From rforno at infowarrior.org Sun Sep 24 10:58:42 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Sep 2017 15:58:42 -0000
Subject: [Infowarrior] - OT: Mr. President: You Represent All of Us. Don't Divide Us. Bring Us Together
Message-ID:

(I can't help wondering if this is just another base-baiting diversion to try and get ahead of other 'bad' news for the administration that will break soon and consume the media -- ie the Russia investigation, LA senate race, continued lack of any major policy wins, that whole nuclear war thing, etc. --rick)

Mr. President: You Represent All of Us. Don't Divide Us. Bring Us Together
Steve Kerr (As Told To Chris Ballard)
3 hours ago
https://www.si.com/nba/2017/09/24/steve-kerr-warriors-donald-trump-white-house-stephen-curry

We knew it was coming. After Steph spoke up at media day on Friday, we figured it was just a matter of time until the president responded. Then on Saturday morning my wife, Margot, woke me up. "Here it is," she said, and showed me Trump's tweet. Our invitation, he wrote, "has been withdrawn" because, "going to the White House is considered a great honor for a championship team" and, "Stephen Curry is hesitating."

First off, I'm pretty sure Steph wasn't "hesitating". He made it clear he wouldn't go. Second, as I joked to the media Saturday, it was like the president was trying to break up with us before we broke up with him.

Regardless, it's a shame. I've been fortunate enough to meet President Reagan, both Bushes, Clinton, and Obama. I didn't agree with all of them, but it was easy to set politics aside because each possessed an inherent respect for the office, as well as the humility that comes with being a public servant in an incredible position of power, representing 300 million people.

And that's the problem now. In his tweet to Steph, Trump talked about honoring the White House but, really, isn't it you who must honor the White House, Mr. President? And the way to do that is through compassion and dignity and being above the fray. Not causing the fray.

Would we have gone? Probably not. The truth is we all struggled with the idea of spending time with a man who has offended us with his words and actions time and again. But I can tell you one thing: it wouldn't have been for the traditional ceremony, to shake hands and smile for cameras. Internally, we'd discussed whether it'd be possible to just go and meet as private citizens and have a serious, poignant discussion about some of the issues we're concerned about. But he's made it hard for any of us to actually enter the White House, because what's going on is not normal. It's childish stuff: belittling people and calling them names. So to expect to go in and have a civil, serious discourse? Yeah, that's probably not going to happen.

Look, I'm a basketball coach and what I do obviously pales in comparison to what the president does. But our jobs are similar in at least one respect: If you want to be an NBA coach, you need to be prepared to be criticized. You kind of know that going in. If I coach poorly and we lose the game, I hear about it. That's okay. It's really where we coaches earn our money, accepting and dealing with criticism and keeping the ship moving forward.

There has to be an inherent understanding when you enter into any public position of power that this is what happens. People are going to take shots at you and it's incumbent upon you to absorb those shots. Maybe you respond diplomatically, but you maintain a level of respect and dignity. What you can't do is just angrily lash out. Can you imagine if I lashed out at all my critics every day and belittled them? I'd lose my players, I'd embarrass ownership, I'd embarrass myself. Pretty soon I'd be out of a job. It's a basic adult thing that you learn as you grow up: People aren't always going to agree with you. And that's OK.
Instead, we get Trump's comments over the weekend about NFL players, calling them "sons of bitches" for kneeling during the anthem. Those just crushed me. Crushed me. Just think about what those players are protesting. They're protesting excessive police violence and racial inequality. Those are really good things to fight against. And they're doing it in a nonviolent way. Which is everything that Martin Luther King preached, right? A lot of American military members will tell you that the right to free speech is exactly what they fight for. And it's just really, really upsetting that the leader of our country is calling for these players to be "fired."

The hard part is knowing what to do now. Margot and I talked for a long time Saturday morning about what to say publicly. I've probably been as critical of Trump as anybody but maybe it's time to take a different course. There's no need to get into a war of words. It's about trying to hang on to the values that are important to us as an organization, a country, and, really, as human beings.

The fact is we live in an amazing country, but it's a flawed one. I consider myself unbelievably lucky to live here, so please spare me the "If you don't like it you can get out" argument. I love living here. I love my country. I just think it's important to recognize that we as a nation are far from perfect, and it's our responsibility to try to make it better. And one of the ways to do that is to promote awareness and understanding and acceptance. Not just acceptance but embracing our diversity, which when you get down to it is not only who we are but truly what makes us great. And it's not happening.

Remember, the president works for us, not vice versa. We elected him. He doesn't just work for his constituents and his base. He works for every citizen. Once you take that office, you have to do what's best for the entire country. Sure, you're going to have policies that align with your party, but that's not the point.
Respectfully, Mr. Trump, the point is this: You're the president. You represent all of us. Don't divide us. Bring us together.

From rforno at infowarrior.org Sun Sep 24 11:01:02 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Sep 2017 16:01:02 -0000
Subject: [Infowarrior] - 'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack
Message-ID: <5329967E-8C94-4B1B-8BD0-F158A5486FA4@infowarrior.org>

'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack
from the killed-by-apathy dept

By this point, the half-baked security in most internet of things devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IOT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

The lack of security in the medical front is particularly alarming. The latest case in point: security researchers have discovered eight vulnerabilities in a syringe infusion pump used by hospitals to help administer medication to patients intravenously. The flaws in the Medifusion 4000 infusion pump, manufactured by UK medical multinational Smiths Group, were discovered by security researcher Scott Gayou. The device is utilized to deliver medications, blood, antibiotics and other fluids to critical care patients, patients undergoing surgery (anesthesia) -- and newborn babies.
The flaws were severe enough to warrant a new warning from the Department of Homeland Security, which issued an advisory that, like similar past advisories, rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly:

< - >

https://www.techdirt.com/articles/20170920/09450338247/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack.shtml

From rforno at infowarrior.org Sun Sep 24 18:46:34 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Sep 2017 23:46:34 -0000
Subject: [Infowarrior] - Russian hackers exploited a Google flaw the company has refused to fix
Message-ID: <04D814BD-4A66-4562-8CD0-20B0096AFA0D@infowarrior.org>

Russian hackers exploited a Google flaw the company has refused to fix
Hacker team "Fancy Bear" used a Google security flaw to attack journalists, and the tech giant has done nothing
Matthew Sheffield, 2017-09-24T15:00:30Z

A hacking team reportedly linked to the Russian government has been utilizing a security flaw in a Google service to launch attacks on investigative journalists. The web giant has known about the vulnerability since November of last year but has still failed to fix it.

The security bug lies within Google's implementation of a new internet standard it has been trying to promote called Accelerated Mobile Pages (AMP). Google has marketed AMP as a way of optimizing web pages for smartphones. Launched in late 2015, AMP is designed to provide simpler versions of websites that can load faster on the often slower data connections and microprocessors used by mobile devices.

To further speed things up for smartphone users, Google preloads copies of AMP pages listed in search results so they can be instantly loaded if they are subsequently clicked. The only way this background loading of pages can be accomplished is to give the cached pages Google.com URLs.
< - >

http://www.salon.com/2017/09/24/russian-hackers-exploited-a-google-flaw-and-google-wont-fix-it/

From rforno at infowarrior.org Sun Sep 24 18:49:15 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Sep 2017 23:49:15 -0000
Subject: [Infowarrior] - But ... *his* emails!
Message-ID: <519011C4-ED81-4BC7-B95E-560259071905@infowarrior.org>

Kushner used private email account for some White House business
By Carol D. Leonnig, Philip Rucker and Ellen Nakashima
September 24 at 7:03 PM

President Trump's son-in-law and senior adviser Jared Kushner has used a private email account to conduct and discuss official White House business dozens of times, his lawyer confirmed Sunday.

Kushner used the private account through his first nine months in government service, even as the president continued to criticize his opponent in the 2016 presidential election, Democrat Hillary Clinton, for her use of a private email account for government business.

Kushner several times used his account to exchange news stories and minor reactions or updates with other administration officials.

Kushner and his wife, Ivanka Trump, set up the private account before Donald Trump moved into the White House and Kushner was named a senior adviser to the president in January. Once in the White House, Kushner used his private account for convenience from time to time -- especially when he was traveling or using a personal laptop, according to two people familiar with his practice. A person who has reviewed the emails said many were quickly forwarded to his government account and none appear to contain classified information.

Clinton offered a similar explanation in 2015 when it was revealed that she set up a private email account as her exclusive means of email communication when she was secretary of state. Clinton also said she opted for private email "as a matter of convenience."
She insisted that she never shared classified information on her private account or tried to sidestep the federal law that requires that official government communications are preserved. She said nearly all of her communication was stored by the government because she was communicating with other officials on their government accounts.

Kushner's use of a private account was first reported Sunday by Politico....

< - >

https://www.washingtonpost.com/politics/kushner-used-private-email-account-for-some-white-house-business/2017/09/24/917d9b6e-a161-11e7-b14f-f41773cd5a14_story.html

From rforno at infowarrior.org Mon Sep 25 09:05:49 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 14:05:49 -0000
Subject: [Infowarrior] - What is the TaigaPhone? 'Surveillance-proof' device touted by Kaspersky Lab co-founder
Message-ID: <84175870-C61A-4117-89B3-03EE857972E0@infowarrior.org>

What is the TaigaPhone? 'Surveillance-proof' device touted by Kaspersky Lab co-founder
Natalya Kaspersky said the handset is designed for corporate customers.
By Jason Murdock
September 25, 2017 13:00 BST
http://www.ibtimes.co.uk/what-taigaphone-surveillance-proof-device-touted-by-kaspersky-lab-co-founder-1640709

A new smartphone created by Russia's InfoWatch, a collective of IT companies which started out life as a project of cybersecurity giant Kaspersky Lab, will reportedly offer anti-surveillance capabilities to enterprise customers who are concerned about snooping.

The device, branded "TaigaPhone", will cost roughly 15,000 rubles ($260, £192) and is being manufactured by Taiga Systems. The firm is a member of Moscow-based InfoWatch, which is owned and led by Natalya Kaspersky, one of Russia's most prominent entrepreneurs.

"We have created it for the corporate market," Kaspersky said during a Moscow business forum Friday (22 September), as reported by the AFP agency.
A release date was not confirmed, and the firm's website states the device is in the final stages of production.

"Half of all data loss in Russia happens on mobile devices, we intend to fix that problem with the TaigaPhone," asserted company rep Grigoriy Vasilyev.

InfoWatch said that the smartphone will keep users' data confidential, track the location of devices to reduce theft and prevent "information leakage."

< - >

From rforno at infowarrior.org Mon Sep 25 09:05:56 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 14:05:56 -0000
Subject: [Infowarrior] - Deloitte hit by cyber-attack revealing clients' secret emails
Message-ID: <14B39ED2-FA87-413B-89F4-EF8C2B58A2B2@infowarrior.org>

Deloitte hit by cyber-attack revealing clients' secret emails
Nick Hopkins
Monday 25 September 2017 08.00 EDT

One of the world's "big four" accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal.

Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.

One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.

So far, six of Deloitte's clients have been told their information was "impacted" by the hack. Deloitte's internal review into the incident is ongoing.
The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The hacker compromised the firm's global email server through an "administrator's account" that, in theory, gave them privileged, unrestricted "access to all areas". The account required only a single password and did not have "two-step" verification, sources said.

Emails to and from Deloitte's 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft's equivalent to Amazon Web Service and Google's Cloud Platform.

< - >

https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

From rforno at infowarrior.org Mon Sep 25 09:06:02 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 14:06:02 -0000
Subject: [Infowarrior] - OT: This is what the flag stands for, Mr. President
Message-ID: <4388669D-8991-4853-8CCD-232F3BC779C0@infowarrior.org>

This is what the flag stands for, Mr. President
By Editorial Board
September 24 at 7:25 PM
https://www.washingtonpost.com/opinions/this-is-what-the-flag-stands-for-mr-president/2017/09/24/34be7726-a130-11e7-b14f-f41773cd5a14_story.html

IN 1943, with the nation mobilized for war against fascism, schoolchildren in West Virginia were required each morning to salute the American flag. The purpose, seemingly unexceptionable -- and in fact not objected to by many -- was "teaching, fostering and perpetuating the ideals, principles and spirit of Americanism." However, to Jehovah's Witnesses the flag was an "image," which, under their religious beliefs, their children were forbidden to salute. Students refused to do so and were expelled from school; parents were prosecuted; eventually, the case reached the Supreme Court.
There, in West Virginia State Board of Education v. Barnette, Justice Robert Jackson wrote for a 6-to-3 majority that the state could not compel children to salute the flag. Reversing a court decision from just three years earlier, Jackson wrote, in the midst of war, what remains one of the enduring statements of confidence in what truly makes America great. "To believe that patriotism will not flourish if patriotic ceremonies are voluntary and spontaneous, instead of a compulsory routine," he wrote, "is to make an unflattering estimate of the appeal of our institutions to free minds."

