From rforno at infowarrior.org Mon Feb 1 08:46:01 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Feb 2016 09:46:01 -0500
Subject: [Infowarrior] - Berkman Report Reframes Encryption Debate
Message-ID: <6741AD63-3DD6-45AA-A6BF-ED723A3B0D0C@infowarrior.org>

Reconciling Perspectives: New Report Reframes Encryption Debate
January 31, 2016
https://cyber.law.harvard.edu/node/99280

The Berklett Cybersecurity Project of the Berkman Center for Internet & Society at Harvard University is pleased to announce the publication of a new report entitled "Don't Panic: Making Progress on the 'Going Dark' Debate." The report examines the high-profile debate around government access to encryption, and offers a new perspective gleaned from the discussion, debate, and analyses of an exceptional and diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community.

"Many conversations on sensitive subjects of technology and security are productive because they're among people who already agree," said Prof. Jonathan Zittrain, faculty chair of the Berkman Center. "The aim of this project is to bring together people who come from very different starting points and roles, and who very rarely have a chance to speak frankly with one another. We want to come away with some common insights that could help push the discussion into some new territory."

The report takes issue with the usual framing of the encryption debate and offers context and insights that widen the scope of the conversation to more accurately reflect the surveillance landscape both now and in the future.

"In this report, we're questioning whether the 'going dark' metaphor used by the FBI and other government officials fully describes the future of the government's capacity to access communications," said Berkman Center fellow Bruce Schneier. "We think it doesn't. While it may be true that there are pockets of dimness, there are other areas where communications and information are actually becoming more illuminated, opening up more vectors for surveillance."

"There's no question that the use of encryption impedes government surveillance of terrorists and criminals," said Matthew Olsen, former Director of the National Counterterrorism Center. "And we take seriously the concerns of the FBI and others about encryption. We looked forward to consider the overall trajectory of technology and surveillance, and identified points of consensus about the government's ability to collect information necessary to protect the public."

Set within the recent implementation of encryption by various companies and the recent history of the government's increasing concerns, the report outlines how market forces and commercial interests as well as the increasing prevalence of networked sensors in machines and everyday appliances point to a future with more opportunities for surveillance, not less.

The group and report's signatories include high-profile individuals who bring a spectrum of perspectives to the table. "The sign-on from this set of participants is unique. These are people who were likely to disagree about many things in the debate, and yet we found common ground," said Senior Researcher David O'Brien.

About the Berklett Cybersecurity Project

The Berkman Center for Internet & Society's Berklett Cybersecurity Project convenes a diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community to explore and evaluate the roles and responsibilities of the U.S. government in promoting cybersecurity. This group is examining a wide range of topics including, among others, the ongoing encryption debate, public-private information sharing, and responsible disclosures of software vulnerabilities. The project is led by Professor Jonathan Zittrain, former National Counterterrorism Center Director Matthew Olsen, and cryptographer and civil liberties author Bruce Schneier. The name "Berklett" is a portmanteau of "Berkman" and "Hewlett," as in the William and Flora Hewlett Foundation, which generously supports the effort. More information at https://brk.mn/cybersecurity.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 2 13:58:18 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 2 Feb 2016 14:58:18 -0500
Subject: [Infowarrior] - NSA plans major reorganization
Message-ID: <7666C986-F509-47ED-8563-C4FA87E41E46@infowarrior.org>

National Security Agency plans major reorganization
By Ellen Nakashima
February 2 at 12:21 PM
https://www.washingtonpost.com/world/national-security/national-security-agency-plans-major-reorganization/2016/02/02/2a66555e-c960-11e5-a7b2-5a2f824b02c9_story.html

The National Security Agency, the largest electronic spy agency in the world, is undertaking a major reorganization, merging its offensive and defensive organizations in the hope of making them more adept at facing the digital threats of the 21st century, according to current and former officials.

In place of the Signals Intelligence and Information Assurance directorates, the organizations that historically have spied on foreign targets and defended classified networks against spying, the NSA is creating a Directorate of Operations that combines the operational elements of each.

"This traditional approach we have where we created these two cylinders of excellence and then built walls of granite between them really is not the way for us to do business," said agency Director Michael S. Rogers, hinting at the reorganization — dubbed NSA21 — that is expected to be publicly rolled out this week. "We've gotta be flat," he told an audience at the Atlantic Council last month. "We've gotta be agile."
Some lawmakers who have been briefed on the broad parameters consider restructuring a smart thing to do because an increasing amount of intelligence and threat activity is coursing through global computer networks.

"When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent," said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. "What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa."

But there have been rumblings of discontent within the NSA, which is based at Fort Meade, Md., as some fear a loss of influence or stature. Some advocates for the comparatively small Information Assurance Directorate, which has about 3,000 people, fear that its ability to work with industry on cybersecurity issues will be undermined if it is viewed as part of the much larger "sigint" collection arm, which has about eight times as many personnel. The latter spies on overseas targets by hacking into computer networks, collecting satellite signals and capturing radio waves.

"The NSA21 initiative will ensure the National Security Agency continues to be the preeminent signals intelligence and information assurance organization in the world," said Jonathan Freed, director of strategic communications at the NSA. "These core missions are critical as we position NSA to face complex and evolving threats to the nation. Out of respect for our workforce, we cannot comment on any details or speculation before the plan is announced."

The change comes about a year after the CIA did its own revamping, ending divisions that have been in place for decades and creating new centers that team analysts with operators. The NSA's new directorate of operations also will place analysts with operators.

Rogers in a speech in December characterized the change as "among the most comprehensive" at the NSA since the late 1990s. He began the effort about a year ago, giving a team of employees from across the agency what he called the "director's charge." Among the major questions they were asked were: How can the agency better innovate? And how "do we inculcate collaboration and integration" in operations?

For instance, said one former U.S. official familiar with the plan, both information assurance and foreign intelligence gathering rely on similar processes for data analysis and depend on each other. "But the challenge is they are very much two different cultures," the official said. "Unless you've worked on both sides of the house, you don't inherently trust each other."

The Information Assurance Directorate (IAD) seeks to build relationships with private-sector companies and help find vulnerabilities in software — most of which officials say wind up being disclosed. It issues software guidance and tests the security of systems to help strengthen their defenses. But the other side of the house at NSA, which looks for vulnerabilities that can be exploited to hack a foreign network, is much more secretive.

"You have this kind of clash between the closed environment of the sigint mission and the need of the information assurance team to be out there in the public and be seen as part of the solution," said a second former official. "I think that's going to be a hard trick to pull off."

Richard George, a former technical director for the IAD, said he saw how techniques that the defense side developed have helped the offense and vice versa. "It's got to be really useful to have those groups closer together where they'll be sharing ideas and techniques more frequently," said George, now a senior cyber adviser at Johns Hopkins University's Applied Physics Lab.

Former NSA director Michael V. Hayden undertook one of the other major reorganizations, creating the Signals Intelligence Directorate (SID) in 2000 by merging two directorates — Operations and Technology. He said he opted not to fold in the IAD. "From the outside perspective," he said, "I needed an organization that was, and was seen to be, committed to defense." At the time, he added, IAD needed to be strengthened and adapted to the cyber age. "Keeping it separate allowed me more direct visibility into that," he said. "That said, as the cyber mission matured, the operational and technological aspects of the SID and IAD missions merged more and more."

By 2005, as cyber threats were growing, Hayden decided to create a new organization that would enable the agency to leverage the intelligence it was getting from spying on overseas networks to help it defend against intrusions into the government's classified networks. The National Threat Operations Center (NTOC) was an experiment in combining offense and defense. "It was wildly successful," the first former official said.

NTOC dispelled the myth, the official said, that one person cannot operate under two sets of legal authorities — offensive and defensive. "I can actually sit at my desk and one minute be using sigint data and authorities ... and the next minute I could be using IA data and authorities and my mission is not changing," the official said. "You need checks and balances. You need to know what authority you're using at any given time, but it's possible."

Still, some congressional aides briefed on the broad outlines of the plan have expressed concern about mixing funding for intelligence activities and funding for cybersecurity activities.

One area where the sigint side is ahead of information assurance is in using big data analytic tools to manipulate large volumes of information quickly. "What we want to do is take advantage of that knowledge, to apply it as needed to the IA analysis," the first former official said.
Under the reorganization plan, there also will be separate directorates of Capabilities and of Research.

"One of the fundamental tenets you'll see us outline as we try to position NSA for ... the environment I think we're going to see five, 10 years from now is a much more integrated approach to doing business," Rogers said at the Atlantic Council. "I don't like these stovepipes of SID and IAD. I love the expertise. And I love when we work together. But I want the integration to be at a much lower level, and much more foundational."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 2 16:52:55 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 2 Feb 2016 17:52:55 -0500
Subject: [Infowarrior] - The Intercept admits reporter fabricated stories and quotes
Message-ID: <2780B4AF-6813-4A47-AEAD-77337DAB7FF8@infowarrior.org>

A Note to Readers
Betsy Reed
Feb. 2 2016, 1:25 p.m.
https://theintercept.com/2016/02/02/a-note-to-readers/

The Intercept recently discovered a pattern of deception in the actions of a staff member. The employee, Juan Thompson, was a staff reporter from November 2014 until last month. Thompson fabricated several quotes in his stories and created fake email accounts that he used to impersonate people, one of which was a Gmail account in my name.

An investigation into Thompson's reporting turned up three instances in which quotes were attributed to people who said they had not been interviewed. In other instances, quotes were attributed to individuals we could not reach, who could not remember speaking with him, or whose identities could not be confirmed. In his reporting Thompson also used quotes that we cannot verify from unnamed people whom he claimed to have encountered at public events. Thompson went to great lengths to deceive his editors, creating an email account to impersonate a source and lying about his reporting methods.

We have published corrections and editor's notes to the affected pieces, and we will publish further corrections if we identify additional problems. We are retracting one story in its entirety. We have decided not to remove the posts but have labeled them "Retracted" or "Corrected," based on our findings. We have added notes to stories with unconfirmed quotes. We apologize to the subjects of the stories; to the people who were falsely quoted; and to you, our readers. We are contacting news outlets that picked up the corrected stories to alert them to the problems.

Thompson wrote mostly short articles on news events and criminal justice. Many of these articles relied on publicly available sources and are accurate; others contain original reporting that held up under scrutiny. Thompson admitted to creating fake email accounts and fabricating messages, but stood by his published work. He did not cooperate in the review.

The Intercept deeply regrets this situation. Ultimately, I am accountable for everything we publish. The best way we can see to maintain the trust of readers is to acknowledge and correct these mistakes, and to focus on producing journalism we are proud of.

Retracted: Dylann Roof's Cousin Claims Love Interest Chose Black Man Over Him
Corrected: Footage of Police Violence Puts Heat on Chicago Officials
Corrected: Black Lives Matter Activists Blocked From Entering Trump Campaign Rally
Corrected: St. Louis Grapples — and Fails to Grapple — With the Matter of Murdered Black Women
Corrected: St. Louis Residents Fight to Keep Spy Agency From Taking Their Homes

Contact the author: Betsy Reed, betsy.reed@theintercept.com

--
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 3 09:20:50 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 3 Feb 2016 10:20:50 -0500
Subject: [Infowarrior] - Bose's new beat
Message-ID:

Bose's new beat

Bose has always taken great pride in its technical innovations and the quality of its products. But new CEO Bob Maresca is betting on a new approach to get Bose to the next level: Telling people what this secretive company is all about.

< - >

http://www.cnet.com/news/bose-behind-the-scenes/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 3 18:03:34 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 3 Feb 2016 19:03:34 -0500
Subject: [Infowarrior] - Countries Sign The TPP... Whatever Happened To The 'Debate' We Were Promised Before Signing?
Message-ID: <871A897A-453E-4ADD-80A0-D35AD70E350F@infowarrior.org>

Countries Sign The TPP... Whatever Happened To The 'Debate' We Were Promised Before Signing?
from the now-the-ratification-fight dept
https://www.techdirt.com/articles/20160203/15151133510/countries-sign-tpp-whatever-happened-to-debate-we-were-promised-before-signing.shtml

About an hour ago, representatives from 12 different nations officially signed the Trans Pacific Partnership (TPP) agreement in Auckland, New Zealand. The date, February 4th (New Zealand time) is noteworthy, because it's 90 days after the official text was released. There was a 90 day clock that was required between releasing the text and before the US could actually sign onto the agreement. The stated purpose of this 90 day clock was in order to allow "debate" about the agreement. Remember, the entire agreement was negotiated in secret, with US officials treating the text of the document as if it were a national security secret (unless you were an industry lobbyist, of course). So as a nod to pretend "transparency" there was a promise that nothing would be signed for 90 days after the text was actually released.

So... uh... what happened to that "debate"? It didn't happen at all. The TPP was barely mentioned at all by the administration in the last 90 days. Even during the State of the Union, Obama breezed past the TPP with a quick comment, even though it's supposedly a defining part of his "legacy." But there's been no debate. Because there was never any intent for an actual debate. The 90 day clock was just something that was put into the process so that the USTR and the White House could pretend that there was more "transparency" and that they wouldn't sign the agreement until after it had been looked at and understood by the public.

Of course, the signing is a totally meaningless bit of theater. The real fight is over ratification. The various countries need to ratify the TPP for the agreement to go into effect. Technically, the TPP will enter into force 60 days after all signers ratify it... or, if that doesn't happen, within two years if at least six of the 12 participant countries ratify it and those six countries account for 85% of the combined gross domestic product of the 12 countries. Got that? In short, this means that if the US doesn't ratify it, the TPP is effectively dead. The US needs a majority of both houses of Congress to approve it, similar to a typical bill. And that's no sure thing right now. Unfortunately, that's mainly because a group of our elected officials are upset that the TPP doesn't go far enough in helping big businesses block competition, but it's still worth following.

Inevitably, there will be some debate during the ratification process, though there are enough rumors suggesting that no one really wants to do it until after the Presidential election, because people running for President don't want to reveal that they're happy to sell out the public's interest to support a legacy business lobbyist agenda. But, even that debate will likely be fairly limited and almost certainly will avoid the real issues, and real problems, with the TPP.

Either way, today's symbolic signing should really be an exclamation point on the near total lack of transparency and debate in this process. The 90 day window was a perfect opportunity to have an actual discussion about what's in the TPP and why there are problems with it, but the administration showed absolutely no interest in doing so. And why should it? It already got the deal it wanted behind closed doors. But, at least it can pretend it used these 90 days to be "transparent."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 4 06:02:42 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Feb 2016 07:02:42 -0500
Subject: [Infowarrior] - UN: Assange confinement is arbitrary detention
Message-ID: <2B6B9BFC-EE5C-4557-8B4D-01FE9539A916@infowarrior.org>

Julian Assange confinement is arbitrary detention, UN panel rules
David Crouch
http://www.theguardian.com/media/2016/feb/04/julian-assange-wikileaks-arrest-friday-un-investigation

A United Nations panel has ruled that Julian Assange's three-and-a-half year confinement in the Ecuadorean embassy amounts to "arbitrary detention", the Guardian understands, leading his lawyers to call for the Swedish extradition request to be dropped immediately.

Assange had appealed to the UN working group on arbitrary detention in 2014, arguing that he was illegally confined to the embassy because he risks arrest if he leaves. The Wikileaks founder sought asylum from Ecuador in July 2012 to avoid extradition to Sweden to face questioning over rape and sexual assault allegations.

The panel's findings were disclosed to the Swedish and British governments on 22 January, and will be published tomorrow.
Assange's Swedish lawyer, Per Samuelson, said if the WGAD found in his favour, "there is only one solution for Marianne Ny [the Swedish prosecutor seeking Assange's extradition], and that is to immediately release him and drop the case. If he is regarded as detained, that means he has served his time, so I see no other option for Sweden but to close the case."

His lawyers also demanded assurances from the UK that Assange would not be arrested and subjected to potential extradition to the US, which he fears.

The British Foreign Office said it would not pre-empt the panel's findings, but said in a statement: "We have been consistently clear that Mr Assange has never been arbitrarily detained by the UK but is, in fact, voluntarily avoiding lawful arrest by choosing to remain in the Ecuadorean embassy.

"An allegation of rape is still outstanding and a European arrest warrant in place, so the UK continues to have a legal obligation to extradite Mr Assange to Sweden."

Anna Ekberg, a spokesperson for the Swedish foreign ministry, said it would not comment ahead of the formal publication on Friday.

Assange has said that if the panel finds against him, he will voluntarily leave the embassy and accept arrest, "as there is no meaningful prospect of further appeal. However, should I prevail and the state parties be found to have acted unlawfully, I expect the immediate return of my passport and the termination of further attempts to arrest me."

It is not clear if Assange has any knowledge of the findings of the UN investigation, which concluded on 4 December. The Metropolitan police have said they will make "every effort" to arrest the WikiLeaks founder should he leave the embassy, and it is not clear if the panel findings will have any bearing on this position.

Outside the embassy on Thursday there was one police car and a growing media presence.

A source familiar with the UN working group told the Guardian that if the Swedish or British governments ignored its decision, "it would make it very difficult for them to make use of UN human rights council decisions in the future to bring pressure on other countries over human rights violations — the ruling sends a strong political message".

Assange has not been charged with any offence, but has been sought for questioning in Sweden in relation to sexual assault allegations made against him by two women.

The appeal was a last-ditch legal attempt by Assange to get a ruling that his detention is arbitrary and unlawful. It rests on a challenge to the European extradition system, his inability to access the benefit of the grant of asylum by Ecuador, and what he argues is his long-term detention.

The submission to the UN was launched with little fanfare. Assange said in a statement that the UN encourages the adjudicators to carry out its task with "discretion, objectivity and independence" and that the UK and Swedish governments had submitted their responses to the working group on arbitrary detention confidentially.

In a statement issued by WikiLeaks on Twitter, Assange said: "Should the UN announce tomorrow that I have lost my case against the United Kingdom and Sweden, I shall exit the embassy at noon on Friday to accept arrest by British police as there is no meaningful prospect of further appeal.

"However, should I prevail and the state parties be found to have acted unlawfully, I expect the immediate return of my passport and the termination of further attempts to arrest me."

The ultimatum issued by Assange will come as a surprise to many observers, coming at the end of a lengthy diplomatic wrangle between Sweden and Ecuador to allow him to be questioned at the Ecuadorian embassy by Swedish prosecutors. An agreement was finally reached late last year, and the South American nation's foreign minister, Ricardo Patiño, told the Ecuadorean radio station Publica that the country was accepting Sweden's request to interrogate Assange "as long as the sovereignty of the Ecuadorian state and the laws in the constitution are respected". Permission had been granted by the British authorities in June.

Per E Samuelsson, Assange's Swedish lawyer, said his client still hoped to clear his name. "If he is regarded detained I take it for granted that Marianne Ny and Swedish authorities will respect that decision and instantly cancel the decision to keep Mr Assange in custody," he told the Guardian. "This does not mean that the question of interrogation will be over. We still want an interrogation to take place so that Mr Assange can clear his name and show everyone that he is innocent.

"The difference is that he will no longer be in custody in absentia and thus be able to use his asylum outside of the embassy. If Assange is regarded as detained he has already served the time so to speak so Marianne Ny should drop the case altogether."

The WikiLeaks founder had raised repeated concerns about Swedish demands that he be questioned in person over the allegations, due to fears he may be extradited to the United States. A grand jury investigation is still believed to be under way in the US following WikiLeaks' publication of the Afghan war diary and United States diplomatic cables.

Swedish authorities have come under scrutiny for their approach to questioning him. It was only in January 2016 that a deal was finally struck by prosecutors with Ecuadorian officials to allow Assange to be questioned at the embassy in London.

Swedish authorities said in August 2015 they were ceasing their inquiries into two counts of alleged sexual molestation and one count of alleged unlawful coercion, with the offences reaching their statute of limitations. A further allegation of rape is still the subject of inquiries.

Assange first entered the Ecuadorian embassy in 2012 after mounting a series of legal challenges in the UK to an extradition warrant from Sweden.

The Metropolitan police recently halted permanent patrols outside the embassy, which had been in place since Assange arrived, because they were "no longer proportionate". Metropolitan police officers had maintained a constant watch of the embassy in Knightsbridge, close to luxury department store Harrods, at a cost of at least £11.1m to the public purse, according to figures released by Scotland Yard in June last year.

Covert surveillance is still in place, and in October police rejected a request from the Ecuadorian embassy that Assange be allowed "safe passage" out of the London embassy to a hospital for an MRI scan recommended by his doctor. The Foreign Office said it would not seek to deny Assange medical treatment but the Metropolitan police reiterated it would arrest the WikiLeaks founder if he left the embassy.

A Met spokesman said: "The operation to arrest Julian Assange does, however, continue and should he leave the embassy the MPS will make every effort to arrest him."

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 4 06:06:46 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Feb 2016 07:06:46 -0500
Subject: [Infowarrior] - The insanity for MPs to read TPP
Message-ID: <2043CE0C-EB98-4409-9860-4BE91B0001CE@infowarrior.org>

A Tiny Cell With An Omnipresent Guard, Visitors Just Twice A Day: TAFTA/TTIP's German Transparency Room
https://www.techdirt.com/articles/20160202/09533933492/tiny-cell-with-omnipresent-guard-visitors-just-twice-day-tafta-ttips-german-transparency-room.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 4 17:51:05 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Feb 2016 18:51:05 -0500
Subject: [Infowarrior] - Firefox 44 Deletes Fine-Grained Cookie Management
Message-ID:

Rick's Reaction: [withholds comment to keep this a PG post]

Firefox 44 Deletes Fine-Grained Cookie Management (mozilla.org)
Posted by timothy on Thursday February 04, 2016 @05:39PM
from the like-my-cookies-smooth dept.

ewhac writes: Among its other desirable features, Firefox included a feature allowing very fine-grained cookie management. When enabled, every time a Web site asked to set a cookie, Firefox would raise a dialog containing information about the cookie requested, which you could then approve or deny. An "exception" list also allowed you to mark selected domains as "Always allow" or "Always deny", so that the dialog would not appear for frequently-visited sites. It was an excellent way to maintain close, custom control over which sites could set cookies, and which specific cookies they could set. It also helped easily identify poorly-coded sites that unnecessarily requested cookies for every single asset, or which would hit the browser with a "cookie storm" — hundreds of concurrent cookie requests.

Mozilla quietly deleted this feature from Firefox 44, with no functional equivalent put in its place. Further, users who had enabled the "Ask before accept" feature have had that preference silently changed to, "Accept normally." The proffered excuse for the removal was that the feature was unmaintained, and that its users were, "probably crashing multiple times a day as a result" (although no evidence was presented to support this assertion). Mozilla's apparent position is that users wishing fine-grained cookie control should be using a third-party add-on instead, and that an "Ask before accept" option was, "not really nice to use on today's Web."

http://tech.slashdot.org/story/16/02/04/2221204/firefox-44-deletes-fine-grained-cookie-management

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 4 20:49:30 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Feb 2016 21:49:30 -0500
Subject: [Infowarrior] - The British want to come to America — with wiretap orders and search warrants
Message-ID: <8F52CAF0-1413-4AA2-9597-4703CA97AA32@infowarrior.org>

The British want to come to America — with wiretap orders and search warrants
By Ellen Nakashima and Andrea Peterson
February 4 at 7:00 PM

If U.S. and British negotiators have their way, MI5, the British domestic security service, could one day go directly to American companies like Facebook or Google with a wiretap order for the on-line chats of British suspects in a counterterrorism investigation.

The transatlantic allies have this month quietly begun negotiations on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. The British would also be able to serve orders to obtain stored data, such as emails.
The previously undisclosed talks are driven by what the two sides and tech firms say is an untenable situation in which foreign governments such as the United Kingdom cannot quickly obtain data for domestic probes because it happens to be held by companies in the United States. The two countries recently concluded a draft negotiating document, which will serve as the basis for the talks. The text has not been made public but a copy was reviewed by The Post. The British would not be able to directly obtain the records of Americans, if a U.S. citizen or resident surfaced in an investigation. And it would still have to follow U.K. legal rules to obtain warrants. Any final agreement will need Congressional action, through amendments to surveillance laws such as the Wiretap Act and the Stored Communications Act.... < - > https://www.washingtonpost.com/world/national-security/the-british-want-to-come-to-america--with-wiretap-orders-and-search-warrants/2016/02/04/b351ce9e-ca86-11e5-a7b2-5a2f824b02c9_story.html -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Feb 5 07:35:34 2016 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 5 Feb 2016 08:35:34 -0500 Subject: [Infowarrior] - Is Apple intentionally bricking iPhones? (Error 53) Message-ID: <81D6D989-0B85-4ECA-AF37-39A2224EE072@infowarrior.org> ?Error 53? fury mounts as Apple software update threatens to kill your iPhone 6 Miles Brignall http://www.theguardian.com/money/2016/feb/05/error-53-apple-iphone-software-update-handset-worthless-third-party-repair Thousands of iPhone 6 users claim they have been left holding almost worthless phones because Apple?s latest operating system permanently disables the handset if it detects that a repair has been carried out by a non-Apple technician. Relatively few people outside the tech world are aware of the so-called ?error 53? problem, but if it happens to you you?ll know about it. 
And according to one specialist journalist, it "will kill your iPhone".

The issue appears to affect handsets where the home button, which has touch ID fingerprint recognition built-in, has been repaired by a "non-official" company or individual. It has also reportedly affected customers whose phone has been damaged but who have been able to carry on using it without the need for a repair.

But the problem only comes to light when the latest version of Apple's iPhone software, iOS 9, is installed. Indeed, the phone may have been working perfectly for weeks or months since a repair or being damaged.

After installation a growing number of people have watched in horror as their phone, which may well have cost them £500-plus, is rendered useless. Any photos or other data held on the handset is lost - and irretrievable.

Tech experts claim Apple knows all about the problem but has done nothing to warn users that their phone will be "bricked" (ie, rendered as technologically useful as a brick) if they install the iOS upgrade.

Freelance photographer and self-confessed Apple addict Antonio Olmos says this happened to his phone a few weeks ago after he upgraded his software. Olmos had previously had his handset repaired while on an assignment for the Guardian in Macedonia.

"I was in the Balkans covering the refugee crisis in September when I dropped my phone. Because I desperately needed it for work I got it fixed at a local shop, as there are no Apple stores in Macedonia. They repaired the screen and home button, and it worked perfectly."

He says he thought no more about it, until he was sent the standard notification by Apple inviting him to install the latest software. He accepted the upgrade, but within seconds the phone was displaying "error 53" and was, in effect, dead.

When Olmos, who says he has spent thousands of pounds on Apple products over the years, took it to an Apple store in London, staff told him there was nothing they could do, and that his phone was now junk. He had to pay £270 for a replacement and is furious.

"The whole thing is extraordinary. How can a company deliberately make their own products useless with an upgrade and not warn their own customers about it? Outside of the big industrialised nations, Apple stores are few and far between, and damaged phones can only be brought back to life by small third-party repairers.

"I am not even sure these third-party outfits even know this is a potential problem," he says.

Olmos is far from the only one affected. If you Google "iPhone 6" and "error 53" you will find no shortage of people reporting that they have been left with a phone that now only functions as a very expensive paperweight.

Posting a message on an Apple Support Communities forum on 31 December, "Arjunthebuster" is typical. He/she says they bought their iPhone 6 in January 2015 in Dubai, and dropped it the following month causing a small amount of damage. They carried on using the phone, but when they tried to install iOS 9 in November "error 53" popped up.

"The error hasn't occurred because I broke my phone (it was working fine for 10 months). I lost all my data because of this error. I don't want Apple to fix my screen or anything! I just want them to fix the 'error 53' so I can use my phone, but they won't!"

Could Apple's move, which appears to be designed to squeeze out independent repairers, contravene competition rules? Car manufacturers, for example, are not allowed to insist that buyers only get their car serviced by them. Apple charges £236 for a repair to the home button on an iPhone 6 in the UK, while an independent repairer would demand a fraction of that.

California-based tech expert Kyle Wiens, who runs the iFixit website, says this is a major issue. "The 'error 53' page on our website has had more than 183,000 hits, suggesting this is a big problem for Apple users," he told Guardian Money. "The problem occurs if the repairer changes the home button or the cable. Following the software upgrade the phone in effect checks to make sure it is still using the original components, and if it isn't, it simply locks out the phone. There is no warning, and there's no way that I know of to bring it back to life."

He says it is unclear whether this is a deliberate move to force anyone who drops their phone to use Apple for a repair. "All along, Apple's view is that it does not want third parties carrying out repairs to its products, and this looks like an obvious extension of that," he says. "What it should do is allow its customers to recalibrate their phone after a repair. Only when there is a huge outcry about this problem will it do something."

The Daily Dot website features an article by tech writer Mike Wehner headlined "Error 53 will kill your iPhone and no one knows what it is". He relates how his own iPhone 6 Plus was left "effectively dead to the world".

Meanwhile, an article by tech writer Reuben Esparza, published in November by iCracked, a phone repair service, states: "When pressed for more information about the error, few, if any Apple employees could offer an explanation. There was no part they would replace, no software fix, and no way to access the phone's memory. The fix was a new iPhone."

It continues: "Though still largely a mystery to most, we now know that error 53 is the result of a hardware failure somewhere within the home button assembly."

A spokeswoman for Apple told Money (get ready for a jargon overload): "We protect fingerprint data using a secure enclave, which is uniquely paired to the touch ID sensor. When iPhone is serviced by an authorised Apple service provider or Apple retail store for changes that affect the touch ID sensor, the pairing is re-validated. This check ensures the device and the iOS features related to touch ID remain secure. Without this unique pairing, a malicious touch ID sensor could be substituted, thereby gaining access to the secure enclave. When iOS detects that the pairing fails, touch ID, including Apple Pay, is disabled so the device remains secure."

She adds: "When an iPhone is serviced by an unauthorised repair provider, faulty screens or other invalid components that affect the touch ID sensor could cause the check to fail if the pairing cannot be validated. With a subsequent update or restore, additional security checks result in an 'error 53' being displayed ... If a customer encounters an unrecoverable error 53, we recommend contacting Apple support."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 5 09:33:32 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 5 Feb 2016 10:33:32 -0500
Subject: [Infowarrior] - Opinion: How NSA reorganization could squander remaining trust
Message-ID:

Opinion: How NSA reorganization could squander remaining trust

The Christian Science Monitor
http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0204/Opinion-How-NSA-reorganization-could-squander-remaining-trust

The coming reorganization of the National Security Agency may be a smart move for the agency but it'll hurt America's long-term national security interests.

At a recent talk at the Washington think tank Atlantic Council, NSA director Adm. Michael Rogers said he wanted to better integrate the agency's Information Assurance Directorate - its defensive arm that protects US systems and information -
and the Signals Intelligence Directorate - the offensive branch that carries out spying operations. The reorganization is needed, he said, because with these two separate divisions "we created these two amazing cylinders of excellence and then we built walls of granite between them."

As a veteran of the NSA, I suspect this reorganization will be good for the agency. But it is unlikely to create an agency that is more open, more trusted, or more able to work with America's true cyber defenders in the private sector. There are significant reasons to believe that what may help the NSA will be bad for the US - or actually anyone who uses the Internet.

The NSA's cyberdefense team, widely seen as the best in the US government (and maybe the world), needs to work publicly, openly, and internationally. But if further integrated with NSA's spies, it will be forever compromised.

The Information Assurance Directorate is respected for its technical skills, but many critics and observers see it as tainted because of what Edward Snowden - a former NSA contractor who turned government leaker - revealed about the agency's signals division.

The clearest example of that tarnish is evidence that the NSA intentionally weakened a cryptographic standard, handicapping all of our security for a better chance to breach adversaries. That meant that the needs of the spies were prioritized over those meant to defend the rest of us. And that's something that will likely continue in the reorganized agency.

Who in Silicon Valley or Europe will be able to trust that kind of organization? Even with a separate information division, many companies and privacy advocates were convinced the newly passed information sharing act was simply another vector for passing along data to NSA's digital spies. With the two parts of the agency more integrated, such concerns will be even harder to dismiss.

Likewise, if a multinational company calls NSA now for technical help, as Google and Sony have done in the past, can executives really assure their boardrooms that their corporate data won't end up in a spy's database?

Gen. Michael Hayden, one of Rogers's predecessors, specifically kept the Information Assurance Directorate separate, as he "needed an organization that was, and was seen to be, committed to defense." The separation within the agency, from this perspective, isn't about creating stovepipes but building a firewall to protect our privacy and the information division's independence.

In fact, the technologists and cyberdefenders in Information Assurance have long needed to be integrated less with the agency's secretive spies, and more with other parts of the government and the private sector. A better option would have been splitting off Information Assurance as the core of a truly independent and robust cyber department or agency.

That option is now closed. Once the cards are shuffled into the deck, they will be all but impossible to separate.

Jason Healey is senior research scholar at Columbia University's School of International and Public Affairs and senior fellow at the Atlantic Council. He began his career as a US Air Force signals intelligence officer in Alaska, NSA, and the Pentagon. Follow him on Twitter @Jason_Healey.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Feb 5 13:06:19 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 5 Feb 2016 14:06:19 -0500
Subject: [Infowarrior] - Maryland AG: If You Don't Want To Be Tracked, Turn Off Your Phone
Message-ID: <5E3EF871-69AC-43B2-A769-510768A58808@infowarrior.org>

Maryland Attorney General: If You Don't Want To Be Tracked, Turn Off Your Phone

Written by Joshua Kopstein
http://motherboard.vice.com/read/maryland-attorney-general-if-you-dont-want-to-be-tracked-turn-off-your-phone
February 4, 2016 // 03:39 PM EST

The state attorney general of Maryland is taking an alarmingly aggressive stance on the use of controversial cell phone trackers known as cell site simulators, or StingRays, arguing in court that a suspect volunteered to be tracked simply by leaving his phone on.

In a brief filed earlier this week, Maryland attorney general Brian E. Frosh challenged a Baltimore court's decision in the case of Kerron Andrews, who was targeted by a cell site simulator, the once-secret surveillance device used by police and federal agents to track phones en masse by impersonating cellphone towers, often without warrants.

Andrews, who faces multiple counts of attempted murder, had asked the court to dismiss the charges, citing Fourth Amendment concerns over the use of the surveillance device.

But the state argued that because cell phones constantly reveal their locations to carriers by pinging nearby cell towers, Andrews "voluntarily shared this information with third parties," including the police, merely by keeping his phone on. In other words, if you don't shut off your phone, you're asking to be tracked.

"While cell phones are ubiquitous, they all come with 'off' switches," the state responded in the brief. "Because Andrews chose to keep his cell phone on, he was voluntarily sharing the location of his cell phone with third parties."

The argument is a terrifying but not unprecedented escalation of previous rulings regarding cell phone location privacy. In the past, courts - usually relying on legal precedents established well before cell phones existed - have held that no one has a reasonable expectation of privacy when data is "given" to third parties, even if that data is sent unwittingly or as part of the normal functioning of a device or service.

"The government has indeed repeatedly argued that there is no [reasonable expectation of privacy] in cell phone location information, in court and out," Nathan Wessler, a staff attorney with the ACLU's speech, privacy and technology project, told Motherboard in an email. "In cases involving historical cell site location information, the government has danced around this argument, arguing that phone users give up their expectation of privacy in their location information merely by making and receiving calls."

Now the state of Maryland is saying that simply having a cell phone switched on is enough to nullify that protection, something which police, prosecutors and courts have hinted at before.

"Andrews ... was quite aware that he was bringing his own cell phone into the house. And he was quite capable of turning it off," the state wrote. "The issue is whether Andrews can claim an objectively reasonable expectation of privacy in information which he was voluntarily broadcasting to third parties at all times."

One flaw in this argument is that it's possible to track phones even when they appear to be off. Malware reportedly used by the FBI and NSA can put a device into a low-power state when it's switched off, allowing it to continue reporting its location to nearby towers. And since most phones no longer have removable batteries, there's no way to be certain you're not being tracked unless you invest in a good quality Faraday pouch.

It isn't the first time a court has heard this kind of argument. In a 2013 DEA case, a New York magistrate judge said that "given the ubiquity and celebrity of geolocation technologies, an individual has no legitimate expectation of privacy in the prospective location of a cellular telephone where that individual has failed to protect his privacy by taking the simple expedient of powering it off." The judge went on to claim that "the newsworthiness of cell phone tracking as a concept has waned, confirming that geolocation has moved from the unfamiliar to the commonplace."

Conversely, the Florida Supreme Court ruled in 2014 that "requiring a cell phone user to turn off their cell phone ... places an unreasonable burden on the user to forego necessary use of his cell phone, a device now considered essential by much of the populace."

"In the government's view, the only way to protect ourselves against warrantless tracking of our locations is to turn our cell phones into inert paperweights," Wessler, the ACLU attorney, told Motherboard. "But this would come at a significant cost, as having a functioning cell phone has become necessary to full participation in the civic, social, and economic life of the nation."

He continued: "Because Stingrays force phones to transmit information to the government that they would not otherwise transmit to the government, gather information about countless innocent bystanders, and probe the interiors of homes and other private spaces, a warrant is required."

--
It's better to burn out than fade away.
From rforno at infowarrior.org Mon Feb 8 08:01:13 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Feb 2016 09:01:13 -0500
Subject: [Infowarrior] - NFL Edging Towards Claiming A Trademark On 'The Big Game' Again
Message-ID:

NFL Edging Towards Claiming A Trademark On 'The Big Game' Again

https://www.techdirt.com/articles/20160205/13584533536/nfl-edging-towards-claiming-trademark-big-game-again.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Mon Feb 8 08:01:08 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Feb 2016 09:01:08 -0500
Subject: [Infowarrior] - Distrust of US surveillance threatens data deal
Message-ID: <38D978EF-35EE-48BF-97D4-A2093B4882C2@infowarrior.org>

Distrust of US surveillance threatens data deal

Katie Bo Williams
http://thehill.com/policy/cybersecurity/268467-distrust-of-us-surveillance-threatens-data-deal

European privacy regulators are putting U.S. surveillance practices under the microscope, this time with a crucial transatlantic data deal hanging in the balance.

Legal and privacy advocates say European nations are poised to strike down the deal if they decide the U.S. hasn't done enough to reform its spying programs.

The new test comes after the European Commission and the Commerce Department - after months of tense negotiations - reached a deal this week permitting Facebook, Google and thousands of other companies to continue legally handling Europeans' personal data.

Critics though have long warned that unless the U.S. overhauls its privacy and national security laws, there is no legal framework that can stand up in European court, where privacy is considered a fundamental right under the EU Charter.

A working group of 28 EU nations' data protection authorities - domestic entities separate from the Commission that will be in charge of enforcing the new agreement - may now cast the deciding vote.

The group is spending the next few months picking through the so-called Privacy Shield agreement to determine if it adequately protects the personal data of European citizens.

"The Commission has said, 'We're satisfied. We believe them. We believe the U.S. has substantially changed its practices,' and they are no longer going off the [Edward] Snowden revelations in the media," said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S. "Whether the working group will go along with it is another question."

The privacy advocate whose complaint against Facebook brought down the Privacy Shield's 15-year-old predecessor agreement is already questioning the new deal's validity.

"With all due respect ... a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance," Max Schrems of Austria said in a statement Tuesday.

The United States has been fighting against the perception that it tramples on civil liberties after ex-National Security Agency contractor Edward Snowden revealed the breadth of the agency's snooping.

One sticking point in the Privacy Shield negotiations was over the scope of an exception allowing surveillance for national security purposes.

In announcing the deal, Commission officials insisted that the U.S. had provided "detailed written assurances" that surveillance of Europeans' data by intelligence agencies would be subject to appropriate limitations.

"The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans," Andrus Ansip, Vice President for the Digital Single Market on the European Commission, said Tuesday.

The U.S. has also agreed to create an office in the State Department, to address complaints from EU citizens who feel their data has been inappropriately accessed by intelligence authorities.

Complicating the working group's approval of the deal is the hodgepodge of competing regulators in Europe. Each nation has an agency in charge of its own country's regulation.

Some countries - such as Germany - are seen as tougher on privacy than others, like France or the U.K. While some countries consider U.S. privacy protections to be satisfactory, in others they are seen as woefully inadequate.

Defenders of U.S. intelligence practices often point to France and the U.K., arguing they are equally intrusive with their citizens' data. A recent public report "pretty clearly documented that the protections are patchy, vary hugely and are nonexistent in some of the countries," Foster noted.

Privacy advocates dismiss those arguments.

"You cannot pick the worst member state, like the U.K., and claim you are 'equivalent' to that," Schrems said Tuesday. "First, this is not a price [sic] you want to win, secondly you have to meet the standards of the European Court of Justice, EU law and the EU Charter of Fundamental Rights - not the standard of the worst member state."

The U.S. has made significant reforms to federal spying powers under the Obama administration. The Privacy and Civil Liberties Oversight Board - a small bipartisan watchdog - on Friday said the government has begun addressing each of the nearly two-dozen recommendations it made following Snowden's revelations.

"[I]mportant measures have been taken to enhance the protection of Americans' privacy and civil liberties and to strengthen the transparency of the government's surveillance efforts, without jeopardizing our counterterrorism efforts," the five-member board said.

But whether European countries believe those changes are sufficient to sign off on the Privacy Shield is uncertain. Each of the EU's 28 member states must approve the deal before it can be finalized.

"A lot of this is going to come down to whether the data protection authorities are persuaded by the U.S.'s portrayal of the cumulative protections given to European citizens and the cumulative carving back on the NSA surveillance programs," Foster said.

If the European working group is not satisfied with the assurances from the Commerce Department, the consequences could be dire. Businesses fear a chilling of transatlantic trade, valued at $1 trillion in 2014.

The most likely outcome, experts say, would be a patchwork of country-to-country regulations that would make it extremely expensive for companies to comply.

Legislative changes in the U.S. seem unlikely. Congress is close to passing a privacy law considered crucial to seeing the Privacy Shield approved. But the bill - which gives EU citizens the right to sue in U.S. courts over the misuse of personal data - has sparked controversy on Capitol Hill.

Some lawmakers are expressing frustration that the EU has used the threat of enforcement action against U.S. companies to push Congress to make more concessions.

"It's been hard enough to get the Judicial Redress Act passed - if they're going to make more demands on Congress, there won't be a lot of willing listeners here," Sen. Chris Murphy (D-Conn.) told The Hill on Thursday.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Mon Feb 8 10:09:30 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Feb 2016 11:09:30 -0500
Subject: [Infowarrior] - Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees
Message-ID: <2B516E01-43C3-4241-9824-5935CE47A369@infowarrior.org>

Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees

Written by Joseph Cox
http://motherboard.vice.com/read/hacker-plans-to-dump-alleged-details-of-20000-fbi-9000-dhs-employees
February 7, 2016 // 05:40 PM EST

A hacker, who wishes to remain anonymous, plans to dump the apparent names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees, as well as over 9,000 alleged Department of Homeland Security (DHS) employees, Motherboard has learned. The hacker also claims to have downloaded hundreds of gigabytes of data from a Department of Justice (DOJ) computer, although that data has not been published.

On Sunday, Motherboard obtained the supposedly soon-to-be-leaked data and called a large selection of random numbers in both the DHS and FBI databases. Many of the calls went through to their respective voicemail boxes, and the names for their supposed owners matched with those in the database. At one point, Motherboard reached the operations center of the FBI, according to the person on the other end.

One alleged FBI intelligence analyst did pick up the phone, and identified herself as the same name as listed in the database. A DHS employee did the same, but did not feel comfortable confirming his job title, he said.

A small number of the phones listed for specific agents or employees, however, went through to generic operator desks in various departments. One FBI number that Motherboard dialled did go through to a voicemail box, but the recorded message seemed to indicate it was owned by somebody else. This also applied to two of the DHS numbers.

After several calls, Motherboard was passed through to the State and Local desk at the National Operations Centre, part of the DHS. That department told Motherboard that this was the first they had heard about the supposed data breach.

The job titles included in the data cover all sorts of different departments: contractors, biologists, special agents, task force officers, technicians, intelligence analysts, language specialists, and much more.

The data was obtained, the hacker told Motherboard, by first compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place. (On Monday, the hacker used the DoJ email account to contact this reporter).

From there, he tried logging into a DoJ web portal, but when that didn't work, he phoned up the relevant department.

"So I called up, told them I was new and I didn't understand how to get past [the portal]," the hacker told Motherboard. "They asked if I had a token code, I said no, they said that's fine - just use our one."

The hacker says he then logged in, clicked on a link to a personal computer which took him to an online virtual machine, and entered in the credentials of the already hacked email account. After this, the hacker was presented with the option of three different computers to access, he claimed, and one was the work machine of the person behind the originally hacked email account.

"I clicked on it and I had full access to the computer," the hacker said. Here the hacker could access the user's documents, as well as other documents on the local network. The databases of supposed government workers were on a DoJ intranet, the hacker claimed.

It is not fully clear when the hacker intends to dump the databases.

The hacker also said that he downloaded around 200GB of files, out of 1TB that he had access to. "I HAD access to it, I couldn't take all of the 1TB," he said.

He claimed that some of the files' contents included military emails, and credit card numbers. This supposed data was not provided to Motherboard.

This is just the latest in a series of hacks targeting US government employees. Back in October, hackers claiming a pro-Palestine political stance broke into the email account of CIA Director John Brennan. This was followed by a prank, in which calls to the Director of National Intelligence James Clapper would be forwarded to the Free Palestine Movement.

The Department of Justice did not respond to Motherboard's request for comment, and the FBI was not reachable. Motherboard provided a copy of the apparent DHS data to the National Infrastructure Coordinating Center (NICC) which is part of the DHS, but it declined to comment. A DHS public affairs officer did not immediately respond to Motherboard's request for comment.

Update 8 February 2016: After the publication of this article, a Twitter account with a pro-Palestinian message published the apparent details of the 9,000 DHS employees. The account also tweeted a screenshot supposedly from the Department of Justice computers that the hacker claimed to have accessed.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 9 10:24:46 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2016 11:24:46 -0500
Subject: [Infowarrior] - McCain enters the crypto war
Message-ID: <73343351-715A-4151-834E-330ACEC99D14@infowarrior.org>

McCain pushes for encryption legislation in fight against ISIS

Katie Bo Williams
http://thehill.com/policy/cybersecurity/268613-mccain-pushes-for-encryption-legislation-in-fight-against-isis

Sen. John McCain (R-Ariz.) is calling for legislation that would require tech firms to build their products in such a way that they can crack open encrypted content in response to legal requests from authorities.
"By taking advantage of widely available encryption technologies, terrorists and common criminals alike can carry out their agendas in cyber safe havens beyond the reach of our intelligence agency tools and law enforcement capabilities. This is unacceptable," the Senate Armed Services chairman writes in a Bloomberg op-ed.

McCain's proposal would not dictate "what those systems should look like." Instead, it would require "technological alternatives" to end-to-end encryption, which prevents even the manufacturer from accessing communications.

"This would allow companies to retain flexibility to design their technologies to meet both their business needs and our national security interests," McCain said.

The proposal comes with lawmakers increasingly divided on the need for legislation to address encryption technology.

The top two members of the House Intelligence Committee said last week that they have not made any decisions about endorsing a bill regulating encryption standards.

"I don't think we're any closer to a consensus on that than we were, I think, six months ago," Rep. Adam Schiff, the committee's top Democrat, said at a Christian Science Monitor breakfast. "Or if there is a consensus, it is that a legislative solution, I think, is very unlikely."

Following the deadly terrorist attacks on San Bernardino, Calif. and Paris, fears that terrorists were using encryption technology to plan attacks beyond the reach of U.S. surveillance sparked a number of lawmakers to call for new legislation.

Senate Intelligence Committee Chairman Richard Burr (R-N.C.) is working on a bill with his committee's ranking member, Sen. Dianne Feinstein (D-Calif.), that would force companies to decrypt data under court order.

But tech companies and cryptologists have pushed back, arguing that providing any guaranteed access to law enforcement opens up the day-to-day functions of the Internet - like banking - to hackers.

"There have been people that suggest that we should have a backdoor. But the reality is if you put a backdoor in, that backdoor's for everybody, for good guys and bad guys," Apple CEO Tim Cook said in a December interview with "60 Minutes." Last fall, Apple rejected a court order to turn over communications sent using its iMessage feature, citing its encryption system.

McCain alluded to those concerns, but insisted "this is not the end of the analysis."

"We recognize there may be risks to requiring such access, but we know there are risks to doing nothing," McCain writes.

He compared his proposal to wiretap laws enacted in the 1990s that required telecommunications providers to "enable law enforcement officials to conduct electronic surveillance pursuant to court order," but did not dictate the technology's design.

Some lawmakers have taken a more measured approach. House Homeland Security Committee Chairman Michael McCaul (R-Texas) and Sen. Mark Warner (D-Va.) worry that a bill like Burr's and Feinstein's offering would weaken encryption.

They're pushing legislation that would establish a national committee to study the topic first, then present potential suggestions to Congress about how police could get at encrypted data without endangering Americans' privacy or security.

McCain echoed FBI Director James Comey, who in recent months has sought to recast the question of how to provide access to encrypted data as a business challenge, not a technological one.

"We have to encourage companies and individuals who rely on encryption to recognize that our security is threatened, not encouraged, by technologies that place vital information outside the reach of law enforcement," McCain wrote. "Developing technologies that aid terrorists like Islamic State [in Iraq and Syria] is not only harmful to our security, but it is ultimately an unwise business model."

--
It's better to burn out than fade away.
From rforno at infowarrior.org Tue Feb 9 10:25:09 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2016 11:25:09 -0500
Subject: [Infowarrior] - House to Vote on Bill to Require NSF Science to Serve the "National Interest"
Message-ID: <7FF718DF-87D3-4524-8D09-67270E343445@infowarrior.org>

Note the chair of the House 'science' committee is someone who routinely lets party ideology trump scientific objectivity. He's pretty much doing this because he/his party is offended by things like federal funding for climate change, etc. (via IP)

Begin forwarded message:

> From: "FYI"
> Subject: House to Vote on Bill to Require NSF Science to Serve the "National Interest"
> Date: February 9, 2016 at 9:55:39 AM EST
> To: "farber at central.cis.upenn.edu"
> Reply-To: "FYI"
>
> Number 13: February 9, 2016
> House to Vote on Bill to Require Science to Serve the "National Interest"
>
> The House is poised to consider stand-alone legislation sponsored by House Science Committee Chairman Lamar Smith that would require recipients of National Science Foundation grant funding to justify research as "in the national interest," based on a definition related to NSF's mission and founding charter.
>
> This Wednesday afternoon the House is slated to consider legislation that would require National Science Foundation (NSF) grantees to provide written justification for how their science is serving a congressionally-sanctioned definition of the national interest. The "Scientific Research in the National Interest Act," which the House Science Committee has already approved and the full House passed as a section of the "America COMPETES Reauthorization Act of 2015," is still controversial among members of Congress and in the national scientific community.
>
> The bill's sponsor, chairman of the House Science Committee Lamar Smith (R-TX), says the bill is necessary to "ensure that our investments fund the highest quality basic research in science that serves our nation's interest." Leaders of the scientific community have expressed serious concerns, saying it infringes on the nation's "gold standard" scientific merit review process and arguing that science delivers the best societal outcomes when it operates largely independent of political direction.
>
> Smith seeks greater transparency and accountability for science
>
> Smith introduced his science in the national interest legislation last July, asserting the policy as a needed step for transparency and accountability and that taxpayer-funded research should serve society. In defending his legislation in the Winter 2016 edition of Issues in Science and Technology, Smith wrote:
>
> "We owe it to American taxpayers and the scientific community to ensure that every grant funded is worthy and in the national interest. ... In recent years ... NSF has seemed to stray from its created purpose and has funded a number of grants that few Americans would consider to be in the national interest. ... In carrying out that duty, my committee has questioned why NSF spent $700,000 of taxpayer money on a climate change musical, $220,000 to study animal photos in National Geographic magazine, or $50,000 to study lawsuits in Peru from 1600 to 1700, among dozens of examples. There may be good justifications for such work, but NSF has an obligation to the public to provide those explanations."
>
> Following a heated debate in October, Smith won his committee's approval for the bill in a voice vote, but only after facing vocal opposition. Ph.D.-physicist-turned-congressman Rep. Bill Foster (D-IL), Rep. Zoe Lofgren (D-CA) and Rep. Donna Edwards (D-MD) spoke in opposition to the bill in committee, and bipartisan support remains thin.
> Of the bill's co-sponsors, two are Democrats while 20 are Republicans.
>
> NSF-funded scientific studies singled out, investigated
>
> For years, Smith and other members of Congress have singled out and pilloried specific research grants they believe are not proper uses of taxpayer resources. Often the targets are identified through compendiums compiled to highlight excessive or wasteful federal spending, like last year's "Wastebook: The Farce Awakens" released by Sen. Jeff Flake (R-AZ) and "Federal Fumbles" by Sen. James Lankford (R-OK).
>
> Smith has used his oversight role over NSF to elevate accusations of waste in federally funded science to full blown investigations. At least four times during the summer of 2014, House Science Committee staffers visited NSF headquarters in Arlington, Va., to audit the agency's scientific merit review process for a number of grants. The staffers examined primary documents related to the awarding of over 20 NSF grants, looking for signs of improper decision making or other flaws in the merit review process.
>
> Legislation defines science in the national interest
>
> Smith first introduced the science in the national interest language as a section of his 2013 and 2014 "Frontiers in Innovation, Research, Science, and Technology Act" and again as part of his 2015 "America COMPETES Authorization Act," which the House passed in May 2015. Smith's language, now being offered as stand-alone legislation, would require NSF to certify each grant or cooperative agreement it awards is "worthy of Federal funding" and "in the national interest."
>
> An explicit definition of national interest is included in the legislation:
>
> "[A grant is in the national interest if it has] the potential to achieve ... (A) increased economic competitiveness in the United States; (B) advancement of the health and welfare of the American public; (C) development of an American STEM workforce that is globally competitive; (D) increased public scientific literacy and public engagement with science and technology in the United States; (E) increased partnerships between academia and industry in the United States; (F) support for the national defense of the United States; or (G) promotion of the progress of science for the United States."
>
> In Smith's view, this definition is in line with NSF's founding mission "to promote the progress of science; to advance the national health, prosperity, and welfare; and to secure the national defense; and for other purposes." Smith believes his bill would bring NSF in line with the original intent of the National Science Foundation Act of 1950 that established the agency.
>
> Impact of legislation on NSF grant making process uncertain
>
> While national interest criteria imposed by statute would be new for NSF, Smith's legislation may not change the NSF proposal process in practice. The science agency already requires all grantees to address not only the "intellectual merit" but also the "broader impacts" of their proposed research, with the broader impacts criterion explicitly including benefits to society. Daniel Sarewitz, Professor of Science and Society at Arizona State University, testified before the House Science Committee in 2013 that the national interest requirement would just add a "meaningless level of rubber-stamping to the grant approval process."
>
> Also, NSF policy has already moved in the direction of Smith's bill in recent years. In Dec. 2014, NSF Director France Córdova announced new grant making guidelines that were a nod to Smith's concerns.
> The guidelines require that all proposal abstracts state clearly and in non-technical terms how the research proposed will serve the national interest. In testimony before the House Science Committee in Jan. 2015, Córdova indicated she believes that the new NSF grant making policies are compatible and consistent with Smith's philosophy.
>
> NSB, Foster express concerns, defend NSF merit review process
>
> Some leaders in the scientific community have pushed back against science in the national interest legislation, which they see as an infringement on a scientific merit review process that is widely respected and has succeeded in delivering benefits for the American people for decades. The NSB, which is the governing body of NSF, issued a statement in April 2014 voicing the board's concerns about the proposed new requirements, warning of a detrimental impact on scientific freedom and leadership.
>
> The statement read:
>
> "We ... do not see a need to impose new, more inflexible, legislated requirements on NSF and our science and engineering communities. We are concerned that the proposed new legislative requirements might discourage visionary proposals or transformative science at a time when advancing the decades-long U.S. leadership in science and technology is a top priority."
>
> The NSB also argued that science has delivered economic prosperity and security for the nation for decades and never before has it required direction from Congress on what science to prioritize in order to contribute effectively to society.
>
> During last year's committee business meeting, Foster warned that the new requirements in the bill would impose additional administrative burden on scientists who already face significant grant and other administrative paperwork.
> He came out strongly against the bill:
>
> "We all claim to bemoan the loss of American scientific competitiveness, and then we turn around and consider a bill that would only add rigid and time consuming bureaucratic requirements that stifle the exact kind of curiosity driven research that has made us a world leader. The NSF merit review process is known as the gold standard for a reason. And the claim that this bill would somehow restore accountability and merit to this process carries with it the presupposition that the system is broken. As a scientist who has watched the operation of the peer review and merit review process throughout my career, I do not share this belief. And so I urge my colleagues to oppose this bill."
>
> The scientific community will be watching the outcome of the "Scientific Research in the National Interest Act" as it reaches a vote on the House floor on Wednesday afternoon. As it already approved the language as a section of a larger bill last spring, the House could very well approve it again. Despite setbacks and pushback Smith has encountered in recent years, he seems as determined as ever and has made this a priority for his tenure as chairman.
>
> Contact
>
> Michael S. Henry
> Government Relations Division
> American Institute of Physics
> mhenry at aip.org
> 301-209-3094
>
> For permission to use text from this e-mail, please contact Michael S. Henry.
>
> A publication of the American Institute of Physics 2015
> One Physics Ellipse, College Park, MD 20740
>
> David Farber
> Alfred Fitler Moore Professor Emeritus at the University of Pennsylvania
> Adjunct Professor of Internet Studies SCS and EPP at CMU
> Senior Policy Fellow of Internet Studies, University of Delaware

From rforno at infowarrior.org Tue Feb 9 10:25:21 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2016 11:25:21 -0500
Subject: [Infowarrior] - Draft bill seeks to improve U.S. military cyber warfare capabilities
Message-ID:

(c/o LB)

http://www.scmagazine.com/draft-bill-seeks-to-improve-us-military-cyber-warfare-capabilities/article/471965/

Jeremy Seth Davis, Senior Reporter
February 08, 2016

Draft bill seeks to improve U.S. military cyber warfare capabilities

Draft legislation seeks to improve the Pentagon's ability to quickly develop and acquire process cyber warfare technologies.

Draft legislation proposed by Sen. Mark Kirk (R-Ill.) seeks to improve the Pentagon's ability to quickly develop and acquire process cyber warfare technologies. The Electronic Warfare Enhancement Act (S. 2486), co-sponsored by Sen. Kirsten Gillibrand (D-NY), would streamline the defense procurement process for cyber warfare technologies by including electronic warfare technologies within the Secretary of Defense's Rapid Acquisition Authority (RAA). The draft also proposes to create an exception to a requirement (Section 181, Title 10) that the defense secretary review acquisition programs.

The proposal comes as the U.S. struggles to play catch-up to Russia's growing cyber capabilities. The U.S. military, for example, lags behind the electronic attack, jamming communications, radar and command-and-control nets used by Russia in the Ukraine and Syria to jam drones and block battlefield communications.
According to National Defense, the US Army is working on stronger jamming systems, expected to be available in 2023. Last week, SCMagazineUK.com learned that Russia's Ministry of Defense is planning to spend $200 to $250 million per year to further improve its cyber-offensive capabilities.

The proposed legislation would provide the U.S. military with more options in response to situations such as dealings with Russia, wrote Robert Stasio, a Truman National Security Fellow and previously CEO of Ronin Analytics, LLC, in an email to SCMagazine.com. The bill could also expand non-lethal options, he noted.

Kirk, a first-term senator, is a military veteran who served as a Navy Reserve intelligence officer. On Friday, he visited a Northrop Grumman facility in Illinois -- where he is currently running for re-election -- to plug the proposed legislation. Northrop Grumman says it is the largest defense contractor in Illinois, employing over 2,200 workers at its locations in Rolling Meadows, Ill.

"It is critical that the United States military dominates the offensive and defensive ends of electronic warfare," Kirk said, in a statement. "This bill will give DoD and industry leaders the tools to quickly develop critical electronic warfare technology for the warfighter."

From rforno at infowarrior.org Tue Feb 9 10:25:31 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2016 11:25:31 -0500
Subject: [Infowarrior] - FACT SHEET: Cybersecurity National Action Plan
Message-ID: <14BABA16-CB30-454C-9B6F-729AC40A396E@infowarrior.org>

For Immediate Release
February 09, 2016

FACT SHEET: Cybersecurity National Action Plan

Taking bold actions to protect Americans in today's digital world

From the beginning of his Administration, the President has made it clear that cybersecurity is one of the most important challenges we face as a Nation, and for more than seven years he has acted comprehensively to confront that challenge.
Working together with Congress, we took another step forward in this effort in December with the passage of the Cybersecurity Act of 2015, which provides important tools necessary to strengthen the Nation's cybersecurity, particularly by making it easier for private companies to share cyber threat information with each other and the Government. But the President believes that more must be done -- so that citizens have the tools they need to protect themselves, companies can defend their operations and information, and the Government does its part to protect the American people and the information they entrust to us. That is why, today, the President is directing his Administration to implement a Cybersecurity National Action Plan (CNAP) that takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.

....

< - >

https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan

From rforno at infowarrior.org Tue Feb 9 14:55:14 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2016 15:55:14 -0500
Subject: [Infowarrior] - UK's Intelligence And Security Committee Heavily Criticizes Investigatory Powers Bill
Message-ID: <5FCC9D85-C473-4D7C-9D84-4F7C6C425C59@infowarrior.org>

UK's Intelligence And Security Committee Heavily Criticizes Investigatory Powers Bill

http://www.tomshardware.com/news/uk-isc-criticizes-ip-bill,31163.html#xtor=RSS-181

The Intelligence and Security Committee (ISC), which is responsible for overseeing all the intelligence agencies in the UK, including the GCHQ, MI5 and MI6, issued a scathing review of the government's Investigatory Powers Bill (IPB), calling it inconsistent, overly broad in its definitions, and lacking serious privacy protections.
The criticism comes after another Parliamentary committee criticized the bill for many of the same shortcomings.

Lack Of Transparency

The first criticism is that the bill doesn't even achieve one of its primary goals, which was to consolidate all the other scattered surveillance bills in the UK. This is also a problem for transparency, because it's not clear how the surveillance powers will be used in all cases. The ISC recommended last year that the previous legal framework should be replaced by a new Act of Parliament, wherein all the capabilities and how they can be used can be specified.

The ISC strongly believes that this bill should enable higher transparency, as the lack of transparency was one of the main reasons why the intelligence agencies were involved in large controversies over the past few years in the first place. If the transparency is there, then it will be easier to verify in exactly what type of actions the intelligence agencies engage.

No Universal Privacy Protections

The Committee criticized the government for specifying privacy protections only for certain sensitive professions (journalists, lawyers, etc.), but the bill doesn't include universal privacy protections that apply in all situations. The ISC believes there should be an additional part in the bill that covers this.

The Committee actually seems surprised that after all of the Snowden revelations, which made many people much more aware of their privacy, the IPB doesn't take privacy more seriously.

"One might have expected an overarching statement at the forefront of the legislation, or to find universal privacy protections applied consistently throughout the draft Bill. However, instead, the reader has to search and analyse each investigatory power individually to understand the privacy protections which may apply. This results in a lack of clarity which undermines the importance of the safeguards associated with these powers," said the Intelligence and Security Committee.
Although the Investigatory Powers Bill seems to have been built around the surveillance powers and then with some privacy protections tacked on, the ISC thinks it should've been written the other way around -- the privacy protections should've been the backbone of the bill, with certain clear exceptions for surveillance where needed. The Committee also said that terrorist attacks shouldn't be used as an excuse to unnecessarily override fundamental privacy rights.

Bulk Hacking Too Broad

The ISC thinks that the "Bulk Equipment Interference" (another word for hacking), and "Bulk Personal Datasets and Communications Data," are defined too broadly and aren't clear enough. Some of the intelligence capabilities for "property interference," given by Intelligence Services Act 1994, were not brought into the IPB, which means they remain "secret" and without proper safeguards. The Committee recommended that all IT operations are brought under the provisions of the new legislation.

The bill includes provisions for Targeted and Bulk Equipment Interference, but Targeted EI seems to cover targets as broad as another country's intelligence agency. Therefore, the ISC is not convinced that the Bulk EI is necessary at all. The head of the GCHQ also couldn't properly explain why Bulk EI may be necessary now or in the future. The Intelligence Committee recommended that all Bulk EI provisions are removed from the bill.

The ISC also found it "curious" that the bill says that the Targeted EI requires only a "warrant" (from the Home Secretary) when the surveillance is done within the UK, but the warrant becomes "optional" when the surveillance happens abroad. However, the Committee believes this is a mistake, because if the warrant becomes optional, then the agents will never ask for it. It recommended that a warrant should be necessary for a Targeted EI whenever it is practical to obtain one.
Agencies Too Reliant On Bulk Surveillance

In the Investigatory Powers Bill, there are two types of Bulk Personal Datasets: the Specific BPD, which requires approval from the Home Secretary, and the Class BPD, which does not. An example of Class BPD would be "travel data." The intelligence agencies told the Committee that, more often than not, the requests will be for Class BPDs and not Specific BPDs.

The ISC said that class authorizations should be kept at an absolute minimum and they should be subject to greater safeguards. Although the agencies said it would be too much work to ask for individual warrants, the Committee thinks that privacy rights are too important to be dismissed as easily as the agencies do it. It also said the intelligence agencies shouldn't be too reliant on bulk surveillance, which provides too much unnecessary data. The ISC recommended that the provisions for Class Bulk Personal Datasets should be completely removed from the bill.

The Committee also found that the provisions for bulk surveillance of communications data were inconsistent and unclear. The bill leaves it up to the intelligence agencies to define their own policies for collection of communications in bulk. The ISC believes that this shouldn't be left up to the agencies, and the policies should be included in the IPB, as law.

Other Criticism

The bill includes language that allows the Secretary of State to issue warrants for both "national security" reasons and for "economic well-being, if relevant to national security." However, the ISC believes the latter is redundant, if it's indeed covered by national security. It also couldn't get a straight answer from the intelligence agencies as to why that clause would be necessary.

The Committee asked the government to be more clear in what it means by "operational purpose" when the intelligence agencies request bulk surveillance warrants.
The IPB currently provides a loophole for the agencies to spy on a UK person for five days without needing any warrant. The ISC recommended that there should be additional safeguards, such as allowing mandatory retrospective scrutiny by the Judicial Commissioners. It also said the five-day grace period should be reduced to two working days. Six month-long "thematic" warrants should also be shortened to one month.

Although, for instance, in the U.S., the Senate Intelligence Committee was quick to defend the NSA's mass surveillance actions in light of Snowden's revelations, it's refreshing to see that the UK Intelligence Committee actually wants to put strong safeguards in the new Investigatory Powers Bill that takes privacy rights as a given. The Committee believes that the government should take its time to do the bill right this time, before proposing another draft.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.

From rforno at infowarrior.org Tue Feb 9 15:10:05 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2016 16:10:05 -0500
Subject: [Infowarrior] - US intelligence chief: we might use the internet of things to spy on you
Message-ID: <6D622323-D657-499D-A8D8-F3D4BFC96E12@infowarrior.org>

(c/o several ppl)

US intelligence chief: we might use the internet of things to spy on you

Sam Thielman
http://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper

The US intelligence chief has acknowledged for the first time that agencies might use a new generation of smart household devices to increase their surveillance capabilities.

As increasing numbers of devices connect to the internet and to one another, the so-called internet of things promises consumers increased convenience -- the remotely operated thermostat from Google-owned Nest is a leading example.
But as home computing migrates away from the laptop, the tablet and the smartphone, experts warn that the security features on the coming wave of automobiles, dishwashers and alarm systems lag far behind.

In an appearance at a Washington thinktank last month, the director of the National Security Agency, Adm Michael Rogers, said that it was time to consider making the home devices "more defensible", but did not address the opportunities that increased numbers and even categories of connected devices provide to his surveillance agency.

However, James Clapper, the US director of national intelligence, was more direct in testimony submitted to the Senate on Tuesday as part of an assessment of threats facing the United States.

"In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials," Clapper said.

Clapper did not specifically name any intelligence agency as involved in household-device surveillance. But security experts examining the internet of things take as a given that the US and other surveillance services will intercept the signals the newly networked devices emit, much as they do with those from cellphones. Amateurs are already interested in easily compromised hardware; computer programmer John Matherly's search engine Shodan indexes thousands of completely unsecured web-connected devices.

Online threats again topped the intelligence chief's list of "worldwide threats" the US faces, with the mutating threat of low-intensity terrorism quickly following. While Clapper has for years used the equivocal term "evolving" when asked about the scope of the threat, he said Tuesday that Sunni violent extremism "has more groups, members, and safe havens than at any other point in history".
The Islamic State topped the threat index, but Clapper also warned that the US-backed Saudi war in Yemen was redounding to the benefit of al-Qaida's local affiliate.

Domestically, "homegrown extremists" are the greatest terrorist threat, rather than Islamic State or al-Qaida attacks planned from overseas. Clapper cited the San Bernardino and Chattanooga shootings as examples of lethal operations emanating from self-starting extremists "without direct guidance from [Isis] leadership".

US intelligence officials did not foresee Isis suffering significant setbacks in 2016 despite a war in Syria and Iraq that the Pentagon has pledged to escalate. The chief of defense intelligence, Marine Lt Gen Vincent Stewart, said the jihadist army would "probably retain Sunni Arab urban centers" in 2016, even as military leaders pledged to wrest the key cities of Raqqa and Mosul from it.

Contradicting the US defense secretary, Ashton Carter, Stewart said he was "less optimistic in the near term about Mosul", saying the US and Iraqi government would "certainly not" retake it in 2016. The negative outlook comes as Carter met on Tuesday with his fellow defense chiefs in Brussels to discuss increasing their contributions against Isis.

On the Iran nuclear deal, Clapper said intelligence agencies were in a "distrust and verify mode", but added: "We have no evidence thus far that they're moving toward violation."

Clapper's admission about the surveillance potential for networked home devices is rare for a US official. But in an overlooked 2012 speech, the then CIA director David Petraeus called the surveillance implications of the internet of things "transformational -- particularly to their effect on clandestine tradecraft".

During testimony to both the Senate armed services committee and the intelligence panel, Clapper cited Russia, China, Iran, North Korea and the Islamic State as bolstering their online espionage, disinformation, theft, propaganda and data-destruction capabilities.
He warned that the US's ability to correctly attribute the culprits of those actions would probably diminish with "improving offensive tradecraft, the use of proxies, and the creation of cover organizations". Clapper suggested that US adversaries had overtaken its online capabilities: "Russia and China continue to have the most sophisticated cyber programs."

The White House's new cybersecurity initiative, unveiled on Tuesday, pledged increased security for nontraditional networked home devices. It tasked the Department of Homeland Security to "test and certify networked devices within the 'Internet of Things'." It did not discuss any tension between the US's twin cybersecurity and surveillance priorities.

Connected household devices are a potential treasure trove to intelligence agencies seeking unobtrusive ways to listen and watch a target, according to a study that Harvard's Berkman Center for Internet and Society released last week. The study found that the signals explosion represented by the internet of things would overwhelm any privacy benefits by users of commercial encryption -- even as Clapper in his testimony again alleged that the growth of encryption was having a "negative effect on intelligence gathering".

The report's authors cited a 2001 case in which the FBI had sought to compel a company that makes emergency communications hardware for automobiles -- similar by description to OnStar, though the company was not named -- to assist agents in Nevada in listening in on conversations in a client's car. In February 2015, news reports revealed that microphones on Samsung "smart" televisions were "always on" so as to receive any audio that it could interpret as an instruction.

"Law enforcement or intelligence agencies may start to seek orders compelling Samsung, Google, Mattel, Nest or vendors of other networked devices to push an update or flip a digital switch to intercept the ambient communications of a target," the authors wrote.
From rforno at infowarrior.org Tue Feb 9 16:40:31 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2016 17:40:31 -0500
Subject: [Infowarrior] - Warner Music Settles 'Happy Birthday' Lawsuit for $14 Million
Message-ID: <09F9CFB5-3E70-47B0-A512-ED3959B4307A@infowarrior.org>

Warner Music Settles 'Happy Birthday' Lawsuit for $14 Million

By Jon Blistein
http://www.rollingstone.com/music/news/warner-music-settles-happy-birthday-lawsuit-for-14-million-20160209

Warner Music's publishing wing Warner/Chappell has settled a lawsuit challenging its hold on "Happy Birthday to You" for $14 million, paving the way for the song to finally enter the public domain, according to The Hollywood Reporter.

The settlement comes after United States District Judge George H. King ruled in September that Warner/Chappell's copyright on the song was invalid. The rights to "Happy Birthday" had previously changed hands frequently before Warner/Chappell scooped it up in 1988 and began aggressively charging royalties for its use in TV shows and movies. King, however, decided that their copyright was not valid because the original 1935 copyright of "Happy Birthday" applied only to a specific piano arrangement. In addition, "Happy Birthday to You" borrows its melody from "Good Morning to All," the 1893 song, which has long been in the public domain.

At the time, however, King did not declare "Happy Birthday" to be in the public domain. Warner/Chappell was mulling a challenge to the ruling and a new trial delving into the history of the song -- written by sisters Patty Smith Hill and Mildred Hill -- was scheduled to begin in December when the two sides reached an agreement. Furthermore, the settlement only stipulates a proposed final judgement and official order that would make the song free for all. A hearing on the settlement is scheduled for March.
Warner/Chappell had expected to hold on to the rights to "Happy Birthday" until 2030, during which time it was estimated the song would bring in between $14 million and $16.5 million. By settling, the publishing giant was also able to avoid a trial to determine whether it should be punished for collecting fees on the song for over 25 years. It's estimated Warner/Chappell has collected more than $50 million in licensing fees.

The initial class action suit against Warner/Chappell was brought by filmmaker Jennifer Nelson, who was making a documentary about "Happy Birthday" when she was slapped with a $1,500 licensing fee. Lawyers for the plaintiffs will seek a third of the $14 million fee, while the rest will be divided among those who paid the proper fees for "Happy Birthday" in the past and met the other criteria of the proposed class.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 10 07:06:35 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2016 08:06:35 -0500
Subject: [Infowarrior] - Hacked Toy Company VTech's TOS Now Says It's Not Liable for Hacks
Message-ID:

Hacked Toy Company VTech's TOS Now Says It's Not Liable for Hacks
Written by Lorenzo Franceschi-Bicchierai, Staff Writer
February 9, 2016 // 11:30 AM EST

Last Friday, parents and kids who own the internet-connected toys made by VTech finally received some much-awaited news: The company's app store and learning portal was back online after being shut down for more than two months following the embarrassing data breach that exposed the personal data of more than 6 million children.

"After further strengthening our data protection, the Learning Lodge service is now back online," VTech's president King Pang wrote in an email to customers, which a parent shared with Motherboard. "We are committed to the privacy and protection of the information you entrust with VTech."
What Pang didn't say in the email, however, is that VTech seems to be trying to skirt any responsibility for a future hack, deflecting the blame to its own customers.

In its Terms and Conditions for the Learning Lodge, VTech now includes the following ominous language in all-caps: "YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES."

It's unclear when this language was added, but the document says it was updated on December 24 of last year. (VTech did not respond to a request for comment on the Terms and Conditions but said "key functions" of the Learning Lodge came back online on January 23.)

But security and privacy experts are concerned that this could be an attempt to skirt lawsuits in case of a future data breach – and they believe consumers should be aware of the move to avoid liability, especially considering that VTech is now getting in the house monitoring business.

Rik Ferguson, the vice president of security research at Trend Micro, said the clause is "outrageous, unforgivable, ignorant, opportunistic, and indefensible," and likened it to "weasel words."

Despite this surprising change – a British law professor told me he's "never seen a clause like that before" – legal experts doubt the provision has any real value.

< - >

http://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks

--
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 10 07:34:02 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2016 08:34:02 -0500
Subject: [Infowarrior] - Opera looks to be sold to Chinese consortium for $1.2 billion
Message-ID: <97C1E313-35E9-4D98-92FA-9E52D0759F66@infowarrior.org>

Opera looks to be sold to Chinese consortium for $1.2 billion
by Rahil Bhagat / February 10, 2016 1:16 AM PST
http://www.cnet.com/news/opera-to-be-sold-to-chinese-consortium-for-1-2-billion/#ftag=CAD590a51e

Norway-based Opera Software has received a $1.2 billion acquisition offer from a group of Chinese companies, and has indicated it intends to accept. The company on Wednesday said its board is unanimously recommending shareholders approve the takeover, which will give the browser-maker a stronger push into China under new stewardship.

The Chinese consortium in question includes Chinese Internet security company Qihoo 360, Internet firm Beijing Kunlun (who invested roughly $93 million into Grindr earlier in the year) and investment funds Golden Brick and Yonglian. According to Opera, the $1.2 billion figure is a premium of approximately 56 per cent when compared to Opera's stock during the last 30 trading days.

Despite claiming 350 million users, the company's browser has struggled in the oversaturated western market. China could be a profitable venture for Opera, thanks in part to Google's Chrome browser not coming preinstalled on Android phones there like it is elsewhere, but doing business in the country without local partners is nigh impossible. Through the partnership, Opera will be able to leverage the networks of Kunlun and Qihoo 360 to better penetrate the Chinese market.

"There is strong strategic and industrial logic to the acquisition of Opera by the Consortium," said Lars Boilesen, CEO of Opera. "We believe that the Consortium, with its breadth of expertise and strong market position in emerging markets, will be a strong owner of Opera."
Opera, founded over 20 years ago in 1995, was one of the first proper online businesses, releasing its namesake browser in 1997. Though it was never top dog, there has always been a strong, loyal following for its light, speedy software. The company also made one of the first true mobile browsers, which was one of the best in the early days of Android. In recent years, Opera has been mainly focusing on its advertising and data compression technology, Opera Max.

At this point, the company still needs the go-ahead of its shareholders and government entities before the buyout can be finalised.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 10 14:12:55 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2016 15:12:55 -0500
Subject: [Infowarrior] - NSA's reorg announced
Message-ID: <48FF6E22-8F14-4E22-8F6F-67E69A79A8A5@infowarrior.org>

8 Feb 2016 - NSA21: Facing Threats to the Nation and Future Challenges with Innovation, Integration, and a Focus on Talent
https://www.nsa.gov/public_info/speeches_testimonies/08feb16.shtml

The National Security Agency has launched a comprehensive campaign to ensure NSA maintains its position as the world's preeminent foreign signals intelligence and information assurance organization. The vision and framework for this initiative, known as NSA21 – meaning NSA in the 21st Century – was unveiled to the Agency on Feb. 4 by ADM Michael S. Rogers, Director, National Security Agency.

NSA21 is the result of an effort by the NSA workforce who, together with the Agency's leaders at all levels, collectively sought to answer a critical question ADM Rogers asked early in his tenure: "How do we ensure the same or higher level of success five to ten years into the future?"

Foreign threats to our national security are complex and evolving. As it has done throughout its history, NSA regularly assesses its processes and structure to make sure the Agency is optimized to defend the nation.
In other words, NSA is always dedicated to staying ahead of current and anticipated threats. The launch of NSA21 is the beginning of a forward-leaning, decisive response. It is a two-year plan to position the Agency to meet increasingly complicated challenges stemming from the proliferation of asymmetric threats to national security, the rapid evolution of the global communications network, fast-growing demand for NSA's products and services, and the continuing evolution of our cyber mission.

Drawing on the results of workforce surveys, focus groups, and hundreds of interviews with internal and external stakeholders, NSA21 centers on three key themes:

* People – Our workforce is our most important asset. We will invest in and enhance career-development and leadership programs.
* Integration – To achieve mission success, NSA21 will ensure we continue to operate as a cohesive global enterprise. As our workforce evolves, so will the way we build a keen sense of unity at NSA in order to allow each and every employee to strongly identify with the Agency and its mission.
* Innovation – It has been in NSA's DNA since our founding 63 years ago. We will harness the innovative spirit of our world-class workforce to overcome current and future mission challenges.

Six new directorates, taking shape over the coming months, will provide a renewed operating framework and address the three themes and implement related initiatives. The directorates are in the areas of Workforce and Support Activities, Business Management and Acquisition, Engagement and Policy, Operations, Capabilities, and Research. NSA's core missions of foreign signals intelligence and information assurance remain unchanged.
The "new structure will enable us to consolidate capabilities and talents to ensure that we're using all of our resources to maximum effect to accomplish our mission, and to make sure that each of you has the opportunity to grow and develop in your career at NSA," ADM Rogers said in his workforce address.

Thwarting terrorists. Enhancing cybersecurity. Protecting the warfighter. Containing, controlling, and protecting strategic weapons. At NSA, it's an around-the-clock mission. And it is not getting any easier. The Agency is embarking on this comprehensive, integrated campaign to be primed for success over the next decade and beyond.

"A chance like this, to take part in building something this important, doesn't come along every day. I feel privileged to be working on it with you. I'm excited about the possibilities that NSA21 will open for us as we move forward," ADM Rogers said as he wrapped up his message to the workforce.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 10 14:48:36 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2016 15:48:36 -0500
Subject: [Infowarrior] - WaPo 'Bandito' Tool Optimizes Content For Clicks
Message-ID:

Washington Post's "Bandito" Tool Optimizes Content For Clicks
System promotes version of a story with most popular headline, images
Jack Marshall
Feb. 8, 2016 2:34 p.m. ET
http://www.wsj.com/articles/washington-posts-bandit-tool-optimizes-content-for-clicks-1454960088

The Washington Post is experimenting with technology to automatically optimize articles on its website for maximum readership. A new internally-developed tool, dubbed "Bandito," allows editors to enter different article versions with varying headlines, images and teaser text into its content management system.
The technology then detects which version readers are clicking or tapping on more, and automatically serves that version more frequently on the homepage and other areas of the Post's site.

Publishers frequently use so-called A/B tests to compare different versions of articles and to establish which headlines and images appeal to readers, but the Post's tool is particularly interesting because it automatically implements changes based on the information it collects. This allows editors to essentially "set and forget" the tool, the company said, which makes the process more efficient.

"We have terrifically reported stories and I just want to best explain to readers why they should be interested," said Eric Rich, editor of The Washington Post's Universal News Desk.

Bandito was built in-house at the Post and is evidence of the influence its owner, Jeff Bezos, is having on the company. In the more than two years since Mr. Bezos bought the Post from the Graham family for $250 million, the billionaire Amazon.com Inc. founder has made his mark by championing technological experimentation, and a focus on customer experience and data-driven decision making.

According to Mr. Rich, the tool is now driving editorial staffers to present articles in ways they may not have considered previously. For example, it's helped them understand that images with human faces often result in more clicks than those without, and that headlines beginning with the word "how" often drive greater readership.

The first iteration of the tool optimizes content based purely on the number of clicks articles receive, but the company plans to soon factor in other metrics also, including how much time readers spend with articles after they click.

"This isn't just about clicks. Clickbait works for a while, but not long-term," said Sam Han, engineering director of data science at the Washington Post. "Engagement is a better metric to focus on, but we're not going to optimize just to that.
We'll find a good balance."

According to Mr. Han, the company plans to develop the tool to help power other features of the site, such as its video players, and to further optimize content for different types of users. For example, it plans to optimize for international audiences versus domestic readers, and for desktop users versus mobile users.

Bandito may even begin to factor in other more detailed information about Post readers into its decision-making, such as whether or not a user is an existing subscriber, and types of content they've engaged with in the past. "We will be more careful in that area because of privacy, and because we need to be sure we're providing right-leaning and left-leaning content equally," Mr. Han said, in reference to articles of a political nature.

Beyond regular editorial content, the Post said it also plans to use the tool to help boost the readership of sponsored posts created by its BrandStudio ad division.

Instead of working with vendors to power features on its site, Mr. Rich said the company sees advantages to building its own tools. "We're building everything in-house now. We control what we're making; we can make it to specifications we understand and can iterate and evolve," he said. "I don't have to call a vendor and rely on customer support. I have the engineer sitting 40 feet away from me."

Write to Jack Marshall at Jack.Marshall at wsj.com

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 11 10:46:04 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Feb 2016 11:46:04 -0500
Subject: [Infowarrior] - Gravitational Waves Discovered at Long Last
Message-ID: <839A048D-4426-4FB5-B65E-0E0D50AF7ABC@infowarrior.org>

Gravitational Waves Discovered at Long Last | Quanta Magazine

Ripples in space-time caused by the violent mergers of black holes have been detected, 100 years after these "gravitational waves"
were predicted by Albert Einstein's theory of general relativity and half a century after physicists set out to look for them.

The landmark discovery was reported today by the Advanced Laser Interferometer Gravitational-Wave Observatory (Advanced LIGO) team, confirming months of rumors that have surrounded the group's analysis of its first round of data. Astrophysicists say the detection of gravitational waves opens up a new window on the universe, revealing faraway events that can't be seen by optical telescopes, but whose faint tremors can be felt, even heard, across the cosmos.

"We have detected gravitational waves. We did it!" announced David Reitze, executive director of the 1,000-member team, at a National Science Foundation press conference today in Washington, D.C.

Gravitational waves are perhaps the most elusive prediction of Einstein's theory, one that he and his contemporaries debated for decades. According to his theory, space and time form a stretchy fabric that bends under heavy objects, and to feel gravity is to fall along the fabric's curves. But can the "space-time" fabric ripple like the skin of a drum? Einstein flip-flopped, confused as to what his equations implied. But even steadfast believers assumed that, in any case, gravitational waves would be too weak to observe. They cascade outward from certain cataclysmic events, alternately stretching and squeezing space-time as they go. But by the time the waves reach Earth from these remote sources, they typically stretch and squeeze each mile of space by a minuscule fraction of the width of an atomic nucleus.

Perceiving the waves took patience and a delicate touch. Advanced LIGO bounced laser beams back and forth along the four-kilometer arms of two L-shaped detectors – one in Hanford, Wash., the other in Livingston, La. – looking for coincident expansions and contractions of their arms caused by gravitational waves as they passed.
Using state-of-the-art stabilizers, vacuums and thousands of sensors, the scientists measured changes in the arms' lengths as tiny as one thousandth the width of a proton. This sensitivity would have been unimaginable a century ago, and struck many as implausible in 1968, when Rainer Weiss of the Massachusetts Institute of Technology conceived the experiment that became LIGO.

"The great wonder is they did finally pull it off; they managed to detect these little boogers!" said Daniel Kennefick, a theoretical physicist at the University of Arkansas and author of the 2007 book Traveling at the Speed of Thought: Einstein and the Quest for Gravitational Waves.

The detection ushers in a new era of gravitational-wave astronomy that is expected to deliver a better understanding of the formation, population and galactic role of black holes – super-dense balls of mass that curve space-time so steeply that even light cannot escape. When black holes spiral toward each other and merge, they emit a "chirp": space-time ripples that grow higher in pitch and amplitude before abruptly ending. The chirps that LIGO can detect happen to fall in the audible range, although they are far too quiet to be heard by the unaided ear. You can re-create the sound by running your finger along a piano's keys. "Start from the lowest note on the piano and go to middle C," Weiss said. "That's what we hear."

< - >

https://www.quantamagazine.org/20160211-gravitational-waves-discovered-at-long-last/

From rforno at infowarrior.org Thu Feb 11 12:20:41 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Feb 2016 13:20:41 -0500
Subject: [Infowarrior] - Encryption Is Worldwide: Yet Another Reason Why a US Ban Makes No Sense
Message-ID: <7C713FBA-D216-46FD-BDD5-1D68D42C0845@infowarrior.org>

Encryption Is Worldwide: Yet Another Reason Why a US Ban Makes No Sense
Author: Kim Zetter.
http://www.wired.com/2016/02/encryption-is-worldwide-yet-another-reason-why-a-us-ban-makes-no-sense/

If a handful of lawmakers in the US and abroad have their way, encrypted communication would either be outlawed or come pre-fitted with government-friendly backdoors – insert your friendly government's name here. There have been proposed bans in at least two states here, and now there's a proposed federal ban on those state bans. Some of the smartest minds in cryptography have explained at length why backdoors are a bad idea because they make us all inherently less secure. But legislated backdoors make no sense for yet another reason: the criminals, terrorists, pedophiles and others whom governments hope to target would simply use encryption products made in countries that don't require mandatory portals.

A new worldwide survey of encryption products, compiled by noted cryptographer Bruce Schneier and colleagues Kathleen Seidel and Saranya Vijayakumar, shows just how rich the worldwide catalogue of encryption products is for anyone seeking alternatives.

Mapping Encryption Worldwide

They found 865 hardware and software encryption products available from 55 countries, including the US. Nearly two-thirds (about 540) are made outside the US. They range from virtual private networks, which provide a secured encrypted tunnel for remotely accessing systems over the Internet; email and messaging encryption apps; file and disk encryption; voice encryption and password managers. They also run the gamut from large-scale commercial products made by companies like Microsoft and Cisco to open-source products written by developers in multiple countries to labor-of-love products written by solitary, committed developers.

The US is the country with the most encryption offerings at 304.
These include BitLocker, Microsoft's disk encryption tool; Bitmail, a free email encryption software; the Jabber and Pidgin messaging tools; the password manager LastPass; and even the popular Snapchat, which is encrypted, though its implementation is not perfect.

Not surprisingly, Germany, the former land of the Stasi spies, takes second place on the list with 112 products. Both Germany and the Netherlands (which has 20 encryption products on the list) have publicly disavowed backdoors. Germany's offerings include TorChat and Diaspora, two free tools for encrypting messages, and GnuPG, another free program for encrypting email for Mac users.

The UK, where lawmakers have proposed a ban on encryption products that don't have backdoors, is the third top provider of encryption apps and tools, with 54 products. They include CelCrypt, a paid tool for encrypting Windows and Android phones and Blackberry communications; Cryptkeeper, a free disk encryption tool; and Hide My Ass, a free proxy for anonymizing your web activity.

A number of small countries have a place on the leader board with a single encryption offering – Belize, Chile, Cyprus, Estonia, Tanzania, and Iraq are among them.

The researchers didn't endeavor to determine how secure or how well-implemented the products are; they simply compiled any known encryption programs and products.

"Our survey demonstrates that ... [a]nyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead: to encrypt their hard drives, voice conversations, chat sessions, VPN links, and everything else," the researchers write in a paper published today (.pdf).

This is not new.
A similar survey conducted in 1999 by researchers from George Washington University found 805 hardware and software encryption products available from about three dozen countries back then. Very few encryption products make an appearance on both lists, underscoring the changes and advances that encryption algorithms and methods have undergone in 17 years.

The conclusion that Schneier and his colleagues draw is clear: "Any mandatory backdoor will be ineffective simply because the marketplace is so international. Yes, it will catch criminals who are too stupid to realize that their security products have been backdoored or too lazy to switch to an alternative, but those criminals are likely to make all sorts of other mistakes in their security and be catchable anyway. The smart criminals that any mandatory backdoors are supposed to catch – terrorists, organized crime, and so on – will easily be able to evade those backdoors."

Any laws mandating encryption backdoors will overwhelmingly affect the innocent users of those products, they note, while having little effect on the rogue parties for which the backdoors are intended. This doesn't even address the home-grown encryption products that these groups could develop on their own to evade surveillance.

America's Encryption Is Not Better

Anyone in the US who turns to ready-made, backdoor-free encryption products offered elsewhere will not have to sacrifice quality, Schneier and his team note. Non-US encryption systems, for example, use the same kinds of strong encryption that US systems use in general. "Cryptography is very much a worldwide academic discipline," they note, "as evidenced by the quantity and quality of research papers and academic conferences from countries other than the US. Both recent NIST encryption standards – AES and SHA-3 – were designed outside of the US, and the submissions for those standards were overwhelmingly non-US."
And problems with implementing encryption are universal, whether in the US or elsewhere. "The seemingly endless stream of bugs and vulnerabilities in US encryption products demonstrates that American engineers are not better [than] their foreign counterparts at writing secure encryption software," they note.

For this survey, the researchers compiled their list from suggestions submitted by readers of Schneier's blog, Schneier on Security, and his Crypto-Gram newsletter. Others were gleaned through online searches, app stores, GitHub and other sources. The list isn't complete. The researchers will continue to add products as they uncover more.

They were able to identify the country of origin for most of the encryption services they listed, though sometimes it took a little work to identify the country. They hit a dead-end with at least sixteen, for which they could not assign a country at all. This highlights another weakness with backdoor mandates: it can be difficult to pinpoint authorship of products, particularly in the case of open-source projects where multiple contributors from multiple countries – some of them anonymous contributors – are involved or where someone has deliberately obscured their true locale by using a shell company registered in the British Virgin Islands, St. Kitts or Nevis – notorious havens for those who want to hide their identity.

And sometimes the country of origin can change. Developers who don't like the laws in one country can simply pick up shop and relocate, as Silent Circle did in 2014 when it moved from the US to Switzerland.

In the end, backdoor mandates have a number of loopholes that can easily undermine them, eliminating their intended effect, while having the unintended effect of making everyone less secure.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 11 17:49:16 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Feb 2016 18:49:16 -0500
Subject: [Infowarrior] - TSA touts new academy for agent training
Message-ID:

TSA touts new academy for agent training
Keith Laing
http://thehill.com/policy/transportation/269180-tsa-touts-new-academy-for-airport-security-agents

Transportation Security Administration Administrator Peter Neffenger is touting a new training academy for airport security personnel as his agency tries to rebound from embarrassing revelations about failed security tests.

Neffenger said in an interview with The Hill that the new facility, which cost $12 million and is located near Brunswick, Ga., will help the TSA to better train new hires and veteran members of its more than 40,000-member workforce in one place.

"Before when you came into TSA, you trained at one of 75 to 80 airports around the country," he said of the new training facility, which opened in January. "You trained largely in a classroom looking at pictures of what you might be doing."

With the new facility, Neffenger said the TSA would "get someone who is a little closer to being a finished performer when they show up" at the end of their training.

The new TSA training academy is located at an existing Federal Law Enforcement Training Center in Glynn County, Ga., where mock airport facilities were built to train TSA workers in situations that will better mirror their experiences at U.S. security checkpoints.

Neffenger said new hires who report to the facility, which holds up to 192 trainees, will go through a two-week course that will include "hands-on practicums" on equipment that is used at operational TSA checkpoints.

"The purpose is to engage you in a sense of belonging to something important," he said.
The TSA has been under fire with lawmakers since a report from the Homeland Security Department's inspector general documented a series of undercover sting operations in which agents tried to pass through security with prohibited items; much of its findings remain classified.

The undercover agents made it through security in nearly all the tests – 67 of 70 – including one instance in which a TSA screener failed to find a fake bomb even after the undercover agent set off a magnetometer. The screener reportedly let the agent through with the fake bomb taped to his back, having missed it during a pat-down.

Neffenger vowed to make "necessary changes" to improve the agency after the failed bomb tests when he took over as TSA chief last summer.

He said this week, as he was preparing to visit the southeast Georgia training facility for the first time, that the release of the report about the failures has allowed him to have a "fuller conversation" with lawmakers about the TSA's needs. Still, he said he wishes there would have been a different starting point for the discussion.

"I would have liked it if the report did not become public because it took on a tenor that went beyond the findings, but it allowed us to have an open and honest conversation," he said of talks with members of committees that oversee the TSA in Congress.

"When you have a loss of confidence, you have to acknowledge it," Neffenger said. "You don't run for it."

Neffenger, who is a retired Coast Guard vice admiral, compared the new training academy to some of the facilities he encountered when he started out in the service. He said TSA agents would benefit from knowing their classmates were at other airports around the country when they moved on from their training to work at specific security checkpoints.

Funding for the new TSA Academy was included in the massive government spending bill that was passed by Congress at the end of 2015.
The facility is staffed by 40 permanent trainers and a rotation of about 40 TSA agents who come in from the field to teach classes to new hires.

Neffenger said he hopes to see a reduction in the turnover among the TSA's workforce as the academy training takes hold. "We have a higher than I'd like to see attrition rate," he said.

Neffenger said he is confident the new academy will be a contributor to the "strong excellence of this organization." He said he has found there was a "disproportionate focus" on moving people through airport security lines quickly before he took over the agency in 2015.

"We were focusing on moving people through rather than stopping people who shouldn't get through," he said.

"It's not that I don't care about queues," Neffenger continued. "It's just not the screeners' job to worry about queues. That's up the food chain ... I said to them, focus on your mission."

Neffenger said he was looking forward to visiting the new hires who are already training at the new academy this week. "I want to see the facility now that's been built out," he said. "I always like to meet with people who are on the front lines."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 12 10:44:51 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Feb 2016 11:44:51 -0500
Subject: [Infowarrior] - OT: Friday Funny
Message-ID:

Because we all need a chuckle to end the week. -- rick

Nigerian astronaut lost in space needs $3m to get home
http://boingboing.net/2016/02/12/nigerian-astronaut-lost-in-spa.html

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Feb 16 10:17:52 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Feb 2016 11:17:52 -0500
Subject: [Infowarrior] - Prof. Steven Bellovin Named First Technology Scholar by the Privacy and Civil Liberties Oversight Board
Message-ID: <56EFBAE7-DA87-4A0E-89AA-C71351856C26@infowarrior.org>

Prof.
Steven Bellovin Named First Technology Scholar by the Privacy and Civil Liberties Oversight Board
http://engineering.columbia.edu/bellovin-named-first-technology-scholar-privacy-and-civil-liberties-oversight-board

Computer Science Professor Steven Bellovin has been appointed the first Technology Scholar by the Privacy and Civil Liberties Oversight Board (PCLOB). A nationally recognized expert in technology and network security, Bellovin has examined technology and its privacy implications throughout his career.

"I'm delighted to be joining PCLOB," says Bellovin. "Modern intelligence agencies rely heavily on technology; many of their collection and analysis systems are based on software. My role will be to help the Board members understand these mechanisms and their implications."

Bellovin has taught computer science at Columbia since 2005. During more than 20 years at Bell Labs and AT&T Labs Research, he focused on network security, firewalls, protocol failures, routing security, and cryptographic protocols. He is a member of the National Academy of Engineering and the Computer Science and Telecommunications Board of the National Academies. He has served on the Science and Technology Advisory Committee of the U.S. Department of Homeland Security, the Technical Guidelines Development Committee of the U.S. Election Assistance Commission, and as Chief Technologist of the Federal Trade Commission. He also has authored numerous publications and has received awards and national recognition for his work. He holds a BA from Columbia University and an MS and PhD in Computer Science from the University of North Carolina at Chapel Hill.

In announcing the appointment, PCLOB Chairman David Medine said, "I am pleased that Professor Bellovin will be joining our team as our first Technology Scholar.
His vast knowledge and significant expertise in both the private and public sectors will be of great benefit to our agency?s mission to ensure that the federal government?s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties.? The PCLOB is an independent agency within the executive branch established by the Implementing Recommendations of the 9/11 Commission Act of 2007. The bipartisan, five-member Board is appointed by the President and confirmed by the Senate. The PCLOB?s mission is to ensure that the federal government?s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties. -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Feb 16 19:53:31 2016 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2016 20:53:31 -0500 Subject: [Infowarrior] - Judge: Apple must help US hack San Bernardino killer's phone Message-ID: <9734F420-B10A-4460-9F4C-9A4B0D2CA451@infowarrior.org> (good luck with that? --rick) Judge: Apple must help US hack San Bernardino killer's phone By TAMI ABDOLLAH and ERIC TUCKER Feb. 16, 2016 7:55 PM EST WASHINGTON (AP) ? A U.S. magistrate has ordered Apple to help the Obama administration hack into an iPhone belonging to one of the shooters in San Bernardino, California. The ruling by Sheri Pym on Tuesday requires Apple to supply highly specialized software the FBI can load onto the phone to cripple a security encryption feature that erases data after too many unsuccessful unlocking attempts. Federal prosecutors told the judge they can't access a county-owned work phone used by Syed Farook because they don't know his passcode. By default, Apple has encrypted its iPhones to allow them only to be accessed using a passcode. Farook and his wife, Tashfeen Malik, killed 14 people in a Dec. 2 shooting at a holiday luncheon for Farook's co-workers. The couple later died in a police gun battle. -- It's better to burn out than fade away. 
From rforno at infowarrior.org Tue Feb 16 20:16:24 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Feb 2016 21:16:24 -0500
Subject: [Infowarrior] - Judge: Apple must help US hack San Bernardino killer's phone
In-Reply-To: <9734F420-B10A-4460-9F4C-9A4B0D2CA451@infowarrior.org>
References: <9734F420-B10A-4460-9F4C-9A4B0D2CA451@infowarrior.org>
Message-ID:

Here's the court order ...

https://assets.documentcloud.org/documents/2714005/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf

--
It's better to burn out than fade away.

> On Feb 16, 2016, at 8:53 PM, Richard Forno wrote:
>
> (good luck with that... --rick)
>
> Judge: Apple must help US hack San Bernardino killer's phone
>
> By TAMI ABDOLLAH and ERIC TUCKER
> Feb. 16, 2016 7:55 PM EST
>
> WASHINGTON (AP) -- A U.S. magistrate has ordered Apple to help the Obama administration hack into an iPhone belonging to one of the shooters in San Bernardino, California.
>
> The ruling by Sheri Pym on Tuesday requires Apple to supply highly specialized software the FBI can load onto the phone to cripple a security encryption feature that erases data after too many unsuccessful unlocking attempts.
>
> Federal prosecutors told the judge they can't access a county-owned work phone used by Syed Farook because they don't know his passcode.
>
> By default, Apple has encrypted its iPhones to allow them only to be accessed using a passcode.
>
> Farook and his wife, Tashfeen Malik, killed 14 people in a Dec. 2 shooting at a holiday luncheon for Farook's co-workers. The couple later died in a police gun battle.
>
> --
> It's better to burn out than fade away.
>

From rforno at infowarrior.org Wed Feb 17 09:04:59 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Feb 2016 10:04:59 -0500
Subject: [Infowarrior] - Apple CEO Responds to Judge's Order
Message-ID: <1DDC1F86-328D-4737-A328-15F4AE0832A3@infowarrior.org>

February 16, 2016
http://www.apple.com/customer-letter/

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers' personal data because we believe it's the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December.
We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government's efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that's in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we've offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software -- which does not exist today -- would have the potential to unlock any iPhone in someone's physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today's digital world, the "key" to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that's simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks -- from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers -- including tens of millions of American citizens -- from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by "brute force," trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government's demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone's device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone's microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI's demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI's intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Tim Cook

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 17 09:06:50 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Feb 2016 10:06:50 -0500
Subject: [Infowarrior] - my thoughts on .... Apple ordered to help FBI bypass iPhone security
Message-ID: <07313082-0F9D-4F65-B884-D760DC51B6BB@infowarrior.org>

Apple ordered to help FBI bypass iPhone security
By Richard Forno on February 17, 2016 at 6:59 am
https://cyberlaw.stanford.edu/blog/2016/02/apple-ordered-help-fbi-bypass-iphone-security

As I've said many times over the years, on matters of technology policy and Internet security, sometimes I wonder if the US government ever left the 1990s.

Last evening a federal magistrate directed Apple to work with the FBI in facilitating their access to the seized iPhone of one of the San Bernardino attackers.
The text of the court order is here. Although it does not direct Apple to break the encryption per se, it asks the company to disable features that make it more difficult to brute force the device security capabilities -- such as the function that disables (er, self-destructs) the device after multiple attempts to enter a PIN number.

While that sounds innocuous enough, it is likely such access cannot be granted on a device-by-device basis upon demand by law enforcement, although some technologists believe it possible. Rather, unless Apple demonstrates the technical, economical, or temporal infeasibility of complying with the judge's order or gets the order lifted, the consequence may well be an update/patch to IOS that would implement that proverbial "backdoor" feature that certain law enforcement officials -- specifically, FBI Director James Comey -- allege is needed to protect the country, citizens, and (think of the) children from Any Number of Evil-Sounding Things That May or May Not Be True(tm).

By contrast, NSA Director Admiral Mike Rogers has already stated publicly there is no need for such backdoors or law enforcement access, and that strong Internet security features are more of a benefit than risk to society -- despite that perennial and selectively sensational hand-wringing by prominent law enforcement and/or intelligence officials. Meaning, we can't discount the notion that Comey's quest for such access is little more than a turf battle between the FBI and NSA over computing capabilities, something that surveillance maximalists in Congress are only too happy to support.

Wired's Kim Zetter notes that this request suggests the FBI is confident in its ability to brute-force passwords and PIN numbers. Perhaps that's true --- although I can't help wonder if the FBI would otherwise be forced to delegate such duties to more computer-savvy organizations such as the NSA, potentially under a secret cybersecurity cooperation agreement relying on the controversial practice of parallel construction. (Conspiracy theory? Maybe.)

Apple CEO Tim Cook has already responded to the issue in an open letter to customers, reiterating their defense of strong product security and condemning government's renewed attempts to weaken encryption and/or mandate backdoors to customer data.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 17 09:49:55 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Feb 2016 10:49:55 -0500
Subject: [Infowarrior] - Pro-encryption lawmaker Ted Lieu: San Bernardino iPhone court order sets a bad precedent
Message-ID: <21EBB961-39A7-41A7-8455-922AF4824529@infowarrior.org>

Pro-encryption lawmaker Ted Lieu: San Bernardino iPhone court order sets a bad precedent
http://www.dailydot.com/politics/apple-iphone-encryption-ted-lieu-fbi-court-order/

--
It's better to burn out than fade away.

From rforno at infowarrior.org Wed Feb 17 13:48:44 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Feb 2016 14:48:44 -0500
Subject: [Infowarrior] - Apple encryption case risks influencing Russia and China, privacy experts say
Message-ID:

Apple encryption case risks influencing Russia and China, privacy experts say
Spencer Ackerman
http://www.theguardian.com/technology/2016/feb/17/apple-fbi-encryption-san-bernardino-russia-china

Authoritarian governments including Russia and China will demand greater access to mobile data should Apple lose a watershed encryption case brought by the FBI, leading technology analysts, privacy experts and legislators have warned.
Apple's decision to resist a court order to unlock a password-protected iPhone belonging to one of the San Bernardino killers has created a worldwide privacy shockwave, with campaigners around the world expecting the struggle to carry major implications for the future of mobile and internet security. They warned that Barack Obama's criticism of a similar Chinese measure last year now risked ringing hollow.

Senator Ron Wyden of Oregon, a leading legislator on privacy and tech issues, warned the FBI to step back from the brink or risk setting a precedent for authoritarian countries.

"This move by the FBI could snowball around the world. Why in the world would our government want to give repressive regimes in Russia and China a blueprint for forcing American companies to create a backdoor?" Wyden told the Guardian.

"Companies should comply with warrants to the extent they are able to do so, but no company should be forced to deliberately weaken its products. In the long run, the real losers will be Americans' online safety and security."

Wyden, an Oregon Democrat on the Senate intelligence committee, said the FBI was using an "unprecedented reading of a nearly 230-year old law" that put "at risk the foundations of strong security for our people and privacy in the digital age.

"If upheld, this decision could force US technology companies to actually build hacking tools for government against their will, while weakening cybersecurity for millions of Americans in the process," Wyden said.

Should the FBI prevail, and Apple create what is functionally a custom-built version of its mobile operating system, governments around the world "will see this as a blank check of legitimacy", said human rights lawyer Carly Nyst, who called the Apple showdown "groundbreaking".

In a defiant statement late on Tuesday, Apple CEO Tim Cook said the FBI had no way to ensure that the effect of its access would stay in US government hands. "The technique could be used over and over again, on any number of devices" once Apple builds it, Cook warned.

US-based tech firms have long dealt with efforts by countries worldwide to undermine user security in the name of law enforcement and national security -- terms that vary widely with government prerogative.

China in particular has fought with Apple over the iPhone, in a struggle that echoes the FBI's latest move. Chinese state media in 2014 labeled the iPhone a national security threat for collecting location data from users and compromising "state secrets". The accusation, coming after leaks from whistleblower Edward Snowden revealed the National Security Agency had hacked Chinese tech giant Huawei, prompted Cook to defend the devices' security features.

"Apple has never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will," Cook said at the time.

The Obama administration and US security services consider Chinese-aided data breaches to comprise a major national security threat, which has prompted privacy advocates to voice alarm that US government actions to undermine encryption will backfire as foreign hackers exploit mandated vulnerabilities.

The impact of the mutual distrust between Washington and Beijing can be seen in China's new cybersecurity and counter-terrorism bill, passed last December. The far-reaching law mandates that internet firms and telcos doing business in China provide law enforcement with decryption keys in terrorism cases. Analysts and foreign firms are waiting to see how far China goes in enforcing the controversial measure, particularly in light of Apple's standoff with the FBI.

Last March, Obama personally objected to the Chinese law as a draconian measure that would force US firms to "turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services." Obama said he had personally raised the issue with Xi Jinping, his Chinese counterpart.

"Imagine how hollow these objections will ring if a US court can order what China was trying to compel by statute," said Greg Nojeim of the Center for Democracy and Technology.

"The fact that such requests may be forthcoming from authoritarian countries if Apple is forced to comply with US law enforcement requests is reason enough why the Apple position should be respected," said Christopher Wolf, the director of the privacy and information management practice at the law firm Hogan Lovells.

"At the moment, Apple is not responding to foreign law enforcement [demands to] unlock devices. It's a matter of time until China, Russia, Bahrain, take your pick, come knocking too," said Eric King, director of the UK-based Don't Spy On Us coalition.

But it is not just the US authorities which are opening a path for others to undermine privacy. King and others have warned that the UK's proposed investigatory powers bill would represent a "snooper's charter", giving the government broad authority to water down encryption standards and, once armed with a warrant, force a firm to turn over encrypted communications.

Foreign firms like Apple are concerned that the bill's extraterritorial claims could "force them to re-architecture systems like iMessage and build in a backdoor," King said, underscoring that concerns about government access to communications data are not limited to authoritarian states.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Wed Feb 17 19:19:02 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Feb 2016 20:19:02 -0500
Subject: [Infowarrior] - Google CEO Finally Chimes In on FBI Encryption Case, Says He Agrees with Apple
Message-ID:

Google CEO Finally Chimes In on FBI Encryption Case, Says He Agrees with Apple
Alissa Walker
Today 7:12pm
http://gizmodo.com/google-ceo-finally-chimes-in-on-fbi-encryption-case-sa-1759769257

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 18 09:39:34 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2016 10:39:34 -0500
Subject: [Infowarrior] - MOTSS: Another WH cyber panel formed
Message-ID: <140E5A0C-C18C-4781-855D-BBECC86FA24A@infowarrior.org>

Obama creates cyber panel, says long-term vigilance needed
http://federalnewsradio.com/cybersecurity/2016/02/obama-selects-former-adviser-to-lead-cybersecurity-efforts/

WASHINGTON (AP) -- President Barack Obama on Wednesday appointed his former national security adviser, Tom Donilon, to lead a new commission on cybersecurity that will make detailed recommendations on how the nation should better protect itself against computer attacks.

Donilon will serve as chairman of the Commission on Enhancing National Cybersecurity. Obama will appoint former IBM chief executive Sam Palmisano to serve as vice chairman. Their task, Obama said, is to produce a report by Dec. 1 that will guide future presidents on the infrastructure necessary to confront long-term computer challenges.

Obama said the Internet has brought incredible opportunity and wealth, but it also means "that more and more of our lives are being downloaded."

"Right now, we are not as well organized as we need to be to make sure that we're dealing with all these threats in an effective way," Obama said.

Obama issued an executive order establishing the bipartisan commission earlier this month. It comes as federal agencies are facing ever-more sophisticated attacks.

Among the most serious breaches in the past year occurred when hackers gained access to the personal information of more than 22 million U.S. federal employees, retirees, contractors and others, and millions of sensitive and classified documents maintained by the Office of Personnel Management. Fingerprint images belonging to some 5.6 million people were stolen.

The commission that Donilon and Palmisano will lead will consist of up to 12 members and make detailed recommendations dealing with the public and private sectors. Many companies have long had such officials in place to deal with cyber intruders.

Obama said Donilon will come at the job from a national security perspective, while Palmisano brings perspective from the private sector and non-profits.

Obama said the commission will examine several challenges, including how to keep huge government databases secure, how to provide timely information to the public about best practices to keep their information safe, and how the government can improve its procurement process and attract the best computer personnel.

"The American people understand this is a problem -- and it's only going to grow," Obama said.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 18 11:05:54 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2016 12:05:54 -0500
Subject: [Infowarrior] - The FCC just took the first big step toward changing the cable box business
Message-ID:

The FCC just took the first big step toward changing the cable box business
Colin Lecher
http://www.theverge.com/2016/2/18/11046948/fcc-cable-box-set-top-vote

In a three-to-two vote, the FCC has decided to move ahead with a proposal that could drastically change the cable set-top box industry. The decision may have far-reaching consequences for how cable customers watch TV -- ultimately allowing them to go through third parties for their set-top systems, rather than being tied to the same company they use for cable service.

Proposal will now enter a comment period

The proposed rule changes will now move into a comment period -- where businesses and customers will be able to weigh in -- ahead of revisions and a final vote, still some months away.

FCC Chairman Tom Wheeler first announced the proposed rule changes last month, and it's been met by criticism from a cable industry that has long kept the keys to the castle. Cable companies have argued that the future may leave the cable box behind entirely -- focused, instead, on apps -- and that the FCC is driving innovation from the wrong direction.

Wheeler argues that if any company can build a box that can communicate with any TV service, those companies will be able to get started building cable boxes rather than having to work out other deals first. The competition, the Chairman argues, will drive down costs and improve device options for consumers. He said at the assembled meeting that "consumers have no choice today," and that the proposed rules did not make major changes for consumers. "It only creates the opportunity for them to have choice."

"While the cost of other technologies have fallen as competition increased, the cost of a set-top box has risen at more than three times the rate of inflation for American paid-TV subscribers over that same period," FCC Commissioner Mignon Clyburn said at the meeting, in support of the proposed rules. She noted that more than $200 per year was spent on set-top box rentals.

Commissioner Ajit Pai said new rules changed "one complex regulatory scheme for another"

Commissioner Ajit Pai opposed the proposal, arguing that the decision would simply be changing "one complex regulatory scheme for another." "I know that the current set-top marketplace is the product of an intrusive regulatory regime," Pai said.

"This is not complex," Wheeler said, before the vote. "The law mandates it, technology allows it, the industry at one time proposed something similar to it, and consumers deserve a break and a choice."

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 18 11:57:45 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2016 12:57:45 -0500
Subject: [Infowarrior] - Sneaky Change to the TPP Drastically Extends Criminal Penalties
Message-ID:

(Accidental or Intentional? My bet is Intentional. --rick)

https://www.eff.org/deeplinks/2016/02/sneaky-change-tpp-drastically-extends-criminal-penalties

Sneaky Change to the TPP Drastically Extends Criminal Penalties

When the text of the Trans-Pacific Partnership (TPP) was first released in November last year, it included provisions dictating the kinds of penalties that should be available in cases of copyright infringement. Amongst those provisions, the following footnote allowed countries some flexibility in applying criminal procedures and penalties to cases of willful copyright infringement on a commercial scale:

< -- >

How could this happen, when the TPP had supposedly already been finalized when the original text was released in November? The answer is that the original text had not been "legally scrubbed." The legal scrubbing process, which was ongoing from November until the re-release of the text last month, was meant to be a process in which lawyers, trade ministry staff, and translators, go over the deal word-by-word, to ensure that it is legally consistent and free of unintended errors or loopholes. It is most certainly not an opportunity for the negotiators to make any substantive changes to the text.

Since the change highlighted above is unarguably a substantive change, the only basis for the change to be made during legal scrubbing would be if it were an error. But is it an error? We don't know for sure -- though EFF has contacted the USTR for clarification, and we will update this post if we receive an answer. But logically, the original text doesn't seem to have been an error, because there seems to be no rational basis why countries should be allowed to limit the availability of ex officio action, but not to similarly limit the availability of the other criminal remedies.

Think about it. What sense is there in sending someone to jail for an infringement that causes no harm to the copyright holder, whether they complain about it or not? And why should it matter that the copyright holder complains about something that didn't affect them anyway? Surely, if the copyright holder suffers no harm, then a country ought to be able to suspend the whole gamut of criminal procedures and penalties, not only the availability of ex officio action.

This is no error -- or if it is, then the parties were only in error in agreeing to a proposal that was complete nonsense to begin with. But most likely, this is an underhanded attempt to renegotiate the Trans-Pacific Partnership before its ink is even dry. In an agreement that was an undemocratic power grab from the outset, this devious move marks the lowest point to which the negotiators have yet sunk. It gives us all even more reason, as if any were needed, to demand that our representatives refuse to ratify this dreadful agreement.

https://www.eff.org/deeplinks/2016/02/sneaky-change-tpp-drastically-extends-criminal-penalties

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 18 16:48:49 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2016 17:48:49 -0500
Subject: [Infowarrior] - Here we go....Senate Panel Chief Plans Bill to Criminalize Firms That Don't Decipher Encrypted Messages
Message-ID: <9BB9F949-21E2-4325-9B32-E22917AF43B1@infowarrior.org>

Senate Panel Chief Plans Bill to Criminalize Firms That Don't Decipher Encrypted Messages
By Damian Paletta
Feb. 18, 2016 4:56 p.m. ET
http://www.wsj.com/articles/senate-intel-committee-chairman-working-on-encryption-bill-1455832584

WASHINGTON -- Senate Intelligence Committee Chairman Richard Burr (R., N.C.) is working on a proposal that would create criminal penalties for companies that don't comply with court orders to decipher encrypted communications, four people familiar with the matter said, potentially escalating an issue that is dividing Washington and Silicon Valley.

A U.S. magistrate judge on Tuesday ordered Apple Inc. to help the Federal Bureau of Investigation circumvent a passcode-protection system on a phone used by Syed Rizwan Farook, one of two terrorists who killed 14 people at a holiday party in San Bernardino, Calif., in December. Apple has refused to comply with the order.

Mr. Burr hasn't finalized plans for how legislation would be designed, and several people familiar with the process said there hasn't been an agreement among any other lawmakers to pursue criminal penalties. It's also unclear whether Mr. Burr could marshal bipartisan support on such an issue during an election year that has divided Washington in recent months.

The bill could be written in a way that modifies the Communications Assistance for Law Enforcement Act, a 1994 law that compels telecommunications companies to construct their systems so they can comply with court orders.

A number of companies and developers have in recent years designed encryption tools that are very easy to use and virtually impossible to decipher if used correctly. A popular form of encryption, known as "end to end," allows only the sender and receiver of a message to see it, and the companies say they are irretrievable once sent.

Some law-enforcement officials and lawmakers have said companies should design a way to retrieve these messages if a court order is obtained. But privacy advocates, a number of lawmakers and numerous technology firms have said any effort to create one-time access to encrypted messages would allow foreign countries, hackers and others to steal information using the same tools.

Mr. Burr has spent months pressuring technology companies to work more closely with law enforcement and others to prevent encryption tools from being used to plan and carry out crimes. He warned technology firms that they need to consider changing their "business model" in the wake of the widening use of encrypted communications.

He said last week that he's heard complaints from district attorneys and federal prosecutors that the use of encryption by suspected criminals has made it difficult, and in some cases impossible, to retrieve evidence.

"District attorneys have come to me because they are beginning to get to a situation where they can't prosecute cases," Mr. Burr said at a hearing last week. "This is town by town, city by city, county by county, and state by state...It's something we need to take seriously."

In December, he joined with Sen. Dianne Feinstein (D., Calif.) in proposing a bill that would require social-media companies to report online terrorist activity. That bill hasn't advanced so far, but several technology companies have announced plans to step up efforts to prevent the spread of extremist messages.

Write to Damian Paletta at damian.paletta at wsj.com

--
It's better to burn out than fade away.
From rforno at infowarrior.org Thu Feb 18 17:00:40 2016 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Feb 2016 18:00:40 -0500 Subject: [Infowarrior] - Upgrade Your iPhone Passcode to Defeat the FBI's Backdoor Strategy Message-ID:

Upgrade Your iPhone Passcode to Defeat the FBI's Backdoor Strategy Micah Lee https://theintercept.com/2016/02/18/passcodes-that-can-defeat-fbi-ios-backdoor/

YESTERDAY, APPLE CEO TIM COOK published an open letter opposing a court order to build the FBI a "backdoor" for the iPhone. Cook wrote that the backdoor, which removes limitations on how often an attacker can incorrectly guess an iPhone passcode, would set a dangerous precedent and "would have the potential to unlock any iPhone in someone's physical possession," even though in this instance, the FBI is seeking to unlock a single iPhone belonging to one of the killers in a 14-victim mass shooting spree in San Bernardino, California, in December. It's true that ordering Apple to develop the backdoor will fundamentally undermine iPhone security, as Cook and other digital security advocates have argued. But it's possible for individual iPhone users to protect themselves from government snooping by setting strong passcodes on their phones: passcodes the FBI would not be able to unlock even if it gets its iPhone backdoor. The technical details of how the iPhone encrypts data, and how the FBI might circumvent this protection, are complex and convoluted, and are being thoroughly explored elsewhere on the internet. What I'm going to focus on here is how ordinary iPhone users can protect themselves. The short version: If you're worried about governments trying to access your phone, set your iPhone up with a random, 11-digit numeric passcode. What follows is an explanation of why that will protect you and how to actually do it.
If it sounds outlandish to worry about government agents trying to crack into your phone, consider that when you travel internationally, agents at the airport or other border crossings can seize, search, and temporarily retain your digital devices, even without any grounds for suspicion. And while a local police officer can't search your iPhone without a warrant, cops have used their own digital devices to get search warrants within 15 minutes, as a Supreme Court opinion recently noted. The most obvious way to try and crack into your iPhone, and what the FBI is trying to do in the San Bernardino case, is to simply run through every possible passcode until the correct one is discovered and the phone is unlocked. This is known as a "brute force" attack. For example, let's say you set a six-digit passcode on your iPhone. There are 10 possibilities for each digit in a numbers-based passcode, and so there are 10^6, or 1 million, possible combinations for a six-digit passcode as a whole. It is trivial for a computer to generate all of these possible codes. The difficulty comes in trying to test them. One obstacle to testing all possible passcodes is that the iPhone intentionally slows down after you guess wrong a few times. An attacker can try four incorrect passcodes before she's forced to wait one minute. If she continues to guess wrong, the time delay increases to five minutes, 15 minutes, and finally one hour. There's even a setting to erase all data on the iPhone after 10 wrong guesses. This is where the FBI's requested backdoor comes into play. The FBI is demanding that Apple create a special version of the iPhone's operating system, iOS, that removes the time delays and ignores the data erasure setting. The FBI could install this malicious software on the San Bernardino killer's iPhone, brute force the passcode, unlock the phone, and access all of its data. And that process could hypothetically be repeated on anyone else's iPhone.
(There's also speculation that the government could make Apple alter the operation of a piece of iPhone hardware known as the Secure Enclave; for the purposes of this article, I assume the protections offered by this hardware, which would slow an attacker down even more, are not in place.) Even if the FBI gets its way and can clear away iPhone safeguards against passcode guessing, it faces another obstacle, one that should help keep it from cracking passcodes of, say, 11 digits: It can only test potential passcodes for your iPhone using the iPhone itself; the FBI can't use a supercomputer or a cluster of iPhones to speed up the guessing process. That's because iPhone models, at least as far back as May 2012, have come with a Unique ID (UID) embedded in the device hardware. Each iPhone has a different UID fused to the phone, and, by design, no one can read it and copy it to another computer. So the FBI is stuck using your iPhone to test passcodes. And it turns out that your iPhone is kind of slow at that: iPhones intentionally encrypt data in such a way that they must spend about 80 milliseconds doing the math needed to test a passcode, according to Apple. That limits them to testing 12.5 passcode guesses per second, which means that guessing a six-digit passcode would take, at most, just over 22 hours. You can calculate the time for that task simply by dividing the 1 million possible six-digit passcodes by 12.5 seconds. That's 80,000 seconds, or 1,333 minutes, or 22 hours. But the attacker doesn't have to try each passcode; she can stop when she finds one that successfully unlocks the device. On average, it will only take 11 hours for that to happen. But the FBI would be happy to spend mere hours cracking your iPhone. What if you use a longer passcode? Here's how long the FBI would need:

- seven-digit passcodes will take up to 9.2 days, and on average 4.6 days, to crack
- eight-digit passcodes will take up to three months, and on average 46 days, to crack
- nine-digit passcodes will take up to 2.5 years, and on average 1.2 years, to crack
- 10-digit passcodes will take up to 25 years, and on average 12.6 years, to crack
- 11-digit passcodes will take up to 253 years, and on average 127 years, to crack
- 12-digit passcodes will take up to 2,536 years, and on average 1,268 years, to crack
- 13-digit passcodes will take up to 25,367 years, and on average 12,683 years, to crack

It's important to note that these estimates only apply to truly random passcodes. If you choose a passcode by stringing together dates, phone numbers, social security numbers, or anything else that's at all predictable, the attacker might try guessing those first, and might crack your 11-digit passcode in a very short amount of time. So make sure your passcode is random, even if this means it takes extra time to memorize it. (Memorizing that many digits might seem daunting, but if you're older than, say, 29, there was probably a time when you memorized several phone numbers that you dialed on a regular basis.) Nerd tip: If you're using a Mac or Linux, you can securely generate a random 11-digit passcode by opening the Terminal app and typing this command (the %011d keeps leading zeros, so the result is always exactly 11 digits):

python -c 'from random import SystemRandom as r; print("%011d" % r().randint(0,10**11-1))'

It's also important to note that we're assuming the FBI, or some other government agency, has not found a flaw in Apple's security architecture that would allow them to test passcodes on their own computers or at a rate faster than 80 milliseconds per passcode. Once you've created a new 11-digit passcode, you can start using it by opening the Settings app, selecting "Touch ID & Passcode," and entering your old passcode if prompted. Then, if you have an existing passcode, select "Change passcode" and enter your old passcode. If you do not have an existing passcode, and are setting one for the first time, click "Turn passcode on." Then, in all cases, click "Passcode options," select "Custom numeric code,"
and then enter your new passcode. Here are a few final tips to make this long-passcode thing work better:

- Within the "Touch ID & Passcode" settings screen, make sure to turn on the Erase Data setting to erase all data on your iPhone after 10 failed passcode attempts.
- Make sure you don't forget your passcode, or you'll lose access to all of the data on your iPhone.
- Don't use Touch ID to unlock your phone. Your attacker doesn't need to guess your passcode if she can push your finger onto the home button to unlock it instead. (At least one court has ruled that while the police cannot compel you to disclose your passcode, they can compel you to use your fingerprint to unlock your smartphone.)
- Don't use iCloud backups. Your attacker doesn't need to guess your passcode if she can get a copy of all the same data from Apple's server, where it's no longer protected by your passcode.
- Do make local backups to your computer using iTunes, especially if you are worried about forgetting your iPhone passcode. You can encrypt the backups, too.

By choosing a strong passcode, the FBI shouldn't be able to unlock your encrypted phone, even if it installs a backdoored version of iOS on it. Not unless it has hundreds of years to spare. -- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 18 17:03:14 2016 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Feb 2016 18:03:14 -0500 Subject: [Infowarrior] - Lawmakers Speak Out On Apple; Some Wisely, Some Ignorantly Message-ID: <6F1C6681-3797-4B88-A16B-5AA657103C8D@infowarrior.org>

Lawmakers Speak Out On Apple Being Forced To Create Backdoors; Some Wisely, Some Ignorantly https://www.techdirt.com/articles/20160218/09520333642/lawmakers-speak-out-apple-being-forced-to-create-backdoors-some-wisely-some-ignorantly.shtml -- It's better to burn out than fade away.
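The brute-force arithmetic in Micah Lee's Intercept piece above (80 ms per guess on the device, 12.5 guesses per second, escalating lockouts, optional wipe after ten misses) worked out in code. This is an added example, not code from the article, from Apple or from the FBI filing. It also models the stock lockout schedule the article describes, to show why the order to remove it matters; the function names, the assumption that every miss after the sixth costs a full hour, and the use of "half the keyspace" as the average case are this example's own assumptions.

```python
"""Brute-force cost model for numeric iPhone passcodes (added example)."""
import secrets

MS_PER_GUESS = 80                 # per-guess cost the article attributes to Apple
SECONDS_PER_YEAR = 365 * 24 * 3600
ERASE_AFTER_WRONG_GUESSES = 10    # the "Erase Data" setting

# Stock iOS lockout schedule as the article describes it: three free misses,
# then the 4th, 5th and 6th wrong guess impose 1, 5 and 15 minute waits.
# Treating every later miss as a one-hour wait is an assumption of this example.
LOCKOUT_RAMP_SECONDS = [0, 0, 0, 60, 300, 900]
STEADY_LOCKOUT_SECONDS = 3600


def keyspace(num_digits: int) -> int:
    """Number of distinct all-numeric passcodes of the given length."""
    return 10 ** num_digits


def lockout_seconds(wrong_guesses: int) -> int:
    """Total forced waiting after `wrong_guesses` consecutive misses on stock iOS."""
    ramp = LOCKOUT_RAMP_SECONDS[:min(wrong_guesses, len(LOCKOUT_RAMP_SECONDS))]
    extra = max(0, wrong_guesses - len(LOCKOUT_RAMP_SECONDS))
    return sum(ramp) + extra * STEADY_LOCKOUT_SECONDS


def worst_case_seconds(num_digits: int, backdoor: bool) -> float:
    """Seconds to try every passcode of this length on the device itself.

    With the requested backdoor only the 80 ms key-derivation check remains;
    without it the lockout schedule is added (one miss per passcode but the last).
    """
    guesses = keyspace(num_digits)
    seconds = guesses * MS_PER_GUESS / 1000
    if not backdoor:
        seconds += lockout_seconds(guesses - 1)
    return seconds


def average_seconds(num_digits: int, backdoor: bool) -> float:
    """Expected time against a uniformly random passcode: half the worst case."""
    return worst_case_seconds(num_digits, backdoor) / 2


def max_guesses_without_backdoor(num_digits: int, erase_enabled: bool) -> int:
    """Guess budget on stock iOS: ten if the wipe is on, else the whole keyspace."""
    return ERASE_AFTER_WRONG_GUESSES if erase_enabled else keyspace(num_digits)


def crack_table(min_digits: int = 6, max_digits: int = 13) -> dict:
    """Map passcode length -> (worst-case years, average years), backdoor assumed."""
    return {
        n: (worst_case_seconds(n, True) / SECONDS_PER_YEAR,
            average_seconds(n, True) / SECONDS_PER_YEAR)
        for n in range(min_digits, max_digits + 1)
    }


def random_passcode(num_digits: int = 11) -> str:
    """Uniform random numeric passcode from the OS CSPRNG, zero-padded so a
    leading 0 is kept (otherwise roughly 10% of outputs would be a digit short)."""
    return f"{secrets.randbelow(keyspace(num_digits)):0{num_digits}d}"


if __name__ == "__main__":
    print(f"six digits, backdoored iOS: worst {worst_case_seconds(6, True) / 3600:.1f} h, "
          f"average {average_seconds(6, True) / 3600:.1f} h")
    print(f"six digits, stock lockouts, wipe off: worst "
          f"{worst_case_seconds(6, False) / SECONDS_PER_YEAR:.0f} years")
    print(f"six digits, stock lockouts, wipe on: "
          f"{max_guesses_without_backdoor(6, True)} guesses, then the data is gone")
    for n, (worst, avg) in crack_table().items():
        print(f"{n:2d} digits: up to {worst:10.1f} years, on average {avg:10.1f} years")
    print("suggested passcode:", random_passcode(11))
```

The table the script prints reproduces the article's figures (six digits: 22.2 h worst case; 11 digits: about 254 years worst case, 127 on average). The two stock-iOS lines are the point the article makes in prose: without the backdoor, the wipe setting caps the attacker at ten guesses, and even with it off the hourly lockouts push a six-digit search past a century, which is why removing those two protections is what the order asks for.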
From rforno at infowarrior.org Thu Feb 18 19:12:16 2016 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Feb 2016 20:12:16 -0500 Subject: [Infowarrior] - FBI Won't Explain Its Bizarre New Way of Measuring Its Success Fighting Terror Message-ID:

FBI Won't Explain Its Bizarre New Way of Measuring Its Success Fighting Terror Jenna McLaughlin Feb. 18 2016, 6:18 p.m. https://theintercept.com/2016/02/18/fbi-wont-explain-its-bizarre-new-way-of-measuring-its-success-fighting-terror/ -- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 19 10:01:30 2016 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Feb 2016 11:01:30 -0500 Subject: [Infowarrior] - Secret Memo Details U.S.'s Broader Strategy to Crack Phones Message-ID: <5D5E6813-CA7F-4637-AEB0-E989423F66F6@infowarrior.org>

Secret Memo Details U.S.'s Broader Strategy to Crack Phones Michael Riley http://www.bloomberg.com/news/articles/2016-02-19/secret-memo-details-u-s-s-broader-strategy-to-crack-phones

Silicon Valley celebrated last fall when the White House revealed it would not seek legislation forcing technology makers to install "backdoors" in their software -- secret listening posts where investigators could pierce the veil of secrecy on users' encrypted data, from text messages to video chats. But while the companies may have thought that was the final word, in fact the government was working on a Plan B. In a secret meeting convened by the White House around Thanksgiving, senior national security officials ordered agencies across the U.S. government to find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices, including Apple Inc.'s iPhone, the marquee product of one of America's most valuable companies, according to two people familiar with the decision.
The approach was formalized in a confidential National Security Council "decision memo," tasking government agencies with developing encryption workarounds, estimating additional budgets and identifying laws that may need to be changed to counter what FBI Director James Comey calls the "going dark" problem: investigators being unable to access the contents of encrypted data stored on mobile devices or traveling across the Internet. Details of the memo reveal that, in private, the government was honing a sharper edge to its relationship with Silicon Valley alongside more public signs of rapprochement. On Tuesday, the public got its first glimpse of what those efforts may look like when a federal judge ordered Apple to create a special tool for the FBI to bypass security protections on an iPhone 5c belonging to one of the shooters in the Dec. 2 terrorist attack in San Bernardino, California that killed 14 people. Apple Chief Executive Officer Tim Cook has vowed to fight the order, calling it a "chilling" demand that Apple "hack our own users and undermine decades of security advancements that protect our customers." The order was not a direct outcome of the memo but is in line with the broader government strategy. White House spokesman Josh Earnest said Wednesday that the Federal Bureau of Investigation and Department of Justice have the Obama administration's "full" support in the matter. The government is "not asking Apple to redesign its product or to create a new backdoor to their products," but rather is seeking entry "to this one device," he said. Security specialists say the case carries enormous consequences, for privacy and the competitiveness of U.S. businesses, and that the National Security Council directive, which has not been previously reported, shows that technology companies underestimated the resolve of the U.S. government to access encrypted data. "My sense is that people have over-read what the White House has said on encryption,"
said Robert Knake, a senior fellow at the Council of Foreign Relations who formerly served as White House Director of Cybersecurity Policy. "They said they wouldn't seek to legislate 'backdoors' in these technologies. They didn't say they wouldn't try to access the data in other ways." "Backdoors" refer to security holes that are intentionally inserted into software to create the equivalent of a skeleton key for law enforcement -- what wiretapping systems are for telephone lines, for instance. The problem with backdoors in computer networks is they create vulnerabilities for any hacker to find. What the court is ordering Apple to do, security experts say, does not require the company to crack its own encryption, which the company says it cannot do in any case. Instead, the order requires Apple to create a piece of software that takes advantage of a capability that Apple alone possesses to modify the permanently installed "firmware" on iPhones and iPads, changing it so that investigators can try unlimited guesses at the terror suspect's PIN code with high-powered computers. Once investigators get the PIN, they get the data. Knake said that the Justice Department's narrowly crafted request shows both that FBI technical experts possess a deep understanding of the way Apple's security systems work and that they have identified potential vulnerabilities that can provide access to data the company has previously said it can't get. In this case, the government wants Apple's help in exploiting such weaknesses. But experts say they could find ways to do it themselves, and the NSC "decision memo" could lead to more money and legal authorization for a smorgasbord of similar workarounds. National Security Council spokesman Mark Stroh declined to comment on the memo. But he provided a statement from a senior Obama administration official: "We should not preemptively conclude that technical and policy options to address this challenge are out of reach.
While creating mechanisms for accessing encrypted information does create vulnerabilities, there may be technical and process steps that can be implemented to limit such risks." The memo was approved by the NSC's Deputies Committee, according to the people familiar with it. While the deputies' committee changes depending on the subject matter, it typically includes at least a dozen sub-cabinet level officials, among them the deputy attorney general, the vice chairman of the joint chiefs of staff, and the deputy national security adviser. Such memos can have lasting impact. A similar decision memo was used in the early years of the Iraq war to address the problem of Improvised Explosive Devices, which were then killing hundreds of U.S. servicemen. The response ultimately led to new anti-IED technology and expanded intelligence capabilities to disrupt the cells building and planting the bombs. Silicon Valley and Washington have had a decades-long distrust of each other over encryption, stemming from a failed Clinton administration push in the 1990s for a government backdoor in telecommunications networks. In that case, the National Security Agency developed a technology called the Clipper Chip, which the White House approved as a government standard. Security experts assailed it as insecure and a violation of privacy. Security experts say the U.S.'s insistence on finding ways to tap into encrypted data comes in direct conflict with consumers' growing demands for privacy. "The government's going to have to get over it," said Ken Silva, former technical director of the National Security Agency and currently a vice president at Ionic Security Inc., an Atlanta-based data security company. "We had this fight 20 years ago. While I respect the job they have to do and I know how hard the job is, the privacy of that information is very important to people."
In addition to the demands against Apple, the FBI will almost certainly seek more money and expanded legal authorization to track suspects and access encrypted data, without the involvement of companies that make the technologies, several experts say. Intelligence services already have sophisticated tools for cracking encryption, and the White House's efforts will likely lead to broader use of those techniques across the government, even in ordinary criminal investigations that don't involve foreign intelligence or national security. The workarounds could involve trying to force companies like Apple to develop their own tools to help law enforcement or enlisting government hackers to find previously unknown software vulnerabilities that enable the decryption of large amounts of data flowing across networks. Apple infuriated law enforcement when it announced in 2014 that it would encrypt data stored on users' iPhones and iPads with a PIN code that the company could not access, even if ordered to by a judge. Prior to that decision, the FBI and local police agencies routinely sent seized devices to Apple to extract data relevant to their investigations. To security experts, creating hacking tools -- capabilities to gain access to encrypted data -- is simply a matter of money and focused effort. "My guess is you could spend a few million dollars and get a capability against Android, spend a little more and get a capability against the iPhone. For under $10 million, you might have capabilities that will work across the board," said Jason Syversen, a former manager of advanced cyber security programs at the Defense Advanced Research Projects Agency (DARPA), and now the CEO and co-founder of Siege Technologies in Manchester, New Hampshire. This week's federal court order undermines years of effort by Apple to design a system that makes accessing encrypted data impossible without the participation of the phone's legitimate user.
Company officials appeared to believe the enhanced encryption would remove Apple from the efforts of any government to sabotage the security of their customers. Instead, federal agents have detailed in a public document several ways in which that encryption can be bypassed. "Apple has two options now: They can go back to the judge and say this isn't possible. Or they can service the warrant," said James Lewis, a senior cyber security fellow at the Center for Strategic and International Studies in Washington. "I don't think they can say it's not possible, because it looks like it is." -- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 19 10:03:28 2016 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Feb 2016 11:03:28 -0500 Subject: [Infowarrior] - Original 1977 Star Wars 35mm print has been restored and released online Message-ID: <48731E76-155F-4A37-992B-BB2D090031F8@infowarrior.org>

Original 1977 Star Wars 35mm print has been restored and released online by Mark Walton (UK) - Feb 18, 2016 8:34am EST http://arstechnica.com/the-multiverse/2016/02/original-1977-star-wars-35mm-print-has-been-restored-and-released-online/

There's no Jabba, no CGI, and Han most definitely shoots first. A restored HD version of the original Star Wars Episode IV: A New Hope 35mm print has appeared online. While this isn't the first time that attempts have been made to restore Star Wars to its original theatrical version (that's the one without the much-maligned CGI effects and edits of later "special" editions), it is the first to have been based entirely on a single 35mm print of the film, rather than cut together from various sources. The group behind the release, dubbed Team Negative 1, is made up of Star Wars fans and enthusiasts who spent thousands of dollars of their own cash to restore the film without the blessing of creator George Lucas, or franchise owner Disney.
Lucas has famously disowned the original theatrical version of Star Wars, telling The Today Show back in 2004: The special edition, that's the one I wanted out there. The other movie, it's on VHS, if anybody wants it. ... I'm not going to spend the (we're talking millions of dollars here) the money and the time to refurbish that, because to me, it doesn't really exist anymore. It's like this is the movie I wanted it to be, and I'm sorry you saw half a completed film and fell in love with it. Lucasfilm later claimed that the original negatives of Star Wars were permanently altered for the special edition releases, making restoration next to impossible. How Team Negative 1 got its hands on a 35mm print of the 1977 release of the movie is a mystery. But for fans who don't want to see ropey CGI, a pointless Jabba the Hutt scene, and know for a fact that Han shoots first, this restored version of the film (even with some pops, scratches, and colour issues) is the one to watch. The only official digital release of the original theatrical print was made back in 2006 as an extra feature on the DVD special edition. Unfortunately, those transfers (which were made from the same source as the 1995 Laserdisc release) weren't anamorphic, and only featured compressed Dolby 2.0 audio. That's not to mention that the transfer itself used an aggressive form of digital noise reduction, which erased some of the finer details of the film. The only issue with Team Negative 1's version of the film is that it isn't exactly legal. That said, it isn't hard to track down online. While that might be a bit too risky for some, Team Negative 1 believes that plenty of people will want to watch its "Silver Screen" restoration. "We know that anyone under 30 kind of prefers the clean, sharp, detailed look," Team Negative 1 told Movie Mezzanine. "Then the older crowd, the retro crowd, is like, 'give me the grain and give me the matte boxes and give me a little weave in the picture.'
It's kind of like CD vs. vinyl." -- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 19 14:53:20 2016 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Feb 2016 15:53:20 -0500 Subject: [Infowarrior] - Update: Senate Panel Chief Decides Against Plan to Criminalize Firms That Don't Decipher Encrypted Messages Message-ID:

(Wondering why.....this is quite a turnaround in less than 24 hours. ---rick)

Senate Panel Chief Decides Against Plan to Criminalize Firms That Don't Decipher Encrypted Messages By Damian Paletta Updated Feb. 18, 2016 9:37 p.m. ET http://www.wsj.com/articles/senate-intel-committee-chairman-working-on-encryption-bill-1455832584

WASHINGTON - Senate Intelligence Committee Chairman Richard Burr (R., N.C.) has decided against a proposal circulating quietly on Capitol Hill to create criminal penalties for companies that decline to comply with court orders to decipher encrypted communications, a spokeswoman said Thursday night. The issue of how to pressure companies on encryption matters has become inflamed in Washington in recent days. Several people familiar with the matter previously said Mr. Burr was considering criminal provisions as part of the proposal. A U.S. magistrate judge on Tuesday ordered Apple Inc. to help the Federal Bureau of Investigation circumvent a passcode-protection system on a phone used by Syed Rizwan Farook, one of two terrorists who killed 14 people at a holiday party in San Bernardino, Calif., in December. Apple has refused to comply with the order. Mr. Burr has signaled he is studying whether to propose legislation that would tighten rules about encryption, though he hasn't made any decision about how a bill would be designed. It's also unclear whether Mr. Burr could marshal bipartisan support on such an issue during an election year that has divided Washington in recent months. But any proposal by Mr.
Burr would not include criminal penalties for rejecting court orders about encryption, according to his spokeswoman. "Chairman Burr is not considering criminal penalties in his draft encryption proposals," his spokeswoman said. Some analysts have mulled whether encryption rules could be imposed by modifying the Communications Assistance for Law Enforcement Act, a 1994 law that compels telecommunications companies to construct their systems so they can comply with court orders. A number of companies and developers have in recent years designed encryption tools that are very easy to use and virtually impossible to decipher if used correctly. A popular form of encryption, known as "end to end," allows only the sender and receiver of a message to see it, and the companies say they are irretrievable once sent. Some law-enforcement officials and lawmakers have said companies should design a way to retrieve these messages if a court order is obtained. But privacy advocates, a number of lawmakers and numerous technology firms have said any effort to create one-time access to encrypted messages would allow foreign countries, hackers and others to steal information using the same tools. Mr. Burr has spent months pressuring technology companies to work more closely with law enforcement and others to prevent encryption tools from being used to plan and carry out crimes. He warned technology firms that they need to consider changing their "business model" in the wake of the widening use of encrypted communications. He said last week that he's heard complaints from district attorneys and federal prosecutors that the use of encryption by suspected criminals has made it difficult, and in some cases impossible, to retrieve evidence.
"District attorneys have come to me because they are beginning to get to a situation where they can't prosecute cases," Mr. Burr said at a hearing last week. "This is town by town, city by city, county by county, and state by state...It's something we need to take seriously." In December, he joined with Sen. Dianne Feinstein (D., Calif.) in proposing a bill that would require social-media companies to report online terrorist activity. That bill hasn't advanced so far, but several technology companies have announced plans to step up efforts to prevent the spread of extremist messages. Write to Damian Paletta at damian.paletta at wsj.com -- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 19 15:01:36 2016 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Feb 2016 16:01:36 -0500 Subject: [Infowarrior] - US files motion to compel against Apple Message-ID: <87717071-7E45-4B6C-98B0-14D83C0D2E4A@infowarrior.org>

U.S. Slams Apple's Cook for Refusing to Help in Terror Probe Edvard Pettersson February 19, 2016, 2:00 PM EST Updated on February 19, 2016, 3:00 PM EST http://www.bloomberg.com/news/articles/2016-02-19/u-s-files-new-request-to-force-apple-to-help-in-iphone-probe

The U.S. fired back at Apple Inc. Chief Executive Officer Tim Cook after he publicly refused to cooperate with a judge's order to aid law enforcement in unlocking a terrorist's iPhone. On Friday, the government again asked the court to compel Apple to obey the judge's order to help in opening the phone used by Syed Rizwan Farook, who died in a shootout with law enforcement in San Bernardino, California, after a massacre that killed 14 people. Apple's resistance is "based on its concern for its business model and public brand marketing strategy," the government said in a filing in federal court in Riverside, California. Apple "is not above the law."
Clearly frustrated with Apple's intransigence, the government submitted its demand a week before Apple's deadline to respond to the judge's earlier order. Advancing its case in the courts of both law and public opinion, the Justice Department essentially said the company has placed its profits and popularity ahead of the public's safety. Prosecutors expanded on their initial request while picking apart Apple's defense, as explained in a letter Cook published on the company's website earlier this week. Cook refused to comply with the judge's initial order, saying it would create a "back door" to its devices and calling the order a "chilling" attack on civil liberties. The U.S. countered Cook's arguments Friday, saying "the assistance ordered is not a 'back door' or a 'hack' to all of Apple's encryption software." Citing the urgency of this investigation, the Justice Department said it's seeking the ruling because Apple has made it "patently clear" that it will fight the earlier order. Prosecutors want Apple to provide customized software that will prevent the data on the phone from being deleted after 10 attempts to input the passcode. The software also must enable agents to send electronic passcodes to the phone, rather than manually typing them in. The software would allow agents to automatically enter multiple passcodes to get around the encryption standards. "At no point has Apple ever said that it does not have the technical ability to comply with the order," the Justice Department said in the filing. "On this point, Apple's silence speaks volumes." Kristin Huguet, a spokeswoman for Apple, didn't answer a call seeking comment. The U.S. said Apple's stance threatened "the most fundamental investigative tool of all": a search warrant. "Unless this court enforces the order requiring Apple's assistance, the warrant will be meaningless," prosecutors said. Apple has until Feb. 26 to file its response to the original order. A hearing is set for March 22.
-- It's better to burn out than fade away.

From rforno at infowarrior.org Fri Feb 19 15:03:51 2016 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Feb 2016 16:03:51 -0500 Subject: [Infowarrior] - JIE: 'Building the Fort Knox of Network Security' Message-ID: <36DDE335-4C59-412C-A5E3-F9E4D504980A@infowarrior.org>

JIE: "Building the Fort Knox of Network Security" http://federalnewsradio.com/govtechworks-articles/2016/02/jie-building-the-fort-knox-of-network-security/

Statistically, breaking into the Defense Department's digital networks isn't that easy. There were 30 million "known malicious cyber intrusions" between September 2014 and June 2015, but less than 0.1 percent actually penetrated the Pentagon's cyber defenses, according to Defense Secretary Ashton Carter, in a Sept. 30 memo to senior Pentagon staff. But though minuscule in percentage terms, the aggregate number of successful attacks looms large: 30,000 successful intrusions in just 10 months. That's got to change, Carter said in a Sept. 28 memo to the military's senior leaders. Now, penetrating defense networks is about to get much harder. Over the next three years, the military will deploy a series of sophisticated gateways to better protect its vast network from external attack, according to Army Col. Scott Jackson, who oversees construction of the Joint Informational Environment or JIE. "We're trying to build the Fort Knox of [network] security," Jackson said. Central to the JIE will be 49 Joint Regional Security Stacks, through which all digital traffic must flow between the Pentagon's networks and the Internet. These digital checkpoints will feature multiple security layers and examine every data packet entering or leaving the military's network. Once fully in place in late 2017 or early 2018, Jackson said, reaching the network should be a lot harder.
Devices within each security stack will automatically block most attempted intrusions, while filtering others for further analysis. Packet capture technology will examine the data bits that enter and exit the network, making copies of some for detailed analysis off line.

Segregating and Analyzing Incoming Data

Rules embedded in security stack software will prevent unauthorized persons and bots from logging in. User profiles will match up with user access rights. For example, Jackson said, "No Army person should be trying to log on as an Air Force administrator." Data will be segregated by user types and traffic flows.

Simply gaining access to the network will not be enough, as users will also need credentials to access individual systems and data on the network. The system will work like a safe deposit vault in a bank, Jackson said. If an attacker manages to break into the bank (or network), he will still "have to start drilling locks" on the deposit boxes (or individual systems) to get anything of value. "We're making it way harder than it is right now."

Plans call for 24 Joint Regional Security Stacks to process unclassified network traffic and 25 more to process classified traffic, said Army Chief Information Officer (CIO) Lt. Gen. Robert Ferrell. Limiting the network's on-ramps and off-ramps focuses the location of potential attacks. Those 49 security stacks reduce "our network's surface attack area -- the part of the network vulnerable to cyber intrusion -- from over 1,000 access points to less than 50, dramatically improving network security," Ferrell told the House Armed Services Subcommittee on Intelligence, Emerging Threats and Capabilities in February.
In essence, the JIE will be a single joint network with one shared infrastructure, one set of standards and one security architecture, connecting everyone on the DoD network, Ferrell said, adding that without it, "we have too many disparate networks, too many vulnerabilities and too many barriers that prevent collaboration with partners."

The first Joint Regional Security Stack is in operation today at Joint Base San Antonio, with three more stacks scheduled to become operational this month. "Then over the next six months, that number should begin to grow rapidly," Jackson said. Of the 24 stacks for unclassified traffic, 11 will be in the U.S., with the rest overseas. All should be installed by early 2018 and tested and certified by 2019, Jackson said.

The Joint Regional Security Stacks, developed by the Army, are intended to replace individual solutions developed by each service. For the Army, that means replacing the "top-level architecture stacks" used at Army installations, said Army Brig. Gen. Randy Taylor, director of architecture, operations, networks and space in the Army CIO.

JRSS is "a standardized network structure," explained Air Force CIO Frank Konieczny, speaking at the DefenseOne Summit Nov. 2. Each service will "migrate a different way," he said, acknowledging that the process will be "messy" at times, because it touches so many existing programs. "We all have to move everything," he said, referring to the four military services. He added that for the Air Force, "we already have gateways, which support some of those functions of the JRSS and we will be transferring our gateways to [those] capabilities."

The Marine Corps is more reticent. According to C4ISRNet.com, Marine Corps CIO Brig. Gen. Dennis Crall expressed concerns about the underlying concept of operations for JIE at an Armed Forces Communications and Electronics Association (AFCEA) event Nov. 13, saying until the concept of operations and software are mature, Marine participation is no more than "a definite maybe."

The 18-inch wide racked security stacks each hold security tools including firewalls, intrusion detection and prevention systems and packet capture equipment to handle incoming and outgoing network traffic. The security stacks also house multiprotocol label switching equipment, technology that speeds up the flow of network traffic by using path labels instead of network addresses to determine the route data packets will take from their origin to their destination. Path labels speed traffic by eliminating the need for each router along the delivery route to look up the destination network address before sending each packet on to the next router. MPLS also better manages the mix of high priority and low priority traffic, enabling each circuit to carry more traffic.

Strong Network

JRSS will establish a common set of defenses for the military network. Today there are hundreds of bases, each with its own network security setup, Jackson said. Some are strong, others not so. When security is regionalized, all access points to military networks will be protected to the same level. No one's security will decrease, he said, but in many locations, it will increase.

Moving to regional security stacks also increases network situational awareness. Security managers will be able to see all traffic coming and going on DOD networks. If suspicious activity is spotted in one location, operators will be able to see whether it is also happening elsewhere. Right now each service, and in many cases each base, post, camp or station, may see abnormal behavior, Jackson said. "But determining if it is malicious behavior" rather than malfunctioning equipment "is difficult when hundreds of different cyber defenders are looking at their little piece of cyberspace," Jackson said. "JRSS provides the global visibility to quickly determine if an event is malicious or not."
Consolidating network security into 49 regional centers also means the military's best cyber defenders can be concentrated in fewer locations.

Much of what JRSS will do will be automated. For example, intrusion prevention systems will compare network traffic to a database of known attack "signatures" -- like digital "most-wanted photos," Jackson said. When the intrusion prevention software sees a known malicious signature, it will automatically block the attack.

But human intervention will be required for other attacks. Intrusion detection software can spot suspicious activity and sound an alarm, but just as a burglar alarm won't stop a brick from being thrown through a window, Jackson said, intrusion prevention requires security personnel to take defensive action.

Although JRSS is expected to substantially improve Defense Department network security, there remain some security problems JRSS can't solve. Jackson said the event that brought down an email system used by the Joint Chiefs of Staff last summer was a "sophisticated" attack apparently launched from Russia, and "the result of a phishing attack," Jackson said. Someone opened a phony email that introduced malware into the system. "Each of us, as network users and providers, has an individual responsibility to protect the Department of Defense information network."

William Matthews is a veteran defense and technology journalist. He has written for Defense News, Army Times, Navy Times, Federal Computer Week, Army Magazine and numerous other publications.

From rforno at infowarrior.org Fri Feb 19 18:41:52 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 19 Feb 2016 19:41:52 -0500
Subject: [Infowarrior] - Apple, FBI, and the Burden of Forensic Methodology
Message-ID: <7A85B796-1BEF-4A0D-85E1-000EF2902B93@infowarrior.org>

Apple, FBI, and the Burden of Forensic Methodology
http://www.zdziarski.com/blog/?p=5645
From rforno at infowarrior.org Fri Feb 19 18:42:40 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 19 Feb 2016 19:42:40 -0500
Subject: [Infowarrior] - Dissecting And Dismantling The Myths Of The DOJ's Motion To Compel Apple To Build A Backdoor
Message-ID: <131D22FF-C03A-4846-91A5-E5EBEA06C218@infowarrior.org>

Dissecting And Dismantling The Myths Of The DOJ's Motion To Compel Apple To Build A Backdoor
from the dishonest-doj dept

While everyone's waiting for Apple's response (due late next week) to the order to create a backdoor that would help the FBI brute force Syed Farook's work iPhone, the DOJ wasted no time in further pleading its own case, with a motion to compel. I've gone through it and it's one of the most dishonest and misleading filings I've seen from the DOJ -- and that's saying something. Let's dig in a bit:

< - >

https://www.techdirt.com/articles/20160219/15165433654/dissecting-dismantling-myths-dojs-motion-to-compel-apple-to-build-backdoor.shtml
From rforno at infowarrior.org Fri Feb 19 18:44:26 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 19 Feb 2016 19:44:26 -0500
Subject: [Infowarrior] - Apple ID linked to terrorist's iPhone 5c changed while device was in government hands
Message-ID: <60F849B6-91B2-4709-A78B-F203F92E10E0@infowarrior.org>

Apple ID linked to terrorist's iPhone 5c changed while device was in government hands, Apple says [u]
By Mikey Campbell
Friday, February 19, 2016, 03:26 pm PT (06:26 pm ET)
http://appleinsider.com/articles/16/02/19/apple-id-linked-to-terrorists-iphone-5c-was-changed-while-in-government-hands-apple-says-

In response to a Department of Justice motion to compel Apple's cooperation in the unlocking of an iPhone 5c used by one of the San Bernardino terrorists, company executives on Friday revealed the Apple ID passcode linked to that device was changed while the handset was in government hands, effectively blocking attempts to retrieve an iCloud backup.

The Apple ID used to sync Syed Ryzwan Farook's iPhone 5c with Apple's iCloud was modified less than 24 hours after the device was impounded by the government, BuzzFeed News reports. Apple says the San Bernardino County Department of Public Health, the phone's owner and Farook's former employer, changed the account passcode.

If the passcode was not changed, FBI officials might have been able to procure a backup of the data it is currently attempting to suss out of the phone itself, the company said. The most recent backup was logged six weeks prior to the San Bernardino attack. It is not known whether Farook intentionally shut off iCloud backups or simply ran out of storage space.

Further, Apple has been conducting "regular" discussions with government entities since early January regarding methods by which data from Farook's iPhone 5c may be recovered. According to the report, Apple proposed four different options for data recovery, none of which involved building a software backdoor into iOS.
Apple first discovered that the passcode had been changed in attempting one of the suggested workarounds. The method, seemingly involving the offloading of a backup to iCloud before recovering it from Apple's servers, leveraged an iPhone convenience feature in which the device automatically connects to a known Wi-Fi network. Apple engineers were unable to complete the process due to the updated Apple ID passcode.

The implications of this new development could damage the government's case. The DOJ on Friday filed a motion to force Apple's compliance in aiding the FBI's data extraction efforts, a task that now requires the creation of a software backdoor.

Apple does comply with valid law enforcement data requests, and has in the past handed over information related to criminal investigations gleaned from its servers. The DOJ itself notes prior cooperation in its Friday motion to compel. The company has not, however, been asked to create a forensics tool that would ostensibly break iOS encryption. The sticky situation could have been avoided if the associated Apple ID passcode was not changed, Apple says.

Apple says the government opened the door to public scrutiny when it filed its motion to compel. The company proposed the FBI officials keep its requests sealed, but the agency decided to seek a court order demanding Apple's cooperation.

Update: Apple executives confirmed San Bernardino county officials changed the passcode. This article has been updated to reflect the new information.

From rforno at infowarrior.org Sat Feb 20 14:52:24 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 20 Feb 2016 15:52:24 -0500
Subject: [Infowarrior] - Which VPN Services Take Your Anonymity Seriously? 2016 Edition
Message-ID:

Which VPN Services Take Your Anonymity Seriously? 2016 Edition
By Ernesto on February 20, 2016

VPN services have grown increasingly popular in recent years, but not all are completely anonymous.
Some VPN services even keep extensive logs of users' IP-addresses for weeks. To find out which are the best VPNs, TorrentFreak asked several dozen providers about their logging policies, and more.

Millions of people use a VPN service to browse the Internet securely and anonymously. Unfortunately, however, not all VPN services are as anonymous as they claim to be and some keep extensive logs of private information.

To help VPN users to make an informed choice we decided to ask dozens of VPN services how they protect the privacy of their users. Today we present the fifth iteration of our annual VPN services "logging" review.

In addition to questions about logging policies we also asked VPN providers about various other privacy related issues.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, what information and for how long?
2. What is the registered name of the company and under what jurisdiction(s) does it operate?
3. Do you use any external visitor tracking, email providers or support tools that hold information of your users / visitors?
4. In the event you receive a takedown notice (DMCA or other), how are these handled?
5. What steps are taken when a valid court order or subpoena requires your company to identify an active user of your service? Has this ever happened?
6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
7. Which payment systems do you use and how are these linked to individual user accounts?
8. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide DNS leak protection and tools such as "kill switches" if a connection drops?
9. Do you offer a custom VPN application to your users? If so, for which platforms?
10. Do you use your own DNS servers?
11. Do you have physical control over your VPN servers and network or are they hosted by/accessible to a third party?
12. What countries are your servers located in?

What follows is the list of responses from the VPN services, in their own words. Providers who didn't answer our questions directly or failed by logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.

< - >

https://torrentfreak.com/vpn-anonymous-review-160220/

From rforno at infowarrior.org Sat Feb 20 16:37:57 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 20 Feb 2016 17:37:57 -0500
Subject: [Infowarrior] - San Bernardino County Calls the FBI Liars Over Terrorist's iCloud Account
Message-ID: <4FFC99BB-8409-44C6-8B9E-C00A71C32841@infowarrior.org>

San Bernardino County Calls the FBI Liars Over Terrorist's iCloud Account
Matt Novak
http://gizmodo.com/san-bernardino-county-calls-the-fbi-liars-over-terroris-1760317923

Late last night a Twitter account associated with San Bernardino County said that it worked under the direction of the FBI to reset Syed Farook's iCloud password. Why does that matter? Because it would make the FBI liars.

As you probably know by now, the FBI has demanded that Apple break into the San Bernardino terrorist's iPhone. Apple has refused, insisting that doing so would set a terrible precedent. But both the FBI and Apple are currently waging a fierce PR battle over one of the possible ways that information from the phone could've been retrieved in the early stages of the investigation: Hacking Farook's iCloud password and causing his phone to push information to the cloud remotely.

In a filing yesterday the FBI claimed that the owner of the phone, San Bernardino County, had been the one who bungled the auto-backup of the phone to iCloud. San Bernardino County was Farook's employer because he worked for the local Department of Health.
< - >

http://gizmodo.com/san-bernardino-county-calls-the-fbi-liars-over-terroris-1760317923

From rforno at infowarrior.org Sat Feb 20 18:06:40 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 20 Feb 2016 19:06:40 -0500
Subject: [Infowarrior] - Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers
Message-ID:

Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers
Joseph Cox
http://motherboard.vice.com/read/judge-rules-fbi-must-reveal-malware-used-to-hack-over-1000-computers-playpen-jay-michaud
February 18, 2016 // 05:02 PM EST

On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.

When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, "Everything."

"The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified," he continued.

Fieman is defending Jay Michaud, a Vancouver public schools administration worker. Michaud was arrested after the FBI seized 'Playpen', a highly popular child pornography site on the dark web, and then deployed a network investigative technique (NIT) -- the agency's term for a hacking tool. This NIT grabbed suspects' real IP address, MAC address, and pieces of other technical information, and sent them to a government controlled server.

The case has drawn widespread attention from civil liberties activists because, from all accounts, one warrant was used to hack the computers of unknown suspects all over the world. On top of this, the defense has argued that because the FBI kept the dark web site running in order to deploy the NIT, the agency, in effect, distributed child pornography.
Last month, a judge ruled that the FBI's actions did not constitute "outrageous conduct."

According to court documents in a related case, the FBI harvested approximately 1,300 IP addresses, and around 137 people have been charged so far. Motherboard found that the hacking campaign was global in scope, with computers in Greece, Chile and the UK being affected.

Since September, Michaud's lawyers have been trying to get access to the NIT code. It wasn't until January that Vlad Tsyrklevitch, the defense's consulted expert, received the discovery. However, according to Tsyrklevitch, the code was apparently missing several parts. One of those was the section of the code ensuring that the identifier issued to Michaud's NIT-infection was truly unique, and another was the exploit itself used to break into his computer.

"This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud's computer, beyond the one payload that the Government has provided," the lawyers write in an earlier filing.

The code of NITs has been disclosed in the past. In a similar 2012 case called Operation Torpedo, the government provided details of its technique, which turned out to be a novel use of popular hacking-toolkit Metasploit. Specifically, the FBI used a Flash applet to make a direct connection over the internet, instead of routing the targets' traffic through Tor.

Now, it looks like the defense in this latest case will receive its own answers. "The order yesterday requires disclosure of all the code components," Fieman told Motherboard on Thursday, but he didn't say when his expert would be receiving the code itself.

Peter Carr, a spokesperson for the Department of Justice, did not directly answer when asked whether the defense would be provided with the Tor Browser exploit.
"The court has granted the defense's third motion to compel, subject to the terms of the protective order currently in place," Carr wrote to Motherboard in an email.

From rforno at infowarrior.org Sun Feb 21 19:16:53 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 21 Feb 2016 20:16:53 -0500
Subject: [Infowarrior] - San Bernardino victims to oppose Apple on iPhone encryption
Message-ID:

(Note: the DOJ reached out to the victims a 'week' ago ... depending on what is meant by 'a week ago' that could well be prior to when it filed the motion last Tuesday, thus implying the DOJ legal roadmap for such public actions against Apple was planned well in advance as some have speculated. -- rick)

Exclusive: San Bernardino victims to oppose Apple on iPhone encryption
By Dan Levine
http://www.reuters.com/article/us-apple-encryption-victims-exclusive-idUSKCN0VV00B

Some victims of the San Bernardino attack will file a legal brief in support of the U.S. government's attempt to force Apple Inc to unlock the encrypted iPhone belonging to one of the shooters, a lawyer representing the victims said on Sunday.

Stephen Larson, a former federal judge who is now in private practice, told Reuters that the victims he represents have an interest in the information which goes beyond the Justice Department's criminal investigation.

"They were targeted by terrorists, and they need to know why, how this could happen," Larson said.

Larson said he was contacted a week ago by the Justice Department and local prosecutors about representing the victims, prior to the dispute becoming public. He said he will file an amicus brief in court by early March.

A Justice Department spokesman declined to comment on the matter on Sunday.

Larson declined to say how many victims he represents.
Fourteen people died and 22 others were wounded in the shooting attack by a married couple who were inspired by Islamic State militants and died in a gun battle with police.

Entry into the fray by victims gives the federal government a powerful ally in its fight against Apple, which has cast itself as trying to protect public privacy from overreach by the federal government.

An Apple spokesman declined to comment. In a letter to customers last week, Tim Cook, the company's chief executive, said: "We mourn the loss of life and want justice for all those whose lives were affected," saying that the company has "worked hard to support the government's efforts to solve this horrible crime."

The Federal Bureau of Investigation is seeking the tech company's help to access shooter Syed Rizwan Farook's phone by disabling some of its passcode protections. The company so far has pushed back, arguing that such a move would set a dangerous precedent and threaten customer security.

The clash between Apple and the Justice Department has driven straight to the heart of a long-running debate over how much law enforcement and intelligence officials should be able to monitor digital communications.

The Justice Department won an order in a Riverside, California federal court on Tuesday against Apple, without the company present in court. Apple is scheduled to file its first legal arguments on Friday, and U.S. Magistrate Judge Sheri Pym, who served as a federal prosecutor before being appointed to the bench, has set a hearing on the issue for next month.

Larson once presided over cases in Riverside, and Pym argued cases in Larson's courtroom several times as a prosecutor while Larson was a judge, he said.

Larson returned to private practice in 2009, saying at the time that a judge's salary was not enough to provide for his seven children. He said he is representing the San Bernardino victims for free.
(Reporting by Dan Levine in Oakland, California; Editing by Sue Horton and Mary Milliken)

From rforno at infowarrior.org Sun Feb 21 19:26:47 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 21 Feb 2016 20:26:47 -0500
Subject: [Infowarrior] - Sophos says: #nobackdoors!
Message-ID:

Sophos says: #nobackdoors!
19 Feb 2016
by Paul Ducklin
https://nakedsecurity.sophos.com/2016/02/19/sophos-says-nobackdoors/

Forget ransomware, forget the Internet of Things, forget all the other computer security stories of recent days...

...except for the red-hot topic of 2016, #nobackdoors.

Simply put, IT backdoors are deliberately-programmed weaknesses that give you a way to sidestep computer security when it suits you.

A bit like hiding a spare key to your house under the doormat, in case you lose your regular key while you're out shopping.

You know you're making a mockery of the good-quality lock you bought to give you better security in the first place...

...but, hey, as long as no one thinks to look under the mat, you should be OK.

Sadly, everyone knows to look under the doormat, so your well-chosen lock is as good as useless.

That's exactly the same risk that we face if we accept programmatic backdoors in computer security products.

And it's why, whenever we write about backdoors on Naked Security, our readers generally groan in collective dismay, leaving comments along the lines of, "What were they thinking?" or "Why did anyone ever imagine that could end well?"

Why, indeed!

Examples of tricks used to implement password backdoors include:

- Programming a hard-wired, "secret" password into the authentication software so that there is always a guaranteed way in.
- Getting device vendors to generate two passwords for every unit sold. You get one of them, which you can change, but the vendor keeps the other one somewhere, and you can neither change it nor delete it.
- Deliberately weakening an encryption algorithm so that it's just secure enough to stop an average attacker from cracking it, but just weak enough that a serious adversary, such as the NSA or the PLA, could crack it if needed.

All of these approaches carry obvious and massive risks:

- Hard-wired passwords are like a key under the doormat. As soon as someone reveals the secret, all security bets are off.
- Vendor-stored passwords are simply a technological "sword of Damocles" hanging over your head. At any time, some or all of the password database could be stolen in a data breach, sold off by crooked insiders, or acquired by court order. You simply can't tell what security you have, if any.
- Weakened encryption systems get weaker over time as computers get faster. Cracking times fall year-by-year until they're within reach of the average cybercrime gang, and ultimately even of a determined loner at home.

In the plainly-spoken words of the Information Technology Industry Council: "Weakening security with the aim of advancing security simply does not make sense."

We agree, and that's why we've published our own #nobackdoors page right on the Sophos website.

Standing up for #nobackdoors is especially important right now, as Apple prepares to fight a US court order that as good as demands the company to come up with a backdoor to allow the FBI to access a passworded iPhone that's part of a serious criminal investigation.

It's a socially and emotionally charged case, because the FBI only wants to "backdoor" a single iPhone, and it's one that was used by Syed Rizwan Farook.

Farook isn't around to reveal the password himself: he was shot dead, along with his wife, after killing 14 people and seriously wounding 22 in a mass shooting in San Bernardino, California, on 2 December 2015.
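To make the first two backdoor tricks and their listed risks concrete, here is an added Python sketch of my own (not Sophos code, and not any real product's): a device login with a hard-wired password and a vendor-held second password, beside one with a single owner-controlled credential, plus a count of how many units a leaked vendor table opens under each design. The serial numbers, passwords and work factor are constructed for the example.

```python
"""Backdoored versus hardened device login, added to illustrate the
hard-wired and vendor-held password patterns and what a leak of the
vendor's table costs. Names, serials and secrets are constructed for
this example; none belong to a real product."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision(password):
    """The owner sets the only credential; the device stores salt + hash,
    never the password itself. Returns (stored_hash, salt)."""
    salt = os.urandom(16)
    return hash_password(password, salt), salt


def verify(stored, salt, password):
    # Constant-time comparison so the check does not leak how close a guess was
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- Backdoored design: two extra ways in that the owner can neither change
# --- nor remove (the "key under the doormat" and the vendor's copy)
HARD_WIRED_PASSWORD = "svc-2016-master"   # constructed "secret" baked into firmware
VENDOR_SECOND_PASSWORDS = {                # constructed per-unit table kept by the vendor
    "SN-0001": "q7Lm2Xv9",
    "SN-0002": "Kp4Rw8Zt",
}


def login_backdoored(unit, stored, salt, password):
    if password == HARD_WIRED_PASSWORD:                  # doormat key: one secret opens all
        return True
    if password == VENDOR_SECOND_PASSWORDS.get(unit):    # vendor copy: one table opens all
        return True
    return verify(stored, salt, password)


# --- Hardened design: exactly one credential, chosen and changeable by the owner
def login_hardened(unit, stored, salt, password):
    return verify(stored, salt, password)


def units_opened_by_leak(login, units, leaked_table):
    """Count the units that open using only a stolen copy of the vendor
    table; a breach, an insider sale or a court order all yield that table."""
    return sum(
        1 for unit, (stored, salt) in units.items()
        if login(unit, stored, salt, leaked_table.get(unit, ""))
    )


def compare_designs():
    """(backdoored, hardened) units opened when the vendor table leaks."""
    units = {"SN-0001": provision("owner-one"), "SN-0002": provision("owner-two")}
    leaked = dict(VENDOR_SECOND_PASSWORDS)   # the attacker's copy of the table
    return (units_opened_by_leak(login_backdoored, units, leaked),
            units_opened_by_leak(login_hardened, units, leaked))


if __name__ == "__main__":
    print("units opened by a leaked vendor table (backdoored, hardened):",
          compare_designs())
```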
Nevertheless, Apple is determined to stand its ground, arguing that to create a programmatic backdoor, even in a dramatic case like this, would open a password-cracking Pandora's Box.

To backdoor one iPhone would effectively betray all of Apple's many millions of law-abiding customers, and pave the way for similar writs against other American companies and their customers.

Unsurprisingly, other American companies, including Google, WhatsApp and Microsoft, are backing Apple and saying, #nobackdoors.

And so is Sophos, because weakening security with the aim of advancing security simply does not make sense.

From rforno at infowarrior.org Mon Feb 22 06:14:59 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Feb 2016 07:14:59 -0500
Subject: [Infowarrior] - FBI Director Comey pens op-ed over iPhone spat
Message-ID: <271C2578-70A4-4B57-B961-5F5DC2456D80@infowarrior.org>

While it doesn't really say anything, I'm presuming the Bureau is getting desperate for PR damage control when the FBI Director himself pens an op-ed about it while it's still an active investigation and court case. -- rick

We Could Not Look the Survivors in the Eye if We Did Not Follow this Lead
James Comey
https://www.lawfareblog.com/we-could-not-look-survivors-eye-if-we-did-not-follow-lead

The San Bernardino litigation isn't about trying to set a precedent or send any kind of message. It is about the victims and justice. Fourteen people were slaughtered and many more had their lives and bodies ruined. We owe them a thorough and professional investigation under law. That's what this is. The American people should expect nothing less from the FBI.

The particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve.
We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That's it. We don't want to break anyone's encryption or set a master key loose on the land. I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn't. But we can't look the survivors in the eye, or ourselves in the mirror, if we don't follow this lead.

Reflecting the context of this heart-breaking case, I hope folks will take a deep breath and stop saying the world is ending, but instead use that breath to talk to each other. Although this case is about the innocents attacked in San Bernardino, it does highlight that we have awesome new technology that creates a serious tension between two values we all treasure: privacy and safety. That tension should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living. It should be resolved by the American people deciding how we want to govern ourselves in a world we have never seen before. We shouldn't drift to a place -- or be pushed to a place by the loudest voices -- because finding the right place, the right balance, will matter to every American for a very long time.

So I hope folks will remember what terrorists did to innocent Americans at a San Bernardino office gathering and why the FBI simply must do all we can under the law to investigate that. And in that sober spirit, I also hope all Americans will participate in the long conversation we must have about how to both embrace the technology we love and get the safety we need.
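The two protections at issue throughout this thread (the wipe after 10 wrong passcode guesses that the government's filing asks Apple to disable, and the growing delays that the op-ed above calls "taking a decade to guess correctly") are easy to reason about with a small model. The Python below is my own added illustration, not Apple's or the FBI's code; the per-guess cost and the delay schedule are assumed values, so the computed times show the shape of the trade-off, not a real device's figures.

```python
"""Model of the passcode-guess protections discussed in the Apple/FBI
dispute: a wipe after ten consecutive wrong guesses, and growing delays
between guesses. Added illustration; every parameter below is an assumed
value for this example, not a figure published by Apple or the FBI."""
import hmac
from dataclasses import dataclass

MAX_FAILURES = 10                 # wipe the data keys after 10 wrong guesses
KEY_DERIVATION_SECONDS = 0.08     # assumed on-device cost of checking one guess
# Assumed delay schedule in seconds: guesses 1-4 are free, then the wait grows
# and stays at one hour for every further wrong guess.
DELAY_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


def delay_after(failures):
    """Seconds a device waits after the given count of consecutive failures."""
    applicable = [d for n, d in DELAY_SCHEDULE.items() if n <= failures]
    return max(applicable, default=0)


@dataclass
class PasscodeGuard:
    passcode: str
    erase_after_ten: bool = True   # the owner setting the order asks to bypass
    failures: int = 0
    wiped: bool = False
    unlock_at: float = 0.0         # guesses before this clock time are refused

    def try_unlock(self, guess, now):
        """Return 'wiped', 'throttled', 'unlocked' or 'wrong' for one guess."""
        if self.wiped:
            return "wiped"
        if now < self.unlock_at:
            return "throttled"
        # Constant-time compare stands in for the device's key-derivation check
        if hmac.compare_digest(guess.encode(), self.passcode.encode()):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.erase_after_ten and self.failures >= MAX_FAILURES:
            self.wiped = True            # keys gone; the data is unrecoverable
            return "wiped"
        self.unlock_at = now + delay_after(self.failures)
        return "wrong"


def worst_case_seconds(digits, throttled=True):
    """Time to try every numeric passcode of this length on a device whose
    wipe is disabled, with or without the delay schedule. With the schedule
    this is the 'decade' the op-ed refers to, under the assumed parameters."""
    guesses = 10 ** digits
    total = guesses * KEY_DERIVATION_SECONDS
    if throttled:
        total += sum(delay_after(n) for n in range(1, guesses + 1))
    return total


def worst_case_years(digits, throttled=True):
    return worst_case_seconds(digits, throttled) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    guard = PasscodeGuard("1234")        # constructed passcode
    for attempt in range(1, 11):         # ten wrong guesses, well spaced in time
        print(attempt, guard.try_unlock("0000", now=attempt * 1e5))
    for digits in (4, 6):
        print(f"{digits} digits: {worst_case_seconds(digits, False):,.0f} s "
              f"unthrottled, {worst_case_years(digits):,.1f} years throttled")
```

Disabling only the wipe leaves the delay schedule, which is why the filing also asks for electronic passcode entry and, implicitly, for the delays to go; the model lets you see each protection's contribution separately.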
From rforno at infowarrior.org Mon Feb 22 08:58:04 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Feb 2016 09:58:04 -0500
Subject: [Infowarrior] - 60 Minutes does John Brennan's job for him
Message-ID: <284793A5-4F21-45AA-B4B0-C3B4FF6619AD@infowarrior.org>

60 Minutes does John Brennan's job for him
By Chava Gourarie, CJR
February 17, 2016
http://www.cjr.org/hit_or_miss/60_minutes_fans_fear.php

Fear is flammable, and on this week's episode of 60 Minutes, host Scott Pelley seemed determined to kindle it.

Pelley interviewed CIA Director John Brennan at CIA headquarters last Sunday about the security threats facing the United States in 2016, and the threat of ISIS in particular. Pelley opens the show with the claim that ISIS has "the manpower, the means, and the ruthlessness to attack the US." Dun dun dun.

Then Pelley sets out to prove his point with a series of leading questions, starting with his first, and punctuated throughout the 13-minute segment:

"Is ISIS coming here?"
"So you're expecting an attack in the United States?"
"Does ISIS have chemical weapons?"
"Do they have the capabilities to bring them to the West?"
"What do you think our policy would be after an ISIS-directed attack in the United States?"

As if that's a foregone conclusion.

Pelley is committing a double disservice here. Not only is he not providing context around the complex quandary of how the US should deal with ISIS, his questions inflate existing fears, implying that the ISIS threat in the US is imminent and inevitable.

The consequences of this kind of societal terror are obvious. Over the last year, we've seen how quickly fear -- legitimate or otherwise -- becomes hate. And history shows that the more threatened Americans feel, the more willing they are to forgo certain civil liberties in exchange for the promise of protecting the nation.
Look, for example, to the encryption debate currently broiling in the country. The intelligence community has been vigorously fighting for anti-encryption measures, while most members of the technology sector agree that doing so would only serve to make the country less safe. After the November Paris attacks, Brennan in part blamed the Snowden leaks and the "technological capabilities" of terrorist groups (a euphemism for encrypted communications) for the failure to stop the attacks. "I hope this will be a wake-up call," he said at the global security forum. Pelley's interview came several days after James Clapper, director of National Intelligence, updated the Senate Armed Services Committee on the range of threats facing the nation, a report otherwise known as the Worldwide Threat Assessment. Clapper referred to his opening statement as a "litany of doom." ISIS and the threat posed by encryption to cybersecurity both made the list, along with North Korea, Al Qaeda, and the migrant crisis in Europe. Few journalists pushed back. Most simply reported the key points made at the hearing. "Journalists are just parroting a lot of the government's claims," says Jenna McLaughlin, a national security reporter at The Intercept. The threats facing the country, she says, from ISIS in particular, are "definitely dangerous, but definitely overplayed." The act of overplaying comes with its own brand of danger. Pelley's questioning, sadly, is a perfect example. Marcy Wheeler, a national security blogger and frequent columnist, leveled three critiques at the Pelley-Brennan exchange. First, she argued, throughout the segment the duo conflate ISIS-inspired and ISIS-directed attacks. Pelley: "Is ISIS coming here?" Brennan: "I think ISIL does want to eventually find its ... its mark here." When Pelley questions him further on whether he expects an attack on US soil, Brennan answers, "I believe their attempts are inevitable." But what does that actually mean?
It's a statement couched in unclear language. Is he suggesting ISIS will attempt an attack on American soil at the scale of 9/11, or is he suggesting the terrorist state will provide resources to radicalized Americans? While both scenarios may be legitimate threats, it's important to distinguish between them, since they imply different consequences and require different means of counterattack. Wheeler also called out Pelley's blanket acceptance of Brennan's contentious line about the role of encryption in the Paris attacks. She also makes note of how Pelley inflates the issue of ISIS having access to chemical weapons. That ISIS has access to chemical weapons is not controversial. It was addressed in the threat assessment brief, and the Organization for the Prohibition of Chemical Weapons has confirmed that ISIS has used mustard gas in at least one instance, likely an August 2015 attack in Marea, Syria, which killed an infant. And according to Alastair Hay, a chemical weapons expert and professor of environmental toxicology at the University of Leeds, there is some indication that ISIS may be creating some of its own material, although that hasn't been confirmed. ISIS getting its hands on chemical weapons is an understandably alarming thought, but the menace implied by the term is often far greater than the menace of the weapon itself, says New York Times reporter C.J. Chivers. "Just saying 'chemical weapons' is like saying, BOO!" he says. "It's the journalist's job to step back and provide context." A long-time war correspondent and arms expert, Chivers has written several stories on chemical weapons in Syria, including a feature story on the family of Sidra, the infant killed last August in Marea. Chivers says that when he writes on the issue, he insists on including language contextualizing the threat fairly high up in his pieces. Doing so is a service to readers, who want to be informed, not agitated.
Instead of doing that job and explaining to viewers that chemical weapons vary (and that some, like chlorine, have been used in Iraq since 2004, in IEDs and the like, and that these attacks are often non-lethal and inefficient), Pelley forges ahead. He leaves viewers with an unexamined statement from the CIA that says ISIS can now make small amounts of chlorine and mustard gas. None of the context, all the fear. Now several years into the surveillance debate, during which time the intelligence community has consistently put national security interests before civil liberties, sometimes at the expense of the latter, journalists should be cautious about taking the CIA's word. Pelley, and 60 Minutes, not only lost an opportunity to force some truth, they threw a match into the tinderbox that is America today. Chava Gourarie is a CJR Delacorte Fellow. Follow her on Twitter at @ChavaRisa -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Feb 22 15:12:46 2016 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Feb 2016 16:12:46 -0500 Subject: [Infowarrior] - Apple's FBI Battle Is About the Gadgets We Haven't Even Thought of Yet Message-ID: <4B8798F3-63F5-412C-9066-73002901A73E@infowarrior.org> Apple's FBI Battle Is About the Gadgets We Haven't Even Thought of Yet By Evan Dashevsky, Features Editor, February 22, 2016 http://www.pcmag.com/article2/0,2817,2499828,00.asp Edward Snowden didn't reveal anything we didn't already know. At least, he didn't reveal anything that privacy advocates or the global intelligence community weren't already keenly aware of. What Snowden did do was become the public face of digital privacy advocacy backed by a trove of Orwellian PowerPoint slides. (It also didn't hurt that he's disarmingly eloquent and possesses boy-next-door good looks which just ooze aw shucks all over the place.) Snowden brought issues of near-unfettered digital surveillance front and center.
And people got angry about the loss of their privacy! Or rather, people in the techblogosphere got pretty pissed off about it. The public, for their part, were only so-so outraged by the prospect of mass surveillance. In truth, most people just don't feel like they have any real need to fear surveillance. In fact, people have repeatedly shown that they value convenience far more than privacy. While the polls routinely reflect the public's overall meh-ness regarding government snooping (among U.S. citizens, at least), security issues they do care about inevitably arise when the government mandates backdoor vulnerabilities be hardwired into a technological ecosystem. While these backdoors are ostensibly constructed for "nobody but us" to get through (a concept that even has its own shorthand: NOBUS), history has shown that they will be discovered and utilized by hackers and other bad guys. And that leads us to Apple CEO Tim Cook's recent dust-up with the FBI. Cook has taken a startlingly bold stance for privacy in defiance of a judge's order to help the government break into the iPhone of one of the San Bernardino shooters. On its face, this fight appears to be a purely (and admirably) principled stand by the planet's largest publicly traded company. While Silicon Valley has lined up in support of Apple, the reaction from politicians and government officials has been overwhelmingly negative (occasionally bordering on absurdly dramatic). Meanwhile, support from the public, who this defiance is presumably in service of, has been painfully tepid. While there are no doubt some core principles influencing Cook's defiance, I can't help but think that there's a business-minded agenda in the mix as well. Similar to the way that executives at Facebook and Google are unquestionably earnest in their desire to connect billions in developing countries to the Internet, there also just happens to be an opportunity to make a buck if they are the ones who do the connecting.
It would have been exceedingly easy for Apple to capitulate to the judge's orders and help the government break into the phone ("sorry, our hands were tied!"), and therefore help infiltrate an unquestionably brutal and threatening fanatical organization. That decision might have drawn some condemnation from privacy advocates, but most people would have remained blissfully unaware that it ever happened. However, when Cook decided to fight the order in a very public way, it helped Apple become synonymous with privacy and security (which might stand in contrast to the rival Android ecosystem and its many, many security issues), not to mention willful non-compliance with authorities. Cynicism might dictate that this non-compliance is all about Apple wanting to sell more iPhones in the increasingly important, if quasi-totalitarian, Chinese market (or anywhere outside the U.S. for that matter). And that may be part of it, though Apple denies it. But I think it actually has to do with the products that Apple is preparing for the decade(s) to come. Machines are becoming far more personal. They're getting smaller and lighter; they are with us all day. In a relative blink of history, computers went from taking up entire rooms to being a thing we wrap around our wrists. And they're taking on more tasks all the time; increasingly personal tasks at that. They are handling our financial transactions, monitoring our bodies, and even conversing with us using real language. They are taking over the ways we interact with our vehicles, and soon enough will take complete control of them. The line between software and meatware will only continue to blur. I have little reason to doubt that the scorching hot wearables space will, in the not-crazy future, give way to implantables. That may seem like a sci-fi step too far for many, but mark my words, this is a thing that will happen.
If we don't see a commercially available implantable electronic device by 2026, reach out to me, I'll owe you a coke. The transition isn't too hard to imagine. If there was a way for a tiny device to provide a steady stream of visual and audio (and possibly haptic) stimulation that was accessible hands-free at all times, wouldn't you want it? Sound crazy? Look around your local Starbucks and see how just about everybody has their faces buried in their phones; the fact that they have to actually hold it up with their hands is only an engineering barrier that has yet to be overcome. If getting a tiny device attached to your person was as routine and safe as getting one's ears pierced, a good part of the population would gladly sign up. When I hear doubts that this transition could ever happen (some within the very offices here at PCMag), I am reminded of conversations I had with my parents in the late 1990s when I was scolded (yes scolded!) for a needless and exuberant purchase of my first "cellular phone." You already have a phone at home and work, do you really need to have a phone on you at all times? Fast forward to today and I am routinely contacted (by cell phone) to help these same parents with their smartphone issues. Technology evolves, and people evolve with it. The future promises that technology is gonna get all up in your business. One thing to keep in mind with the coming storm of tech-all-up-in-your-business business is that consumers will only adopt these increasingly intimate devices if they feel secure. This is something that tech luminaries such as Mr. Cook are surely cognizant of. The first time someone is injured when a self-driving car is commandeered by a bored hacker in Ukraine, people will stop using that brand of self-driving car. The same goes for the first time someone breaks into the fitness tracker being monitored by your doctor; the supposedly secure wireless payment platform; or yes, the implantable device you can't easily remove.
Hackers and bad players have always been with the Internet. As technology drags both our minds and bodies further into The Matrix, consumers will only want to do business with companies that take the security of our most intimate selves very seriously. -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Feb 22 15:25:48 2016 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Feb 2016 16:25:48 -0500 Subject: [Infowarrior] - Apple Hires Former Solicitor General, Who Lost Wife In 9/11, To Defend It Against FBI Message-ID: Apple Hires Former Solicitor General, Who Lost Wife In 9/11, To Defend It Against FBI from the if-you're-going-to-pull-emotional-strings-about-terror... dept Two can play at the "pull on the heart strings about losses due to terror" game apparently. While the FBI has rolled out the "but the poor victims of San Bernardino" argument for why it wants to force Apple into hacking the security of its own customers, Apple has countered with a big gun of its own: it has hired former Solicitor General Ted Olson to defend the company against the FBI in this case. Olson is a mega-star in legal circles. He's argued tons of cases before the Supreme Court, and of course, was Solicitor General under George W. Bush (whose election he helped ensure in representing him in Bush v. Gore). But... he's also well known because his wife, Barbara Olson, was onboard American Airlines Flight 77 that was one of the four hijacked planes during 9/11 (it was the one that crashed into the Pentagon). I'm sure that Apple hired Olson because of his legal and litigation skills. He's obviously extremely qualified for the job. But the fact that he also presents a sympathetic narrative concerning victims of terrorist attacks seems like an added bonus in a bizarre fight that seems to focus almost as much on the public perception of parading victims around, as it does around the actual legal issues. 
Olson already has been out in public arguing on behalf of Apple. I'd embed the video from ABC but (irony alert) they don't use HTTPS encryption, so I can't... However, Olson does note:... < - > https://www.techdirt.com/articles/20160222/11584133674/apple-hires-former-solicitor-general-who-lost-wife-9-11-to-defend-it-against-fbi.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Feb 23 08:58:29 2016 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Feb 2016 09:58:29 -0500 Subject: [Infowarrior] - DOJ Wants Apple to Extract Data From 12 Other iPhones Message-ID: <79B8301B-4A89-44C5-A9A3-CE724D8F3132@infowarrior.org> (Not calling anyone a liar, but ... you know. It's still *only* about Farook's phone, right? --rick) Justice Department Wants Apple to Extract Data From 12 Other iPhones Tuesday February 23, 2016 5:53 am PST by Joe Rossignol http://www.macrumors.com/2016/02/23/doj-vs-apple-12-court-orders/ The U.S. Department of Justice is pursuing additional court orders that would force Apple to help federal investigators extract data from twelve other encrypted iPhones that may contain crime-related evidence, according to The Wall Street Journal. The revelation comes nearly one week after a U.S. federal judge ordered Apple to assist the FBI with unlocking an iPhone belonging to suspected San Bernardino terrorist Syed Rizwan Farook. Apple strongly opposed the court order last week in an open letter to customers. The twelve cases are similar to the San Bernardino case in that prosecutors have sought to use the 18th-century All Writs Act to force Apple to comply, but none are related to terrorism charges and most involve older versions of iOS software. In the past, Apple has extracted data from iPhones under lawful court orders, but the company stopped storing encryption keys for devices running iOS 8 or later. 
As a result of this stronger protection, Apple cannot assist the FBI without circumventing iOS security and putting the privacy and safety of its customers at risk. Apple has acknowledged that creating a "government-ordered backdoor" is technically possible, but CEO Tim Cook said cooperating with the FBI would set a "very dangerous precedent." Apple said it has "done everything that's both within our power and within the law to help in this case," adding that it has "no sympathy for terrorists." The U.S. government previously said that investigators are only seeking access to a single iPhone related to the San Bernardino attacks, but Apple argued that the technique could be "used over and over again, on any number of devices" once created. "The only way to guarantee that such a powerful tool isn't abused and doesn't fall into the wrong hands is to never create it," the company said. The Apple-FBI dispute has fueled a public debate over the past week. Google, Facebook, Twitter and some campaigners have publicly backed Apple, while U.S. presidential candidate Donald Trump, Microsoft co-founder Bill Gates and some San Bernardino victims have sided with the FBI. Apple has until Friday, February 26 to file its first legal arguments in a California court. -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Feb 23 12:00:18 2016 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Feb 2016 13:00:18 -0500 Subject: [Infowarrior] - Who Sets the Rules of the Privacy and Security Game? Message-ID: <47D508B0-4E36-42B9-99D7-9361193CBBA6@infowarrior.org> Who Sets the Rules of the Privacy and Security Game?
By Jennifer Granick Monday, February 22, 2016 at 2:13 PM https://www.justsecurity.org/29446/sets-rules-privacy-security-game/ -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Feb 25 06:50:23 2016 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Feb 2016 07:50:23 -0500 Subject: [Infowarrior] - FBI accused of emotional manipulation in Apple encryption case Message-ID: FBI accused of emotional manipulation in Apple encryption case Katie Bo Williams http://thehill.com/policy/cybersecurity/270666-fbi-accused-of-emotional-manipulation-in-apple-encryption-case The FBI is facing claims it deliberately selected the emotionally charged case of the San Bernardino terrorist's iPhone to force a precedent on encryption policy. "I think the FBI is being very selective here, and it has much more to do with the emotional value and public relations value of the case than it does with the FBI's real need for the phone," former White House counterterrorism and cybersecurity chief Richard Clarke told The Hill. Led by Director James Comey, the FBI has for months advocated different avenues for law enforcement to access locked communications with the appropriate court order. Technologists and privacy advocates have pushed back, insisting that impenetrable encryption is indispensable to online security and privacy. The latest salvo in an increasingly bitter fight came last week, when the agency asked federal judge Sheri Pym to issue a court order demanding Apple write a piece of software to disable certain security features on San Bernardino shooter Syed Rizwan Farook's county-owned work phone. Farook, with wife Tashfeen Malik, killed 14 in the December massacre. Critics are suggesting the FBI's choice was calculated. By pressing forward in a case with optics that seem cut and dry, they say, the agency could set a precedent that gives it the controversial guaranteed access Comey has been demanding. "It's a brilliant tactic,"
said Chris Finan, a former Obama administration cybersecurity adviser who now heads California-based financial tech firm Manifold Technology. "They realize the public is going to be on their side." Apple is opposing the order, arguing the FBI's demand sets "a dangerous precedent" that would eventually let the agency demand Apple build surveillance software to do everything from track a user's location to turn on his or her iPhone microphone without consent. Comey has argued fiercely that the case impacts only Farook's phone, but such claims appeared tenuous when it was revealed Tuesday that the Justice Department is pursuing about a dozen undisclosed court orders to force Apple to help authorities access locked iPhones. "Give me a break. Of course it has precedential value," Clarke said. "Absolutely it sets a precedent," Sen. Ron Wyden (D-Ore.), a staunch Capitol Hill advocate for digital rights, said Tuesday. Bolstering suppositions that the FBI's choice was tactical are the deeply emotional terms it is using to appeal to the public. "The San Bernardino litigation isn't about trying to set a precedent or send any kind of message. It is about the victims and justice," Comey wrote in an impassioned op-ed published Sunday. "We owe them a thorough and professional investigation under law." Critics aren't buying it: not the agency's insistence that the legal case is "narrow," nor its decision to "drape itself in the flag of national security," as one attorney described the FBI's portrayal of the case. In what is now being portrayed as a premeditated move, the agency asked a lawyer representing victims of the attack to support its case two days before it asked Pym to issue the order, according to reports that surfaced Tuesday.
Former federal judge Stephen Larson has told several publications that Eileen Decker, the U.S. attorney for the Central District of California, asked him personally if he was interested in representing the victims. Then, according to The Guardian, on Feb. 14, Decker asked Larson to file a brief supporting the government position on behalf of the victims. Larson agreed, and Decker requested and received the Apple court order from Pym two days later. There is also the question of the value of Farook's phone. Two other phones used by the terrorists were destroyed before the attack. Farook left the disputed device, his work phone, lying casually in his vehicle. "The possibility that there's any information on this phone about an imminent attack is negligible or zero," Clarke said. Clarke also noted that the impending court battle, which could eventually go to the Supreme Court, suggests the FBI isn't too concerned with the contents of this particular device. "I think that in some way demonstrates there's no urgency here on the part of the FBI. They don't really need this phone," he said. Even Comey has allowed that the phone might be, in fact, worthless. "Maybe the phone holds the clue to finding more terrorists. Maybe it doesn't," he wrote Sunday. "But we can't look the survivors in the eye, or ourselves in the mirror, if we don't follow this lead." Some lawmakers have come to the agency's defense. Asked if the agency had singled out the San Bernardino case because it was so emotionally charged, Sen. Richard Burr (R-N.C.) responded quickly and emphatically: "No. No. No." "Any murder is emotionally charged," said Sen.
Dianne Feinstein (D-Calif.). "I am all but certain that the Justice Department would not do this; I think they legitimately need the help." Whether the Justice Department is winning the fight for public opinion remains to be seen. Two polls on the issue returned dramatically different results, depending on the wording of the question. And observers say that even if the FBI's choice to stoke a public fight over this particular phone was strategic, it doesn't change the technical facts of the case. "They've got all the optics, but I think the government's attempt to contextualize it and make an emotional appeal; that's all good press, but I don't think that changes what's at issue and what's at stake," said Scott Vernick, a partner at Fox Rothschild. David McCabe and Cory Bennett contributed -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Feb 25 07:15:01 2016 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Feb 2016 08:15:01 -0500 Subject: [Infowarrior] - SCO's last arguments in 'Who owns Linux?' case vs. IBM knocked out Message-ID: (Color me surprised, I thought this case was long-since done with! --rick) SCO's last arguments in 'Who owns Linux?' case vs. IBM knocked out Judgements in this case are like buses: none for ages, then two at once 10 Feb 2016 at 08:30, Darren Pauli http://www.theregister.co.uk/2016/02/10/scos_last_arguments_in_who_owns_linux_case_vs_ibm_knocked_out/ The end of the near-immortal "Who owns Unix?" case looks to be near after a US judge knocked out the two remaining arguments with which the SCO group hoped to attack IBM.
As we reported on Tuesday, Judge David Nuffer of the US District court found against SCO's attempt to work a breach of contract angle in its long-running dispute with IBM, which centres on SCO code that may or may not have made it into Linux and AIX. A new decision (PDF) and order (PDF) look to The Register's inexpert legal eye to put SCO out of the game. Both documents consider SCO's argument that IBM interfered with its business in ways that meant buyers saw Linux as an alternative to Unix. In the early noughties, SCO realised that Linux was becoming a thing and also that many Linux users employed SCO code. It therefore decided it would be a fine idea to licence the code, a plan the likes of Oracle and Intel didn't mind. But IBM didn't like SCO's plan and told the company as much. After a delay, SCO proceeded, whereupon the judgement says IBM said it would terminate its dealings with SCO and encourage its partners to do the same. The judgement finds that while IBM went in hard, it did not interfere with SCO's business relationships. The likes of Oracle and Computer Associates may have done less business with SCO, but not at IBM's bidding. SCO's overall strategy and the quality of its products, it's suggested, did it more damage than its rivals. Judge Nuffer also points out that SCO can't put a dollar figure on its losses, not a good look. The judge therefore concludes that the claim of interference is "either wholly unsupported by the evidence or is not actionable because it is indirect interference or privileged market competition." He therefore tosses out SCO's two claims regarding interference and in the order tells the two parties to sit down and agree on whether the dismissal of the claims is the right thing to do and, if so, to assign costs. Both parties have been given until February 26th to do that, and have been given a limit of 15 pages of argument to bring to a conference.
There's the potential for that meeting to go badly, and IBM still has three live counterclaims, so the case isn't over. But we may be at the beginning of the end of this ancient saga. -- It's better to burn out than fade away. From rforno at infowarrior.org Thu Feb 25 07:36:31 2016 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Feb 2016 08:36:31 -0500 Subject: [Infowarrior] - DHS Is Spilling a Lot of Secrets Message-ID: Homeland Security Is Spilling a Lot of Secrets Josh Rogin http://www.bloombergview.com/articles/2016-02-25/homeland-security-is-spilling-a-lot-of-secrets The Department of Homeland Security suffered over 100 "spills" of classified information last year, 40 percent of which came from one office, according to a leaked internal document I obtained. Officials and lawmakers told me that until the Department imposes stricter policies and sounder practices to better protect sensitive intelligence, the vulnerabilities there could be exploited. Not only does this raise the threat that hostile actors could get their hands on classified information, but it may also lead to other U.S. agencies keeping DHS out of the loop on major security issues. A spill is not the same as an unauthorized disclosure of classified information. A Homeland Security official explained that spills often include "the accidental, inadvertent, or intentional introduction of classified information into an unclassified information technology system, or higher-level classified information into a lower-level classified information technology system, to include non-government systems." Examples include: using a copier not approved for the level of classified information copied; failing to properly mark a classified product; transmitting classified information on an unclassified system like Gmail; or sending classified information to someone who, while having the proper level of clearance, is not authorized to read a section of information sent to them, the official said.
There were 119 of these classified spills reported throughout the Homeland Security Department in fiscal year 2015, according to the internal document, which itself is unclassified. The section with the most spills by far was the Office of Intelligence and Analysis, headquartered at building 19 of the Nebraska Avenue Complex in Washington, led by retired General Francis Taylor. This office is composed mostly of intelligence analysts assigned to produce and review classified reports that are often the work of other intelligence agencies, including the Central Intelligence Agency and the Office of the Director of National Intelligence. One senior Homeland Security official told me that the intelligence and analysis office at DHS suffers from lax enforcement of the established policies and practices to protect classified information. This official said the number of classified spills in the internal report only represents those incidents that were officially reported, and the actual number is much higher. S.Y. Lee, a department spokesman, told me that DHS does not comment on reports of leaked information, but that the department is currently having mandatory employee training sessions on the handling of classified and sensitive information. "We take any report of mishandling of information very seriously, and when violations are discovered, the Department takes immediate, appropriate actions to address the situation," he said. "DHS takes the protection of all our assets very seriously, and will continue to evolve our training and remediation efforts to address security needs and accountability to the American public." Experts on government secrecy and classified information handling told me that the number of spills alone does not directly prove that there is a larger cultural or policy problem at DHS.
But there is a history of carelessness with e-mail at the department, and this new finding combined with anecdotal reports of bad practices indicates that there should be more investigation of the intelligence and analysis division in particular. "At a minimum, this raises a question about what's going on at this corner of the agency," said Steven Aftergood, director of the program on government secrecy at the Federation of American Scientists. "If it is happening disproportionally in one part of the agency, that may mean that remedial measures are needed there, including security training, better oversight and similar steps." Spillages are a normal part of the classification system at the DHS and elsewhere, and there are formal procedures for addressing them because it's understood that you cannot eliminate human error, he said. But if one intelligence shop is mishandling information from another part of the government, that could cause real problems in interagency cooperation and intelligence-sharing. "If they have a reputation as a shop with unreliable security, other agencies are going to think twice about sharing their most valuable information with Homeland Security," Aftergood said. "It can hurt other agencies and it can rebound on them. It's bad all around and should be corrected." Johannes B. Ullrich, dean of research for the SANS Technology Institute, said that it's probable most of the classified spills were unintentional and the result of sloppiness more than anything else. But lax enforcement of policies meant to protect sensitive information also presents an opportunity for exploitation by malicious actors. "If it's accepted practice that you print documents and scan them in, for example, then it's much easier for an insider to take advantage of that," he said. "By reducing the unintentional spillage you make it easier to find the intentional ones."
The House Homeland Security Committee is currently pushing DHS to implement new systems for monitoring employees who handle classified information. Last November, the House passed the DHS Insider Threat and Mitigation Act, which was sponsored by Representative Peter King, chairman of the Homeland Security Committee's subcommittee on counterterrorism and intelligence. The bill would require Taylor, among other things, to develop a timeline for deploying workplace monitoring technologies, employee awareness campaigns, and education and training programs related to potential insider threats to the department's critical assets. The Senate Homeland Security Committee marked up a companion bill earlier this month. "In recent years, the department has made progress installing limited monitoring technology, but much more needs to be done," King said in a statement. "Results from the existing systems demonstrate the need for more auditing and education for DHS employees."

Classified spills are a government-wide problem and there's no way to know if the incidents at the DHS intelligence shop have been exploited. But unless that office and the government as a whole does a better job of protecting classified information, it's just a matter of time before real damage is done to U.S. national security.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story: Josh Rogin at joshrogin at bloomberg.net
To contact the editor responsible for this story: Tobin Harshaw at tharshaw at bloomberg.net

-- It's better to burn out than fade away.

From rforno at infowarrior.org Thu Feb 25 10:44:41 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2016 11:44:41 -0500
Subject: [Infowarrior] - If you love Sheriff Joe's wingnuttery, you'll love this.
Message-ID:

Maricopa County Attorney bans employees from getting new iPhones, says Apple is 'on the side of terrorists'
By Roger Fingas
Thursday, February 25, 2016, 06:40 am PT (09:40 am ET)
http://appleinsider.com/articles/16/02/25/maricopa-county-attorney-bans-employees-from-getting-new-iphones-says-apple-is-on-the-side-of-terrorists

As a result of Apple's refusal to help the FBI unlock San Bernardino shooter Syed Farook's iPhone, the Maricopa County, Ariz. Attorney's Office has announced that it will not allow workers to choose Apple's handsets as upgrades or replacements.

"Apple's refusal to cooperate with a legitimate law enforcement investigation to unlock a phone used by terrorists puts Apple on the side of terrorists instead of on the side of public safety," said County Attorney Bill Montgomery in a prepared statement. "Positioning their refusal to cooperate as having anything to do with privacy interests is a corporate PR stunt and ignores the 4th Amendment protections afforded by our Constitution."

Montgomery added that prosecutors have regularly secured warrants to unlock encrypted smartphones, "including iPhones sold prior to the release of the iPhone 7." It's not immediately clear why the office chose to refer to an as yet-unannounced handset. Evidence obtained this way has allegedly proven "critical" in cases involving murder, drug trafficking, and other crimes.

He suggested that Apple is concerned about "the potential for unauthorized access to an encryption key," and that if so, the problem should be dealt with in that context. In a TV interview aired Wednesday, Apple CEO Tim Cook argued that in the future, the company could theoretically be compelled to create tools for surveillance if orders under the All Writs Act stand.

The Maricopa County iPhone ban may have relatively little impact, since the Attorney's Office says that it has 564 smartphones in all, of which 366 are iPhones.
Montgomery concluded by saying that he can't do business with a company that interferes with an investigation into a terrorist attack. "If Apple wants to be the official smartphone of terrorists and criminals, there will be a consequence," he said.

From rforno at infowarrior.org Thu Feb 25 11:25:37 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2016 12:25:37 -0500
Subject: [Infowarrior] - CIA Director: It's the Media's Fault That Terrorists Are So Good at Encryption
Message-ID:

CIA Director: It's the Media's Fault That Terrorists Are So Good at Encryption
Kate Knibbs
http://gizmodo.com/cia-director-its-the-medias-fault-that-terrorists-are-1761257462

Uh oh. Has ISIS been reading Gizmodo.com for hot tips? Because intelligence leaders are blaming the press for encouraging ISIS and other terrorist organizations to "go dark."

At a House Intelligence Committee hearing today on global threats, members of Congress spent ample time asking FBI Director James Comey what was up with the FBI and Apple. If I told you that a life-size Comey doll with a voice recording that rasped "I'm not an expert" playing on a loop sat in for the FBI director, I'd definitely be lying. Comey was there. But he may as well have sent the doll.

The oddest part came at the end, after everyone realized that Comey wasn't actually going to say anything substantive. At that point, members of Congress asked CIA Director John Brennan and NSA Deputy Director Rick Ledgett about terrorists "going dark" by using encryption technology. "Going dark" has become an intelligence community slogan, a phrase to describe what happens when it has the legal means to search and intercept digital communications but can't technically do it because of security protections.

"The ability of these terrorists to communicate with one another that makes it very difficult to uncover has been increasing. It's very frustrating but very concerning," Brennan said.
"They follow the press, they follow these discussions."

Ledgett poked his finger at the media even more explicitly. "We track when our foreign intelligence targets talk about the security of their communication," he said. "And we see a growing number of them, because of what's in the press about the value of encryption, moving towards that."

The implication of these statements, that media reports are somehow optimized to help terrorists be better at evading law enforcement, is a dangerous one. Yes, of course terrorists read. But Brennan and Ledgett's statements situate media support for strong encryption on the side of terrorism. Neither intelligence leader recognized how members of their own communities might also benefit from media reports about encryption. In fact, neither Brennan nor Ledgett bothered to acknowledge that their own agencies rely on encryption as a crucial security measure.

Neither Brennan nor Ledgett specified which reports were believed to be frequently dog-eared on ISIS squatters, but that doesn't matter. Extremists are interested in privacy tools, and media reports on privacy tools. Saying that they read about which tools to use is just saying that any group with goals attempts to find information that will help achieve those goals. Implying that media reports are aiding and abetting the enemy (not to mention the notion that reports highlighting privacy protections are somehow devious) is just unfair and chilling.

From rforno at infowarrior.org Thu Feb 25 11:27:28 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2016 12:27:28 -0500
Subject: [Infowarrior] - Alternate Titles: Apple Now Looking To Close The Backdoor The FBI Discovered
Message-ID: <6C9A6C79-9FA6-4924-94A7-B812885BA6D3@infowarrior.org>

Interesting perspective but one that I can agree with.
--rick

Alternate Titles: Apple Now Looking To Close The Backdoor The FBI Discovered
https://www.techdirt.com/articles/20160224/17543833705/alternate-titles-apple-now-looking-to-close-backdoor-fbi-discovered.shtml

From rforno at infowarrior.org Thu Feb 25 11:42:07 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2016 12:42:07 -0500
Subject: [Infowarrior] - Editorial: Analysis of FBI's lack of credibility on iPhone issue
Message-ID:

(Good reading; I couldn't have put it better myself. --rick)

Obama administration, FBI must act to restore US government's credibility in Apple's encryption debate
By Daniel Eran Dilger
Thursday, February 25, 2016, 09:10 am PT (12:10 pm ET)
http://appleinsider.com/articles/16/02/25/obama-administration-fbi-must-act-to-restore-us-governments-credibility-in-apples-encryption-debate

Actions by the leadership of the Federal Bureau of Investigation over the past month related to the San Bernardino encryption issue demonstrate a shocking level of dishonesty and callous disregard for the nation's core principles of democracy. FBI director James B. Comey should issue a formal apology or resign his post, AppleInsider's Daniel Eran Dilger argues.

The role of the FBI, policing and solving a spectrum of federal crimes involving serial killers, terrorists, gangs that exploit children, government corruption and civil rights violations, is far too important to be besmirched by a manifestly dishonest smear campaign against Apple, created to spook and fool the public into accepting the creation of dangerous new legal powers without any respect for the role of elected representatives.

FBI director James Comey has a vast public record of desperately wanting to break encryption. It is now clear that virtually every material statement made by the FBI about the encryption issue was flat-out false.
While there is some controversy involving differences of opinion on the proper role and reach of government, the FBI has an obligation to be honest and genuine in its public communications, and in this case it has been everything but.

< - >

http://appleinsider.com/articles/16/02/25/obama-administration-fbi-must-act-to-restore-us-governments-credibility-in-apples-encryption-debate

From rforno at infowarrior.org Thu Feb 25 13:23:49 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2016 14:23:49 -0500
Subject: [Infowarrior] - Agenda for 3/1 House Encryption Hearing
Message-ID: <0D3B1052-FE47-469A-A639-12628EE20D5F@infowarrior.org>

http://judiciary.house.gov/index.cfm/hearings?ID=89431275-E911-4D5C-BD70-BFE3EF91AD86

Mar 01 2016
The Encryption Tightrope: Balancing Americans' Security and Privacy
2141 Rayburn House Office Building
1:00 PM
By Direction of the Chairman
Full Committee

Witness Panel 1
- The Honorable James B. Comey, Director, Federal Bureau of Investigation

Witness Panel 2
- Mr. Bruce Sewell, Senior Vice President and General Counsel, Apple, Inc.
- Ms. Susan Landau, Professor, Worcester Polytechnic Institute
- Mr. Cyrus R. Vance Jr., District Attorney, New York County

Permalink: http://judiciary.house.gov/index.cfm/2016/3/the-encryption-tightrope-balancing-americans-security-and-privacy

From rforno at infowarrior.org Thu Feb 25 15:20:40 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2016 16:20:40 -0500
Subject: [Infowarrior] - Apple Files Motion To Vacate The Court Order To Force It To Unlock iPhone, Citing Constitutional Free Speech Rights
Message-ID:

(full filing is embedded in the article. --rick)

Apple Files Motion To Vacate The Court Order To Force It To Unlock iPhone, Citing Constitutional Free Speech Rights
http://techcrunch.com/2016/02/25/apple-files-motion-to-dismiss-the-court-order-to-force-it-to-unlock-iphone-citing-free-speech-rights/

From rforno at infowarrior.org Thu Feb 25 20:43:41 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2016 21:43:41 -0500
Subject: [Infowarrior] - Obama Administration Set to Expand Sharing of Data That N.S.A. Intercepts
Message-ID: <63426846-6D44-4942-ADC3-15B0E9709D5F@infowarrior.org>

Obama Administration Set to Expand Sharing of Data That N.S.A. Intercepts
Charlie Savage

WASHINGTON -- The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations.

The change would relax longstanding restrictions on access to the contents of the phone calls and email the security agency vacuums up around the world, including bulk collection of satellite transmissions, communications between foreigners as they cross network switches in the United States, and messages acquired overseas or provided by allies.

The idea is to let more experts across American intelligence gain direct access to unprocessed information, increasing the chances that they will recognize any possible nuggets of value. That also means more officials will be looking at private messages: not only foreigners' phone calls and emails that have not yet had irrelevant personal information screened out, but also communications to, from, or about Americans that the N.S.A.'s foreign intelligence programs swept in incidentally.

Civil liberties advocates criticized the change, arguing that it will weaken privacy protections.
They said the government should disclose how much American content the N.S.A. collects incidentally (which agency officials have said is hard to measure) and let the public debate what the rules should be for handling that information.

"Before we allow them to spread that information further in the government, we need to have a serious conversation about how to protect Americans' information," said Alexander Abdo, an American Civil Liberties Union lawyer.

Robert S. Litt, the general counsel in the office of the Director of National Intelligence, said that the administration had developed and was fine-tuning what is now a 21-page draft set of procedures to permit the sharing. The goal for the final rules, Brian P. Hale, a spokesman for the office, said in a statement, is "to ensure that they protect privacy, civil liberties and constitutional rights while enabling the sharing of information that is important to protect national security."

< - >

http://www.nytimes.com/2016/02/26/us/politics/obama-administration-set-to-expand-sharing-of-data-that-nsa-intercepts.html

From rforno at infowarrior.org Fri Feb 26 13:48:37 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 Feb 2016 14:48:37 -0500
Subject: [Infowarrior] - Cyberattacks bigger than previously disclosed: IRS
Message-ID: <93705DA0-4B34-4790-863B-6755D0F6F66B@infowarrior.org>

Cyberattacks bigger than previously disclosed: IRS
Everett Rosenfeld
http://www.cnbc.com/2016/02/26/new-irs-cyberattack-total-is-more-than-twice-previously-disclosed-dj-citing-irs.html

Cyberattacks on taxpayer accounts affected more people than previously reported, the Internal Revenue Service said Friday.
The IRS statement, originally reported by Dow Jones, revealed tax data for about 700,000 households might have been stolen: Specifically, a government review found potential access of about 390,000 more accounts than previously disclosed.

In August, the IRS said that the number of potential victims stood at more than 334,000, more than twice the initial estimate of more than 100,000.

"If somebody has all this information, we may see [a] resurgence next year of fraudulent tax returns," Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, told CNBC in 2015.

From rforno at infowarrior.org Mon Feb 29 11:27:05 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 12:27:05 -0500
Subject: [Infowarrior] - Apple's GC statement released ahead of hearing
Message-ID:

http://www.businessinsider.com/apple-shares-argument-for-not-hacking-san-bernardino-iphone-2016-2

< - >

Apple's top legal executive, Bruce Sewell, will testify before the House Judiciary Committee tomorrow and fight for Apple's position that it shouldn't be forced to create a back door into the iPhone for the FBI.

< - >

Thank you, Mr. Chairman. It's my pleasure to appear before you and the Committee today on behalf of Apple. We appreciate your invitation and the opportunity to be part of the discussion on this important issue which centers on the civil liberties at the foundation of our country.

I want to repeat something we have said since the beginning: that the victims and families of the San Bernardino attacks have our deepest sympathies and we strongly agree that justice should be served. Apple has no sympathy for terrorists.

We have the utmost respect for law enforcement and share their goal of creating a safer world. We have a team of dedicated professionals that are on call 24 hours a day, seven days a week, 365 days a year to assist law enforcement.
When the FBI came to us in the immediate aftermath of the San Bernardino attacks, we gave all the information we had related to their investigation. And we went beyond that by making Apple engineers available to advise them on a number of additional investigative options.

But we now find ourselves at the center of an extraordinary circumstance. The FBI has asked a Court to order us to give them something we don't have. To create an operating system that does not exist, because it would be too dangerous. They are asking for a backdoor into the iPhone, specifically to build a software tool that can break the encryption system which protects personal information on every iPhone.

As we have told them, and as we have told the American public, building that software tool would not affect just one iPhone. It would weaken the security for all of them. In fact, just last week Director Comey agreed that the FBI would likely use this precedent in other cases involving other phones. District Attorney Vance has also said he would absolutely plan to use this on over 175 phones. We can all agree this is not about access to just one iPhone.

The FBI is asking Apple to weaken the security of our products. Hackers and cyber criminals could use this to wreak havoc on our privacy and personal safety. It would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.

Hundreds of millions of law-abiding people trust Apple's products with the most intimate details of their daily lives: photos, private conversations, health data, financial accounts, and information about the user's location as well as the location of their friends and families. Some of you might have an iPhone in your pocket right now, and if you think about it, there's probably more information stored on that iPhone than a thief could steal by breaking into your house. The only way we know to protect that data is through strong encryption.
Every day, over a trillion transactions occur safely over the Internet as a result of encrypted communications. These range from online banking and credit card transactions to the exchange of healthcare records, ideas that will change the world for the better, and communications between loved ones.

The US government has spent tens of millions of dollars through the Open Technology Fund and other US government programs to fund strong encryption. The Review Group on Intelligence and Communications Technology, convened by President Obama, urged the US government to fully support and not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.

Encryption is a good thing, a necessary thing. We have been using it in our products for over a decade. As attacks on our customers' data become increasingly sophisticated, the tools we use to defend against them must get stronger too. Weakening encryption will only hurt consumers and other well-meaning users who rely on companies like Apple to protect their personal information.

Today's hearing is titled Balancing Americans' Security and Privacy. We believe we can, and we must, have both. Protecting our data with encryption and other methods preserves our privacy and it keeps people safe.

The American people deserve an honest conversation around the important questions stemming from the FBI's current demand:

Do we want to put a limit on the technology that protects our data, and therefore our privacy and our safety, in the face of increasingly sophisticated cyber attacks?

Should the FBI be allowed to stop Apple, or any company, from offering the American people the safest and most secure product it can make?

Should the FBI have the right to compel a company to produce a product it doesn't already make, to the FBI's exact specifications and for the FBI's use?
We believe that each of these questions deserves a healthy discussion, and any decision should be made after a thoughtful and honest consideration of the facts. Most importantly, the decisions should be made by you and your colleagues as representatives of the people, rather than through a warrant request based on a 220-year-old statute.

At Apple, we are ready to have this conversation. The feedback and support we're hearing indicate to us that the American people are ready, too.

We feel strongly that our customers, their families, their friends and their neighbors will be better protected from thieves and terrorists if we can offer the very best protections for their data. And at the same time, the freedoms and liberties we all cherish will be more secure.

Thank you for your time. I look forward to answering your questions.

From rforno at infowarrior.org Mon Feb 29 09:25:09 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 10:25:09 -0500
Subject: [Infowarrior] - The Broken System of Classifying Government Documents
Message-ID: <0F260ADB-53B6-44BA-9BD8-FB909CDB26BB@infowarrior.org>

The Broken System of Classifying Government Documents
Abbe David Lowell
http://www.nytimes.com/2016/02/29/opinion/the-broken-system-of-classifying-government-documents.html

EVERY few years, a news event demonstrates how dysfunctional, arbitrary and counterproductive the country's system of classifying information really is. Sometimes it's an article or book about government conduct that causes hand-wringing among intelligence officials. Sometimes it's a prosecution under the nearly 100-year-old Espionage Act for mishandling classified information, instead of for actual spying.

Now we have calls for prosecuting Hillary Clinton because, when she was secretary of state, she had documents on her private email server that have since been declared top secret. Mrs. Clinton, along with others accused of mishandling classified information, argues that government information is "overclassified" and that it is poorly labeled, making it impossible to know what is actually top secret. They are right.

This debate might prove useful if it forces the government to deal with a bigger issue: the need for a saner system for classified information. Too much information is classified, and those restrictions last too long.

Right now, there are thousands of people in the government who can classify information. Think about the reality: A person can put a "classified" stamp on a document and ensure it is kept secret, or can leave it unclassified, subject to disclosure, and later be accused of having revealed something needing protection. No one risks any real penalty for using the stamp; the only punishment comes from not using it. The result is overclassification.

One person's decision may not be consistent with that of another. Many times, I've seen information in a document marked "top secret" that is easily available on the Internet. Similarly there are numerous examples where the exact same paragraph is marked "secret" in one document but left unclassified in another. Yet people have been prosecuted for disseminating such information, and at trial, the government blocks them from using the unclassified document as a defense. Moreover, the courts will not accept the argument that information should not have been classified in the first place. Given how almost random the decision to classify is, this is astounding.

Classifications typically last 10 years. There is no real system for reviewing decisions, so information that was stale weeks after it was classified remains secret for years longer. The government may prosecute someone for discussing information that was classified long ago for a reason that is no longer valid. Here, too, the inappropriate length of classification is not a defense.
Often, the motive for classifying something is to protect not that information, but its source. For example, a document states that Kim Jong-un of North Korea had a hamburger for lunch. That is not information that has to be protected, but that we know that he ate it reveals a source that needs protecting. This is where the classification system has to operate properly because real lives and methods are in peril. Yet this kind of information, in my experience, is typically not what is being protected.

The laws used to charge improper dissemination of classified information also subject people to the most selective prosecution imaginable. Consider these real examples. A high-ranking official gives behind-the-scenes intelligence to a reporter in hopes of putting the administration in a good light. No one is charged. But a lower-ranking official tells a different reporter classified information calling attention to a Middle Eastern terrorist organization and is charged with a felony. The former head of the C.I.A. gives classified information, including code words for intelligence programs and war strategy, to a biographer with whom he is in a relationship and then lies about it. He is allowed to plead guilty to a misdemeanor. But a State Department analyst who speaks to a reporter about the threat of North Korea's nuclear program, and then lies about it, is charged with a felony and serves 11 months in jail.

In Mrs. Clinton's case, people can reasonably assert that in using a private email server she thwarted open government rules or risked the possibility that sensitive information would be disclosed. But the idea that she violated laws about classified information is simply wrong. Any investigation based on after-the-fact determinations of classification would do nothing to protect national security and would distract from the need to reform classification laws.
From rforno at infowarrior.org Mon Feb 29 09:14:08 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 10:14:08 -0500
Subject: [Infowarrior] - New transatlantic data deal draws fire from privacy advocates
Message-ID:

New transatlantic data deal draws fire from privacy advocates
By Katie Bo Williams - 02/29/16 09:34 AM EST
http://thehill.com/policy/cybersecurity/271126-new-transatlantic-data-deal-draws-fire-from-privacy-advocates

A new transatlantic data transfer deal will establish a last-resort arbitration panel to resolve complaints by individuals that U.S. companies have mishandled their data, but will not allow EU citizens to claim financial damages.

A draft text of the so-called Privacy Shield released early Monday also creates an ombudsman within the State Department to address complaints from Europeans that U.S. intelligence agencies have inappropriately accessed their personal data.

The agreement, which has yet to be approved by the 28 EU member states, replaces a 2000 pact that allowed over 4,000 U.S. companies to legally handle European citizens' data. It was struck down by the European high court in October over privacy concerns, prompting a scramble from the U.S. and the European Commission to avoid a shutdown of transatlantic data transfers.

Both of the new redress mechanisms are already being portrayed as relatively weak by privacy advocates in the EU.

"Doubtful if 'written assurances,' 'ombudsman' and patchy judicial redress rights #PrivacyShield meet standards set by [EU high court]," tweeted European Parliament member Sophie in 't Veld.

Individuals who believe a company has mishandled their data must exhaust three separate mechanisms as a means of redress before they have access to the arbitration panel. The panel can make binding decisions against U.S. companies, but the redress it can offer citizens must be "non-monetary", meaning its authority is limited to correcting, returning or deleting the disputed personal data.
"These are the only powers of the arbitration panel with respect to remedies," the text states. "No damages, costs, fees, or other remedies are available."

The text of the new arrangement reveals a number of other updates to the original deal, including one section which is being interpreted to allow EU privacy regulators to unilaterally freeze transfers to the U.S. from their country.

"This means basically that there is no legal certainty for businesses that a 'Privacy Shield' certification ensures continuous data flows. Any national [data protection authority] can simply pull the plug under this system," said Max Schrems, the privacy activist whose original complaint sunk the 2000 agreement.

Schrems argued in a Monday statement that the new deal will not withstand court scrutiny, nor will it get the approval of individual European privacy regulators, who are in the process of reviewing the text.

"They tried to put ten layers of lipstick on a pig, but I doubt the Court and the [data protection authority regulators] now suddenly want to cuddle with it," Schrems said.

From rforno at infowarrior.org Mon Feb 29 08:51:34 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 09:51:34 -0500
Subject: [Infowarrior] - Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue
Message-ID:

Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue
https://www.techdirt.com/articles/20160226/16551633728/leaked-details-new-congressional-commission-to-take-encryption-issue.shtml

< - >

So, should this bill pass, the Commission would have 16 members, with the Republicans and Democrats each appointing eight, and that eight that each party appoints would be one person from each of the following fields:

- Cryptography
- Global commerce and economics
- Federal law enforcement
- State and local law enforcement
- Consumer-facing technology sector
- Enterprise technology sector
- Intelligence community
- Privacy and civil liberties community

That's actually... not a bad mix overall, though obviously who is appointed will make a huge difference in terms of whether or not we have a useful commission or one that will declare the impossible (and dangerous) possible. The commission will actually have subpoena authority, which is an interesting choice, and will, of course, hold a bunch of hearings. And it's expected to move pretty quickly:

- Commissioners must be appointed within 30 days of enactment (except for the ex officio).
- The Commission shall hold its first meeting within 60 days of enactment.
- The interim report is due within 6 months of the initial meeting.
- The final report is due within 12 months of the initial meeting.
- The Commission terminates within 60 days after the final report.

Meanwhile, given that it's almost certain that the commission will not unanimously agree on anything, the final report needs to only be agreed upon by 11 of the 16 commissioners. And dissents will be published with the report as well. Even getting to 11 may be tricky without some serious compromises. If you assume (which is already unlikely) that the non-law enforcement/intelligence guys would all agree on something, you're still left with the 6 law enforcement and intelligence commissioners. One of them would have to be convinced to go along with the report. I mean, it is possible. Michael Hayden and Michael Chertoff have both been going around saying that strong encryption is good and backdoors are bad. So maybe you get someone like them to be one of the "intelligence community" folks on the commission -- but it's still an uphill battle.
From rforno at infowarrior.org Mon Feb 29 08:51:29 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 09:51:29 -0500
Subject: [Infowarrior] - Inside The Obama Administration's Attempt To Bring Tech Companies Into The Fight Against ISIS
Message-ID:

Inside The Obama Administration's Attempt To Bring Tech Companies Into The Fight Against ISIS
Sheera Frenkel
http://www.buzzfeed.com/sheerafrenkel/inside-the-obama-administrations-attempt-to-bring-tech-compa#.gt1b3nx7e

WASHINGTON, D.C. - They flew in from New York, San Francisco, and Los Angeles to hole up in a windowless D.C. conference room for nearly five hours on Wednesday - representatives of the country's top tech and entertainment companies brainstorming with U.S. counterterrorism officials to tackle one tough question: how to stop the spread of ISIS online.

The goal is a relatively uncontroversial one. The militant Islamist group has developed a keen propaganda machine and tech companies like Twitter have been going after accounts run by their supporters. But inside the conference room, as dozens of participants met and workshopped various tactics for battling ISIS's seemingly inexhaustible PR machine, one thing became abundantly clear - there remains, inside the U.S. government, a huge cognitive dissonance.

The Department of Justice called the meeting in the midst of rising anti-Muslim sentiment across the country, fed by the campaign of Donald Trump, and yet failed to include more than a small handful of Muslims in the meeting. And while the meeting appealed for help from the tech community, tensions between Washington and Silicon Valley are at an all-time high as the FBI seeks to set a precedent by forcing Apple to help it break into a phone used by one of the San Bernardino shooters. The standoff between Apple and the FBI did not come up during the meeting, though the issues it involves are at the heart of the very things being discussed. As the role of technology in our lives continues its explosive growth, how will the balance between privacy and security play out in the new Silicon Valley-D.C. relationship?

The tension wasn't lost on participants. "It's a weird time to come out to the Valley and ask for help," one tech executive told BuzzFeed News the week before flying out to the event.

Among the handful of Arab participants who took part in Wednesday's event, the questions raised felt even greater.

"They wanted to figure out how to fight ISIS online, how to understand the psychology of those who support ISIS, and they invited almost no one who speaks for those of us in the Arab world, and from Arab communities, who have everything to lose from ISIS's growing popularity," said one Arab attendee, who estimated that less than 10% of the attendants were of Middle Eastern descent. "They don't understand this community. That has been proven time and time again with their tone deaf messages. Why hold an event like this where there are ten white men outnumbering every Arab?"

The lack of voices from the Middle East at the event was raised repeatedly, with one attendee garnering applause when they asked why, in a discussion regarding ISIS's appeal to young Arab-American Muslims, there was no one speaking to their appeal from within that community.

"The lens we use to look at things like radicalization or race issues or any social issue improves dramatically when we have more people from that community involved," one attendee texted BuzzFeed News after the event. Another attendee told BuzzFeed News by phone Thursday, "They are asking the wrong questions."

The event was originally named "the Madison Ave. Project" reflecting the marketing and branding experts the White House hoped to call in. It evolved into the "Madison Valley Project" with the inclusion of tech companies, and finally the "Madison Valleywood Project" with the inclusion of film and entertainment industry leaders. Like its name, few thought the various sectors could, and would, come together.

Other media outlets, who were leaked a list of attendees, revealed that Microsoft, Facebook, Apple, Google, Mediacom, and Edelman were among those attending from Hollywood and Silicon Valley. In a statement, the Department of Justice noted that Assistant Attorney General for National Security John Carlin, U.S. Chief Technology Officer Megan Smith, and Senior Director for Counterterrorism on the National Security Council Staff Jen Easterly all took part in the meeting.

"The Administration is committed to taking every action possible to confront and interdict terrorist activities wherever they may occur, including in cyberspace," read a statement about the event released by the Department of Justice on Wednesday. "We are using this engagement and others to enlist the help of industry leaders and experts in our effort to ensure we bring the most innovative private and public sector thinking to all aspects of combating terrorism."

BuzzFeed News was invited to attend the event Wednesday, which took place at the Department of Justice with a reception afterwards, on the condition that it, like all in attendance, follow the Chatham House rule - attendees are free to use the information from the discussion but not identify those attending or the specifics of what they said. All people quoted in this article were spoken to before or after the event, under the condition that their names and titles be withheld. It was unclear why no other press was invited.

Most attendees were hopeful that something could be done to fight ISIS online, and saw current efforts to do so as lacking, with campaigns like the State Department's message to potential militants - "Think Again, Turn Away" - being called "embarrassing" and ineffective.

"It's a great thing for them to be doing but I felt like they were positioning it wrong," said one attendee. "It's not just about ISIS communication online, it's about why that communication is effective. Why Arabs, even those like us that are second- and third-generation Arabs in the West, feel isolated. The content to fight ISIS has to come from the Arab world. You need people who understand what we are feeling and why, who understand what the actual messages are that can then be spread by Silicon Valley companies and Hollywood and everyone else gathered up at the White House."

Yet it remained unclear, at the end of the meeting, how that anti-ISIS content would actually be produced - or what role tech companies would play in promoting content that opposed the propaganda spread by ISIS.

"We aren't in the business of making content - someone else needs to be the one doing that at the start of the pipeline before we can get involved," said one Google representative, who spoke to BuzzFeed by phone last week on condition of anonymity because he was not allowed to speak publicly about Google's talks with the government.

Over the last year, the government has stepped up its overtures to Silicon Valley, meeting with tech executives in January on the subject of combatting ISIS online. The Department of Defense has opened an office in the San Francisco area, and the State Department has recently appointed its first representative to Silicon Valley.

Tech executives who have met with the Pentagon team told BuzzFeed News that some of their requests have been "jarring." In at least one case, the Pentagon spoke with several companies - who asked not to be named as a condition of discussing the meeting with BuzzFeed News - about tweaking their algorithms to promote certain types of content. Both Google and Facebook have made it clear that they would not make changes to their algorithms to bury results supportive of ISIS.

"That's something that is always brought up in meetings. And it shows how little they understand us," said the Google representative. "This is a Pandora's box we won't open, because if we answer a request by the U.S. government to feature one search result over another, what's to stop other countries from requesting the same? What's to stop each country from tailoring the search results of their citizens to their agenda? It's not a path we are willing to explore."

With much taken off the table, it was unclear, going forward, what concrete steps each party would take. When the hallways were emptied of guests and the final evaluations made, few were certain if there was any chance of success.

At its core, said many attendees, the issue was the basic distrust the tech and entertainment companies have for the government, which has been amplified by the unprecedented attempt to force Apple to help the FBI break into an encrypted phone and the strong stance taken by tech companies including Google, Microsoft, and Facebook to stand behind Apple.

"It's like you've been asked to partner up and dance with the bully at school who keeps trying to trip you in the hallways," one attendee told BuzzFeed News after the event. "And even though you want to learn to dance, there isn't a lot of trust to build on."

An attendee from the government side told BuzzFeed News by phone, "We need help, but it's like, one part of government keeps fucking this up for other parts of government. We can't seem to get it right."

From rforno at infowarrior.org Mon Feb 29 17:11:46 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 18:11:46 -0500
Subject: [Infowarrior] - NY Judge: US Cannot Make Apple Provide iPhone Data
Message-ID: <90A9775D-72B2-419D-A636-CB507E634EC0@infowarrior.org>

NY Judge: US Cannot Make Apple Provide iPhone Data
ABC News
http://abcnews.go.com/Technology/wireStory/schism-emerges-apple-case-san-bernardino-survivors-37292472

The U.S.
Justice Department cannot force Apple to provide the FBI with access to locked iPhone data in a routine Brooklyn drug case, a magistrate judge ruled Monday.

U.S. Magistrate Judge James Orenstein's written decision gives support to the company's position in its fight against a California judge's order that it create specialized software to help the FBI hack into an iPhone linked to the San Bernardino terrorism investigation. Apple's filing to oppose the order by Magistrate Judge Sheri Pym in California is due by Friday.

The San Bernardino County-owned iPhone 5C was used by Syed Farook, who was a health inspector. He and his wife Tashfeen Malik killed 14 people during a Dec. 2 attack that was at least partly inspired by the Islamic State group. Apple's opposition to the government's tactics has evoked a national debate over digital privacy rights and national security.

Orenstein concluded that Apple is not obligated to assist government investigators against its will and noted that Congress has not adopted legislation that would achieve the result sought by the government.

"How best to balance those interests is a matter of critical importance to our society, and the need for an answer becomes more pressing daily, as the tide of technological advance flows ever farther past the boundaries of what seemed possible even a few decades ago," Orenstein wrote. "But that debate must happen today, and it must take place among legislators who are equipped to consider the technological and cultural realities of a world their predecessors could not begin to conceive."

A Justice Department spokesman said they were disappointed in the ruling and planned to appeal in the coming days. Apple and their attorneys said they were reading the opinion and will comment later.

In October, Orenstein invited Apple to challenge the government's use of a 227-year-old law to compel Apple to help it recover iPhone data in criminal cases. The Cupertino, California-based computer maker did, saying in court papers that extracting information from an iPhone "could threaten the trust between Apple and its customers and substantially tarnish the Apple brand." It followed up by declining to cooperate in a dozen more instances in four states involving government requests to aid criminal probes by retrieving data from individual iPhones.

Federal prosecutors say Apple has stopped short of challenging court orders judicially, except in the cases before Orenstein and the California jurist who ruled about the San Bernardino shooter's phone.

"Ultimately, the question to be answered in this matter, and in others like it across the country, is not whether the government should be able to force Apple to help it unlock a specific device; it is instead whether the All Writs Act resolves that issue and many others like it yet to come," Orenstein wrote. "For the reasons set forth above, I conclude that it does not."

---

Abdollah reported from Washington.

From rforno at infowarrior.org Mon Feb 29 17:19:40 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 18:19:40 -0500
Subject: [Infowarrior] - Pentagon admits it is 'looking to accelerate' cyber-attacks against Isis
Message-ID:

Pentagon admits it is 'looking to accelerate' cyber-attacks against Isis
Spencer Ackerman
http://www.theguardian.com/world/2016/feb/29/pentagon-admits-cyber-attacks-against-isis

The Pentagon has acknowledged using its storehouse of new digital weapons to attack Islamic State communications networks, the first time that the US military has acknowledged doing so during an active war.

Operators from the US Cyber Command, the young military command twinned to the National Security Agency, have launched assaults on nodes, overloading them with data, US defense chief Ashton Carter said on Monday. Carter told reporters the US was "looking to accelerate"
cyber-strikes he likened to the traditional disruption of enemy command networks.

The US cyber-attacks, which Carter said complemented familiar methods of signal jamming over radio frequencies, seek to instill a loss of confidence in the security and efficacy of internal Isis communications.

Analysts who have long tracked the development and incorporation of digital weapons into the US military arsenal considered Carter's acknowledgment to be a milestone.

"The cyberwar seal has been broken in public", said Peter W Singer of the New America Foundation.

Thus far, the US has only acknowledged using digital weaponry in vague terms. Secrecy has surrounded their use, as the US cyber arsenal has seen operation as part of covert intelligence activities, rather than as a component of an ongoing war.

Stuxnet, a worm that disrupts the functions of industrial centrifuges used in Iran's nuclear program, is widely believed to have been jointly developed by the US and Israel. The Obama administration has never formally acknowledged possessing a broader panoply of cyber weapons aimed at the Iranian nuclear program, known as Olympic Games. The New York Times recently reported that the US prepared a campaign for their use, Nitro Zeus, in the event that a diplomatic effort to halt the program broke down.

But the administration considered those online efforts alternatives to warfare. Against Isis, the US is using cyber weapons as a method of warfare alongside the airstrikes, indigenous force training and special operations raids that characterize the US campaign in Iraq and Syria.

With Olympic Games, unlike Stuxnet, Singer said, "the US military is making clear that it can and will carry out offensive cyber operations. Everyone knew we could do it and Isis as the target makes this less controversial, but it is still a big line to cross."

Carter and the chairman of the joint chiefs of staff, Marine Gen Joseph Dunford, declined to speak about the US cyber campaign in detail, but said it contributed to the broader objectives of isolating the Isis capital of Mosul in Iraq and Raqqa in Syria.

"Conceptually, that's the same thing we're trying to do in the cyberworld," Dunford said Monday.

Both senior officials acknowledged a potential loss of intelligence coming from the assaults on Isis networks the US monitors, but expressed hope that they would press Isis fighters into using more interceptable modes of communications.

In addition to overloading or defacing Isis's web presence, known as a denial of service attack, and aiming to prevent the uploading or distribution of propaganda, particularly on social media, it is likely that the US Cyber Command is "mapping the people behind networks, their connections and physical locations and then feeding that into targeting on the kinetic side - injecting false info to create uncertainty", Singer said.

From rforno at infowarrior.org Mon Feb 29 19:36:33 2016
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Feb 2016 20:36:33 -0500
Subject: [Infowarrior] - Obama administration to renegotiate rules for 'intrusion software'
Message-ID: <799509DA-9E8B-4100-9AB8-F06D2FAEA12F@infowarrior.org>

Obama administration to renegotiate rules for 'intrusion software'
Katie Bo Williams
http://thehill.com/policy/cybersecurity/271204-obama-administration-to-renegotiate-international-anti-hacking-regs

The Obama administration is telling lawmakers that it will seek to renegotiate certain portions of a 41-nation agreement designed to keep hacking tools out of the hands of repressive regimes.

The reversal follows months of pressure from the technology community and lawmakers, who warned the vague definitions within the agreement would restrict companies' ability to use legitimate tools to test and fortify their own defenses.
"Today's announcement represents a major victory for cybersecurity here and around the world," said Rep. Jim Langevin (D-R.I.), who helped spearhead efforts to press the administration to renegotiate.

In 2013, the State Department agreed to a series of amendments to the so-called Wassenaar Arrangement, a 41-nation agreement restricting the export of dual-use technologies in order to keep them out of the wrong hands.

Those amendments expanded the list of restricted technologies to include so-called "intrusion software" - digital hacking and surveillance tools that the agreement's crafters were concerned could be used to crack down on journalists and dissidents.

Following an interagency rulemaking process that included State, the Commerce Department and the Department of Homeland Security, the administration attempted to implement the agreement, but met with fierce pushback from both the security community and lawmakers.

Critics argue that the arrangement defines "intrusion software" too broadly, effectively outlawing legitimate cybersecurity tools needed to defend networks against hackers.

Increasingly, lawmakers from both sides of the aisle have begun to argue the security community's long-held stance that a regulatory solution is impossible and that State must return to the table to renegotiate the terms of the arrangement.

"While well-intentioned, the Wassenaar Arrangement's 'intrusion software' control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products," Langevin said Monday.

The contentious language eventually led to a reported stalemate between the three agencies. Some in the security community, as well as some lawmakers, have complained that the State Department was dragging its feet by insisting that any changes to the language happen on the domestic regulatory level rather than through a renegotiation of the terms it agreed to in 2013.

The agency appears to have given in to the pressure. The administration filed a proposal on Monday to eliminate the 2013 controls on the development of intrusion software, according to a congressional aide with knowledge of the proceedings.

"By adding the removal of the technology control to the agenda at Wassenaar, the Administration is staking out a clear position that the underlying text must be changed," Langevin said.