have now been patched. The vulnerabilities are said to have included the default use of the "root" account on a significant number of the Apache servers providing services to FireEye's clients. Apache is designed to be started by a "root" user — who has absolute power over all the functionality of the software —
and quickly passed to normal operation via a user account with far fewer privileges. An attacker able to compromise the server would face no further permissions barriers in obtaining any data and starting or manipulating any connections or file/database operations of which the server is capable. For a security suite, that's about as bad as it gets.

On the 13th August an ex-parte injunction was awarded to the California-based company in a German District Court, to prevent the security researcher who found the vulnerabilities from discussing it in a keynote speech at today's conference. However it was not served until the 2nd of September. Conversation at the conference today has reflected criticism of the company for what reads as an attempt to allow no time for an effective legal challenge to the injunction.

Felix Wilhelm, a security researcher for ERNW GmbH, made FireEye aware of the vulnerabilities five months ago, and reportedly worked with the company to help them resolve the issues successfully. But FireEye eventually decided that no disclosure of the vulnerabilities should be allowed to take place.

FireEye, founded in 2004, is a leading network security company focused on protecting businesses from malware, zero-day exploits and other cyber attacks. The U.S.-based firm has over 2,500 customers globally, including Fortune 500 companies and many federal departments. FireEye was tightly involved in cyber investigations following the high-profile attacks on Sony Pictures and Anthem.

UPDATE: A spokeswoman for FireEye contacted The Stack with the following statement:

Have just seen your story around FireEye and I wanted to correct some points

We tried to conceal from the researchers to publish our IP. No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now. Our Customers are protected.
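The FireEye story above turns on Apache workers that were never handed off from root to a low-privilege account. As an added example (not code from the article, The Stack, or FireEye), the Python check below parses `ps -eo user,pid,ppid,comm` output and flags Apache worker processes whose parent is an Apache master but which still run as root; the process listing, the `APACHE_NAMES` set and all function names are constructed for this example.

```python
"""Detect Apache worker processes that never dropped root.

Added example (not from the article): Apache starts as root so it can bind
low ports, then hands request handling to workers running as an unprivileged
user. This check parses `ps -eo user,pid,ppid,comm` text, finds Apache master
processes, and reports any of their children (the workers that actually talk
to clients) still running as root, which is the condition the article describes.
"""
import subprocess
from dataclasses import dataclass

# Process names under which Apache httpd commonly appears (assumed set).
APACHE_NAMES = {"httpd", "apache2", "apache"}


@dataclass(frozen=True)
class Proc:
    user: str
    pid: int
    ppid: int
    comm: str


def parse_ps(ps_output: str) -> dict[int, Proc]:
    """Parse `ps -eo user,pid,ppid,comm` text into a pid -> Proc map.

    The first line is the header; each data line has four whitespace-separated
    columns. The command is split off last so a name with spaces survives.
    """
    procs: dict[int, Proc] = {}
    lines = [ln for ln in ps_output.strip().splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the USER PID PPID COMMAND header
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue  # malformed line: ignore rather than crash the check
        user, pid, ppid, comm = fields
        procs[int(pid)] = Proc(user, int(pid), int(ppid), comm.strip())
    return procs


def is_apache(proc: Proc) -> bool:
    # Some ps builds print a full path (/usr/sbin/httpd); compare the basename.
    return proc.comm.rsplit("/", 1)[-1] in APACHE_NAMES


def find_root_workers(ps_output: str) -> list[int]:
    """Return PIDs of Apache workers that still run as root.

    A worker is an Apache process whose parent is also Apache (the master).
    The master itself legitimately runs as root, so a root Apache process
    whose parent is not Apache is not flagged.
    """
    procs = parse_ps(ps_output)
    flagged: list[int] = []
    for proc in procs.values():
        if not is_apache(proc):
            continue
        parent = procs.get(proc.ppid)
        parent_is_master = parent is not None and is_apache(parent)
        if parent_is_master and proc.user == "root":
            flagged.append(proc.pid)
    return sorted(flagged)


def live_ps_output() -> str:
    """Capture the real process table (Linux/BSD ps); not used by the sample run."""
    return subprocess.run(
        ["ps", "-eo", "user,pid,ppid,comm"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample listing: one correctly configured httpd (PID 812) whose
# workers run as www-data, and one misconfigured httpd (PID 900) whose
# workers stayed root.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 systemd
root       812     1 httpd
www-data   813   812 httpd
www-data   814   812 httpd
root       900     1 httpd
root       901   900 httpd
root       902   900 httpd
mysql      950     1 mysqld
root      1201  1200 sshd
"""

if __name__ == "__main__":
    bad = find_root_workers(SAMPLE_PS)
    if bad:
        print("Apache workers running as root:", bad)  # → [901, 902]
    else:
        print("No root Apache workers found.")
```

On a real host, pass `live_ps_output()` instead of `SAMPLE_PS`; an empty result means every worker has dropped to the account named by Apache's `User` directive.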
This was not about stopping them from issuing a report neither the vulnerabilities, it was about protecting intellectual property that they didn't have a legal right to publish.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Sep 10 19:49:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 10 Sep 2015 20:49:17 -0400
Subject: [Infowarrior] - U.S. government blocks release of new CIA torture details
Message-ID:

U.S. government blocks release of new CIA torture details
NEW YORK | By David Rohde
http://www.reuters.com/article/2015/09/10/us-usa-cia-torture-idUSKCN0RA2RM20150910

U.S. government officials have blocked the release of 116 pages of defense lawyers' notes detailing the torture that Guantanamo Bay detainee Abu Zubaydah says he experienced in CIA custody, defense lawyers said on Thursday.

The treatment of Zubaydah, who lost one eye and was waterboarded 83 times in a single month while held by the CIA, according to government documents, has been the focus of speculation for years.

"We submitted 116 pages in 10 separate submissions," Joe Margulies, Zubaydah's lead defense lawyer, told Reuters. "The government declared all of it classified."

Margulies and lawyers for other detainees said that the decision showed that the Obama administration plans to continue declaring detainees' accounts of their own torture classified.

A Central Intelligence Agency spokesperson declined to comment.

After the release of a U.S. Senate report on CIA torture in December, the government loosened its classification rules and released 27 pages of interview notes compiled by lawyers for detainee Majid Khan in which he described his torture.

Khan, a Guantanamo detainee turned government cooperating witness, said interrogators poured ice water on his genitals, twice videotaped him naked and repeatedly touched his "private parts" - none of which was described in the Senate report.
Khan said that guards, some of whom smelled of alcohol, also threatened to beat him with a hammer, baseball bats, sticks and leather belts.

"The CIA has apparently changed its mind about allowing detainees to talk about their torture," said Wells Dixon, Khan's lawyer.

CIA and White House officials opposed releasing the Senate report, but Senator Dianne Feinstein, who then chaired the Intelligence Committee, made public its 480-page executive summary.

A month after the report's release, government lawyers said in a January 2015 court filing that the CIA had issued new classification rules that permitted the release of "general allegations of torture," and "information regarding the conditions of confinement." But they said the names of CIA employees or contractors could not be released. Nor the locations of the secret "black" sites where detainees were held around the world after the Sept. 11, 2001 attacks.

Margulies said the 116 pages of notes he submitted for clearance were limited to Zubaydah's description of his torture and did not include prohibited information. Margulies said he followed "the rule to the letter" and accused the CIA of trying "guarantee that Abu Zubaydah never discloses what was done to him."

Zubaydah, a 44-year-old Saudi national, has been held in Guantanamo for nine years and not been charged with a crime.

(Reporting by David Rohde; Editing by Cynthia Osterman)

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Sep 11 07:01:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Sep 2015 08:01:45 -0400
Subject: [Infowarrior] - GCHQ defines "irony" in security advice
Message-ID:

GCHQ recommending users NOT change passwords regularly, yet offers no real evidence supporting this idea other than some basic thoughts. While I agree that password aging is a moronic approach that causes more problems for users and techies alike (and the only time I've ever written down a password!)
one can't help wonder if this recommendation was originally titled "Help Make Spying Easier." (I do, however, agree w/the other recommendations, though)

Document @ https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Sep 11 07:05:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Sep 2015 08:05:41 -0400
Subject: [Infowarrior] - DHS pressures library to stop offering anonymous web browsing
Message-ID:

First Library to Offer Anonymous Web Browsing Stops Under DHS Pressure
Julia Angwin - ProPublica
Filed to: privacy | 9/11/15 5:20am
http://gizmodo.com/first-library-to-offer-anonymous-web-browsing-stops-und-1730014951

A library in a small New Hampshire town started to help Internet users around the world surf anonymously using Tor. Until the Department of Homeland Security raised a red flag.

Since Edward Snowden exposed the extent of online surveillance by the U.S. government, there has been a surge of initiatives to protect users' privacy. But it hasn't taken long for one of these efforts -- a project to equip local libraries with technology supporting anonymous Internet surfing -- to run up against opposition from law enforcement.

In July, the Kilton Public Library in Lebanon, New Hampshire, was the first library in the country to become part of the anonymous Web surfing service Tor. The library allowed Tor users around the world to bounce their Internet traffic through the library, thus masking users' locations.

Soon after, state authorities received an email about it from an agent at the Department of Homeland Security.

"The Department of Homeland Security got in touch with our Police Department," said Sean Fleming, the library director of the Lebanon Public Libraries.
After a meeting at which local police and city officials discussed how Tor could be exploited by criminals, the library pulled the plug on the project.

"Right now we're on pause," said Fleming. "We really weren't anticipating that there would be any controversy at all."

He said that the library board of trustees will vote on whether to turn the service back on at its meeting on Sept. 15.

Used in repressive regimes by dissidents and journalists, Tor is considered a crucial tool for freedom of expression and counts the State Department among its top donors. But Tor has been a thorn in the side of law enforcement; National Security Agency documents made public by Snowden have revealed the agency's frustration that it could only identify a "very small fraction" of Tor users.

The idea to install Tor services in libraries emerged from Boston librarian Alison Macrina's Library Freedom Project, which aims to teach libraries how to "protect patrons' rights to explore new ideas, no matter how controversial or subversive, unfettered by the pernicious effects of online surveillance." (The Library Freedom Project is funded by Knight Foundation, which also provides funding to ProPublica.)

After Macrina conducted a privacy training session at the Kilton library in May, she talked to the librarian about also setting up a Tor relay, the mechanism by which users across the Internet can hide their identity. The library board of trustees unanimously approved the plan at its meeting in June, and the relay was set up in July.

But after ArsTechnica wrote about the pilot project and Macrina's plan to install Tor relays in libraries across the nation, law enforcement got involved. A special agent in a Boston DHS office forwarded the article to the New Hampshire police, who forwarded it to a sergeant at the Lebanon Police Department.

DHS spokesman Shawn Neudauer said the agent was simply providing "visibility/situational awareness,"
and did not have any direct contact with the Lebanon police or library.

"The use of a Tor browser is not, in [or] of itself, illegal and there are legitimate purposes for its use," Neudauer said, "However, the protections that Tor offers can be attractive to criminal enterprises or actors and HSI [Homeland Security Investigations] will continue to pursue those individuals who seek to use the anonymizing technology to further their illicit activity."

When the DHS inquiry was brought to his attention, Lt. Matthew Isham of the Lebanon Police Department was concerned. "For all the good that a Tor may allow as far as speech, there is also the criminal side that would take advantage of that as well," Isham said. "We felt we needed to make the city aware of it."

Deputy City Manager Paula Maville said that when she learned about Tor at the meeting with the police and the librarians, she was concerned about the service's association with criminal activities such as pornography and drug trafficking. "That is a concern from a public relations perspective and we wanted to get those concerns on the table," she said.

Faced with police and city concerns, library director Fleming agreed to turn off the Tor relay temporarily until the board could reconsider. "We need to find out what the community thinks," he said. "The only groups that have been represented so far are the Police Department and City Hall."

Fleming said that he is now realizing the downside of being the first test site for the Tor initiative. "There are other libraries that I've heard that are interested in participating but nobody else wanted to be first," he said. "We're lonesome right now."

This article first appeared on ProPublica and is republished here under Creative Commons license.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Sep 11 09:40:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Sep 2015 10:40:34 -0400
Subject: [Infowarrior] - MS forcing stealth 6GB Win10 downloads
Message-ID: <62E0C8AD-1D24-461D-B9C9-720415370B75@infowarrior.org>

Microsoft is downloading Windows 10 to PCs, even if you don't "reserve" a copy
by Cassandra Khaw (UK) - Sep 11, 2015 9:20am EDT
Files of up to 6GB in size showing up in a hidden directory.
http://arstechnica.com/information-technology/2015/09/microsoft-is-downloading-windows-10-to-pcs-even-if-you-dont-reserve-a-copy/

You might be in the process of acquiring Windows 10 -- whether you want the free upgrade or not. Microsoft has confirmed that it is "helping upgradable devices get ready for Windows 10 by downloading the files they need" in the event that owners decide to migrate to the new OS, even if they have heretofore passed up on "reserving" their free upgrade from Windows 7 or 8.

The issue seems to revolve around the Microsoft update KB3035583, and as such it appears to only afflict individuals who have chosen to receive automatic updates. As far as we can tell, if you have automatic updates turned off, Windows 10 won't be pre-loaded onto your PC.

According to The Inquirer, the situation was first reported by an anonymous reader who claimed to have discovered a hidden directory called $Windows.~BT on his computer, despite not opting in for a free upgrade to Windows 10. The directory weighed in at "3.5GB to 6GB," according to the reader.

"I thought Microsoft [said] this 'upgrade' was optional. If so, why is it being pushed out to so many computers where it wasn't reserved, and why does it try to install over and over again?" he told the outlet. His concerns are mirrored by numerous people across the Internet, who have been reporting similar revelations since as early as July.

Getting rid of the unwanted files isn't quite as simple as clicking the delete button, unfortunately.
But it doesn't require any significant computer knowledge, either. Addictive Tips has a concise solution for the dilemma, which involves uninstalling the KB3035583 update prior to removing the actual folder.

While potentially disconcerting at first blush, the news isn't exactly a shocker. Microsoft has been aggressive about promoting Windows 10, bombarding Windows 7 & 8 users with pop-ups suggesting the change. More crucially, by opting for automatic upgrades, a user is essentially agreeing to allow software developers to do as they will -- in this case, proactively downloading Windows 10 in preparation for any changes of heart.

Here's Microsoft's statement to The Inquirer, in full:

For individuals who have chosen to receive automatic updates through Windows Update, we help upgradable devices get ready for Windows 10 by downloading the files they'll need if they decide to upgrade. When the upgrade is ready, the customer will be prompted to install Windows 10 on the device.

This post originated on Ars Technica UK

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Sep 11 18:53:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Sep 2015 19:53:46 -0400
Subject: [Infowarrior] - Passwords: yes, people are still that stup1d
Message-ID: <08D4B14C-D5F2-4CA6-BE86-6A1B491B981B@infowarrior.org>

Meet the worst 100 passwords from the Ashley Madison hack
And, what a surprise, they're about as inventive (and easy to crack) as "123456."
By Zack Whittaker for Zero Day | September 11, 2015 -- 19:22 GMT (12:22 PDT) | Topic: Security

A list of the worst passwords in the Ashley Madison breach just got longer -- and a lot more depressing.

Security research group CynoSure Prime were able to find out the most common passwords that were used on Ashley Madison, a site which helps married people cheat on their partners, which suffered a massive data breach earlier this year when it was targeted by hackers.
The list of the 100 most commonly-used passwords was first posted on Ars Technica....

< - >

http://www.zdnet.com/article/these-are-the-top-100-passwords-from-the-ashley-madison-hack/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Sun Sep 13 13:17:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 13 Sep 2015 14:17:45 -0400
Subject: [Infowarrior] - Fwd: Delivering Outcomes through Cyberspace
References: <20150912010931.F05F5A0AE5F@palinka.tinho.net>
Message-ID:

--
It's better to burn out than fade away.

> Begin forwarded message:
>
> From: dan at geer.org
> Subject: referral: Delivering Outcomes through Cyberspace
> Date: September 11, 2015 at 9:09:31 PM EDT
> To: rforno at infowarrior.org
> Cc: dan at geer.org
>
> http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/docs/US-Cyber-Command-Commanders-Vision.pdf
>
> Beyond the Build
> Delivering Outcomes through Cyberspace
> The Commander's Vision and Guidance for US Cyber Command
>
> --dan
>

From rforno at infowarrior.org Mon Sep 14 19:52:20 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Sep 2015 20:52:20 -0400
Subject: [Infowarrior] - Fair-use proponents score early win in copyright case
Message-ID: <09A28AE7-C233-4A10-B18A-78589BD015E1@infowarrior.org>

Fair-use proponents score early win in copyright case
By Mario Trujillo - 09/14/15 02:43 PM EDT
http://thehill.com/policy/technology/253576-fair-use-proponents-win-early-victory-in-copyright-case

The Ninth Circuit Court of Appeals on Monday ruled that copyright holders must consider fair use before demanding companies such as YouTube remove potentially infringing content.

The three-judge panel on the court determined Stephanie Lenz, who posted a YouTube video of her child dancing to a Prince song in 2007, could proceed with her lawsuit seeking damages from Universal Music Corp., which pressed YouTube to remove the video under the Digital Millennium Copyright Act (DMCA).
"We hold that the statute requires copyright holders to consider fair use before sending a takedown notification, and that failure to do so raises a triable issue as to whether the copyright holder formed a subjective good faith belief that the use was not authorized by law," according to the majority opinion.

The video was eventually restored, but Lenz is seeking damages with help from the Electronic Frontier Foundation.

The ruling is an early victory for advocates who argue music and movie publishers are too quick to allege infringement when requesting that Web companies -- like YouTube or Twitter -- remove copyrighted content.

Even presidential candidates have been the victims of hasty takedown notices, with Sen. Rand Paul's (R-Ky.) presidential announcement video being briefly removed earlier this year because it contained John Rich's song, "Shuttin' Down Detroit."

The DMCA relieves online companies of liability for content their users post. But the law also requires that those online companies react quickly when artists and other copyright holders identify infringing material and ask for it to be removed.

Fair use, however, provides a large exception for otherwise copyrighted work. Copyrighted work can generally be used without infringing if it is being used for criticism, comment, reporting, teaching or research.

The court on Monday ruled copyright holders must have a good faith belief that content they ask to be removed does not fall under the fair use exception. Otherwise, they can be liable for damages.

"To be clear, if a copyright holder ignores or neglects our unequivocal holding that it must consider fair use before sending a takedown notification, it is liable for damages," the court ruled.

The court added: "A copyright holder who pays lip service to the consideration of fair use by claiming it formed a good faith belief when there is evidence to the contrary is still subject to ... liability."
The facts of the case do not reflect the current takedown process. At the time, Universal had an employee monitor YouTube each day to spot infringing content and ask that it be removed. With the mountains of new content posted online each day, that model became ineffective.

Major movie and music publishers have moved to computer programs that search for potentially infringing content. But it is unclear how fair use is analyzed -- if at all -- with those programs.

Without making a precedent-setting ruling, the court found that "the implementation of computer algorithms appears to be a valid and good faith middle ground for processing a plethora of content while still meeting the DMCA's requirements to somehow consider fair use."

It speculated about a model in which a company sets up a computer program to send automatic takedown notices for content it identifies as nearly identical to copyrighted work, while a backup process uses humans to manually review other content that the computer program identified with less certainty.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Sep 14 19:56:58 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Sep 2015 20:56:58 -0400
Subject: [Infowarrior] - Federal Court Invalidates 11-Year-old FBI gag order on National Security Letter recipient Nicholas Merrill
Message-ID:

Federal Court Invalidates 11-Year-old FBI gag order on National Security Letter recipient Nicholas Merrill

FOR IMMEDIATE RELEASE: September 14, 2015
CONTACT: Debra Kroszner (203) 432-1053 debra.kroszner at yale.edu
https://www.calyxinstitute.org/news/federal-court-invalidates-11-year-old-fbi-gag-order-national-security-letter-recipient-nicholas

FEDERAL COURT INVALIDATES 11-YEAR-OLD FBI GAG ORDER ON NATIONAL SECURITY LETTER RECIPIENT NICHOLAS MERRILL

Court Rules There Is "No Good Reason" To Prohibit Merrill from Describing the Array of Private Information that the FBI Sweeps Up Using NSLs

NEW HAVEN, CT --
A federal district court has ordered the FBI to lift an eleven-year-old gag order imposed on Nicholas Merrill forbidding him from speaking about a National Security Letter ("NSL") that the FBI served on him in 2004. The ruling marks the first time that an NSL gag order has been lifted in full since the PATRIOT Act vastly expanded the scope of the FBI's NSL authority in 2001. Mr. Merrill, the executive director of the Calyx Institute, is represented by law students and supervising attorneys of the Media Freedom and Information Access Clinic, a program of Yale Law School's Abrams Institute for Freedom of Expression and Information Society Project.

For more than a decade, the government has refused to allow Mr. Merrill and other NSL recipients to tell the public just how broadly the FBI has interpreted its authority to surveil individuals' digital lives in secret using NSLs. Tens of thousands of NSLs are issued by FBI officers every year without a warrant or judicial oversight of any kind. The letters demand disclosure of user information and are almost always accompanied by complete gag orders. Today's decision will finally allow Mr. Merrill to speak about all aspects of the NSL and, specifically, to inform the public about the categories of personal information that the FBI believes it can obtain using an NSL.

"For more than a decade, the FBI has fought tooth and nail in order to prevent me from speaking freely about the NSL I received," said Mr. Merrill. "Judge Marrero's decision vindicates the public's right to know how the FBI uses warrantless surveillance to peer into our digital lives. I hope today's victory will finally allow Americans to engage in an informed debate about the proper scope of the government's warrantless surveillance powers."

U.S. District Judge Victor Marrero's decision invalidated the gag order in full, finding no "good reason"
to prevent Merrill from speaking about any aspect of the NSL, particularly an attachment to the NSL that lists the specific types of "electronic communication transactional records" ("ECTR") that the FBI believed it was authorized to demand. The FBI has long refused to clarify what kinds of information it sweeps up under the rubric of ECTR, a phrase that appears in the NSL statute but is not publicly defined anywhere.

Judge Marrero's decision describes the FBI's position as "extreme and overly broad," affirming that "Courts cannot, consistent with the First Amendment, simply accept the Government's assertions that disclosure would implicate and create a risk." The Court observed that, according to the government, Mr. Merrill would only be allowed to discuss the kinds of records the FBI demanded in "a world in which no threat of terrorism exists, or a world in which the FBI, acting on its own accord and its own time, decides to disclose the contents of the Attachment." The Court decisively rejected this position: "Such a result implicates serious issues, both with respect to the First Amendment and accountability of the government to the people."

Merrill first challenged the NSL statute in 2004 in a landmark ACLU lawsuit that resulted in significant changes to the law but ended in 2010 with much of the gag order still intact.

"Mr. Merrill has fought tirelessly for years to expose the government's excessive use of gag orders that prevent the American public from having an informed conversation about NSL surveillance. Time and again he has been vindicated in court," said Amanda Lynch, student director of the Media Freedom and Information Access Clinic. "This decision has once again affirmed the crucial role courts play in serving as an important check on intelligence agencies, defending the Constitution, and protecting the civil liberties of all," Lynch added.

"Today's decision will finally allow Mr.
Merrill to shed light on the scope of the FBI's claimed authority under the NSL statute, and to explain how the FBI's interpretation is deeply problematic and potentially unlawful," stated Jonathan Manes, supervising attorney in the Media Freedom and Information Access Clinic. "If the recent revelations and debates over mass surveillance have taught us anything, it is that there can be no meaningful democratic oversight if the public does not know how the law has been interpreted behind closed doors," Manes added.

The Court's order will go into effect in 90 days. Mr. Merrill will remain gagged for that period, in order to allow the government time to decide whether to appeal the decision. "Judge Marrero's careful and comprehensive decision confirms that there is no longer any reason to prevent Mr. Merrill from telling the public what he knows about NSL surveillance," observed Lulu Pantin. The FBI has conceded that the investigation that prompted the 2004 NSL is now closed. Pantin continued, "We hope the government will not appeal, so that a crucial public conversation about warrantless surveillance is not further delayed."

Mr. Merrill is represented by law student interns Amanda Lynch, Lulu Pantin, and Rebecca Wexler and supervising attorneys Jonathan Manes and David Schulz. Former clinic students Benjamin Graham ('15), Matthew Halgren ('15), and Nicholas Handler ('15) previously worked on the case.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Sep 15 06:30:04 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Sep 2015 07:30:04 -0400
Subject: [Infowarrior] - Blue Cross targets nuns for cross image
Message-ID: <97C6F18B-ED72-423E-83CC-0CAA8593C2C4@infowarrior.org>

Put this in the YHGTBFKM category of corporate IP idiocy.
--rick

Blue Cross Threatens To End Coverage For Patients At Christian Hospital Group Over Blue Cross Logo
https://www.techdirt.com/articles/20150908/07242332191/blue-cross-threatens-to-end-coverage-patients-christian-hospital-group-over-blue-cross-logo.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Sep 16 06:22:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Sep 2015 07:22:18 -0400
Subject: [Infowarrior] - Weather Channel: Yes, we'll cover the weather again
Message-ID:

(face, meet palm. Only in network-tv-land .... or Washington. --rick)

The Weather Channel Finally Gets The Message: Announces Plan To Actually Cover...The Weather
from the brilliant-ideas dept
https://www.techdirt.com/articles/20150909/12571532207/weather-channel-finally-gets-message-announces-plan-to-actually-coverthe-weather.shtml

Over the last few years, The Weather Channel has been slowly but surely veering away from its core competency in a ham-fisted attempt to cater to the lowest common denominator. While its TV channel now offers a rotating variety of relatively awful reality TV only tangentially related to the weather (ranging from Prospectors to Fat Guys in the Woods), its website often focuses on non-weather related subjects like kooky buffalo and hard-hitting analysis of the world's "sexiest" beaches. Having anchors stand stupidly around in thundersnow storms is another favorite channel pastime.

But then something interesting happened. When The Weather Channel executives tried to up the rates on cable operators like DirecTV and Verizon FiOS, both companies balked -- and pulled The Weather Channel from their lineups, replacing it with channels, apps and services that actually reported the weather. Apparently, threatening to pull your product from the market if you don't get more money -- only works when people give a damn about your product.
Meanwhile, cable companies are having a harder time pushing off programming rate hikes to consumers awash with alternative options.

Initially, The Weather Channel executives responded by trying to claim DirecTV and Verizon were threatening public safety by pulling access to an invaluable public resource (an argument that fell flat on its face since most realize the channel doesn't actually provide that). Then, the company amusingly tried to attack competitors like AccuWeather by actually claiming it offered too much fluff. But with a little time to think about it, The Weather Channel executives appear to have finally learned something. The company this week announced a notable restructuring that will, amazingly enough, involve refocusing The Weather Channel on actually covering the weather:

"The plan calls for a singular focus "on our unique strength -- and that is the weather." With the cable channel bundle coming under increasing pressure, and "skinny bundles" becoming more common, "it's inevitable that channels will be cut," Weather Company CEO David Kenny said in an interview. With this in mind, "we need to be really clear who we are," Kenny said. That means paring back its original programming investments (shows like "Prospectors" and "Fat Guys in the Woods") and lifestyle coverage. The priority is essential, live weather coverage -- particularly during periods of severe weather -- and local information.

Granted there's only so many ways you can monetize a quick glance at the five-day forecast, and filling twenty-four hours of eyeball-grabbing airtime in the smartphone era without catering to nitwits will likely be a continued challenge. But it's at least a positive sign that the company sees the cable TV landscape changing and needs to either change with it, or be left behind.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Sep 17 13:18:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Sep 2015 14:18:41 -0400
Subject: [Infowarrior] - WH Realizes Mandating Backdoors To Encryption Isn't Going To Happen
Message-ID:

White House Realizes Mandating Backdoors To Encryption Isn't Going To Happen
from the option-1-please dept
https://www.techdirt.com/articles/20150916/15035232275/white-house-realizes-mandating-backdoors-to-encryption-isnt-going-to-happen.shtml

Over the last few months, I've heard rumblings and conversations from multiple people within the Obama administration suggesting that they don't support the FBI's crazy push to back door all encryption. From Congress, I heard that there was nowhere near enough support for any sort of legislative backdoor mandate. Both were good things to hear, but I worried that I was still only hearing from one side, so that there could still be serious efforts saying the opposite as well. However, the Washington Post has been leaked quite a document that outlines three options that the Obama administration can take in response to the whole "going dark" question. And the good news? None of them involve mandating encryption. Basically, the key message in this document is that no one believes legislation is a realistic option right now (more on that in another post coming shortly). That's big!

The document's three options can be summarized as follows:

* Option 1: Do the right thing, admit that backdooring encryption is a bad idea and dumb, and stand up for real cybersecurity by saying that more encryption is generally good for society. This will make lots of people happy -- including civil liberties folks and the tech industry, and it will also do more to protect the public. It will also help the most with many foreign countries in showing that the US isn't just trying to spy on everyone -- though it may piss off a few countries (mainly the UK) who have doubled down on backdooring encryption.
Also, it will undermine China's plan to backdoor encryption as well. Let's call this the right option.

- Option 2: Yeah, we know what the right thing to do is, but we'll take a half-assed approach to it to try to appease the FBI/law enforcement folks and not come out nearly as strongly against legislation. We'll say there's no legislation, but we'll at least leave the door open to it. In private, we may still push tech companies to backdoor stuff. This will anger lots of folks, but maybe (the administration believes) some civil liberties types will think it's enough of a win to celebrate. Then we pretend that we can hold some sort of "discussion" between people who disagree.

- Option 3: We totally punt on the issue and don't really say anything. If we do say something, we say that this issue needs a lot more discussion and study (just like people have been saying for the last year). In other words, endless cryptowars with no end in sight.

Clearly, Option 1 is the only sensible option, and the report lays out some pretty strong arguments for why coming out against backdooring encryption would be good. It would actually make the tech industry much more willing to work with the government in productive ways, rather than stupid, privacy and security-destroying ways. It would actually better protect the public and it would stop authoritarian regimes from using our own language against us to break encryption. The cons are basically that law enforcement might whine about it. Well, the administration actually says that it "provides no immediate solution to the challenges that the expanding use of encryption poses to law enforcement and national security" but given that law enforcement still hasn't done a good job showing this is a real problem, that's not really a big deal. In fact, law enforcement is still relying on made up ghost stories rather than any real evidence that encryption is a problem. So, now the big question is which option the administration will choose.
Will it stand up and take leadership on this issue (Option 1), thereby actually protecting Americans? Or will it do a variety of half-assed measures believing that it has to support "both sides" or some crap like that? From the leaked report, it appears that if it chooses either Option 1 or 2, the White House will make a public statement on the matter within the next few weeks.

From rforno at infowarrior.org Thu Sep 17 17:52:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Sep 2015 18:52:41 -0400
Subject: [Infowarrior] - TSA Doesn't Care That Its Luggage Locks Have Been Hacked
Message-ID: <79615A1A-2D18-442C-9394-0512D16AA158@infowarrior.org>

TSA Doesn't Care That Its Luggage Locks Have Been Hacked
Jenna McLaughlin
Sep. 17 2015, 12:51 p.m.
https://theintercept.com/2015/09/17/tsa-doesnt-really-care-luggage-locks-hacked/

In a spectacular failure of a "back door" designed to give law enforcement exclusive access to private places, hackers have made the "master keys" for Transportation Security Administration-recognized luggage locks available to anyone with a 3D printer.

The TSA-recognized luggage locks were a much-vaunted solution to a post-9/11 conundrum: how to let people lock their luggage, on the one hand, but let the TSA inspect it without resorting to bolt cutters, on the other. When the locks were first introduced in 2003, TSA official Ken Lauterstein described them as part of the agency's efforts to develop "practical solutions that contribute toward our goal of providing world-class security and world-class customer service."

Now that they've been hacked, however, TSA says it doesn't really care one way or another. "The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security," wrote TSA spokesperson Mike England in an email to The Intercept. "These consumer products are 'peace of mind'
devices, not part of TSA's aviation security regime," England wrote. "Carried and checked bags are subject to the TSA's electronic screening and manual inspection. In addition, the reported availability of keys to unauthorized persons causes no loss of physical security to bags while they are under TSA control. In fact, the vast majority of bags are not locked when checked in prior to flight."

In other words: not our problem.

How the Keys Were Hacked

Last month, security enthusiasts and members of a lockpicking forum on Reddit began circulating a nearly year-old Washington Post story about "the secret life of baggage," and how the TSA handles and inspects airport luggage. What no one had previously noticed was that the article included close-up photos of the "master keys" to TSA-approved luggage locks -- which it turns out, are really easy to copy, as long as you can see the pattern of the teeth and have access to a 3D printer. The photos were removed from the Post's website, but not before privacy devotees spread the images far and wide.

Then, according to his self-published timeline, Shahab Shawn Sheikhzadeh, a system administrator and lockpicker, obtained an official-looking document with even more detailed imagery. Sheikhzadeh told The Intercept that anonymous hackers inspired by the Washington Post photos found a 2008 "Guide to Travel Sentry Passkeys" posted on Travel Sentry's website. Travel Sentry is the organization responsible for generating and enforcing security guidelines for TSA-approved locks, working with both the government and private manufacturers to guarantee its standards are being met. It does not sell or manufacture locks itself.

Steven Knuchel, a hacker/security researcher who goes by Xylitol or Xyl2k, used the detailed images obtained from the Travel Sentry website to create the kind of files that 3D printers use to produce models.
Since the files were first published, several people have demonstrated that they work, using inexpensive 3D printing plastic called PLA.

TSA's Response

TSA's nonchalant response to the proliferation of master keys is at odds with how the agency has historically advertised the approved locks. "There's a difference in how TSA talks about the locks to travelers and the statement they made," said Chris Soghoian, chief technologist for the American Civil Liberties Union, after hearing the TSA's statement to The Intercept.

Over the years, TSA has published various blog posts trumpeting the power of the locks to prevent all theft, writing, for instance, that the locks "will prevent anyone from removing items out of your ... bags." Soghoian described that post as an example of TSA "lying to consumers" in a tweet. "There's nothing in that blog post about 'peace of mind'" being the reason for the locks, Soghoian told The Intercept.

Security experts, by comparison, have long recognized that TSA locks do not fully protect your belongings. University of Pennsylvania computer science professor Matt Blaze told Wired that he sometimes picks his own TSA-recognized lock to save time looking for the actual key, because it's faster. Chris McGoey, a security consultant specializing in travel safety, told the Intercept that "there are several ways of opening TSA locks short of having a 3D printer." He explained that "TSA locks on luggage is only one step above having no lock at all especially on soft-sided luggage with zippers."

The Problem With Backdoors

Although the actual impact remains unclear, the hacking of the master keys is a powerful example of the problem with creating government backdoors to bypass security, physically or digitally. Most security experts and computer scientists believe backdoors for law enforcement inevitably make systems less secure, and easier for bad actors to break into.
Nicholas Weaver, a computer security researcher at Berkeley, wrote on the Lawfare blog about the TSA locks and how they are "similar in spirit to what [FBI] Director [James] Comey desires for encrypted phones." Comey has recently been trying to convince technology companies to design some sort of special way for his agents to access encrypted communications on digital devices. But companies including Apple and Google have resisted this pressure, insisting that developing backdoors will only weaken security that they have worked hard to improve for the sake of average customers around the world.

"In theory, only the Transportation Security Agency or other screeners should be able to open a TSA lock using one of their master keys," Weaver wrote. "All others, notably baggage handlers and hotel staff, should be unable to surreptitiously open these locks. ... Unfortunately for everyone, a TSA agent and the Washington Post revealed the secret. ... The TSA backdoor has failed."

Xylitol, the GitHub user who published the blueprint of the keys, said that was his point. "This is actually the perfect example for why we shouldn't trust a government with secret backdoor keys (or any kind of other backdoors)," he wrote in an email to The Intercept. "Security with backdoor[s] is not security and inevitably exposes everyone."

Soghoian tweeted a congratulations to the Post and TSA "for proving the stupidity of key escrow," the arrangement in which keys needed to decrypt communications are held in escrow to be accessed by a third party if necessary. End-to-end encryption, which the FBI and the Justice Department have continually urged against, only allows for the sender and the recipient of a message to hold onto keys to decrypt the message.

Clarification: An earlier version of this story incorrectly reported that hackers had broken into Travel Sentry's internal website.

Caption: Master TSA keys for various TSA-approved locks.
From rforno at infowarrior.org Thu Sep 17 20:16:38 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Sep 2015 21:16:38 -0400
Subject: [Infowarrior] - The FBI Says Retweets Are Endorsements
Message-ID: <3E4FA731-2D0F-49D5-B6FC-2D7B86DC1349@infowarrior.org>

The FBI Says Retweets Are Endorsements
http://gizmodo.com/the-fbi-says-retweets-are-endorsements-1731526051

From rforno at infowarrior.org Fri Sep 18 11:09:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Sep 2015 12:09:51 -0400
Subject: [Infowarrior] - Court: 'Slide To Unlock' not in the public interest
Message-ID: <91C5524E-82E9-425D-979C-59B838627361@infowarrior.org>

Appeals Court: It Is In The Public's Interest That Samsung Not Be Allowed To 'Slide To Unlock' Devices
from the wait,-what? dept

The patent fight between Apple and Samsung has been going on for many years now with Samsung being told to pay a lot of money to Apple. But on one point Apple has been unsuccessful: getting an injunction barring Samsung from offering products for sale that include the "infringing" inventions -- such as the concept of "slide to unlock." I still have trouble understanding how "slide to unlock" could possibly be patentable, but there it is: US Patent 8,046,721 on "unlocking a device by performing gestures on an unlock image."

< - >

https://www.techdirt.com/articles/20150917/15315232286/appeals-court-it-is-publics-interest-that-samsung-not-be-allowed-to-slide-to-unlock-devices.shtml
From rforno at infowarrior.org Sat Sep 19 09:51:34 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 19 Sep 2015 10:51:34 -0400
Subject: [Infowarrior] - AVG Will Sell Your Browsing History to Online Advertisers
Message-ID: <3016B120-2A2C-411D-85E2-911FB8513BF4@infowarrior.org>

AVG Proudly Announces It Will Sell Your Browsing History to Online Advertisers
Only non-personal details will be sold, AVG claims
http://news.softpedia.com/news/avg-proudly-announces-it-will-sell-your-browsing-history-to-online-advertisers-492146.shtml

AVG, the Czech antivirus company, has announced a new privacy policy in which it boldly and openly admits it will collect user details and sell them to online advertisers for the purpose of continuing to fund its freemium-based products.

This new privacy policy is slated to come into effect starting October 15, and the company has published a blog post explaining the decision to go this route, along with the full privacy policy's content, so users can read it in advance and decide on their own if they want to use its services or not.

This is what AVG claims it will collect from users for the purpose of selling to interested parties, mainly online advertisers.

"We collect non-personal data to make money from our free offerings so we can keep them free, including:
- Advertising ID associated with your device;
- Browsing and search history, including meta data;
- Internet service provider or mobile network you use to connect to our products; and
- Information regarding other applications you may have on your device and how they are used."

Because "free" is only "free" for users

AVG has mentioned that it will not sell personal data like name, emails, addresses, or credit card details, but that these might sometimes leak inside the browsing history. When this happens, the company claims it will take precautionary measures to filter out personal details from the browsing history before selling it.
AVG also adds that personal, identifiable information like addresses, age, or IPs, even if not sold, may sometimes be shared with collaborators. This seems to be a provision put in place to allow user data to be used for statistical and research purposes, and the company has stated that data will never be bundled together, only aggregated. This means that only emails would be put together in the same batch, never attached to any name, username, or other personal data.

From rforno at infowarrior.org Sat Sep 19 13:37:00 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 19 Sep 2015 14:37:00 -0400
Subject: [Infowarrior] - U.S. and China Seek Arms Deal for Cyberspace
Message-ID: <7D1C77F6-5B7B-4349-8709-683C5EF5D187@infowarrior.org>

U.S. and China Seek Arms Deal for Cyberspace
David E. Sanger
http://www.nytimes.com/2015/09/20/world/asia/us-and-china-seek-arms-deal-for-cyberspace.html?_r=0

WASHINGTON -- The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other's critical infrastructure during peacetime, according to officials involved in the talks.

While such an agreement could address attacks on power stations, banking systems, cellphone networks and hospitals, it would not, at least in its first version, protect against most of the attacks that China has been accused of conducting in the United States, including the widespread poaching of intellectual property and the theft of millions of government employees' personal data.

The negotiations have been conducted with urgency in recent weeks, with a goal to announce an agreement when President Xi Jinping of China arrives in Washington for a state visit on Thursday.
President Obama hinted at the negotiations on Wednesday, when he told the Business Roundtable that the rising number of cyberattacks would "probably be one of the biggest topics" of the summit meeting, and that his goal was to see "if we and the Chinese are able to coalesce around a process for negotiations" that would ultimately "bring a lot of other countries along."

Caption: Susan E. Rice, the president's national security adviser, has been pressuring China.

But a senior administration official involved in the discussions cautioned that an initial statement between Mr. Obama and Mr. Xi may not contain "a specific, detailed mention" of a prohibition on attacking critical infrastructure. Rather, it would be a more "generic embrace" of a code of conduct adopted recently by a working group at the United Nations.

One of the key principles of the United Nations document on principles for cyberspace is that no state should allow activity "that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public." The goal of the American negotiators is to have Chinese leaders embrace the principles of the United Nations code of conduct in a bilateral agreement with Washington.

But it seems unlikely that any deal coming out of the talks would directly address the most urgent problems with cyberattacks of Chinese origin, according to officials who spoke on the condition of anonymity to describe continuing negotiations. Most of those attacks have focused on espionage and theft of intellectual property. The rules under discussion would have done nothing to stop the theft of 22 million personal security files from the Office of Personnel Management, which the director of national intelligence, James R. Clapper Jr., recently told Congress did not constitute an "attack" because it was intelligence collection -- something the United States does, too.
The agreement being negotiated would also not appear to cover the use of tools to steal intellectual property, as the Chinese military does often to bolster state-owned industries, according to an indictment of five officers of the People's Liberation Army last year.

And it is not clear that the rules would prohibit the kind of attack carried out last year against Sony Pictures Entertainment, for which the United States blamed North Korea. That attack melted down about 70 percent of Sony's computer systems. Sony is not, by most definitions, part of the nation's "critical infrastructure," although the Department of Homeland Security does include "movie studios" on its list of critical "commercial facilities," along with stadiums, museums and convention centers.

Still, any agreement to limit cyberattacks in peacetime would be a start. "It would be the first time that cyber is treated as a military capability that needs to be governed as nuclear, chemical and biological weapons are," said Vikram Singh, a former Pentagon and State Department official who is now vice president for international security at the Center for American Progress.

Within the Obama administration, the effort to design "a set of norms of behavior" to limit cyberattacks has been compared to President John F. Kennedy's first major nuclear treaty with the Soviet Union in 1963, which banned atmospheric nuclear tests. That accord did not stop the development of nuclear weapons or even halt underground tests, which continued for decades. But it was a first effort to prevent an environmental disaster, just as this would be a first effort by the world's two biggest economic powers to prevent the most catastrophic use of cyberweapons.

Joseph S. Nye, a Harvard professor known for his studies of American power, said the concept of a "no first use" doctrine for cyberattacks had been "gestating for some time" in a variety of international forums. "It could create some self-restraint," Mr.
Nye said, but he added that the problem was, "how do you verify it, and what is its value if it can't be verified?"

That problem goes to the heart of why arms control agreements in the cyberspace arena are so much more complicated than better-known agreements covering nuclear weapons. In the Cold War and still today, nuclear arms remain in the hands of states, meaning they can usually be counted and their movements observed. Cyberweapons, too, are often developed by countries -- the United States, Russia, China and Iran are among the most sophisticated -- but they can also be found in the hands of criminal groups and teenagers, neither of which negotiate treaties.

Moreover, it was usually clear where a conventional attack had originated; the trajectory of a missile could be tracked by radar or satellite. Mr. Obama himself noted last week the difficulty of tracing a cyberattack, and thus of deterring it -- or retaliating with confidence.

Earlier efforts to get Mr. Xi and other senior Chinese leaders to address cyberattacks have largely failed. Mr. Obama spent a considerable amount of time on the issue during a summit meeting with Mr. Xi at Sunnylands, a California estate, in 2013. But even after that session, the Chinese denied that their military was involved in attacks, and portrayed themselves as victims of attacks from the United States. It was not an entirely spurious claim: Classified documents released by Edward J. Snowden showed a complex effort by the National Security Agency to get into the systems of a Chinese telecommunications giant, Huawei, though the United States maintained that the effort was for national security surveillance, not for the theft of intellectual property.

The recent Chinese movement on cybersecurity can be traced to several events, officials say. The Office of Personnel Management breach, which went undetected for roughly a year, was traced to Chinese sources, and one official said evidence had been presented to Chinese officials.
In August, Susan E. Rice, Mr. Obama's national security adviser, took a trip to Beijing to meet with Mr. Xi and other officials, and used it to increase pressure on China, suggesting that newly devised economic sanctions could be imposed. Mr. Obama referred to that possibility in two recent speeches, suggesting that he would hold off only if there was progress with Mr. Xi.

Last week, a high-level Communist Party envoy, Meng Jianzhu, who is responsible for state security, came to Washington and met with Ms. Rice, several American intelligence officials and the director of the F.B.I., James B. Comey. That session focused on coming up with some kind of agreement, however vaguely worded, that Mr. Obama and Mr. Xi could announce on Friday.

For the United States, agreements limiting cyberweapons are also problematic. The country is spending billions of dollars on new generations of weapons, and in at least one famous case, the cyberattacks on Iran's nuclear enrichment site at Natanz, it has used them. American cyberwarriors would be concerned about any rules that limited their ability in peacetime to place "beacons" or "implants" in foreign computer networks; these are pieces of code that monitor how foreign computer systems work, and they can be vital in determining how to launch a covert or wartime attack. The Chinese have littered American networks with similar technology, often to the consternation of the Pentagon and intelligence agencies.

"One of the things to look for are any rules that bar 'preparing the battlefield,'" said Robert K. Knake, a senior fellow at the Council on Foreign Relations who worked in the White House cybersecurity office earlier in the Obama administration.

Mr. Obama, who has said little about the United States' development of cyberweapons during his presidency, has begun to talk about it in recent days. "If we wanted to go on offense, a whole bunch of countries would have some significant problems,"
he told the Business Roundtable on Wednesday.

From rforno at infowarrior.org Sun Sep 20 15:14:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Sep 2015 16:14:33 -0400
Subject: [Infowarrior] - future of online news?
Message-ID: <70C3E564-AA30-4C4E-B269-394326C376FF@infowarrior.org>

(x-posted)

Is this the future of 'news' on the Internet? Only accessible in a timely manner if you're on the "right" platform/browser?

Wired: "This story is being previewed exclusively on Apple News until Tuesday, September 22nd"

http://www.osnews.com/img/28849/wtf.png

From rforno at infowarrior.org Sun Sep 20 17:42:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Sep 2015 18:42:43 -0400
Subject: [Infowarrior] - India Draft National Encryption Policy
Message-ID: <45F0C29A-8E62-4FA8-A5E0-07D8F858585E@infowarrior.org>

India Draft National Encryption Policy
September 20, 2015

The following draft copy of the National Encryption Policy was released for public comment by the India Department of Electronics and Information Technology. The policy has been widely criticized for requiring businesses, internet service providers and even private citizens to store decrypted versions of encrypted communications for 90 days to provide to the government and law enforcement. An article in the Times of India dated September 20, 2015 quotes Pranesh Prakash, policy director at the Bengaluru-based Center for Internet and Society, who describes the draft policy as a "bad idea conceived by people who do not understand encryption."

< - >

https://publicintelligence.net/india-draft-encryption-policy/
From rforno at infowarrior.org Mon Sep 21 08:19:04 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 21 Sep 2015 09:19:04 -0400
Subject: [Infowarrior] - CIA, FBI And Much Of US Military Aren't Doing The Most Basic Things To Encrypt Email
Message-ID: <646E2AB0-C0FD-49CC-A4D7-D20162074D04@infowarrior.org>

CIA, FBI And Much Of US Military Aren't Doing The Most Basic Things To Encrypt Email
https://www.techdirt.com/articles/20150918/23382332293/cia-fbi-much-us-military-arent-doing-most-basic-things-to-encrypt-email.shtml

From rforno at infowarrior.org Mon Sep 21 08:37:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 21 Sep 2015 09:37:36 -0400
Subject: [Infowarrior] - George W. Bush Made Retroactive N.S.A. 'Fix' After Hospital Room Showdown
Message-ID: <1251B950-876F-41FC-9D0B-DCB627E47BAA@infowarrior.org>

(Remind me again how the actions of W and O differ on this stuff? -- rick)

George W. Bush Made Retroactive N.S.A. 'Fix' After Hospital Room Showdown
By CHARLIE SAVAGE
SEPT. 20, 2015
http://www.nytimes.com/2015/09/21/us/politics/george-w-bush-made-retroactive-nsa-fix-after-hospital-room-showdown.html

WASHINGTON -- President George W. Bush sought to retroactively authorize portions of the National Security Agency's post-9/11 surveillance and data collection program after a now-famous incident in 2004 in which his attorney general refused to certify the program as lawful from his hospital bed, according to newly declassified portions of a government investigation.

Mr. Bush's effort to salvage the surveillance program without changes did not satisfy top Justice Department officials, who threatened to resign. But the newly disclosed passages of a report by inspectors general of six agencies suggest that the confrontation in the hospital room came after the Justice Department identified several problems, including a "gap" between what Mr.
Bush had authorized the N.S.A. to collect and what the agency was collecting in practice.

A leak of government documents in 2013 revealed that the fight had been partly about the legality of the N.S.A.'s collection of data about Americans' emails in bulk. But the latest disclosure shows that the Justice Department had additional concerns.

Caption: President Bush in 2003 with Attorney General John Ashcroft, who refused to authorize a data-collection program as lawful.

For example, Mr. Bush's secret directives to the agency, starting in October 2001, said the N.S.A. could "acquire" phone and email metadata -- logs showing who contacted whom, but not what they said -- if at least one end was foreign or if a specific message were linked to terrorism. But the agency was apparently gathering purely domestic metadata in bulk, too, the Justice Department found.

Mr. Bush, in response to the discrepancy identified by the Justice Department, declared that the N.S.A. was authorized to systematically collect the metadata of purely domestic communications, too, so long as analysts only looked at records linked to terrorism. He also declared that the agency had been authorized to do that all along.

The authorization "gap" was among the disclosures in newly declassified passages of a 746-page report by six agencies' inspectors general about the N.S.A. program, code-named Stellarwind.
The report also shows that after March 2004, the Justice Department persuaded the White House to limit the program to investigations of Al Qaeda, rather than allowing it to be used for other types of international counterterrorism investigations, to make the argument that the program was legally justified as a wartime measure.

The government provided the information to The New York Times late Friday night as part of a Freedom of Information Act lawsuit seeking the public disclosure of the report. Commissioned by Congress and completed in 2009, the report was entirely classified until April, when the government released a partial version in response to the lawsuit. The government has now revealed additional portions.

Stellarwind, which started after the terror attacks of Sept. 11, 2001, involved warrantless wiretapping of terrorism suspects' international phone calls and emails, as well as the bulk collection of metadata about Americans' emails and phone calls. It bypassed rules established by the Foreign Intelligence Surveillance Act, such as a requirement to obtain court permission for wiretaps.

Justice Department officials -- Attorney General John Ashcroft and John Yoo, then a lawyer in the Office of Legal Counsel -- initially said the program was lawful. Mr. Yoo subscribed to a sweeping version of a theory that the president, as commander in chief, can lawfully override statutes restricting what he can do in a national-security matter.

By 2004, turnover in the department had brought new officials to power, including Jack Goldsmith, a new head of its Office of Legal Counsel, and James Comey, a deputy attorney general who temporarily became the acting head of the department that March when Mr. Ashcroft was hospitalized. (Mr. Comey is now director of the Federal Bureau of Investigation.)

Taking a second look at the legal basis for various post-9/11 programs, Mr. Goldsmith and an aide, Patrick Philbin, uncovered problems with Stellarwind. Mr. Goldsmith thought Mr.
Yoo's legal theory was too sweeping, and he spotted disparities between the basis for the program on paper -- how Mr. Yoo's memos and Mr. Bush's authorizations described it -- and what the government was doing.

While the public has long known about the March 2004 hospital room fight that resulted from their skepticism, the details of the dispute have remained murky. Two years ago, leaked documents revealed one piece of the dispute: whether a component of Stellarwind that collected bulk data about Americans' emails was legal. The newly revealed passages in the report show that the fight was about more than that.

The passages consist largely of quotations and descriptions of the evolving Stellarwind authorization orders that Mr. Bush periodically signed, and which were drafted by David Addington, the top counsel to Vice President Dick Cheney.

Although some lines in the report remain redacted, it appears that another problem centered on the N.S.A.'s acquisition of bulk domestic metadata. It used phone numbers and email addresses linked to terrorism to search that data, hunting for hidden associates of terrorism suspects. But the text of Mr. Bush's authorizations to the N.S.A. directed it to "acquire" phone and email metadata only if at least one end of the communications were of foreigners abroad, or if the specific call or email was linked to terrorism.

The bulk collection of purely domestic metadata would seem to go beyond the scope of that authority, even if Mr. Yoo's theory of presidential power was accurate, because Mr. Bush had not explicitly authorized the collection of such data. This gap was one of several concerns that prompted the Justice Department, led temporarily by Mr. Comey because Mr. Ashcroft was sick, to refuse to recertify that the program was lawful as it was operating at the time.

On March 10, 2004, White House officials visited the hospital room of Mr. Ashcroft and asked him to overrule Mr. Comey. Mr. Ashcroft refused, citing Mr.
Goldsmith?s analysis. The next day, Mr. Bush reauthorized the program anyway without Justice Department approval. This time, Mr. Addington drafted additional language as a ?fix,? the report said. Among them, ?to narrow the gap between the authority given on the face of prior authorizations and the actual operation of the program by the N.S.A.,? the report said, Mr. Bush?s new authorization proclaimed that the N.S.A. could ?obtain and retain? metadata in general, and that the agency would be deemed to have ?acquired? only those records that analysts specifically ?searched for and retrieved? within the larger database. This formulation appeared to permit bulk collection of domestic metadata, so long as the N.S.A. searched the database only for records related to terrorism suspects. Mr. Bush also declared that this newly drafted distinction between obtaining and acquiring data reflected previous N.S.A. conduct that had been ?known to and authorized by me.? The new language, Mr. Bush added, would be deemed to have been a part of his previous authorizations as if those words had been included in them when he signed them, so that he was ratifying and confirming the N.S.A.?s prior actions. Mr. Addington also added language in which Mr. Bush, for the first time, explicitly said that his authorizations were ?displacing? specific federal statutes, including the Foreign Intelligence Surveillance Act and criminal wiretapping laws. The White House counsel, Alberto Gonzales, then told Mr. Goldsmith that the president had ?made an interpretation of law concerning his authorities? and that the Justice Department could not act in contradiction of Mr. Bush?s determinations. But Mr. Bush?s willingness to go forward with the program without operational changes prompted a threat of mass resignation by top department officials. To avert that meltdown, Mr. Bush then agreed to accept curbs on the program. 
A version of this article appears in print on September 21, 2015, on page A13 of the New York edition with the headline: Bush Made Retroactive N.S.A. "Fix" After Hospital Room Showdown.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Sep 21 17:32:58 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 21 Sep 2015 18:32:58 -0400
Subject: [Infowarrior] - Provision Forcing Companies to Report Supposed "Terrorist Activity" Struck From Bill
Message-ID: <453CF1EA-05B0-4261-849E-019152A51B9F@infowarrior.org>

Provision Forcing Companies to Report Supposed "Terrorist Activity" Struck From Bill
Jenna McLaughlin
Sep. 21 2015, 6:11 p.m.
https://theintercept.com/2015/09/21/vague-provision-forcing-companies-report-supposed-terrorist-activity-struck-bill/

A provision that would have forced tech companies like Twitter and Facebook to report every inkling of "terrorist activity" on their services to law enforcement was removed from the 2016 Intelligence Authorization Bill on Monday.

Sen. Ron Wyden, D-Ore., put a hold on the bill in July because of the proposal supported by Sen. Dianne Feinstein, D-Calif. The proposal generated intense and negative response from technologists and privacy supporters who said it would turn tech companies into "law enforcement watchdogs."

Wyden celebrated his victory in a press release on Monday. "Going after terrorist recruitment and activity online is a serious mission that demands a serious response from our law enforcement and intelligence agencies," he wrote. "Social media companies aren't qualified to judge which posts amount to 'terrorist activity,' and they shouldn't be forced against their will to create a Facebook Bureau of Investigations to police their users' speech."
The provision was removed during negotiations prior to the bill's expected approval by unanimous consent – the tradition for passing the Intelligence Authorization.

One problem with the provision was that no one actually knew what it meant by "terrorist activity." When Feinstein mentioned the provision during an open hearing of the Senate Intelligence Committee in July, FBI Director James Comey didn't endorse it, instead replying that Twitter is already "pretty good" at reporting suspicious content to the FBI.

From rforno at infowarrior.org Tue Sep 22 06:24:47 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Sep 2015 07:24:47 -0400
Subject: [Infowarrior] - Zerodium To Pay $1 Million For Exploit That Breaks iOS 9's Enhanced Security
Message-ID: <97EAAB13-9214-45CB-86F7-342456D5F886@infowarrior.org>

Zerodium To Pay $1 Million For Exploit That Breaks iOS 9's Enhanced Security
By Lucian Armasu
September 21, 2015 11:30 AM
http://www.tomshardware.com/news/zerodium-1-million-ios-9,30129.html#xtor=RSS-181

Zerodium, a zero-day vulnerability company that specializes in buying and selling exploits, announced that it will offer a record-breaking $1 million for a full iOS 9 browser-based exploit delivered to it by October 31. The company will be able to offer up to three such prizes for a total of $3 million.

Zerodium was created by Chaouki Bekrar, the founder of VUPEN, a company akin to the Hacking Team, which created its own exploits and then sold them to the highest bidder (even if that was a country that often uses such exploits to violate human rights). After the Hacking Team hack and all the media and political attention that came with it, the founder of VUPEN decided to focus on only buying and selling premium exploits instead of developing them. His new firm, Zerodium, now wants to focus on getting unique iOS 9 exploits and is willing to pay $1 million for up to three such exploits.
The amount is 10 times more than what the company usually pays for a mobile vulnerability. The reason Zerodium is willing to pay this much is in part because it must have also realized it would garner much attention from zero-day vulnerability developers, but also in part because iOS 9 comes with many security enhancements and patches, which make it much harder to exploit.

The company had the following to say about its motives for the new exploit prize:

"Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play."

Zerodium wanted an exploit that can beat the iOS 9 zero-day mitigations such as ASLR, sandboxes, rootless, code signing and bootchain. It also wants it to work on the latest version of iOS 9 at the time of delivery, and it should be able to allow installation of an arbitrary app such as Cydia. The company also required that the exploit worked silently, without any interaction from the user other than loading a web page in Safari or Chrome, or receiving a media file in an SMS or MMS.

The announcement should get malware developers' attention, but also that of the media and governments, which are already working on an arrangement to increase the limitations they put on those who work with security vulnerabilities (which can also lead to negative consequences).

If Zerodium is willing to pay up to $3 million for three zero-day iOS 9 exploits, that could also mean that it already has one or multiple buyers that are willing to pay them back even more for these exploits.
The likely candidates could be either other governments or criminal organizations. The NSA, for instance, is known for buying such exploits regularly, and was even willing to pay "billions" for something that could break into Skype's former ultra-secure P2P architecture a few years ago. Of course, since then, Microsoft has already completely replaced Skype's P2P architecture with one that is more centralized and more mobile-friendly, but also more wiretap-friendly.

Now that Zerodium has made this announcement, it could also make Apple's security engineers even more vigilant about the security architecture of iOS, and they may work even harder to fix whatever flaws it may have left in it. The data of hundreds of millions of iOS 9 users could be at risk.

From rforno at infowarrior.org Tue Sep 22 07:53:39 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Sep 2015 08:53:39 -0400
Subject: [Infowarrior] - Is ICANN the net's FIFA?
Message-ID:

The internet is run by an unaccountable private company. This is a problem
The US government's plan to give up authority over Icann may create the web's answer to Fifa – when problems arise, no one will have the power to intervene
Emily Taylor
Monday 21 September 2015 11.07 EDT
http://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government

What if instead of organising a football competition every four years, Fifa took on management of the internet? Leaving aside the arrests and bribery allegations, the organisation might look a bit like the Internet Corporation for Assigned Names and Numbers (Icann), the private California company responsible for overseeing the running of the internet. The scary thing about Fifa is that, when things go wrong, no one else has the power to intervene.

It was thought that 30 September 2015 was supposed to be a significant date in internet governance.
The US government was going to hand over key responsibilities to the internet community – but that date will be missed, because Icann's board looks set to oppose plans to make itself more accountable. If Icann's board can override the consensus of its own community, it casts doubt on the viability of the entire Icann model, and exposes the flakiness of the way essential internet resources are governed.

What is Icann?

You may never have heard of Icann, a Californian not-for-profit, but your online life is influenced by its decisions. Icann coordinates domain names and internet protocol (IP) addresses, the internet's essential protocols.

You might think it's a bit of a risk to leave this important work in the hands of a Californian private company. You'd expect that there would be a government in the background, just in case the power and money went to everyone's heads – and you'd be right. The US government has been Icann's final backstop of authority since the organisation was created in 1999.

How to replace the US government?

The government's ultimate control over Icann has been controversial for many countries for many years. This is strange to anyone who understands how little the government actually does, because the role is essentially clerical – yet having it there as ultimate authority is enormously significant.

In March 2014, the US government announced that it intended to step back from its role. It tasked the Icann community with finding a suitable replacement by 30 September 2015. Icann's "community" includes governments, business, domain industry and civil society, and its bottom-up policy development is called (in the jargon) "multi-stakeholder governance".

Icann's community of volunteers rose to the challenge. Hundreds of people endured thousands of hours of conference calls, fractious mailing lists and face-to-face meetings to produce – just in time – consensus recommendations.
The problem with giving up power

A key problem was how to improve Icann's accountability. Its board represents the end of the line in accountability terms. Icann's directors can't be fired (except by each other), and they can alter Icann's constitution. Such a concentration of power over globally critical resources – internet naming and addressing – represents a strategic risk and is vulnerable to capture.

Failures of oversight and inbuilt conflicts are apparent from a quick look at Icann's finances: double-digit percentage salary increases in 2012 and 2013; a trading loss in 2014. The domain name industry, nominally regulated by Icann, also provides its funding. This creates at least theoretical governance risks, and opportunities for corruption.

The community's solution is for Icann to become a membership organisation. I agree that this is the only outcome likely to deliver accountability. It's feasible, it gives backstop power to the community and is a well understood model common to many non-profits.

Unsurprisingly, Icann's board – turkeys being asked to vote for Christmas – have not reacted well. During a three-hour conference call, like so many Yes Minister hopefuls, they expressed full support for the plans, while proposing minor tweaks that would deliver the opposite. The Icann board followed up by submitting its own comments to a process which will ultimately be decided – yes – by itself.

The risks of failure

Meanwhile, in a low-key statement the US government extended the target date for another year. So the initial opportunity to resolve a thorny internet governance problem by 30 September has been missed. If it drags on beyond the next US presidential elections, and a Republican candidate wins, the whole thing will be off. Jeb Bush has indicated he will halt Icann's transition; what Donald Trump would do is anyone's guess.

But there's much more at stake. Icann's board –
as ultimate authority in this little company running global internet resources, and answerable (in fact, and in law) to no one – does have the power to reject the community's proposals. But not everything that can be done, should be done. If the board blunders on, it will alienate those volunteers who are the beating heart of multi-stakeholder governance. It will also perfectly illustrate why change is required.

From rforno at infowarrior.org Tue Sep 22 10:55:05 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Sep 2015 11:55:05 -0400
Subject: [Infowarrior] - India withdraws controversial encryption policy draft
Message-ID:

(cue a Martin Printz 'HA-HA!' --rick)

Bowing to public pressure, govt withdraws draft encryption policy
HT Correspondent, Hindustan Times, New Delhi
Updated: Sep 22, 2015 20:54 IST
http://www.hindustantimes.com/india-news/bowing-to-public-pressure-govt-withdraws-draft-encryption-policy/article1-1392348.aspx

Bowing to pressure from the public, the government on Tuesday withdrew a draft policy that sought to control secured online communication, including through mass-use social media and web applications such as WhatsApp and Twitter.

Communications and information technology minister Ravi Shankar Prasad announced the government's decision at a news conference, saying the draft National Encryption Policy will be reviewed before it is again presented to the public for their suggestions.

"I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded," Prasad said. He said the draft would be re-released, but did not say when it would be made public.

"Experts had framed a draft policy...This draft policy is not the government's final view," he added. "There were concerns in some quarters. There were some words (in the draft policy) that caused concern."
The draft will be reviewed and experts will be asked to specify to whom the policy will be applicable, Prasad said. He did not say when the new draft will be made public.

Those using social media platforms and web applications fell outside the scope of an encryption policy, Prasad said. Several countries have felt the need for an encryption policy because of the boom in e-commerce and e-governance, he remarked. "Cyber space interactions are on the rise. There are concerns about security. We need a sound encryption policy," he said.

Before Prasad announced the withdrawal of the draft policy, the government had issued an addendum early on Tuesday to keep social media and web applications like WhatsApp, Twitter and Facebook out of its purview. Secure banking transactions and password protected e-commerce businesses too will be kept out of the ambit of the proposed policy, the addendum said.

The climb down by the government came following a storm of protests from users who objected to any stringent state controls on the use of email, social media accounts and apps. According to the original draft, users of apps such as WhatsApp and Snapchat would be required to save all messages for up to 90 days and be able to produce them if asked by authorities.

Experts told Hindustan Times the draft policy, if implemented in its current form, could compromise the privacy of users and hamper the functioning of several multi-national service providers in India.

Nikhil Pahwa, editor of the MediaNama website that tracks cyber issues and tech news, said there were several problems even with the addendum to the draft policy. "The usage of the phrase 'currently in use' renders the policy vague: Firstly, when is 'currently'?" he questioned in a post on his website. "Will a new service that uses a different kind of encryption to protect its users, still be covered? Why should users be 'restricted to encryption currently in use'?
Why should services like Whatsapp, Facebook and Twitter define our security standards?" said Pahwa, who also volunteers for savetheinternet.in.

Pranesh Prakash, policy director for The Centre for Internet and Society, tweeted that even the addendum "does not clarify anything, but further muddles the encryption policy".

Social media users called the draft "draconian" and "delusional", and Congress leader Manish Tewari too attacked the Union government. "The encryption policy (draft) is a snooping and spying orgy. After net chats, the government may want you to keep a video record of what you do in your bedroom for 90 days," the Congress spokesperson told reporters.

The draft policy had been posted online last week to seek suggestions from the public.

From rforno at infowarrior.org Tue Sep 22 15:30:10 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Sep 2015 16:30:10 -0400
Subject: [Infowarrior] - Lenovo: Caught installing more spyware?
Message-ID: <4F312196-292D-497D-956A-313C22EE4AE1@infowarrior.org>

Lenovo collects usage data on ThinkPad, ThinkCentre and ThinkStation PCs
Computerworld | Sep 22, 2015 9:25 AM PT
http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html

From rforno at infowarrior.org Tue Sep 22 20:01:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Sep 2015 21:01:37 -0400
Subject: [Infowarrior] - 'Happy Birthday' song copyright is not valid, judge rules
Message-ID:

(Couldn't happen to a nicer company!
--rick)

'Happy Birthday' song copyright is not valid, judge rules
Los Angeles Times
http://www.latimes.com/local/lanow/la-me-ln-happy-birthday-song-lawsuit-decision-20150922-story.html

In a stunning reversal of decades of copyright claims, a federal judge has ruled that Warner/Chappell Music does not hold a valid copyright claim to the "Happy Birthday To You" song.

Warner had been enforcing its copyright claim since it paid $15 million to buy Birch Tree Group, the successor to Clayton F. Summy Co., which owned the original copyright. Royalties on the song bring in about $2 million a year for Warner, according to some estimates.

Judge George H. King ruled Tuesday afternoon that a copyright filed by the Summy Co. in 1935 granted only the rights to specific arrangements of the music, not the actual song itself.

"Because Summy Co. never acquired the rights to the Happy Birthday lyrics," wrote Judge George H. King, "Defendants, as Summy Co.'s purported successors-in-interest, do not own a valid copyright in the Happy Birthday lyrics."

This article will be updated.

From rforno at infowarrior.org Wed Sep 23 06:29:12 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Sep 2015 07:29:12 -0400
Subject: [Infowarrior] - The Crisis of the Now: Distracted and Diverted
Message-ID: <77639D0F-9B6C-4BFE-9E9C-2C74D0FA51C8@infowarrior.org>

(You certainly can replace 'police state' with any number of other things that modern society should be concerned about, such as "state of society" or "state of things" ... but aside from that, the items raised, and quotes used, are spot-on. --rick)

The Crisis of the Now: Distracted and Diverted from the Ever-Encroaching Police State
By John W.
Whitehead
September 22, 2015

"When a population becomes distracted by trivia, when cultural life is redefined as a perpetual round of entertainments, when serious public conversation becomes a form of baby talk, when, in short, a people become an audience and their public business a vaudeville act, then a nation finds itself at risk: culture-death is a clear possibility." – Author Neil Postman

< - >

http://rutherford.org/publications_resources/john_whiteheads_commentary/the_crisis_of_the_now_distracted_and_diverted_from_the_ever_encroachin

From rforno at infowarrior.org Wed Sep 23 06:33:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Sep 2015 07:33:17 -0400
Subject: [Infowarrior] - CIA formally embraces cyber on 1 October
Message-ID: <305566E2-0F95-4BB6-959E-7310677EE25C@infowarrior.org>

CIA details agency's new digital and cyber espionage focus
Michael Cooney
http://www.networkworld.com/article/2985246/security/cia-details-agency-s-new-digital-and-cyber-espionage-focus.html
Network World | Sep 22, 2015 10:22 AM PT

It seems like it might be about 10 years too late to the party but come October 1, the Central Intelligence Agency will add a new directorate that will focus on all things cyber and digital espionage.

The CIA's Deputy Director David Cohen told a Cornell University audience last week that once the new Directorate of Digital Innovation (DDI) is up and running "it will be at the center of the Agency's effort to inject digital solutions into every aspect of our work. It will be responsible for accelerating the integration of our digital and cyber capabilities across all our mission areas – human intelligence collection, all-source analysis, open source intelligence, and covert action."

"On October 1st, ten new CIA Mission Centers will cover every issue we face – six focused on regions, like Africa and the Near East; and four focused on functional issues, such as terrorism and weapons proliferation.
Each center will pull together all the tremendous talents and skills previously stove-piped into separate groups, promoting collaboration among Agency specialists in operations, collection, analysis, technical capabilities, and support," Cohen stated.

Cohen listed a number of areas that the directorate will focus on such as:

• The DDI will also help inform analysis by developing and deploying sophisticated IT tools that will help our analysts conduct research by revealing potential linkages between and among data in our holdings. One of the real challenges of modern intelligence analysis is the sheer volume of information that is collected by our intelligence community, Cohen said.

• The DDI will help our clandestine officers maintain effective cover in the modern, digital world. For our case officers, the cyber age is very much a double-edged sword. While digital footprints may enable us to track down a suspected terrorist, this "digital dust" -- credit card transactions; car rentals; internet searches and purchases -- can also leave our officers vulnerable. From the standpoint of a clandestine officer seeking to create and maintain her cover – perhaps the most fundamental element of espionage – this can pose a real challenge. We must find ways to protect the identity of our officers who increasingly have a digital footprint from birth. Likewise, since having no digital trail can raise suspicions too, we also have to figure out how to create digital footprints to support cover identities. Within this digital world, the DDI, collaborating with other components in the Agency, will work to ensure that our officers can continue to operate clandestinely, Cohen stated.

• The DDI also will be deeply involved in our efforts to defend the Agency against foreign cyber attacks. As I am sure you are all aware, cyber attacks against the U.S.
government – like those against businesses, universities, and organizations all across the country – are increasing in frequency, scale, sophistication, and severity of impact. One of the DDI's key responsibilities is developing the policies, technologies and protocols to better defend the Agency against these attacks. Its cyber threat analysts, who are experts in hackers' tools and techniques, work with highly classified intelligence on the plans, intentions and capabilities of an ever-expanding assortment of malicious cyber actors, Cohen said.

• The DDI will oversee the efforts of the CIA's Open Source Enterprise, a unit dedicated to collecting, analyzing and disseminating publicly available information of intelligence value. The fact is, information does not have to be secret to be valuable. More and more, information relevant to US intelligence requirements is openly available on foreign web sites and in social media. Knowing what's out there for the taking allows us to better focus our risky and expensive human collection efforts on the key national security questions that cannot be answered in any other way. And combining open source information with clandestinely acquired intelligence can help paint a much clearer picture of the world than either open source or clandestinely acquired information could alone.

• Open-source information can offer its own valuable intelligence insights. Take, for example, ISIL's use of social media. As I'm sure you are all aware, ISIL is a prolific, and quite proficient, user of social media. While this allows ISIL to spread its malevolent propaganda and reach out to potential recruits, it also provides us with useful intelligence. But ISIL's tweets and other social media messages publicizing their activities often produce information that, especially in the aggregate, provides real intelligence value.
The DDI will oversee CIA's open-source collection efforts to ensure that we make full use of this rich data set, Cohen said.

• DDI also will be responsible for the Agency's cadre of data scientists. Housed in our new mission centers, these DDI data scientists will develop and deploy customized IT tools to help our analysts make connections in the data and test the analytic calls they make. Given the variety, complexity and volume of data we take in, this calls for some of the most sophisticated and cutting-edge programming and "big data" analysis being performed anywhere today.

• The DDI will rapidly identify, transition, and deploy the best digital technologies from the private sector to bolster CIA mission execution in all areas. Building on our experience with In-Q-Tel, the highly successful technology incubator CIA established about 15 years ago, the DDI will expand our direct outreach to commercial digital entities through the establishment of a DDI business portal in Silicon Valley. This team's mission will be to identify cutting-edge technology that the Agency could use in its highly secure environment, and accelerate the integration of these solutions across our missions, Cohen said.

Michael Cooney, Online News Editor
Cooney is an Online News Editor and the author of the Layer 8 blog, Network World's daily home for the not-just-networking news. He has been working with Network World since 1992. You can reach him at mcooney at nww.com.
From rforno at infowarrior.org Wed Sep 23 07:07:44 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Sep 2015 08:07:44 -0400
Subject: [Infowarrior] - Martin Shkreli Lowers Drug Price, Is Still an A--hole
Message-ID:

Martin Shkreli Lowers Drug Price, Is Still an Asshole
Samantha Allen

After raising the price of a life-saving drug by 5,000 percent and becoming the most hated man on the Internet, Martin Shkreli says he'll lower the cost. Don't be fooled.

Well, that was fast. A matter of days since becoming the most-hated man in America for jacking up the price of the drug Daraprim by over 5,000 percent, Turing Pharmaceuticals CEO Martin Shkreli told NBC news that he would lower the price to a more reasonable level, albeit without specifying the new cost.

But even in lowering the price of Daraprim, which is used to treat the parasitic disease toxoplasmosis, a parasitic disease that can be particularly harmful for pregnant women and immunocompromised patients, Shkreli is still trying to paint himself as guileless. At this point, his denial is almost superhuman.

< - >

http://www.thedailybeast.com/articles/2015/09/23/martin-shkreli-lowers-drug-price-is-still-an-asshole.html

From rforno at infowarrior.org Wed Sep 23 07:37:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Sep 2015 08:37:03 -0400
Subject: [Infowarrior] - USAF Requires Airmen to Praise Troubled Stealth Fighter
Message-ID: <39DC2A5A-9FFD-493E-BA7E-DEA2D23DD15C@infowarrior.org>

USAF Requires Airmen to Praise Troubled Stealth Fighter
Public affairs guidance demands F-35 plaudits
September 22, 2015
David Axe
http://warisboring.com/articles/u-s-air-force-requires-airmen-to-praise-troubled-stealth-fighter/

In an eight-page document marked "not for public release," the U.S. Air Force commands its airmen to say positive things about Lockheed Martin's problem-prone F-35 Joint Strike Fighter.
"Articulate the capabilities of the aircraft and explain it is a capability warfighters must have (explain why we need the F-35)," the self-described public affairs "guidance" demands.

The document is circulating at a critical time for the 20-year, $400-billion effort to develop and build as many as 2,400 F-35s for the Air Force, Navy and Marine Corps plus hundreds more for foreign air arms.

In late July, we published a scathing internal Air Force memo detailing the complex, overweight F-35's repeated defeats in mock dogfights with a much older F-16, one of the planes the JSF is supposed to replace. A few weeks later, Gen. Hawk Carlisle, the head of the Air Force's Air Combat Command, admitted that the heavy, single-engine F-35 is not maneuverable – this despite the Air Force and Lockheed repeatedly promising that the JSF would at least match planes such as the F-16 in air-to-air combat.

The F-35 has also suffered engine fires and problems with its sensors and software. The JSF is years behind schedule and each plane costs tens of millions of dollars more than the government originally promised.

"Debunk false narratives and inaccuracies reflected in news media reporting," the public affairs document orders, and goes on to specifically mention the dogfight report we published in July.

Download "F-35 Public Affairs Guidance" here.

"The F-35 is designed to be comparable to current tactical fighters in terms of maneuverability, but the design is optimized for stealth and sensor superiority," the document claims. "News reports on the F-35's performance against an F-16 was an early look at the F-35's flight control authority software logic, and not an assessment of its ability in a dogfight situation."

That's not true. "The evaluation focused on the overall effectiveness of the aircraft in performing various specified maneuvers in a dynamic environment," wrote the F-35 test pilot in the mock dogfight with the F-16.
The tester specifically complained about the JSF's energy-inefficient design, which tweaks to software can't fix. "The F-35 was at a distinct energy disadvantage," thus limiting its ability to dogfight, the pilot explained.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Sep 23 07:59:14 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Sep 2015 08:59:14 -0400
Subject: [Infowarrior] - EU-U.S. Data Sharing Deal Can't Be Trusted, Top Court Aide Says
Message-ID: <29B0B69F-55EA-43B3-9B6F-504DED05143C@infowarrior.org>

bloomberg.com
EU-U.S. Data Sharing Deal Can't Be Trusted, Top Court Aide Says
Stephanie Bodoni
http://www.bloomberg.com/news/articles/2015-09-23/eu-u-s-data-sharing-deal-can-t-be-trusted-top-court-aide-says

American spies have almost unfettered access to information about European users of Facebook Inc. and other social media thanks to an illegal trans-Atlantic pact on data-transfers, an adviser to the EU's top court warned on Wednesday.

Secret U.S. orders forcing technology companies to hand over personal data linked to EU citizens can't continue under an "invalid" data-transfer accord struck 15 years ago, Advocate General Yves Bot of the Luxembourg-based tribunal said in a non-binding opinion. The EU court follows such advice in a majority of cases.

EU citizens "who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies," said Bot. National data privacy watchdogs have the power, "where appropriate," to suspend the transfer of such data to servers located in the U.S., including in the case concerning the data of European Facebook users, he said.

Unwarranted Interference

The EU Court of Justice should scrap the 2000 Safe Harbor decision because it doesn't protect citizens from the 28-nation bloc enough from an "unwarranted interference" with their rights and a "large-scale collection of personal data," he said. The EU-U.S.
data-sharing accord gives U.S. intelligence services "wide-ranging" access to EU citizens' data that "must be considered to be particularly serious, given the large number of users concerned and the quantities of data transferred," said Bot. Those factors and "the secret nature" of the U.S. agencies' access to such data via the servers of companies based in the U.S. "make the interference extremely serious."

The EU's top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the EU's tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.

Too Lax

Bot criticized the European Commission for having neither "suspended nor adapted" the decision even though "it was aware of shortcomings" all along. The commission has been in negotiations with the U.S. for two years in a bid to address its concerns with the Safe Harbor decision of too lax sharing of people's personal data. The Brussels-based EU executive arm said it "has been working tirelessly with the U.S. on the final details of a deal in the last weeks and we are confident that we can reach a positive conclusion soon," according to an e-mailed statement Wednesday.

Austrian privacy activist Max Schrems triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the U.S. social network company has its European base. He alleged that Facebook's Irish unit illegally handed over data to U.S. spies. Schrems had previously filed 22 complaints against the Menlo Park, California-based company. Facebook, like other tech giants Google Inc. and Yahoo! Inc., have been reeling from the effects of the Snowden revelations in 2013.
The companies have been trying to assure their users or customers that their products are secure and that they don't willingly turn over data to the government.

NSA Surveillance

If followed by the court, it would mean that Facebook's European branch in Ireland "would be barred from processing its data in the U.S., but would have to process its data in a place where those data are not subject to NSA mass-surveillance," Herwig Hofmann, a lawyer representing Schrems, told reporters at the EU court today. All U.S. companies would have to follow the same rules, he said.

Facebook "operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment," said spokeswoman Sally Aldous. "We have repeatedly said that we do not provide 'backdoor' access to Facebook servers and data to intelligence agencies or governments," she said.

All U.S. companies that are certified under Safe Harbor -- there are more than 4,000 such companies -- will be affected by the EU court's decision, which should follow in the next four to six months.

DigitalEurope, a trade group that represents companies such as Apple Inc., Google Inc. and Microsoft Corp., said it is "concerned about the potential disruption to international data flows if the court follows today's opinion," according to a statement by John Higgins, its director general.

"If the safe harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to U.S. companies that are subject to mass surveillance laws," said Schrems in an e-mailed statement. "This may have major commercial downsides for the U.S. tech industry."

The case is: C-362/14, Maximillian Schrems v. Data Protection Commissioner.

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Sep 23 10:06:17 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Sep 2015 11:06:17 -0400
Subject: [Infowarrior] - OPM: 5.6m fingerprints stolen, not 1.1 as first thought
Message-ID: <5B219E4F-37B2-4590-9754-23ACB82DBF9F@infowarrior.org>

The incident just keeps on giving.....

https://www.opm.gov/news/releases/2015/09/cyber-statement-923/

FOR IMMEDIATE RELEASE
Wednesday, September 23, 2015
Contact: Office of Communications
Tel: (202) 606-2402

Statement by OPM Press Secretary Sam Schumach on Background Investigations Incident

As part of the government's ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million. This does not increase the overall estimate of 21.5 million individuals impacted by the incident. An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals.

Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area -- including the FBI, DHS, DOD, and other members of the Intelligence Community -- will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse.
If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

As we have stated previously, all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identity theft and fraud protection services, at no cost to them. In conjunction with the Department of Defense, OPM is working to begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis.

OPM and our partners across government are working to protect the safety and security of the information of Federal employees, service-members, contractors, and others who provide their information to us. Together with our interagency partners, OPM is committed to delivering high-quality identity protection services to impacted individuals. The interagency team will continue to review the impacted data to enhance its quality and completeness, and to monitor for any misuse of the data. The U.S. Government will continue to evaluate the coverage being provided and whether any adjustments are needed in association with this incident.

- end -

Our mission is to Recruit, Retain and Honor a World-Class Workforce to Serve the American People. OPM supports U.S. agencies with personnel services and policy leadership including staffing tools, guidance on labor-management relations and programs to improve work force performance.

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Sep 24 08:33:54 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Sep 2015 09:33:54 -0400
Subject: [Infowarrior] - RIAA CEO: Piracy Notices Are Costly & Increasingly Pointless
Message-ID:

RIAA CEO: Piracy Notices Are Costly & Increasingly Pointless - TorrentFreak
By Andy
https://torrentfreak.com/riaa-ceo-piracy-notices-are-costly-increasingly-pointless-150924/

The CEO and chairman of the RIAA says that the current notice and takedown anti-piracy process is both costly and increasingly pointless. Cary Sherman says the safe harbor provisions of the DMCA have forced labels into a "never-ending game" of whack-a-mole while sites under its protection effectively obtain a discount music licensing system.

It's no secret that the major record labels and their Hollywood counterparts are less than satisfied with the framework designed to facilitate the removal of infringing content on the Internet.

The DMCA and its European equivalent allow rightsholders to send notices to service providers which mandate the removal of allegedly infringing content in a timely manner. While some sites, The Pirate Bay for example, completely ignore takedown notices, most other services such as Google are quick to comply.

Nevertheless, the burden remains on copyright holders to not only report infringing content when it appears on a site, but to also keep reporting it when the same content reappears time and time again. Under the law, providers only have to keep responding to complaints in order to avoid liability, but copyright holders complain that the process is exhausting. Once content is taken down it should stay down, they argue.

In a Forbes op-ed discussing the value of content in the digital age, RIAA chairman and CEO Cary Sherman has again been highlighting the problems his members face, describing the current enforcement system as "seriously antiquated" and criticizing those who take advantage of it.
"Unfortunately, while the system worked when isolated incidents of infringement occurred on largely static web pages -- as was the case when the [DMCA] was passed in 1998 -- it is largely useless in the current world where illegal links that are taken down reappear instantaneously," Sherman says. "The result is a never-ending game that is both costly and increasingly pointless."

But while dedicated piracy sites are clearly a thorn in the side of the RIAA, Sherman doesn't limit his criticism to services that operate on the boundaries of the law. Although they remain unnamed, the music group CEO also appears to take aim at user-generated content sites such as YouTube and Soundcloud.

"Compounding the harm is that some major online music distributors are taking advantage of this flawed system. Record companies are presented with a Hobson's choice: Accept below-market deals or play that game of whack-a-mole," Sherman says.

These kinds of allegations are not new. In April, IFPI chief executive Frances Moore accused YouTube of effectively gaming copyright law in order to avoid fair licensing negotiations with rightsholders.

"We want to ensure that services that make our content available, including by curating and monetizing it, are licensed on the same basis," IFPI told TorrentFreak.

While platforms such as Spotify and Deezer are fully licensed by the labels, the RIAA suggests that others prefer to leverage illicit user uploads instead. While their response to DMCA notices keeps them safe, they are in effect obtaining Spotify-style licensing deals at a fraction of the price.

"The notice and takedown system -- intended as a reasonable enforcement mechanism -- has instead been subverted into a discount licensing system where copyright owners and artists are paid far less than their creativity is worth," Sherman says.
In a twist on historical accusations that the music industry failed to innovate quickly enough during the last decade, Sherman says that it's those taking advantage of a "broken" takedown system that are now living in the past.

"While the music industry has embraced new technology and business models, the beneficiaries of this broken system cling to this antiquated law that was enacted at the turn of the century, well before the modern Internet and today's most advanced (and unimagined) technologies," the RIAA chief concludes.

For the world's largest music labels the future must now offer a modified copyright regime in which 'take down' means 'stay down' -- or face the consequences. Wary of liability, companies like Google are likely to fight that all the way.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Sep 24 14:28:56 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Sep 2015 15:28:56 -0400
Subject: [Infowarrior] - OT: Amen to that.
Message-ID: <821D142B-6810-4BCA-9C53-C88264EEAB4C@infowarrior.org>

(Not that I think they'll take his message to heart, but still. --rick)

Pope Francis teaches Congress how to disagree without demonizing, converse without condemning
By Petula Dvorak
September 24 at 10:20 AM
https://www.washingtonpost.com/local/pope-francis-teaches-congress-how-to-to-disagree-without-demonizing-converse-without-condemning/2015/09/24/1f7faf7e-62b2-11e5-b38e-06883aacba64_story.html

The gentle takedown of our elected leaders began almost the second Pope Francis started speaking Thursday morning at the majestic U.S. Capitol, where polarization and ugly rhetoric have become a twisted badge of honor.

"Your own responsibility as members of Congress is to enable this country, by your legislative activity, to grow as a nation," Pope Francis started. "You are the face of its people, their representatives.
You are called to defend and preserve the dignity of your fellow citizens in the tireless and demanding pursuit of the common good, for this is the chief aim of all politics."

"Whaaa?" some of our most pugnacious lawmakers may have wondered. Politics isn't about retweets and Fox News zingers and MSNBC shoutfests?

And that's when we all watched our elected officials -- the folks so bent on destroying each other they're ready to shut down the entire government in the name of political gamesmanship -- being reminded of what their jobs actually are.

"A political society endures when it seeks, as a vocation, to satisfy common needs by stimulating the growth of all its members, especially those in situations of greater vulnerability or risk," he said. "Legislative activity is always based on care for the people. To this you have been invited, called and convened by those who elected you."

Does that put it in perspective, oh demigods of dysfunction?

Members of Congress, the pope is telling you that you're not elected to preserve your party's power, to forward your team's agenda, to score one for your side. You did not join a gang when you were elected to office. You were invited to care for the people.

Nice, Pope Francis. We get it now, your magic.

This pope draws a Muslim family to the White House parade route at 5 a.m. Wednesday, smiling and waving wildly as his popemobile drove by six hours later. They were texting photos they got of him to all their friends and told me how he waved right at them.

He brings three gay folks dressed like sparkly, drag queen nuns -- members of a radical activist group called the Sisters of Perpetual Indulgence -- all the way from Georgia to thank him for opening the door to tolerance.

And he makes Democrats, Republicans and presidential contenders who have fueled the mean-spirited insanity that is Washington politics stop for a moment, look at each other and, just maybe, wonder if they're doing this all wrong.

"Who am I to judge?"
the 78-year-old Argentine pontiff famously said, when addressing the explosive topic of homosexuality and its place in the church.

Here's a guy who can speak on immigration, abortion, clergy sexual abuse, climate change and homelessness and still inspire tens of thousands of adoring fans to flock to see him and act like unhinged teens who just got a selfie with Taylor Swift. He hits our third-rail issues but still leaves folks feeling all rainbows and unicorns.

And it's not because he's soft on issues. The pope says lots of pretty controversial things.

The victims of the church's sexual abuse scandal -- and many others, myself included -- were appalled by the way he congratulated U.S. bishops Wednesday for "their courage" on that front, but didn't address their culpability or the impact of those crimes on the victims.

[Advocates for clergy sex abuse victims call Pope Francis's remarks "a slap in the face"]

But we're not appalled by the pontiff, because he shows us it's possible to disagree without demonizing, converse without condemning. Eloquence, not bombast. And somewhere along the line, our country has forgotten that.

"He exudes humility, love and compassion, which are values sorely lacking in today's world," a 65-year-old retiree named Kerry Kemp told my colleague DeNeen L. Brown on Wednesday. "He's the anti-Trump."

In a race-to-the-bottom presidential campaign, Trump has called undocumented Mexicans "rapists" and dismissed the heroism of Sen. John McCain, who spent five years as a POW during Vietnam. He sounds right at home in a political environment in which talk radio hosts label women as "sluts" and congressmen compare President Obama to Adolph Hitler.

And we Americans tolerate -- even encourage -- this brand of nasty, mean-spirited discourse.
Instead of listening to one another respectfully, we get all tribal on big, complex issues, taking sides like it's all a big football game, one side versus the other, labels, camps, polarization, black-and-white, ignoring the gray.

This, Pope Francis told Congress, is our folly.

He said to our elected leaders -- the masters of the dark art of division -- that the temptation to pit people against one another is "the simplistic reductionism which sees only good or evil; or, if you will, the righteous and sinners."

"The contemporary world, with its open wounds which affect so many of our brothers and sisters, demands that we confront every form of polarization which would divide it into these two camps," he said. "We know that in the attempt to be freed of the enemy without, we can be tempted to feed the enemy within."

Hear that, Trumpsters?

We have folks analyzing what the pope has said and gaming where he stands. Is he a liberal? He talked about climate change and the poor, that's on THAT side. But then again, he's not moving on abortion or same-sex marriage. Is he a conservative? That's on THAT side.

That kind of categorization is missing the point. And it's tearing us apart.

"Our response must instead be one of hope and healing, of peace and justice," he told Congress, asking them to summon the courage to resolve our complex issues without such stridency. "We must move forward together, as one, in a renewed spirit of fraternity and solidarity, cooperating generously for the common good."

And if that message doesn't make it to Congress, we can listen to what he says. At our kitchen tables and living rooms, at Thanksgiving, on Facebook chats and in the voting booth we can be inspired by the way Pope Francis speaks.

And we can always remember, "Who are we to judge?"

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Sep 24 14:37:19 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Sep 2015 15:37:19 -0400
Subject: [Infowarrior] - Schneier: Living in code yellow world
Message-ID: <03EB07C6-FB42-4090-808A-258AF4FCA957@infowarrior.org>

Living in code yellow world
by Schneier
Elena Scotti/FUSION
September 22, 2015 7 a.m.
http://fusion.net/story/200747/living-in-code-yellow/

In 1989, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the "combat mind-set." Here is his summary:

In White you are unprepared and unready to take lethal action. If you are attacked in White you will probably die unless your adversary is totally inept.

In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.

In Orange you have determined upon a specific adversary and are prepared to take action which may result in his death, but you are not in a lethal mode.

In Red you are in a lethal mode and will shoot if circumstances warrant.

Cooper talked about remaining in Code Yellow over time, but he didn't write about its psychological toll. It's significant. Our brains can't be on that alert level constantly. We need downtime. We need to relax. This is why we have friends around whom we can let our guard down and homes where we can close our doors to outsiders. We only want to visit Yellowland occasionally.

Since 9/11, the US has increasingly become Yellowland, a place where we assume danger is imminent. It's damaging to us individually and as a society.

I don't mean to minimize actual danger. Some people really do live in a Code Yellow world, due to the failures of government in their home countries. Even there, we know how hard it is for them to maintain a constant level of alertness in the face of constant danger. Psychologist Abraham Maslow wrote about this, making safety a basic level in his hierarchy of needs.
A lack of safety makes people anxious and tense, and the long term effects are debilitating.

The same effects occur when we believe we're living in an unsafe situation even if we're not. The psychological term for this is hypervigilance. Hypervigilance in the face of imagined danger causes stress and anxiety. This, in turn, alters how your hippocampus functions, and causes an excess of cortisol in your body. Now cortisol is great in small and infrequent doses, and helps you run away from tigers. But it destroys your brain and body if you marinate in it for extended periods of time.

Not only does trying to live in Yellowland harm you physically, it changes how you interact with your environment and it impairs your judgment. You forget what's normal and start seeing the enemy everywhere. Terrorism actually relies on this kind of reaction to succeed.

Here's an example from The Washington Post last year: "I was taking pictures of my daughters. A stranger thought I was exploiting them." A father wrote about his run-in with an off-duty DHS agent, who interpreted an innocent family photoshoot as something nefarious and proceeded to harass and lecture the family. That the parents were white and the daughters Asian added a racist element to the encounter.

At the time, people wrote about this as an example of worst-case thinking, saying that as a DHS agent, "he's paid to suspect the worst at all times and butt in." While, yes, it was a "disturbing reminder of how the mantra of 'see something, say something' has muddied the waters of what constitutes suspicious activity," I think there's a deeper story here. The agent is trying to live his life in Yellowland, and it caused him to see predators where there weren't any. I call these "movie-plot threats," scenarios that would make great action movies but that are implausible in real life. Yellowland is filled with them.
Last December former DHS director Tom Ridge wrote about the security risks of building a NFL stadium near the Los Angeles Airport. His report is full of movie-plot threats, including terrorists shooting down a plane and crashing it into a stadium. His conclusion, that it is simply too dangerous to build a sports stadium within a few miles of the airport, is absurd. He's been living too long in Yellowland.

That our brains aren't built to live in Yellowland makes sense, because actual attacks are rare. The person walking towards you on the street isn't an attacker. The person doing something unexpected over there isn't a terrorist. Crashing an airplane into a sports stadium is more suitable to a Die Hard movie than real life. And the white man taking pictures of two Asian teenagers on a ferry isn't a sex slaver. (I mean, really?)

Most of us, that DHS agent included, are complete amateurs at knowing the difference between something benign and something that's actually dangerous. Combine this with the rarity of attacks, and you end up with an overwhelming number of false alarms. This is the ultimate problem with programs like "see something, say something." They waste an enormous amount of time and money.

Those of us fortunate enough to live in a Code White society are much better served acting like we do. This is something we need to learn at all levels, from our personal interactions to our national policy. Since the terrorist attacks of 9/11, many of our counterterrorism policies have helped convince people they're not safe, and that they need to be in a constant state of readiness. We need our leaders to lead us out of Yellowland, not to perpetuate it.

Schneier is the CTO of Resilient Systems, Inc, and a fellow at the Berkman Center for Internet and Society at Harvard Law School. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Sep 25 06:59:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 Sep 2015 07:59:46 -0400
Subject: [Infowarrior] - Snowden dump: From Radio to Porn, British Spies Track Web Users' Online Identities
Message-ID: <60491FBD-619D-44BC-A0FD-8255F5212EBC@infowarrior.org>

Profiled: From Radio to Porn, British Spies Track Web Users' Online Identities
Ryan Gallagher
Sep. 25 2015, 5:40 a.m.

THERE WAS A SIMPLE AIM at the heart of the top-secret program: Record the website browsing habits of "every visible user on the Internet."

Before long, billions of digital records about ordinary people's online activities were being stored every day. Among them were details cataloging visits to porn, social media and news websites, search engines, chat forums, and blogs.

The mass surveillance operation -- code-named KARMA POLICE -- was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom's electronic eavesdropping agency, Government Communications Headquarters, or GCHQ.

The revelations about the scope of the British agency's surveillance are contained in documents obtained by The Intercept from National Security Agency whistleblower Edward Snowden. Previous reports based on the leaked files have exposed how GCHQ taps into Internet cables to monitor communications on a vast scale, but many details about what happens to the data after it has been vacuumed up have remained unclear.

Amid a renewed push from the U.K. government for more surveillance powers, more than two dozen documents being disclosed today by The Intercept reveal for the first time several major strands of GCHQ's existing electronic eavesdropping capabilities.

< -- >

https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-online-identities/

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Sep 25 15:19:10 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 Sep 2015 16:19:10 -0400
Subject: [Infowarrior] - FISC gets its first outside adversarial advocate
Message-ID:

Secret Surveillance Court Picks First Outsider To Get a Look In
Jenna McLaughlin
Sep. 25 2015, 2:00 p.m.
https://theintercept.com/2015/09/25/secret-surveillance-court-picks-first-outsider-get-look/

The shadowy Foreign Intelligence Surveillance Court has appointed its first "friend of the court" to add an outsider's perspective to the highly secretive process of approving surveillance requests from the government.

Preston Burton, a criminal defense attorney known for his work with accused spies, is the first of at least five amici curiae the court must appoint due to a provision in the USA Freedom Act, the surveillance-reform legislative package passed in June.

Groups like the Center for Democracy and Technology had pressed Congress to include language about amici, or independent experts, to provide the court with unbiased understanding of the complex technical and civil-liberty issues that come before it.

The role of the amici is fairly limited, however. They will only be brought in on "certain matters" that may present "a novel or significant interpretation of the law." The FISA Court does not necessarily have to share classified information with the amici, and has the authority to determine whether or not information they present is "relevant."

Burton is best known for representing famous clients, including Monica Lewinsky, the so-called D.C. Madam, and several former FBI, CIA, and DIA agents accused of being spies for foreign countries.

It's unclear why he was chosen to represent the public's interest in this way. In 2006, Washingtonian described him as "still the man to see if you're a spy." One factor could be that in espionage cases, defense attorneys are required to have security clearances --
something that is also required of amici for the FISA Court. By contrast, most civil liberties activists don't have security clearances, and wouldn't accept the non-disclosure prohibitions that go along with them.

Judge Michael Mosman, the author of the order, wrote that Burton is "well qualified to assist in the Court in considering the issue specified herein." Reached by The Intercept, Burton said he doesn't comment on matters that are pending in court.

Some privacy advocates are wary. "Without an institutional base and with all the secrecy obligations at FISA there is a very serious risk of 'capture,'" wrote Jeramie Scott, national security counsel for the Electronic Privacy Information Center. "He will need to be extremely independent to safeguard all of the interests that role requires."

Photo caption: Preston Burton in his office.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Sat Sep 26 17:07:02 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Sep 2015 18:07:02 -0400
Subject: [Infowarrior] - Jericho on 'Compassion Fatigue'
Message-ID: <8D1AD42C-5C20-4AE9-8E5F-AB5A2CFD366D@infowarrior.org>

Compassion Fatigue in an industry largely devoid of compassion.
September 26, 2015 by jerichoattrition in InfoSec and tagged Psychology

A few days ago, Schneier actually wrote a slightly interesting piece for Fusion. I say that with surprise because most of his articles are engaging and well-written, but he rarely shares new ideas or concepts. Most of my professional circle is already very familiar with a given topic, and Schneier largely enjoys a reputation for his insight because he has a considerable following and they read about it there first. In this case, it wasn't so much that Schneier's piece was new information (he did quote and cite a 1989 reference on the topic that was new to me), it was that he flirted with a much more interesting topic that is somewhat aligned with his point.
< - >

https://jerichoattrition.wordpress.com/2015/09/26/compassion-fatigue-in-an-industry-largely-devoid-of-compassion/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Sep 28 12:08:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Sep 2015 13:08:50 -0400
Subject: [Infowarrior] - The Big Secret That Makes the FBI's Anti-Encryption Campaign a Big Lie
Message-ID:

The Big Secret That Makes the FBI's Anti-Encryption Campaign a Big Lie
Jenna McLaughlin
Sep. 28 2015, 10:47 a.m.

To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy.

But that's just not true.

In the rare cases in which an investigation may initially appear to be blocked by encryption -- and so far, the FBI has yet to identify a single one -- the government has a Plan B: it's called hacking.

Hacking -- just like kicking down a door and looking through someone's stuff -- is a perfectly legal tactic for law enforcement officers, provided they have a warrant.

And law enforcement officials have, over the years, learned many ways to install viruses, Trojan horses, and other forms of malicious code onto suspects' devices. Doing so gives them the same access the suspects have to communications -- before they've been encrypted, or after they've been unencrypted.

Government officials don't like talking about it -- quite possibly because hacking takes considerably more effort than simply asking a telecom provider for records. Robert Litt, general counsel to the Director of National Intelligence, recently referred to potential government hacking as a process of "slow uncertain one-offs."

But they don't deny it, either. Hacking is "an avenue to consider and discuss," Amy Hess, the assistant executive director of the FBI's Science and Technology branch, said at an encryption debate earlier this month.
The FBI "routinely identifies, evaluates, and tests potential exploits in the interest of cyber security," bureau spokesperson Christopher Allen wrote in an email.

< - >

https://theintercept.com/2015/09/28/hacking/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Sep 28 14:44:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Sep 2015 15:44:41 -0400
Subject: [Infowarrior] - Apple: Drone Strikes Are Offensive, Farts and Poop Are Cool
Message-ID: <1CD2E85B-69EC-48AC-9EE9-46321F4DC995@infowarrior.org>

Apple: Drone Strikes Are Offensive, Farts and Poop Are Cool

http://gawker.com/apple-kills-drone-strike-news-app-for-being-too-crude-1733402994

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Sep 28 15:16:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Sep 2015 16:16:53 -0400
Subject: [Infowarrior] - Rightscorp's Copyright Trolling Phone Script
Message-ID: <74088D99-3E99-4295-BF71-9780EFDB3208@infowarrior.org>

(the script is worth reading, to understand the depths of their depravity and fear-mongering. ---rick)

Rightscorp's Copyright Trolling Phone Script Tells Innocent People They Need To Give Their Computers To Police

https://www.techdirt.com/articles/20150925/18032032365/rightscorps-copyright-trolling-phone-script-tells-innocent-people-they-need-to-give-their-computers-to-police.shtml

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Sep 29 06:37:49 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Sep 2015 07:37:49 -0400
Subject: [Infowarrior] - On Cyber, Has Beijing Outmaneuvered Washington?
Message-ID:

China-US Cyber Agreements: Has Beijing Outmaneuvered Washington?

http://thediplomat.com/2015/09/china-us-cyber-agreements-has-beijing-outmaneuvered-washington/

-- 
It's better to burn out than fade away.
From rforno at infowarrior.org Tue Sep 29 06:47:13 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Sep 2015 07:47:13 -0400
Subject: [Infowarrior] - Did a Rogue NSA Operation Cause the Death of a Greek Telecom Employee?
Message-ID:

Did a Rogue NSA Operation Cause the Death of a Greek Telecom Employee?
James Bamford
Sep. 28 2015, 10:01 p.m.

https://theintercept.com/2015/09/28/death-athens-rogue-nsa-operation/

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Sep 29 08:13:59 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Sep 2015 09:13:59 -0400
Subject: [Infowarrior] - FBI and DEA under review for use of NSA mass surveillance data
Message-ID:

FBI and DEA under review for use of NSA mass surveillance data
By Patrick Howell O'Neill
Sep 29, 2015, 7:00am CT | Last updated Sep 29, 2015, 7:54am CT
http://www.dailydot.com/politics/nsa-dea-fbi-snowden-doj-oig/

The Justice Department is investigating the FBI's use of information taken directly from mass surveillance conducted by the National Security Agency (NSA)'s collection of telephone metadata.

The yield of that NSA spying program was described by a judge as a "staggering" amount of data when the agency's ability to collect it was struck down as illegal in court earlier this year. The program was resumed in June and will run until at least December.

Another ongoing Justice Department investigation is examining the Drug Enforcement Administration (DEA)'s use of "parallel construction."

Parallel construction is a controversial investigative technique that takes information gained from sources like the NSA's mass surveillance, covers up or lies about the sources, and then utilizes them in criminal investigations inside the United States. The information was passed to other federal agencies like the Internal Revenue Service (IRS).

The technique was described as "decades old, a bedrock concept" by a DEA official.
Critics at the Electronic Frontier Foundation (EFF) described the technique as "intelligence laundering" designed to cover up "deception and dishonesty" that ran contrary to the original intent of post-9/11 surveillance laws.

Both the FBI and DEA, which operate under the jurisdiction of the Justice Department, are under review by the department's Office of Inspector General (OIG).

The details of the NSA's mass metadata collection program were first publicly revealed in 2013 by contractor Edward Snowden. The DEA's use of parallel construction was revealed by Reuters a few months later.

The OIG is charged with identifying and investigating fraud, waste, abuse, and mismanagement. Although OIG reports cannot on their own force change, detailed information is always shared with Congress and often the public, which can lead to the investigated party agreeing to the suggested changes and conclusions from the OIG or other entities.

The NSA sent daily metadata reports to the FBI from at least 2006 to 2011, according to the director of national intelligence. The ongoing review will examine how the FBI processed the NSA's information, how much information was passed along, and the results of the initiated investigations.

The NSA's mass collection of telephone metadata was thought to be authorized under Section 215 of the Patriot Act. Both the George W. Bush and Barack Obama administrations argued for and renewed authorization until the program expired in Congress earlier this year.

The Justice Department's Office of Inspector General is also investigating the FBI's use of Patriot Act Section 215 from 2012 to 2014 that allowed it to obtain "any tangible thing" from any business or entity as part of investigations against international terrorism or spying.

A previous investigation revealed that every single Section 215 application submitted by the FBI to the secretive Foreign Intelligence Surveillance Court (FISA) was approved. That amount of data collected was a "staggering" amount of information, Judge Gerard E. Lynch wrote in his decision. "Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans."

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Sep 30 07:34:03 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Sep 2015 08:34:03 -0400
Subject: [Infowarrior] - GAO finds federal networks unprepared for cyberattacks
Message-ID:

Face, meet palm. I wonder if they at least changed the font on the report/recommendations before publishing? My sympathies to competent federal CSOs wherever they may be. --rick

Government audit finds federal networks unprepared for cyberattacks
by Mariella Moon | @mariella_moon | 43 mins ago
http://www.engadget.com/2015/09/30/government-audit-federal-agencies/

The Government Accountability Office (GAO) has discovered that 24 federal agencies are unprepared to protect their networks in the face of cyberattacks. According to the results of a recent GAO audit, these agencies continue to have weaknesses when it comes to detecting unauthorized network access, managing software and hardware configuration and planning for operations in case of network disruption, among other things. The agency says these weaknesses put federal personnel's sensitive information at risk of being pilfered, just like what happened to the people whose identities were stolen when the Office of Personnel Management was hacked. Hackers got away with 30 years worth of data -- including 21.5 million Social Security Numbers -- from that attack.

GAO is adamant that it "made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs" in the past. Unfortunately, the agencies were yet to implement those pointers by the time they were audited.
Senator Tom Carper told The Hill, however, that the audits happened before the agencies could execute the changes required by the Federal Information Security Act and the Federal Information Technology Acquisition Reform Act. The results of this audit make it clearer why Homeland Security recently signed a lucrative contract with Raytheon to help federal agencies secure their networks and fend off cyberattacks. In addition, the Pentagon is working on an automated system that can detect unauthorized access before hackers can steal top secret info or do irreversible damage.

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Sep 30 09:40:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Sep 2015 10:40:43 -0400
Subject: [Infowarrior] - Twitter releases guides for pols/candidates/agency use
Message-ID:

I've not read it yet, but wonder if "don't be an idiot" is included in their guidance. --rick

Twitter for Government

https://media.twitter.com/government

-- 
It's better to burn out than fade away.