What brings this to mind, of course, is President Trump's latest bilious eruption. The first inclination, when he starts calling people "sons of b-----s" and waxing nostalgic for days when more concussions were inflicted for the entertainment of football fans, is to look away. It's embarrassing, after all, to have to explain to the children that we have a president who speaks so rudely. It's playing into the diversion he may seek when he finds himself flummoxed by Kim Jong Un or Sen. John McCain (R-Ariz.). And shouldn't we be worrying about more important things -- health care, tax reform, the inundation of Puerto Rico, the dangers of nuclear war?

But then, when Mr. Trump tweets that players should "stop disrespecting our Flag & Country," it becomes clear: In some ways, there is nothing more important than his misguided understanding of how to truly respect the flag.

Some NFL players have been participating in a fraught, challenging debate about race, policing and criminal justice, and Mr. Trump is offended by this. His response: fire the players who don't share his views. Demand conformity and uniformity. He's not alone, of course. If he were, Colin Kaepernick would probably have a job by now. But the response to Mr. Trump's ugly tweets and threats, from players and team owners, reflects an encouraging consensus that the real way to respect the American flag is to respect the diversity of opinion it protects. As games began on Sunday, players, coaches and owners kneeled, linked arms and made statements in other ways. "Our players have exercised their rights as United States citizens in order to spark conversation and action to address social injustice," San Francisco 49ers owner Jed York said Saturday. "We will continue to support them in their peaceful pursuit of positive change in our country and around the world."

What's offensive here is not what Mr. Trump thinks about Mr. Kaepernick. At this point, honestly, who cares? But when the president uses his bully pulpit to declare some speech legitimate and some beyond the pale; when his response to protest is to question patriotism rather than engage on the issue of unequal policing -- then it is Mr. Trump who "disrespects our Flag & our Country." As Justice Jackson wrote three-quarters of a century ago, "If there is any fixed star in our constitutional constellation, it is that no official, high or petty, can prescribe what shall be orthodox in politics, nationalism, religion, or other matters of opinion, or force citizens to confess by word or act their faith therein."

From rforno at infowarrior.org Mon Sep 25 09:06:04 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 14:06:04 -0000
Subject: [Infowarrior] - Australia to create national space agency
Message-ID: <4DE56A09-27BA-4DFE-BD1B-379B9644F479@infowarrior.org>

Australia to create national space agency
https://www.yahoo.com/news/australia-create-national-space-agency-015318142.html

Sydney (AFP) - Australia on Monday committed to creating a national space agency as it looks to cash in on the lucrative and fast-evolving astronautical sector.
The announcement came at a week-long Adelaide space conference attended by the world's top scientists and experts including SpaceX chief Elon Musk.

It brings Canberra -- which already has significant involvement in national and international space activities -- into line with most other developed nations, which already have dedicated agencies to help coordinate the industry and shape development.

"The global space industry is growing rapidly and it's crucial that Australia is part of this growth," acting science minister Michaelia Cash said in a statement.

"A national space agency will ensure we have a strategic long-term plan that supports the development and application of space technologies and grows our domestic space industry."

According to the government, the global space sector -- encompassing innovation, defence, and telecommunications -- has been growing annually since the late 1990s at almost 10 percent, driving revenue each year of US$323 billion.

Thousands of the world's top scientists and space experts are attending the week-long International Astronautical Congress in Adelaide. SpaceX chief Musk is set to give an update on his ambitious vision of establishing a Mars colony. Also among those presenting is defence giant Lockheed Martin, which is working with NASA on plans to reach the Red Planet.

Lee Spitler, from Macquarie University's astronomy department in Sydney, said Australia's space industry currently operated "as a grassroots movement across a small number of companies, university groups and the defence sector".

"It will help bring to the forefront all the great work that has been going on in Australia in the space sector, and increase the potential for our country to play a key role in the international space scene in the future," said Spitler.
Australia's commitment to an agency follows the government in July ordering a review of the country's space industry capability, with a fuller strategy to underpin the work of the new body to be unveiled next year.

This year marks the 50th anniversary of Australia launching its first satellite, the only country at the time to achieve the feat after the United States and Russia. It has played a vital part in many space missions in the decades since then, with its Deep Space Communication Complex outside Canberra one of only three sites in the world capable of tracking NASA's deep space assets.

Australian National University's Penny King, who worked on the Mars "Curiosity Rover" mission, said the agency would improve opportunities for local scientists.

"Australians will be on the world stage, asking questions such as: How can we best care for Earth? How should we look for life beyond Earth? Where should we go?" she said.

From rforno at infowarrior.org Mon Sep 25 09:06:06 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 14:06:06 -0000
Subject: [Infowarrior] - Facebook reportedly discovered it had been infiltrated by Russian government hackers months before the election
Message-ID: <7E85AF01-0B5B-4D1D-B671-A22F3A9BBD3D@infowarrior.org>

Facebook reportedly discovered it had been infiltrated by Russian government hackers months before the election
Natasha Bertrand
Sep. 24, 2017, 8:47 PM

Members of a hacking group connected to Russia's military intelligence unit, the GRU, began creating fake Facebook accounts to amplify stolen emails as early as June 2016, people familiar with the company's investigation into Russia's use of the platform told The Washington Post.

The Post's report comes weeks after Facebook announced that inauthentic accounts linked to Russia were able to use the platform to spread fake news and purchase $100,000 worth of political ads during the election.
The accounts linked to the GRU's hacking group, called APT28, or Fancy Bear, reportedly set up an account called DCLeaks and one under the moniker Guccifer 2.0 that helped spread the emails stolen from the Democratic National Committee in late 2015. Cybersecurity experts believe Fancy Bear was also behind the DNC hack.

Facebook contacted the FBI at the time, according to the Post, but determined upon examining the accounts further that they were financially motivated and did not seem linked to a foreign government.

< - >

http://www.businessinsider.com/facebook-russia-election-2017-9

From rforno at infowarrior.org Mon Sep 25 09:07:44 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 14:07:44 -0000
Subject: [Infowarrior] - Apple's iPhone X could be the ultimate privacy killer
Message-ID:

Apple's iPhone X could be the ultimate privacy killer
By Adam Levin, opinion contributor
09/25/17 09:40 AM EDT
http://thehill.com/opinion/technology/352201-apples-iphone-x-could-be-the-ultimate-privacy-killer

The odds you don't already know about Apple's latest attempt at market domination -- the iPhone X -- are about even with the possibility that President Trump will stop using hand gestures when explaining something. That said, it is quite possible that you have not yet heard why the iPhone X should worry you.

"In its continuing war on inconvenience," Andy Greenberg of Wired wrote, Apple is poised to "give an unproven biometric security technology its biggest field test yet."

The most notable change -- never mind the iPhone X's screen size, resolution and configuration -- is its use of facial recognition as a security feature and the death of the home button. And it really isn't an exaggeration to say this is a field test of sorts.

Now, I certainly don't want to knock Apple, especially given noteworthy, pro-consumer privacy stances taken by the company.
CEO Tim Cook bravely refused to help authorities access the San Bernardino shooter's iPhone over privacy concerns -- specifically taking the stance that deciding when to provide assistance and when not to help law enforcement is too slippery a slope for a publicly traded company vested with zero legal authority over such matters.

With the obvious caveat that no Silicon Valley company is ethically spotless in the land of data monetization, Apple is more privacy true-believer than not when compared to its cohorts in the corporate sector. To be clear: This doesn't mean to say that Apple isn't in the information business, because it is. But in general, under Tim Cook's leadership, the company has been sensitive to the issue of consumer privacy.

And this is precisely why the latest iPhone whizzbang -- or privacy field test, if you will -- is puzzling, because the use of facial recognition technology raises serious questions about security and privacy. Granted, the particular technology driving Face ID, for the time being, seems difficult to spoof without a fair amount of expensive equipment and buckets of technical acuity, but in the world of hacking exploits, all things crack with the application of enough time and pressure.

In the meantime:

How will Face ID data be stored?

Apple has used Secure Enclave to store biometric data in the past, but most cybersecurity experts agree that the safest place to store biometric data is locally, i.e., only on the device that it's being used to access. If the data is stored on a server but is not encrypted, what safeguards are in place to prevent a third party from using the Face ID data for other purposes -- whether those purposes are "enterprising" or outright illegal? Why not avoid the danger of data compromise, and restrict FR data to the device it unlocks?

Will Face ID reliably work on people of all ethnicities?
Anyone of a certain age will remember the public relations problem that Eastman Kodak had because their color film didn't accurately capture people with darker skin. And not to be too macabre, but in the event of an accident or a face-swelling allergy attack, how will Face ID know you're you? Get ready for viral stories about the failure of the Face ID feature, because they're coming.

What about the Fourth Amendment?

The problem of theft or issues surrounding privacy rights of suspects and criminal defendants seem like immediate "real world" concerns as these devices are about to hit the streets. In theory, had the San Bernardino shooter been using the iPhone X, the phone could have been opened. What are the legal implications of that? Could police access your phone by pointing it at your face? Would they be able to use anything they found inside? What about a mugger? Could you be robbed with nothing more than your own phone pointed at your head?

What else will facial recognition be able to do?

In a perfect world, we'd have some assurances that Apple is not going to use facial recognition data to improve product design or even create services like FindFace (an app that allows Russian consumers to identify strangers who have profiles on a popular social networking site), and if they plan to do these things, are lawmakers poised to make sure consumers have a way to opt out? If Sen. Al Franken's (D-Minn.) comments are any indication (and I believe they are), the legislative branch is ready to meet this particular challenge.

The bigger issue from a security standpoint is the question of overall efficacy. Biometric authentication is flawed. It doesn't matter what kind we're talking about. Facial recognition can be tricked. Voice prints can be stolen. Fingerprints can be copied, and even retina scans have been defeated by hackers. I know what you're thinking: Body weight (alone, or in combination with shoe size yoked to any or all of the aforementioned metrics) is the answer.
Go ahead and invent the device that makes it happen. (And yes, I realize you weren't actually thinking that.)

As for Apple, the company is thinking the right thoughts, but we're not where we need to be to make something like Face ID safe. For the time being, the increase in convenience comes with a parallel increase in our attackable surface.

As I've written elsewhere, good security should incorporate something you have (like an ID card or a token generator), something you know (like a password or a phrase), and something you are (biometric identifiers like iris scans and fingerprints). Strong authentication requires at least two different identifiers. While the best solution is probably still using numeric passwords, an even more secure environment could be created using 2-factor authentication that required both Face ID and a six or greater digit numeric code. But then that wouldn't be convenient, would it?

Adam K. Levin is chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com, and a former director of the New Jersey Division of Consumer Affairs. He is also the author of "Swiped," which debuted at #1 on the Amazon Bestsellers Hot New Releases List.

From rforno at infowarrior.org Mon Sep 25 14:48:29 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 19:48:29 -0000
Subject: [Infowarrior] - Ex-NSA hacker drops macOS High Sierra zero-day hours before launch
Message-ID:

(ZDNet just had to say 'ex-NSA' to make a more sensational headline. Who cares where they're from? --rick)

Ex-NSA hacker drops macOS High Sierra zero-day hours before launch
The vulnerability lets an attacker steal the contents of a Keychain -- without needing a password.
By Zack Whittaker for Zero Day | September 25, 2017 -- 16:43 GMT (09:43 PDT) | Topic: Security
http://www.zdnet.com/article/apple-macos-high-sierra-password-vulnerable-to-password-stealing-hack/

Just hours before Apple is expected to roll out the new version of its desktop and notebook operating system, macOS High Sierra, a security researcher dropped a zero-day.

Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack -- a password exfiltration exploit -- in action.

Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault. But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.

He tweeted a short video demonstrating the hack.

Wardle created a "keychainStealer" app demonstrating an exploit for the vulnerability, which according to the video, can expose passwords to websites, services, and credit card numbers when a user is logged in. That exploit could be included in a legitimate-looking app, or be sent by email.

In his tweet, Wardle suggested that Apple should launch a macOS bug bounty program "for charity." Right now, Apple only has a bug bounty for iPhones and iPads, which pays up to $200,000 for high-end secure boot firmware exploits.

It's the second zero-day that Wardle found for the operating system this month -- the first shows how the new software's secure kernel extension loading feature is vulnerable to bypass.

Apple did not respond to a request for comment at the time of writing.

From rforno at infowarrior.org Mon Sep 25 15:20:24 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 20:20:24 -0000
Subject: [Infowarrior] - My Comments on the breach at [$COMPANY_NAME$]
Message-ID: <9ED972ED-71CB-4184-8F1D-8C7FA6FDCA4C@infowarrior.org>

Wish I'd thought of this....
--rick

http://www.ranum.com/security/computer_security/editorials/generator/index.html

My Comments on the breach at [$COMPANY_NAME$]

I heard about the breach at [$COMPANY_NAME$] and the [$BREACH_QUANTITY$] [$DATA_TYPE$ one of "credit card", "patient record", "social security number", "user login", "hashed passwords", "national security secrets", "Hollywood star's 'selfies'"] compromised. Of course this is a serious matter and is the largest since [$YESTERDAY_DATE$].

The people at [$COMPANY_NAME$] have not yet released details, which is appropriate given an incident response of this magnitude. I understand that they have the [$RESPONDER_NAME$ multiple of "FBI", "NSA", "CIA", "Mandiant", "army of consultants", "Keystone Kops"] involved and have issued a press release.

My guess is that the attackers were able to initially breach the target using a [$ATTACK_TYPE$ one of "phishing attack", "brilliantly clever targeted phishing attack", "piece of custom malware", "cat with a WiFi interface implanted in its head", "SQL injection attack", "basic website vulnerability", "army of ninjas", "variant of Stuxnet"] which is [$UNEXPECTED$ one of "totally unexpected", "the way it usually happens", "innovative", "obscure as hell", "bloody typical"] form of attack that is often used by [$USUAL_SUSPECTS$ multiple of "China", "North Korea", "CIA", "NSA", "Anonymous", "brotherhood of blades", "Bavarian Illuminati", "Trilateral commission", "hackers who have read 'Hacking Exposed'", "any complete newbie"].

Until I know more about it, I can't really guess about the details. However, this illustrates the basic issues in information security, which is that organizations don't appear to have effective responses to basic malware and/or phishing attacks, and have aggregated critical data into central locations on their networks where it is accessible. Once an attacker gets inside, it is pretty easy for them to escalate privileges, find out where the data is, and exfiltrate it.
Organizations with critical data should segregate it off their network, perform regular vulnerability audits and remediation, maintain detailed system logs, and use two factor authentication for administrator access. If it's a large organization, Big Data also helps, but I am not sure how.

From rforno at infowarrior.org Mon Sep 25 16:32:51 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Sep 2017 21:32:51 -0000
Subject: [Infowarrior] - Appeals Court Tells Patent Trolls' Favorite Judge He Can't Just Ignore The Supreme Court To Keep Patent Cases In Texas
Message-ID:

Appeals Court Tells Patent Trolls' Favorite Judge He Can't Just Ignore The Supreme Court To Keep Patent Cases In Texas

from the not-how-it-works dept

A few weeks ago, we noted that Judge Rodney Gilstrap, a judge in East Texas who is infamous for handling approximately 25% of all patent cases in the entire country, appeared to be ignoring the Supreme Court in an effort to keep all those patent cases in his own docket. You see, earlier this year, in an important case, the Supreme Court said that the proper venue for a patent lawsuit to be brought should be where the defendant "resides" rather than just wherever they "do business." Previously, patent trolls had said that the lawsuits could be brought wherever a company did business -- which, with internet firms, meant anywhere -- allowing them to file in their favorite court in East Texas. The Supreme Court said "that's not what the law says." But Gilstrap tried, somewhat creatively, to twist himself around those rules, by arguing that all sorts of other factors could be used to determine "residence" -- basically including (again) if you had any connection to that jurisdiction at all -- and thus continue to allow East Texas to be an acceptable venue.
We listed out those factors in the earlier post, but don't need to do so again, because the Court of Appeals for the Federal Circuit has already weighed in and said "nope, that's not how it works." The ruling is pretty straightforward. Basically, it says "when we say a defendant has to reside in that venue, we mean it."

< - >

https://www.techdirt.com/articles/20170921/17090738264/appeals-court-tells-patent-trolls-favorite-judge-he-cant-just-ignore-supreme-court-to-keep-patent-cases-texas.shtml

From rforno at infowarrior.org Mon Sep 25 19:35:57 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 00:35:57 -0000
Subject: [Infowarrior] - At Least 6 White House Advisers Used Private Email Accounts
Message-ID: <71E28A75-A126-4B1E-B850-B17761552148@infowarrior.org>

But --- what about HER emails?? --rick

At Least 6 White House Advisers Used Private Email Accounts

By MATT APUZZO and MAGGIE HABERMAN, SEPT. 25, 2017

WASHINGTON -- At least six of President Trump's closest advisers occasionally used private email addresses to discuss White House matters, current and former officials said on Monday.

The disclosures came a day after news surfaced that Jared Kushner, the president's son-in-law and adviser, used a private email account to send or receive about 100 work-related emails during the administration's first seven months. But Mr. Kushner was not alone. Stephen K. Bannon, the former chief White House strategist, and Reince Priebus, the former chief of staff, also occasionally used private email addresses. Other advisers, including Gary D. Cohn and Stephen Miller, sent or received at least a few emails on personal accounts, officials said.

Ivanka Trump, the president's elder daughter, who is married to Mr. Kushner, used a private account when she acted as an unpaid adviser in the first months of the administration, Newsweek reported Monday.
Administration officials acknowledged that she also occasionally did so when she formally became a White House adviser. The officials spoke on the condition of anonymity because they were not authorized to discuss the matter with reporters.

Officials are supposed to use government emails for their official duties so their conversations are available to the public and those conducting oversight. But it is not illegal for White House officials to use private email accounts as long as they forward work-related messages to their work accounts so they can be preserved.

During the 2016 presidential race, Mr. Trump repeatedly harped on Hillary Clinton's use of a private account as secretary of state, making it a centerpiece of his campaign and using it to paint her as untrustworthy. "We must not let her take her criminal scheme into the Oval Office," Mr. Trump said last year. His campaign rallies often boiled over with chants of "Lock her up!"

The F.B.I. closed its investigation into Mrs. Clinton's handling of classified information and recommended no charges. But even after becoming president, Mr. Trump has prodded the Justice Department to reinvestigate.

While the private email accounts spurred accusations of hypocrisy from Democrats, there are differences. Mrs. Clinton stored classified information on a private server, and she exclusively used a private account for her government work, sending or receiving tens of thousands of emails. The content and frequency of the Trump advisers' emails remain unknown, but Trump administration officials described the use of personal accounts as sporadic. The emails have not been made public.

"All White House personnel have been instructed to use official email to conduct all government related work," Sarah Huckabee Sanders, the White House press secretary, said Monday in response to questions about the emails.
"They are further instructed that if they receive work-related communication on personal accounts, they should be forwarded to official email accounts."

The acknowledgment of private email use came as the White House is responding to a wide-ranging Justice Department request for documents and emails as part of the special counsel investigation into Russian election meddling. The use of private emails has the potential to complicate that effort, but the White House said it was confident in its process.

"I am dealing with honorable professionals and getting what I need," said Ty Cobb, the White House lawyer leading the response to the investigation. "I am doing all I can to ensure the special counsel receives the materials they request."

It is not clear why even sporadic use continued after a campaign in which email habits became a source of controversy. A former administration official noted, though, that in many cases, people received emails to their personal accounts. In some instances, officials used their private accounts to talk with reporters.

Most of Mr. Trump's aides used popular commercial email services like Gmail. Mr. Kushner created a domain, IJKFamily.com, in December to host his family's personal email. That domain was hosted by GoDaddy on a server in Arizona, records show.
< - >

https://www.nytimes.com/2017/09/25/us/politics/private-email-trump-kushner-bannon.html

From rforno at infowarrior.org Mon Sep 25 19:38:10 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 00:38:10 -0000
Subject: [Infowarrior] - Twitter pledges to update public policies after Trump threatens North Korea
Message-ID: <193ECAB6-4DA2-48AC-9AE2-6F2C63BF3F75@infowarrior.org>

Twitter pledges to update public policies after Trump threatens North Korea

by Jacob Kastrenakes
Sep 25, 2017, 6:54pm EDT
https://www.theverge.com/2017/9/25/16364048/twitter-pledges-to-update-public-policies-after-trump-threatens-north-korea

Twitter didn't act to remove President Donald Trump's tweet threatening North Korea in part because it is newsworthy, the company said today. Twitter says it will update its public guidance on what factors may lead to a tweet being pulled from the platform -- or allowed to stay on it -- to include a consideration of newsworthiness, as part of an effort to make the rules clearer to users. "This has long been internal policy, and we'll soon update our public-facing rules to reflect it," the company's public policy account wrote this afternoon. "We need to do better on this, and will."

Everything Trump tweets is newsworthy

There's been controversy since the 2016 primaries over whether Twitter should ban Trump's account or hide some of his tweets, which often insult other individuals. Twitter hasn't done anything, but the issue roiled up again today after North Korea said it saw the US President's tweet as a "clear declaration of war." For a platform that has long claimed its rules apply to all users, no matter who they are, a perceived declaration of war seemed like it might just cross the line.

Twitter's answer, however, basically implies that Trump's account will never be censored. Anything the President tweets is newsworthy, which means that none of his tweets can be pulled from the platform.

This kind of problem -- minus the war threats -- isn't entirely unique to Twitter. Facebook has run into this issue from the other side: it was criticized last year for banning an iconic war photo because it otherwise violated the site's terms of service. Facebook ultimately backtracked and decided to consider the "history and global importance" of the photo and suggested, to some extent, that consideration would extend to other posts.

Twitter's newsworthiness standard makes plenty of sense, but it could present the platform with some issues. It'll have to start deciding who else's tweets qualify as newsworthy. It'll also have to take this into consideration when a private individual's tweet blows up -- is that tweet suddenly newsworthy too? Twitter implies that it's been factoring this in all along, but now that it's planning to lay this out in a public-fa

From rforno at infowarrior.org Tue Sep 26 06:00:57 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 11:00:57 -0000
Subject: [Infowarrior] - People Are Worried About DHS Plans To Gather Social Media Info
Message-ID: <952F7EB8-3068-4D66-AE6F-6D67F7D84FC1@infowarrior.org>

US Plans to Collect Social Media Info From Permanent Residents, Naturalized Citizens

By Catalin Cimpanu, September 26, 2017, 06:15 AM
https://www.bleepingcomputer.com/news/government/us-plans-to-collect-social-media-info-from-permanent-residents-naturalized-citizens/

The US Department of Homeland Security (DHS) published documents on Monday that detail a plan for collecting extra information on all US immigrants, including not only permanent residents but also previously naturalized citizens.

According to a notice of modification to the 1974 Privacy Act System of Records, the DHS wants to collect extra information such as "social media handles, aliases, associated identifiable information, and search results."
The data will be used to expand the DHS' database on US immigrants with new information that would allow for easier tracking of immigrants, but also Americans who obtained official citizenship years or decades before.

Document is a consequence of the San Bernardino shooting

Experts believe the DHS has taken this step as a direct consequence of the San Bernardino shooting that was carried out by Syed Farook and Tashfeen Malik. The latter was a former Pakistani citizen who obtained US citizenship after getting married to Farook, a Chicago native whose parents also immigrated from Pakistan.

The US believes that by gathering such data from immigrants it would be able to prevent similar future incidents. The DHS would not require passwords from the targeted user group, but the collected information is more than enough to create accurate profiles on immigrants and their circle of friends.

In December 2016, US Customs started collecting similar social media details from foreigners from certain countries entering the US. This new DHS document is different because it covers people already in the US, some of whom have been living in the country for years.

Document went largely unnoticed

The DHS notice, first spotted by BuzzFeed, is open to a comment period that ends in 22 days, on October 18, when the notice is scheduled to enter into effect.

The document's publication went largely unnoticed as President Trump signed a new travel ban into effect on the same day, setting new travel restrictions for people entering the US from Chad, Iran, Libya, North Korea, Somalia, Syria, Venezuela, and Yemen. The new travel ban comes to replace a previous travel ban currently stuck in courts that was aimed at people traveling to the US from Iran, Syria, Libya, Somalia, Yemen, and Sudan.
From rforno at infowarrior.org Tue Sep 26 06:40:18 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 11:40:18 -0000
Subject: [Infowarrior] - iPhone 8: glass back 'very difficult' to repair and costs more than screen to replace
Message-ID: <077345C8-A97B-4643-B983-590ADF731F69@infowarrior.org>

iPhone 8: glass back 'very difficult' to repair and costs more than screen to replace

Apple's "most durable glass ever in a smartphone" claim likely to be put to the test with first iPhone 8 accidents, but repairs won't be cheap, reports say

https://www.theguardian.com/technology/2017/sep/25/iphone-8-glass-back-apple-repair-cost-screen-replace-accident

From rforno at infowarrior.org Tue Sep 26 06:43:21 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 11:43:21 -0000
Subject: [Infowarrior] - Scientific Publishers Want Upload Filter To Stop Academics Sharing Their Own Papers Without Permission
Message-ID:

Scientific Publishers Want Upload Filter To Stop Academics Sharing Their Own Papers Without Permission

from the where-there's-a-gate,-there's-got-to-be-a-gatekeeper dept

Back in March of this year, Techdirt wrote about ResearchGate, a site that allows its members to upload and share academic papers. Although the site says it is the responsibility of the uploaders to make sure that they have the necessary rights to post and share material, it's clear that millions of articles on ResearchGate are unauthorized copies according to the restrictive agreements that publishers typically impose on their authors. As we wrote back then, it was interesting that academic publishers were fine with that, but not with Sci-Hub posting and sharing more or less the same number of unauthorized papers. Somewhat belatedly, the International Association of Scientific Technical and Medical Publishers (STM) has now announced that it is not fine with authors sharing copies of their own papers on ResearchGate without asking permission.
In a letter to the site from its lawyers (pdf), the STM is proposing what it calls "a sustainable way to grow and to continue the important role you play in the research ecosystem". Here's what it wants ResearchGate ("RG") to do:

< - >

https://www.techdirt.com/articles/20170921/09215938257/scientific-publishers-want-upload-filter-to-stop-academics-sharing-their-own-papers-without-permission.shtml

From rforno at infowarrior.org Tue Sep 26 08:27:51 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 13:27:51 -0000
Subject: [Infowarrior] - Equifax C.E.O. Richard Smith has 'retired'
Message-ID:

("Retired" vs resigned .... I wonder what kind of "retirement" package/bonus he's getting. --rick)

Equifax C.E.O. Richard Smith Is Out After Huge Data Breach

By STACY COWLEY, SEPT. 26, 2017
https://www.nytimes.com/2017/09/26/business/equifax-ceo.html

The chairman and chief executive of Equifax, Richard F. Smith, retired on Tuesday in the aftermath of a major data breach that exposed the personal information of as many as 143 million people, the credit reporting agency said.

Two other top Equifax executives -- the chief information officer and the chief security officer -- stepped down on Sept. 14.

Equifax, based in Atlanta, said this month that hackers had exploited an unpatched flaw in its website software to extract names, Social Security numbers, birth dates, addresses and other information about millions of people. The company faced a blistering outcry from lawmakers and the public for failing to protect the sensitive data and for a response that many found lackluster. A website Equifax created to provide information on the breach was initially plagued by problems, and the company struggled to keep up with a deluge of questions from confused and alarmed consumers.

Three Equifax executives, including its chief financial officer, John W. Gamble Jr., sold $1.8 million in company shares in the days after the breach was discovered -- but before it was publicly disclosed. (Equifax has said the executives were unaware of the breach at the time of their stock sales.)

Mr. Smith, 57, had been the chairman and chief executive of Equifax Inc. since 2005. He joined the company after a 22-year career at General Electric that included top executive positions in the conglomerate's insurance, leasing and asset-management divisions. Before the data breach at Equifax, Mr. Smith was widely admired on Wall Street for developing new products and increasing sales. Equifax had revenue of $3.1 billion last year, up from $1.4 billion the year he took over.

Federal authorities, led by the F.B.I., have opened a criminal investigation into the cyberattack on Equifax. More than 30 state attorneys general have begun investigations into the breach, and federal lawmakers from both parties have requested information from Equifax and called for hearings on what went wrong. The Massachusetts attorney general filed a lawsuit against Equifax on Sept. 19 seeking civil damages and other payments.

Mr. Smith had agreed to testify next month before the House Energy and Commerce Committee.

From rforno at infowarrior.org Tue Sep 26 08:35:24 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 13:35:24 -0000
Subject: [Infowarrior] - OT: Excellent op-ed by Gen Mike Hayden
Message-ID:

Michael Hayden: In Trump versus NFL, standing up for free speech

By Gen. Michael Hayden, opinion contributor, 09/26/17 09:00 AM EDT
The views expressed by contributors are their own and not the view of The Hill
http://thehill.com/opinion/white-house/352419-michael-hayden-in-trump-versus-nfl-standing-up-for-free-speech

When I became director of CIA, I kept my Steelers season tickets. It really wasn't a hard choice.
My wife and I and the security detail willingly braved the Pennsylvania Turnpike for the nine-hour round trip to Pittsburgh since, no matter what was going on in Washington, when we settled into our seats at Heinz Field all that mattered for three hours was what happened between those white lines. It's been that way on fall Sundays for me for more than 60 years.

Until Sunday, when the ugly side of American politics intruded into my fall Eden.

I blame some of that on Colin Kaepernick, the former San Francisco 49ers quarterback who last year began to protest social injustice and police brutality by sitting or taking a knee during the pre-game national anthem. His comments on America were a bit more dystopian than I thought was warranted, and I wasn't enthusiastic about turning a unifying and celebratory moment for most Americans into a venue for protest.

Still, this is a big country with a big heart and the issues he raised were both real and sincerely held. It didn't take much to just let this ride, even after some other NFL players joined in. Everything seemed to be within the tolerances of normal American political discourse and, certainly, American free speech.

Until last Friday. And then President Trump, before a red-hot Alabama crowd of his political base, decided to treat the "SOBs" who wouldn't stand for the anthem the way he has previously treated other groups like Mexicans (murderers and rapists), intelligence professionals (Nazis), immigrants (deeply unfair), refugees (dangerous), and Muslims (they hate us).

When in political stress, attack the "other" -- those dark forces that allegedly threaten our way of life -- and pay no attention to the lack of legislative progress on ObamaCare or anything else, a careening crisis with a nuclear North Korea, or the destruction of civilized life on an island territory of the United States.
For extra measure, the president claimed that the NFL was ruining the game with recent rule changes to prevent or reduce player injury: "Today, if you hit too hard, 15 yards, throw him out of the game!"

To paraphrase Abraham Lincoln, President Trump does not instinctively appeal to "the better angels of our nature."

The NFL -- players, coaches, staff, ownership and league office -- had to make decisions quickly. Sunday's kickoffs were less than 40 hours away when the president walked off that stage in Huntsville. Nearly half of the NFL would be getting on planes in less than 12 hours.

There were tough choices to make: respect for the flag, respect for the anthem, respect for your teammates, respect for justice, respect for your fans, respect for free speech. The president had created what logicians call a false dilemma, that support for free speech or for teammates equated to disrespect for flag, anthem or country. And he did it for political advantage.

My Steelers rejected the false dilemma. They concentrated on unity and focus. They were in Chicago to play football. Head coach Mike Tomlin said, "We're not going to play politics. We're football players, we're football coaches. We're not participating in the anthem today, not to be disrespectful to the anthem, but to remove ourselves from the circumstance."

So the team did not go out onto the field for "The Star-Spangled Banner." Several coaches (including Tomlin) did go out to represent the organization. Alejandro Villanueva -- starting left tackle, West Point graduate, decorated Army ranger -- broke consensus slightly to appear at the mouth of the runway with his hand over his heart, but several players have already said they understood Villanueva's unique circumstances.

Pittsburgh is a patriotic town. There was a lot of anger about the Steelers not showing up. But I believe that everyone on the Steelers did the right thing. They were dealt a bad hand and played it as best they could.
Or, more accurately, they tried not to play. And the dealer here was President Trump.

A week ago, a handful of NFL players protested in one form or another. On Sunday, three full teams did not go out for the anthem, almost all players and coaches locked arms, and more than 200 in the NFL knelt, sat or otherwise demonstrated their displeasure. And, to be specific, their displeasure was largely with President Trump and what he had said about them, their teammates and their rights.

Forced again to defend the indefensible, White House spokesperson Sarah Huckabee Sanders on Monday said that the president's Huntsville stand was about "honoring the men and women who fought to defend" the flag.

As a 39-year military veteran, I think I know something about the flag, the anthem, patriotism, and I think I know why we fight. It's not to allow the president to divide us by wrapping himself in the national banner.

I never imagined myself saying this before Friday, but if now forced to choose in this dispute, put me down with Kaepernick.

Gen. Michael Hayden is a former director of the CIA and the National Security Agency.

From rforno at infowarrior.org Tue Sep 26 08:44:50 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Sep 2017 13:44:50 -0000
Subject: [Infowarrior] - Amateur Radio Volunteers Aiding Storm-Ravaged Puerto Rico, US Virgin Islands
Message-ID:

(It's amazing how useful 'old school' technology can be when times are tough. --rick)

Amateur Radio Volunteers Aiding Storm-Ravaged Puerto Rico, US Virgin Islands

09/25/2017
http://www.arrl.org/news/amateur-radio-volunteers-aiding-storm-ravaged-puerto-rico-us-virgin-islands

Puerto Rico and the US Virgin Islands both suffered substantial damage from Hurricane Maria, although Puerto Rico took the bigger hit, and it is there that Amateur Radio has begun to fill a huge telecommunications gap. According to the FCC, service is out for 96% of the cellular telephone sites in Puerto Rico -- and it's out completely for sites in 78 Puerto Rico counties. In the US Virgin Islands, the overall percentage is 66%.

"The situation in Puerto Rico is very devastating across all the island," Puerto Rico SM Oscar Resto, KP4RF, said over the weekend. "Communications via land phone or mobiles are almost null." Repeaters are down, he said, and hams have been using the 2-meter simplex frequency of 146.52 MHz, although he hoped to have a few local ham radio repeaters "working partially with damaged antennas." With police repeaters also down, law enforcement has been using 2 meters as well. American Red Cross Headquarters suffered the loss of its emergency generator due to flooding. A temporary ARC headquarters has Internet and cell service, he said.

Over the weekend, the American Red Cross (ARC) asked the ARRL for assistance in recruiting 50 radio amateurs who can help record, enter, and submit disaster-survivor information into the ARC Safe and Well system. That request was fulfilled today. In the nearly 75-year relationship between ARRL and ARC, this is the first time such a request for assistance on this scale has been made.

Resto said radio amateurs have also been assisting Puerto Rico's Electric Power Authority (Autoridad de Energía Eléctrica) using 146.52 MHz to dispatch line crews and coordinate fuel deliveries for the authority's offices at the Monacillo Control Center and at several power plants. "The power system is fully shut down for all the island," he said. Drinking water and proper sanitation facilities are also in very short supply.

Resto said Puerto Rico needs "everything: solar panels, repeaters, and most important, transmission lines and antennas. Some base or mobile VHF/UHF radios, a 1 to 2 kW power generator." Fuel for generators as well as vehicles is running low on Puerto Rico, however.
Radio amateurs in Puerto Rico have been operating brisk and busy ad hoc health-and-welfare traffic nets on 7.175 and 14.270 MHz, as has the Salvation Army Team Emergency Network (SATERN) on 14.265 MHz. Nets are handling only outgoing traffic. Resto said checking on individuals' welfare typically requires attempting to visit them in person, since telecommunications are down nearly everywhere.

Gerry Hull, W1VE, reports that Herb Perez, KK4DCX, in San German, had been operating 6 to 8 hours a day, working dozens of operators, taking numbers and calling families. "I've done at least 200 messages with him," said Hull, who has also been active on the SATERN net. Another station in Puerto Rico was operating from solar power. "Calls to family are very emotional," he told ARRL. "I am getting all kinds of calls day and night for people desperate to hear about family in Puerto Rico, but hams cannot provide inbound traffic." He directs them to the Red Cross website to submit inquiries. "Lots of contesters are helping with their big stations," he said.

US Virgin Islands Section Manager Fred Kleber, K9VV, said the USVI are in much better shape than Puerto Rico. "They really got slammed hard," he said. Kleber said he still has antennas that were not destroyed by the storm and that he can hit Puerto Rico on 2 meters from his location. He also has announced plans to deploy some 20 mesh wireless network nodes in the US Virgin Islands. "We have used every trick in our comms bag of tricks to make stuff work," Kleber said.

Kleber said pictures in the news and social media don't do justice to the wholesale devastation, which Caribbean radio amateurs also must deal with at their homes and in their communities. He told ARRL late last week that trees, power poles, transformers, and telephone lines are down all over, debris is blocking roadways, and it takes a long time to get anywhere. He and others have been staffing the emergency communications center 24/7.
From rforno at infowarrior.org Wed Sep 27 20:47:57 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Sep 2017 01:47:57 -0000
Subject: [Infowarrior] - Equifax Will Offer Free Credit Locks for Life, New CEO Says
Message-ID: <5A9180F7-F2E1-4EDB-B825-85DD27F34F4F@infowarrior.org>

Equifax Will Offer Free Credit Locks for Life, New CEO Says

By Jennifer Surane
September 27, 2017, 5:57 PM EDT; updated September 27, 2017, 7:30 PM EDT
https://www.bloomberg.com/news/articles/2017-09-27/equifax-will-offer-free-credit-freezes-for-life-new-ceo-says

Equifax Inc. will debut a new service that will permanently give consumers the ability to lock and unlock their credit for free.

The service will be introduced by Jan. 31, Chief Executive Officer Paulino do Rego Barros Jr. wrote in a Wall Street Journal op-ed Wednesday, a day after taking the helm. The company will also extend the sign-up period for TrustedID Premier, the free credit-monitoring service it's offering all U.S. consumers, he said.

"The service we are developing will let consumers easily lock and unlock access to their Equifax credit files," Barros wrote. "You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life."

Barros was named interim CEO on Tuesday, less than three weeks after Equifax disclosed that hackers accessed sensitive data for 143 million U.S. consumers. Former CEO Richard Smith will appear before Congress next week, and lawmakers have demanded more information on how the breach happened, while faulting the company's efforts to alert victims and help them safeguard their finances.

"We compounded the problem with insufficient support for consumers," Barros wrote in an op-ed posted online by the Wall Street Journal. "Answers to key consumer questions were too often delayed, incomplete or both. We know it's our job to earn back your trust."
TransUnion's Service

TransUnion, a rival credit-reporting company, also offers a free credit lock called TrueIdentity "and we have for some time," company spokesman David M. Blumberg said in an emailed statement. He said the service allows customers to lock or unlock credit reports online or using an app. A representative for Experian Plc, another rival, didn't immediately return a message seeking comment.

Enabling consumers to easily turn off credit locks could help lenders including Synchrony Financial and Ally Financial Inc., Vincent Caintic, an analyst at Stephens Inc., wrote in a note Wednesday.

"We think this will alleviate concerns that consumers freezing their credit access from the bureaus will slow loan origination growth and increase customer acquisition costs," Caintic said. "We have been most concerned about credit cards, particularly those applied at the point of sale, as well as auto lending at dealerships."

Equifax's free services are likely to hit fees at its global consumer solutions unit. That division produced $402.6 million in revenue in 2016, or 13 percent of the company's total, in part from monitoring products such as Equifax Complete, ID Patrol, Credit Watch and Score Watch. The unit also sells credit information to resellers who offer their own monitoring services to individuals.

From rforno at infowarrior.org Wed Sep 27 20:52:55 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Sep 2017 01:52:55 -0000
Subject: [Infowarrior] - Equifax CEO to collect $90 million: report
Message-ID: <8B84E66E-762B-4B70-8214-17207C974737@infowarrior.org>

Equifax CEO to collect $90 million: report

By Jacqueline Thomsen - 09/27/17 09:09 PM EDT
http://thehill.com/policy/technology/352807-equifax-ceo-to-collect-90-million-report

Equifax CEO Richard Smith will collect roughly $90 million in the coming years after he resigned over the company's massive privacy breach.
Smith, who announced his retirement Tuesday, will collect about $72 million this year and $17.9 million in coming years, according to Fortune. This reportedly adds up to about 63 cents for each customer who was potentially exposed in the company's data breach.

Smith is one of three Equifax executives to leave the company after the data breach. Chief information officer David Webb and chief security officer Susan Mauldin both resigned last week.

Equifax revealed earlier this month that it had suffered a massive data breach that affected up to 143 million U.S. customers. The impacted data is believed to include birth dates and credit card numbers.

Company executives are under scrutiny following reports that they dumped stock before announcing the breach. The Justice Department announced last week that it was investigating the executives who sold the stock before announcing the breach. The Federal Trade Commission (FTC) is also investigating the breach.

Lawmakers have similarly cracked down on the credit agency. Smith will testify before the House's Financial and Energy and Commerce committees over the breach.

From rforno at infowarrior.org Thu Sep 28 08:46:53 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Sep 2017 13:46:53 -0000
Subject: [Infowarrior] - As Scrutiny Of Social Networks Grows, Influence Attacks Continue In Real Time
Message-ID: <5CF9BDDE-8ACD-485E-8D43-01DDC949F5C6@infowarrior.org>

As Scrutiny Of Social Networks Grows, Influence Attacks Continue In Real Time
September 28, 2017 5:01 AM ET
Philip Ewing

Twitter officials are expected to meet with Senate Intelligence Committee investigators. Staffers want to know about the use of fake accounts, bots and trolls to influence the trends and topics on the social platform.

This week brought a slate of fresh examples of ways in which users, some of them demonstrably Russian, others not, continue to try to use Facebook, Twitter and other platforms to jam a crowbar into existing American political divisions and wrench them further apart.

Oklahoma's Republican Sen. James Lankford cited the ongoing national debate over free speech and protest in the National Football League, which has set players who want to call attention to police brutality, and are demonstrating by kneeling during the national anthem, against President Trump and cultural conservatives.

"We watched, even this weekend, the Russians and their troll farms, their Internet folks, start hashtagging out 'take a knee' and also hashtagging out 'boycott the NFL,' " Lankford said at a hearing of the Senate Homeland Security Committee on Wednesday.

"They were taking both sides of the argument this past weekend and pushing them out from their troll farms as much as they could to just raise the noise level in America and make a big issue seem like an even bigger issue as they're trying to push divisiveness in the country," he said.

That's the very same modus operandi that Senate Intelligence Committee investigators and others have detected in Russian influence-mongers' use of Facebook last year.

< - >
http://www.npr.org/2017/09/28/554024047/as-scrutiny-of-social-networks-grows-influence-attacks-continue-in-real-time

From rforno at infowarrior.org Thu Sep 28 16:06:13 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Sep 2017 21:06:13 -0000
Subject: [Infowarrior] - How Can 'Star Trek: The Next Generation' Possibly Be 30?
Message-ID:

September 28, 2017 1:31pm PT by Aaron Couch, Graeme McMillan
How Can 'Star Trek: The Next Generation' Possibly Be 30?
http://www.hollywoodreporter.com/heat-vision/star-trek-next-generation-how-can-it-be-30-1044124

Thirty years ago Thursday, the crew of the Enterprise D zoomed into TV sets across the country.
Star Trek: The Next Generation achieved the impossible by becoming a worthy successor to the crew led by Kirk (William Shatner) and Spock (Leonard Nimoy) two decades earlier, thanks in large part to inventive writing and a loveable ensemble cast headed by Patrick Stewart. In honor (and in shock) of the big birthday, Heat Vision's Graeme McMillan and Aaron Couch are reporting for duty to share what the show means to them.

McMillan: Star Trek: The Next Generation turning 30 is one of those anniversaries that I think I'd rather ignore. I remember watching the series when it was first coming out! (Although, in the U.K., I watched the first episodes on video because they weren't on the BBC for years after they were shown in the U.S.; it was the CBS All Access of its time.) It was "my" Star Trek, and I loved everything about it, even the parts that I knew were actively not very good. (Wesley, "Justice," I'm looking at you.) I was just so ready for new Trek that I was willing to accept anything. Aaron, you're younger and have more taste than me; did you have a more discerning palate when you first encountered it?

Couch: The first episode I remember seeing was "Skin of Evil," the one where Tasha Yar is killed by a black goo alien ... and it gave me nightmares. The episode first aired in 1988, when I was three, and I think I caught it around that time.

McMillan: You were three in 1988? Now I really feel old.

Couch: I didn't start watching TNG in earnest until a few years later when it hit its prime with "Best of Both Worlds" and those episodes. It was my dad's job to program the VCR to tape the show, which aired at 9 p.m. or something in Kansas City, and then we'd watch them the next day. Even when my parents split up and my dad moved out, we'd often watch them "together" over the phone. I was obsessed with Picard, more so than Kirk and Spock, whom I discovered a little after TNG thanks to VHS copies of the original crew's movies.
I wasn't old enough to recognize any of the flaws of TNG (the perhaps not-so-great Mark Twain episodes were among my favorites at the time), but I did know enough to recognize when things were particularly good. I knew "Family" was great, even as a kid. It was surprising to see a character actually have to deal with the aftermath of something, and I knew Picard having a breakdown in the mud with his brother was something special.

McMillan: I loved "Family," and the way it made "Best of Both Worlds" feel even more special and meaningful! I just finished a re-watch of the entire series, and a couple of things really stood out for me. Firstly, how amazingly dated it is (the costuming and sets scream 1980s in a way that I'd seemingly blanked out) and secondly, how... okay it is. There's a consistency of quality (through the sixth season, at least; that last year is ropey) that makes the show reliably entertaining, if lacking the peaks of something like Deep Space Nine or the original show. That's not to say there weren't great episodes, because there were... but it's as if, even when they were making the show, they were looking at it as the TV equivalent of comfort food. That does make it easy to binge, mind you.

Couch: I've never gone back and re-watched the entire series. I generally just watch the best of the best again and again, so I have a definite warm and fuzzy view of the show. It's remained the touchstone show for me and some of my closest friends in that there's still a shorthand there for certain episodes. When I got married a few weeks ago, the photographer needed me to laugh, and it wasn't totally working. Then he asked my groomsman to help, and one of them shouted "Picard in a blue uniform!" which he knows just cracks me up, and it worked.

McMillan: I cannot tell you how much I love that story, not least because I have no idea why Picard in a blue uniform is funny.
But it's weird to me that, as big as TNG was at the time, it feels somewhat absent from Trek as it exists today. Both the new Star Trek movies and Star Trek: Discovery have returned to the era of the original series, and both go for very different tones, but neither are the "responsible adult-ism" of TNG. The closest thing to TNG right now is Fox's The Orville, and that's not even a Star Trek show. As what's probably the most successful era of Trek to date, shouldn't it be better represented in the franchise's current state? Is this the consistent-but-rarely-spectacular thing coming back to cause trouble?

Couch: That's a good point that TNG doesn't seem to be that present in new Trek. In a lot of ways, the TNG crew were the adults, especially Picard. Kirk was always a little more immature, and that's particularly apparent in the J.J. Abrams Trek movies, where each movie it seems he has to learn again how to be a responsible captain. I'd like to see a little more of the TNG maturity get re-injected back into Trek. Then there's always the question people ask (with varying degrees of horror): will Next Gen be rebooted? I doubt it, and I hope not.

McMillan: I literally can't imagine how they'd do that. Who would even play each character? It seems even stranger than recasting the original series, somehow. Okay, now that we're sort of on the topic, as a closer: Who's your favorite character in the show? Throughout the years, I feel like I've cycled through almost everyone in the core cast. Well, except Riker, of course. I have standards.

Couch: As a kid, Picard, Data, Geordi, Worf and Riker all vied for the top spots. As an adult, Picard. Duh.

McMillan: I have never seen you order tea, but now I want you to do it by just demanding, "tea, Earl Grey, hot." (That last bit always amused me. Who'd want cold Earl Grey?)
From rforno at infowarrior.org Thu Sep 28 16:06:18 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Sep 2017 21:06:18 -0000
Subject: [Infowarrior] - American Red Cross Asks ARRL's Assistance with Puerto Rico Relief Effort
Message-ID: <78785228-D534-42AD-B39A-9B45EE6EEED4@infowarrior.org>

American Red Cross Asks ARRL's Assistance with Puerto Rico Relief Effort
09/24/2017
http://www.arrl.org/news/american-red-cross-asks-arrl-s-assistance-with-puerto-rico-relief-effort

The American Red Cross (ARC) has asked the ARRL for assistance with relief efforts in Puerto Rico. ARC needs up to 50 radio amateurs who can help record, enter, and submit disaster-survivor information into the ARC Safe and Well system. In the nearly 75-year relationship between ARRL and ARC, this is the first time such a request for assistance on this scale has been made. ARRL now is looking for radio amateurs who can step up and volunteer to help our friends in Puerto Rico.

Requirements
- There are very specific requirements and qualifications needed for this deployment.
- Due to the nature of this deployment you will need to process in as ARC volunteers. This includes passing a background check. The ARC has indicated that it will cover all expenses for transportation, lodging, and feeding while on deployment. ARC will also provide liability coverage for volunteers. The only out-of-pocket expense to the volunteer would be personal items purchased during deployment.
- ARRL and ARC will require training for volunteers being deployed. ARC will provide general deployment training and advanced training in working in austere environments. ARRL will provide to ARC training on Amateur Radio equipment and modes to be used, reporting guidelines, and operating guidelines.
- Deployment will be for up to 3 weeks.

Qualifications
- General class Amateur Radio license or higher
- Familiarity with WinLink, HF voice, and VHF simplex communications
- Strong technical skills
- Ability to work under difficult conditions
- Ability to deploy for up to 3 weeks
- Ability to work as part of a team

Helpful Skills
- Spanish language skills
- Previous experience in disaster response
- Previous or current work as a Red Cross volunteer
- Previous experience with shelter operations

If you feel that you meet these qualifications and would like to be considered for this deployment, please contact ARRL Emergency Preparedness Manager Mike Corey, KI1U (860-594-0222), who will make the introduction of qualified volunteers to ARC.

From rforno at infowarrior.org Fri Sep 29 05:37:45 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Sep 2017 10:37:45 -0000
Subject: [Infowarrior] - DOJ demands Facebook information from 'anti-administration activists'
Message-ID:

DOJ demands Facebook information from 'anti-administration activists'
By Jessica Schneider, CNN
Updated 6:24 AM ET, Fri September 29, 2017
http://www.cnn.com/2017/09/28/politics/facebook-anti-administration-activists/index.html

Washington (CNN) -- Trump administration lawyers are demanding the private account information of potentially thousands of Facebook users in three separate search warrants served on the social media giant, according to court documents obtained by CNN.

The warrants specifically target the accounts of three Facebook users who are described by their attorneys as "anti-administration activists who have spoken out at organized events, and who are generally very critical of this administration's policies." One of those users, Emmelia Talarico, operated the disruptj20 page where Inauguration Day protests were organized and discussed; the page was visited by an estimated 6,000 users whose identities the government would have access to if Facebook hands over the information sought in the search warrants.
In court filings, Talarico says if her account information was given to the government, officials would have access to her "personal passwords, security questions and answers, and credit card information," plus "the private lists of invitees and attendees to multiple political events sponsored by the page."

These warrants were first reported by LawNewz.com. Facebook has not responded to a request for comment about whether it has, or plans to, comply with the search warrants.

The American Civil Liberties Union, representing the three Facebook users, filed a motion to quash the warrants Thursday. "What is particularly chilling about these warrants is that anti-administration political activists are going to have their political associations and views scrutinized by the very administration they are protesting," said ACLU attorney Scott Michelman.

Facebook was initially served the warrants in February 2017 along with a gag order which barred the social media company from alerting the three users that the government was seeking their private information, Michelman said. However, Michelman says that government attorneys dropped the gag order in mid-September and agreed that Facebook could expose the existence of these warrants, which has prompted the latest court filings. Michelman, however, says all court filings associated with the search warrant, and any response from Facebook, remain under seal.

The Justice Department is not commenting on these search warrants, but government attorneys have issued a similar search warrant to the web provider DreamHost seeking wide-ranging information about visitors to the website disruptj20.org, which provided a forum for anti-Trump protestors. In that case, DOJ modified its initial search warrant seeking millions of IP addresses for the visitors who merely clicked on the disruptj20.org website.
But DC Superior Court Judge Robert Morin largely granted prosecutors' request to collect a vast set of records from the company, which will include emails of the users who signed up for an account associated with the website, and membership lists.

In addition to the account of Talarico and her disruptj20 page, the search warrant also seeks all information about the personal accounts of Lacy MacAuley and Legba Carrefour. Carrefour is a self-described political activist and pushed back against the search warrant in court filings, saying that his Facebook account "contains a significant amount of private material concerning my personal life." Carrefour denied that he was involved in any of the riots in Washington, DC, on Inauguration Day, but acknowledged that he has "participated in or helped to organize dozens of demonstrations and events of various types in service of political causes."

From rforno at infowarrior.org Tue Sep 12 20:07:29 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 13 Sep 2017 01:07:29 -0000
Subject: [Infowarrior] - House panel strikes deal on surveillance reforms
Message-ID: <2008E9E0-28DE-4399-BDBA-93869F391F14@infowarrior.org>

House panel strikes deal on surveillance reforms
By Katie Bo Williams - 09/12/17 08:31 PM EDT

A bipartisan group of House lawmakers have struck a deal on a controversial spy law due to sunset at the end of the year, setting up a fight with the Trump administration over potential limits to the National Security Agency's warrantless surveillance program.

Three key members of the House Judiciary Committee, chairman Bob Goodlatte (R-Va.), ranking member John Conyers (D-Mich.) and Rep. Jim Sensenbrenner (R-Wis.), have privately agreed to support extending the law through 2023, The New York Times reports. But as part of that extension, according to congressional officials who spoke to the Times on the condition of anonymity, the lawmakers have agreed to push for some limits to the law.
Among those limits: Requiring FBI agents to obtain a warrant before sifting through the program's database of intercepted messages for data about American criminal suspects, a currently permissible practice derided by critics as the so-called "back-door search loophole."

They also want to prohibit the agency from collecting emails that are about a foreign target but are neither to nor from that person. The NSA voluntarily halted such collection, known as "about" surveillance, earlier this year, but wants to retain the authority to resume it.

The committee is also expected to include a requirement that any executive branch official seeking to "unmask" or reveal the identity of an American citizen in intelligence reports sign a certification avowing that they need the information for a legitimate national security purpose, according to the Times. The identities are typically hidden to minimize privacy invasions.

The arrangement is not yet public and is currently being crafted by Judiciary Committee staffers, the newspaper reported.

The Trump administration opposes key details of the arrangement. Earlier this month, Attorney General Jeff Sessions and National Intelligence Director Dan Coats reiterated the administration's calls for the law to be extended permanently, with no sunset. "Reauthorizing this critical authority is the top legislative priority of the Department of Justice and the Intelligence Community," they wrote in a Sept. 7 letter to both Republican and Democratic leaders that was made public on Monday.

The key provision of the law, known as Section 702 of a 2008 package of amendments to the Foreign Intelligence Surveillance Act (FISA), is aimed at collecting data on foreign spies, terrorists and other targets. It allows the government to collect the emails and phone calls of foreigners abroad from American internet and phone companies, without individual court orders and even when those foreigners communicate with Americans.
Civil liberties advocates have long pushed for Congress to close the so-called backdoor search loophole allowing federal investigators to sift through Americans' information that has been "incidentally" caught up in 702 collection.

< - >
http://thehill.com/policy/national-security/350387-house-judiciary-panel-strikes-deal-on-surveillance-reforms

From rforno at infowarrior.org Tue Sep 12 20:42:53 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 13 Sep 2017 01:42:53 -0000
Subject: [Infowarrior] - Equifax, Bowing to Public Pressure, Drops Credit-Freeze Fees
Message-ID: <74F58079-6EDA-4E9A-A761-7609A584BCE4@infowarrior.org>

Equifax, Bowing to Public Pressure, Drops Credit-Freeze Fees
https://www.nytimes.com/2017/09/12/your-money/equifax-fee-waiver.html
By RON LIEBER SEPT. 12, 2017

You howled in protest, and Equifax had no choice but to respond. On Monday, the company said on Twitter that it would waive all fees until Nov. 21 for people who want to freeze their Equifax credit files. It will also refund any fees that anyone has paid since Thursday, though the company would not say whether this would be automatic.

Before the announcement on Monday, many of the people who tried to set up freezes after Equifax disclosed a breach of up to 143 million Social Security numbers, birth dates and other personal data discovered they had to pay Equifax for the privilege of protecting themselves from the breach. And they were not happy about it.

It's a logical reaction: You did not ask Equifax to vacuum up data about you, and then resell it to marketers and loan sellers. And it is not your fault that the company could not keep that data safe. So why should you pay for a freeze, which keeps new creditors from seeing your credit file and thus can keep thieves from applying for credit in your name? Somehow, that question did not occur to Equifax on Thursday, when it first announced the breach.
It apparently thought a year of free credit monitoring would be enough to placate consumers. When I asked Equifax on Sunday why it was not making freezes free, Wyatt Jefferies, a spokesman, did not respond to that particular question.

Here are just some of the other questions I've asked Equifax. I'm still waiting for replies.

1. Will temporarily lifting a freeze also be free until Nov. 21, or just placing a freeze?
2. Why not make freezes and the lifting of those freezes free permanently for everyone?
3. Failing that, why not make freezes and thaws free permanently for everyone whose data was stolen in this instance or, for that matter, anytime in the future?
4. Why not pay Experian and TransUnion, the two other large consumer-credit reporting agencies, to freeze the credit files connected to every victim of the most recent Equifax breach? After all, that breach makes people vulnerable to thieves who apply for credit in victims' names with lenders who check applicants' credit histories only with Experian or TransUnion.

Equifax would not address that last one with me, but a reader named Kimberly Casey forwarded me an email exchange between her and Mr. Adams where he apologized and said that a service to "lock" Equifax, Experian and TransUnion files simultaneously would be coming soon.

That might be helpful, given the trouble that so many of you have had getting any of the company's websites or phone systems to work in recent days. (Please, keep trying. It's worth the protection.) But let's hope they give this new service away for free, for life, to all individuals who had their data stolen in this instance and that the lock will work identically to a freeze and not involve giving up the right to sue the companies.

I've asked Equifax repeatedly in recent days what phone number people should call to request a new PIN for thawing their freezes. On Sunday, Mr.
Jefferies told me the company would stop issuing PINs based on the date the freeze was initiated and would instead issue new PINs to anyone who wanted to replace the old ones. It is not clear, however, exactly how consumers can do this. Another reader today told me that a phone representative for the company said that people were going to have to cancel old freezes, request new ones, go unprotected for days and wait for new PINs to show up in the mail. It should not be that complicated.

Several of you have asked via email (lieber at nytimes.com, please keep the questions coming) and Twitter (@ronlieber) about TransUnion's free TrueIdentity product, which the company is pushing on consumers who are considering a freeze. The company sure seems to want people to sign up for that product instead of freezing their files. It's not clear whether the mechanism TransUnion says it uses to "lock" files with that product provides the same protection as a freeze, or whether it is a lesser form of protection meant to shield TransUnion from some regulatory or legal perspective. A giant hat tip, however, to the person on Twitter who pointed out the company's draconian terms and conditions.

It is also unclear whether consumers' use of the TrueIdentity product would make it easier for TransUnion to continue selling those consumers' data (in the same way that Equifax and Experian do) than if they froze their files outright. I have repeatedly asked a TransUnion spokesman, David Blumberg, for clarification, but I have not received it yet. I'm also waiting for answers about whether TransUnion and Experian will make freezes free for a period as Equifax has now done (or forever, for everyone, as all three agencies should do).

I reached out to Dann Adams, the president of Equifax's global consumer solutions unit, to ask whether he would be resigning in the wake of the lackluster response to victims' outrage.
He responded by email, using an exclamation point for emphasis: "No, but for the record I am considering dropping my NYT subscription and picking up the Wash Post!"

In a statement on Monday on a website that Equifax created to deal with the most recent breach, the company included this: "We are listening to issues consumers have experienced and their suggestions. These are helping to further inform our actions, and we are now sharing regular updates on this website. Thank you for your continued patience and feedback as we continue to improve this process."

Translation: They fell short, far short, even though they had weeks to prepare themselves for the reaction. They know it. And the correct response from all of us is a full-throated roar that is anything but patient.

From rforno at infowarrior.org Wed Sep 13 12:05:54 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 13 Sep 2017 17:05:54 -0000
Subject: [Infowarrior] - Administration Sued Over Phone Searches at U.S. Border
Message-ID: <90C698F6-1C31-47CF-92A2-02F563204316@infowarrior.org>

Trump Administration Sued Over Phone Searches at U.S. Border
By Erik Larson
September 13, 2017, 12:25 PM EDT
https://www.bloomberg.com/news/articles/2017-09-13/trump-administration-sued-over-phone-searches-at-u-s-border

The Trump administration is increasingly allowing federal border agents to seize and search -- sometimes violently -- the mobile phones and laptops of U.S. citizens and lawful immigrants as they enter the country, two advocacy groups said in a lawsuit.

The searches at airports and at the Canadian border are being carried out without warrants in violation of the Constitution's First and Fourth Amendments, the American Civil Liberties Union and the Electronic Frontier Foundation said in a complaint filed Wednesday in federal court in Boston. The groups represent 10 U.S. citizens and one immigrant -- among them a military veteran, a journalist and a NASA engineer, the rights groups said in a statement.
Several of the citizens are Muslims or people of color. The lawsuit adds to a growing list of legal challenges to President Donald Trump's immigration agenda, including a travel ban against several Muslim-majority countries and the halt to a federal program allowing undocumented immigrants who were brought to the U.S. as children to avoid deportation, known as Dreamers.

"The government cannot use the border as a dragnet to search through our private data," ACLU attorney Esha Bhandari said in the statement.

Physically Restrained

The lawsuit names as defendants the acting heads of the Department of Homeland Security, Customs and Border Protection and Immigration and Customs Enforcement. Homeland Security spokesman David Lapan declined to comment. Messages to the press offices of the other agencies weren't immediately returned. On its website, Customs and Border Protection states it has the authority to search "all persons, baggage, and merchandise arriving in, or departing from, the United States."

One plaintiff, independent filmmaker Akram Shibly, declined to give his phone to Customs and Border Protection agents while he was returning to the U.S. after a social outing in the Toronto area in January, the rights groups said. The officers then physically restrained him and took his phone from his pocket, with one agent choking him and another holding his legs, according to the statement.

"I joined this lawsuit so other people don't have to go through what happened to me," said Shibly, who is from upstate New York. "Border agents should not be able to coerce people into providing access to their phones, physically or otherwise."
Other plaintiffs in the case include: Massachusetts limousine driver Ghassan Alasaad and his wife Nadia Alasaad, a nursing student; Suhaib Allababidi, a Texas business owner whose security technology clients include the federal government; Sidd Bikkannavar, an optical engineer for NASA's Jet Propulsion Laboratory in California; and journalist Jeremy Dupin.

From rforno at infowarrior.org Wed Sep 13 15:43:43 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 13 Sep 2017 20:43:43 -0000
Subject: [Infowarrior] - offs. Equifax had 'admin' as login and password in Argentina
Message-ID: <6F1BAC33-1227-4F89-A2AA-CE4C6640189F@infowarrior.org>

Equifax had 'admin' as login and password in Argentina
http://www.bbc.com/news/technology-41257576

From rforno at infowarrior.org Wed Sep 13 18:21:57 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 13 Sep 2017 23:21:57 -0000
Subject: [Infowarrior] - Kaspersky Lab Antivirus Software Is Ordered Off U.S. Government Computers
Message-ID: <8013B939-6796-4B38-BBCF-605B7B6A0498@infowarrior.org>

Kaspersky Lab Antivirus Software Is Ordered Off U.S. Government Computers
By MATTHEW ROSENBERG and RON NIXON, SEPT. 13, 2017

WASHINGTON -- The federal government moved on Wednesday to wipe from its computer systems any software made by a prominent Russian cybersecurity firm, Kaspersky Lab, that is being investigated by the F.B.I. for possible links to Russian security services.

The concerns surrounding Kaspersky, whose software is sold throughout the United States, are longstanding. The F.B.I., aided by American spies, has for years been trying to determine whether Kaspersky's senior executives are working with Russian military and intelligence, according to current and former American officials. The F.B.I. has also been investigating whether Kaspersky software, including its well-regarded antivirus programs, contains back doors that could allow Russian intelligence access into computers on which it is running.
The company denies the allegations. The officials, all of whom spoke on the condition of anonymity because the inquiries are classified, would not provide details of the information they have collected on Kaspersky.

But on Wednesday, Elaine C. Duke, the acting secretary of Homeland Security, ordered federal agencies to develop plans to remove Kaspersky software from government systems in the next 90 days.

Wednesday's announcement is the latest instance of the apparent disconnect between the Trump White House, which has often downplayed the threat of Russian interference to the country's infrastructure, and front-line American law enforcement and intelligence officials, who are engaged in a perpetual shadow war against Moscow-directed operatives. Kaspersky's business in the United States now appears to be the latest casualty in those spy wars.

Best Buy, the electronics giant, announced last week that it was pulling Kaspersky Lab's cybersecurity products from its shelves and website, and the Senate is voting this week on a defense-spending bill that would ban Kaspersky Lab products from being used by American government agencies, effectively codifying Wednesday's directive into law.

Kaspersky is considered one of the foremost cybersecurity research firms in the world, and has considerable expertise in designing antivirus software and tools to uncover spyware used by Western intelligence services. The company was founded by Eugene V. Kaspersky, who attended a high school that trained Russian spies, and later wrote software for the Soviet Army before going on to found Kaspersky Lab in 1997. He has insisted that neither he nor his company have active ties to the Russian military or intelligence services. Yet despite its prominence in the cybersecurity world, its origins in Russia have for years fueled suspicions about its possible ties to Russia's intelligence agencies.
Federal officials have warned private companies to avoid Kaspersky software, and earlier this year the firm was removed from two lists of approved vendors used by government agencies to purchase technology.

< - >

https://www.nytimes.com/2017/09/13/us/politics/kaspersky-lab-antivirus-federal-government.html

From rforno at infowarrior.org Thu Sep 14 06:12:36 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 14 Sep 2017 11:12:36 -0000
Subject: [Infowarrior] - NSA Spied on Early File-Sharing Networks, Including BitTorrent
Message-ID: <6258619B-06D0-4639-A233-800CAF9C7444@infowarrior.org>

NSA Spied on Early File-Sharing Networks, Including BitTorrent
By Andy, on September 14, 2017
https://torrentfreak.com/nsa-spied-on-early-file-sharing-networks-including-bittorrent-170914/

A document just published as part of the Edward Snowden leaks has revealed the NSA was actively monitoring file-sharing networks more than 12 years ago. Particular success was reported against both KaZaA and eDonkey, with the NSA managing to compromise the encryption on both while gaining access to sharers' computers and personal data including email addresses.

In the early 2000s, when peer-to-peer (P2P) file-sharing was in its infancy, the majority of users had no idea that their activities could be monitored by outsiders. The reality was very different, however. As few as they were, all of the major networks were completely open, with most operating a "shared folder" type system that allowed any network participant to see exactly what another user was sharing. Nevertheless, with little to no oversight, file-sharing at least felt like a somewhat private affair. As user volumes began to swell, software such as KaZaA (which utilized the FastTrack network) and eDonkey2000 (eD2k network) attracted attention from record labels, who were desperate to stop the unlicensed sharing of copyrighted content.
The same held true for the BitTorrent networks that arrived on the scene a couple of years later. Through the rise of lawsuits against consumers, the general public began to learn that their activities on P2P networks were not secret and they were being watched for some, if not all, of the time by copyright holders. Little did they know, however, that a much bigger player was also keeping a watchful eye.

According to a fascinating document just released by The Intercept as part of the Edward Snowden leaks, the National Security Agency (NSA) showed a keen interest in trying to penetrate early P2P networks. Initially published by internal NSA news site SIDToday in June 2005, the document lays out the aims of a program called FAVA -- File-Sharing Analysis and Vulnerability Assessment.

"One question that naturally arises after identifying file-sharing traffic is whether or not there is anything of intelligence value in this traffic," the NSA document begins. "By searching our collection databases, it is clear that many targets are using popular file sharing applications; but if they are merely sharing the latest release of their favorite pop star, this traffic is of dubious value (no offense to Britney Spears intended)."

Indeed, the vast majority of users of these early networks were only interested in sharing relatively small music files, which were somewhat easy to manage given the bandwidth limitations of the day. However, the NSA still wanted to know what was happening on a broader scale, so that meant decoding their somewhat limited encryption.

"As many of the applications, such as KaZaA for example, encrypt their traffic, we first had to decrypt the traffic before we could begin to parse the messages. We have developed the capability to decrypt and decode both KaZaA and eDonkey traffic to determine which files are being shared, and what queries are being performed," the NSA document reveals.
Most progress appears to have been made against KaZaA, with the NSA revealing the use of tools to parse out registry entries on users' hard drives. This information gave up users' email addresses, country codes, user names, the location of their stored files, plus a list of recent searches. This gave the NSA the ability to look deeper into user behavior, which revealed some P2P users going beyond searches for basic run-of-the-mill multimedia content.

"[We] have discovered that our targets are using P2P systems to search for and share files which are at the very least somewhat surprising -- not simply harmless music and movie files. With more widespread adoption, these tools will allow us to regularly assimilate data which previously had been passed over; giving us a more complete picture of our targets and their activities," the document adds.

Today, more than 12 years later, with KaZaA long dead and eDonkey barely alive, scanning early pirate activities might seem a distant act. However, there's little doubt that similar programs remain active today. Even in 2005, the FAVA program had lofty ambitions, targeting other networks and protocols including DirectConnect, Freenet, Gnutella, Gnutella2, JoltID, MSN Messenger, Windows Messenger and... BitTorrent.

"If you have a target using any of these applications or using some other application which might fall into the P2P category, please contact us," the NSA document urges staff. "We would be more than happy to help."

Confirming the continued interest in BitTorrent, The Intercept has published a couple of further documents which deal with the protocol directly. The first details an NSA program called GRIMPLATE, which aimed to study how Department of Defense employees were using BitTorrent and whether that constituted a risk. The second relates to P2P research carried out by Britain's GCHQ spy agency.
It details DIRTY RAT, a web application which gave the government "the capability to identify users sharing/downloading files of interest on the eMule (Kademlia) and BitTorrent networks." The SIDToday document detailing the FAVA program can be viewed here.

From rforno at infowarrior.org Thu Sep 14 06:20:05 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 14 Sep 2017 11:20:05 -0000
Subject: [Infowarrior] - oped: Thank You for Calling Equifax. Your Business Is Not Important to Us
Message-ID:

Thank You for Calling Equifax. Your Business Is Not Important to Us
Credit monitoring in the U.S. is a nightmare. It only took a massive public data breach to make that clear.
By Pat Regnier and Suzanne Woolley
September 14, 2017, 5:00 AM EDT
https://www.bloomberg.com/news/features/2017-09-14/thank-you-for-calling-equifax-your-business-is-not-important-to-us

You shouldn't need to do a damn thing to keep your credit information safe. We're all accustomed to the busywork of managing personal finances. You check your 401(k) retirement account, making sure your portfolio is carefully balanced. You scan your bank and credit card statements from time to time to verify the charges. These are things responsible people do. But there's a good chance you've spent time recently on a chore you didn't sign up for: finding out if hackers possibly stole information about you from Equifax Inc., one of the three big consumer-credit reporting companies in the U.S. On Sept. 7 it announced a data breach that may have put about 143 million people in the U.S. at risk, exposing names, addresses, birth dates, and Social Security numbers, details that could help identity thieves take out loans, apply for a credit card, or buy a new wardrobe in your name. (Equifax had no comment for this story.) The company has set up a web page where you can find out if you are potentially affected. If the answer is yes, you then have to decide what to do about it.
Should you sign up for the free year of credit monitoring Equifax is offering? Set a fraud alert on your account? Activate something called a security freeze? Would any of these things really help?

What makes the situation especially awful is that you never had much choice about entering into a relationship with Equifax. "It's not like when you get to choose your bank, or choose your credit card," says Mike Litt, consumer program advocate at U.S. PIRG, a group that works for tougher consumer protection laws. No one specifically asked Equifax or its competitors, Experian Plc and TransUnion, to collect data about them. But unless you want to live off the financial grid, you have to accept that these companies you may know little about are keeping an eye on you and your reputation with creditors.

This setup isn't just infuriating -- it partly explains why the hacking of just one company can make so many people so vulnerable. Credit reporting businesses have been built primarily to serve banks and credit card companies, not the consumers they monitor. But just as a lender benefits from having quick access to credit reports and scores, which lets them grant credit to perfect strangers, so does the impostor who comes to them looking to open an account. Consumers benefit from the credit reporting business, too: Maintaining a good profile makes it easy to get a loan or a card. You can apply in the time it takes to get a 20 percent discount at a Gap checkout counter. And lenders share consumers' interest in not getting ripped off. But that doesn't mean the risks they face are the same. To a lender, the unpaid bill on a fraudulent credit card is just one bad loan in a massive portfolio -- a cost of doing business. You, on the other hand, have only one identity and reputation. In the end the issue isn't whether the financial-services industry cares about fraud. It's really about control. Who ought to hold the keys to unlock your data, them or you?
143 million: Americans whose personal information may have been exposed in the Equifax breach from mid-May through July

Consider the security freeze, the most effective way for anyone anxious about the Equifax hack to protect themselves. If you contact a credit reporting company and request a freeze, which you can do at each of the companies' websites, you're telling it not to provide any information when a lender contacts it in the process of opening an account. That means if someone tries to use your name and Social Security number to get a fresh Mastercard, the application will probably be rejected, which prevents bogus plastic, and the resulting unpaid bills, from ending up on your report and damaging your credit. When you decide you're in the market for a loan, you can contact the credit agency and lift the freeze. This approach amounts to grabbing the keys to your data and not giving them back.

It's an elegant solution in theory, and one the credit reporting industry had to be dragged into. In the early 2000s, groups including U.S. PIRG, Consumers Union, and AARP lobbied state legislatures to mandate freezes. Eventually enough states passed laws that the three companies offered freezes nationally. What a freeze costs depends on state law. It's usually free to victims of identity theft, while those who are simply being cautious might pay from $3 to $10 to set a freeze, and a similar fee when they lift it. On Sept. 12, Equifax temporarily waived freeze fees.

The charge accentuates the overall consumer unfriendliness of the process. You need to place a separate freeze with each of the credit reporting companies. (Although it was Equifax that was hacked, identity thieves might apply for credit at lenders using any of these services.) Then you get a PIN you'll need to use -- again, one for each company -- when you want the freeze lifted.
To put a freeze in place online, you'll need to verify your identity by entering your Social Security number, which can be scary if you're putting the freeze in place because you just found out your Social Security number could have been stolen. As the New York Times reported, people who set up freezes at Equifax immediately after the breach found that their PIN codes were made up of the date and time they put the freeze on -- as opposed to random, unguessable numbers you'd want for a system meant to keep out crooks. (Equifax has since changed this.) Once a freeze is in place, you'll have to remember where you stashed your PIN before you apply for a mortgage -- or, for that matter, a job or rental apartment.

The credit reporting companies' websites tend to push other security fixes that shut things down less drastically than a freeze. One is a fraud alert, which, instead of locking down your file, warns lenders that for the next 90 days they should take extra steps to verify the identity of anyone who claims to be you. And then there's credit monitoring, a service that lets you see your credit report so you can spot potential problems. You may indeed see something: A 2012 study by the Federal Trade Commission found that about 20 percent of consumers who were asked to review their reports discovered an error that was fixed after they disputed it, and more than 10 percent found an error significant enough to affect their credit score. Monitoring also alerts you if an application has been placed for a new account in your name.

Equifax, Experian, and TransUnion have turned monitoring into a business, charging as much as $25 a month for "premium" services that include reports from all three companies. The price can also cover the ability to "lock" credit, which as the companies describe it sounds similar to the state-mandated freeze. (TransUnion has a free monitoring and lock service, which works only with its own reports.)
After announcing the data breach, Equifax offered those affected a free year of its service. But does anyone really want to pay money to make sure bad information doesn't get into these companies' databases? You don't pay extra at restaurants to keep rat poison out of the food. "They spend all this time developing products to sell to consumers instead of making their systems more accurate," says Chi Chi Wu, a staff attorney at the National Consumer Law Center. Wu says monitoring may be fine if it's free, but she recommends freezes. By law, you can also request one free copy of your credit report per year from each company via annualcreditreport.com, and that's worth doing, too.

If 143 million people are exposed, Wu says, that would be about three-quarters of all the people who have credit reports. If everyone potentially affected were to request a freeze, it would be tantamount to the situation some consumer advocates would like to see: freezes as the default setting for credit files, with everyone's credit data essentially off-limits unless the consumer says otherwise. As it stands, the hassles of freezes may make that solution less than appealing, but if it became the norm, companies would likely devise better ways to do it. For example, a free smartphone app might allow you to toggle on and off access to all three of your credit files. As Chris Jay Hoofnagle, who teaches privacy law at the University of California at Berkeley, has argued, such a shift could change the relationship between consumers and credit reporting companies. You wouldn't be just another file they keep track of, but a person they need to work with and please.

There are technical challenges to making such systems secure, but surmounting them could produce residual benefits. If the credit industry began prioritizing the security of consumers' credit files, it might also help to diminish the role of the Social Security number.
Currently, the SSN is a key tool the financial system uses for both tracking and verifying consumers, and today it seems conspicuously low-tech. Whereas signing into Facebook on a new computer might require you to provide both a unique password and a one-time code sent via text to your phone, getting a new credit card might only entail giving your name, a few personal details, and a nine-digit number generated by a system that was set up to help administer old-age retirement benefits in 1936.

209,000: Consumers whose credit card numbers were accessed in the hack

The SSN wasn't built to promote security. Until 2011 it wasn't even randomly generated but based in part on where you lived when it was issued. The number took on its supreme importance only gradually. In the 1930s it tidily solved a problem plaguing consumers -- all those people out there with the same name. A history page on the Social Security website refers to a 1937 publication stating that "the Fred Smiths of New York City have had so much trouble being identified by their creditors, the courts, and even their friends, that they have joined together in forming the 'Fred Smiths, Incorporated.'" In 1943, federal agencies were ordered to use the number as an identifier when setting up new record systems, but its use really took off in the 1960s, with the advent of computers. By 1973 government reports were warning that the SSN shouldn't become a national identifier, but new regulations and legislation promoted its use in a wide array of sectors, including financial services.

For a long time, people were casual about sharing their numbers. Colleges used Social Security numbers as student IDs, while a manufacturer once included a sample Social Security card in wallets it sold at Woolworth's -- a replica of a company secretary's actual card. But as the SSN has spread, the associated risks have grown. Once your SSN has been compromised, it's a hard problem to fix, in part because so many systems rely on it.
While you can get a new number in cases of identity theft or abuse or if you are a victim of domestic violence, it's not a simple process. In the case of ID theft, you must provide evidence of the number's misuse and how it's causing you continued, significant harm.

The ultimate solution to the SSN problem may be neither a new kind of number nor a single magic password. "The answer is layers," says Eva Velasquez, chief executive officer of the Identity Theft Resource Center, a nonprofit that helps consumers who've been hit by fraud. So in addition to SSNs, you might start to see more use of what are now standard internet security protocols, such as a combination of security questions and one-time security codes sent via email or text message. These systems might go hand in hand with something like a default freeze -- at the same time you are applying for credit at the store, you might also be getting an alert that someone wants to look at your credit file, and you'd go through an authentication process on your phone.

31 percent: Decline in the value of Equifax shares from Sept. 7 to Sept. 13

But such measures get back to the basic tension in the system -- extra steps can slow things down when you're trying to buy that new $999 iPhone on a monthly installment plan. "When I talk to ID theft victims, they are more than willing to forgo some of the convenience," says Velasquez. "Because they know what the aftereffect is. One of the few silver linings we can see when you have these large-scale data breaches is that it does bring it to the front of our national consciousness, and we start having conversations about what our priorities are when it comes to our identities and our data."

Some of those conversations are happening in Washington now. As news of the Equifax breach hit, a committee in the House of Representatives was hearing testimony on a bill that would limit damages in some suits against credit reporting companies.
The breach may slow the momentum on such bills and perhaps swing things the other way. At least six congressional committees are now examining Equifax. What seems clear is that the problem has become too big for so much of the responsibility to lie with consumers. There's too much data out there to steal -- before this summer's Equifax breach, there were thefts from Yahoo!, Home Depot, Target, and even the government. Sure, it's a good idea to be careful with your SSN, and a better idea to put on a fraud alert or a security freeze. But what you really need is more control -- by default -- of how your data are used.

-- With Karen Weise and Elizabeth Dexheimer

From rforno at infowarrior.org Thu Sep 14 11:12:01 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 14 Sep 2017 16:12:01 -0000
Subject: [Infowarrior] - FTC probes Equifax hack, shares tumble
Message-ID: <3A5AD667-0A95-4F02-BD42-C40D93C5F668@infowarrior.org>

Federal Trade Commission probes Equifax hack, shares tumble
Reuters Staff
2 Min Read
http://www.reuters.com/article/us-equifax-cyber-ftc/federal-trade-commission-probes-equifax-hack-shares-tumble-idUSKCN1BP1VX

WASHINGTON (Reuters) - The Federal Trade Commission said on Thursday it has opened an investigation into the massive data breach at Equifax Inc (EFX.N), in a rare public disclosure that sent shares tumbling to their lowest in more than two years.

"The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach," spokesman Peter Kaplan said in a brief email statement.

Equifax shares fell 5 percent to $94.19 in heavy trading after earlier touching $89.59, their lowest since February 2015. In the first 15 minutes of trading, more than 4.7 million shares had crossed, nearly 10 times the stock's daily average volume dating to 1980.
The activity came on the heels of a record 17.5 million shares traded on Wednesday. Equifax representatives did not immediately respond to requests for comment on the FTC probe.

Equifax disclosed the breach on Sept. 7, saying thieves may have stolen the personal information of 143 million Americans in one of the largest hackings ever. It learned of the hacking on July 29. Nearly 40 states have joined a probe of its handling of the breach. Equifax Chief Executive Officer Richard Smith is expected to testify on Oct. 3 before a U.S. House of Representatives panel.

From rforno at infowarrior.org Fri Sep 15 06:01:53 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 11:01:53 -0000
Subject: [Infowarrior] - Google stops challenging most US warrants for data on overseas servers
Message-ID:

Google stops challenging most US warrants for data on overseas servers
Microsoft keeps up the challenges while Supreme Court remains silent.
David Kravets - 9/14/2017, 5:50 PM

Google has quietly stopped challenging most search warrants from US judges in which the data requested is stored on overseas servers, according to the Justice Department. The revelation, contained in a new court filing to the Supreme Court, comes as the administration of President Donald Trump is pressing the justices to declare that US search warrants served on the US tech sector extend to data stored on foreign servers.

Google and other services began challenging US warrants for overseas data after a federal appeals court sided with Microsoft last year in a first-of-its-kind challenge. Microsoft convinced the New York-based 2nd US Circuit Court of Appeals -- which has jurisdiction over Connecticut, New York, and Vermont -- that US search-and-seizure law does not require compliance with a warrant to turn over e-mail stored on its servers in Ireland. Federal prosecutors were demanding the data as part of a US drug investigation.
In the aftermath, courts outside the 2nd Circuit, which are not bound by the ruling, began rejecting the circuit's decision and dismissing fresh challenges by the ISPs, including those brought by Google, Yahoo, and Microsoft. In one instance, Google was even found in contempt of court (PDF) for refusing to comply with a District of Columbia federal judge's order to hand over data stored overseas.

The Supreme Court has not decided whether to hear the government's challenge to the Microsoft decision, which has huge privacy ramifications for consumers and for the tech sector. The sector is being asked by the US government to comply with court orders that sometimes conflict with the laws of where the data is stored.

< - >

https://arstechnica.com/tech-policy/2017/09/feds-google-stops-challenging-most-us-warrants-for-data-on-overseas-servers/

From rforno at infowarrior.org Fri Sep 15 06:36:55 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 11:36:55 -0000
Subject: [Infowarrior] - Final Captains Log for Cassini
Message-ID: <96278312-97CB-4592-980F-F6C7B60DD5D1@infowarrior.org>

Captain's Log
September 15, 2017
http://ciclops.org/?js=1

The end is now upon us. Within hours of the posting of this entry, Cassini will have burned up in the atmosphere of Saturn ... a kiloton explosion, spread out against the sky in a pyrrhic display of light and fire, a dazzling flash to signal the dying essence of a lone emissary from another world. As if the myths of old had foretold the future, the great patriarch will consume his child. At that point, that golden machine, so dutiful and strong, will enter the realm of history, and the toils and triumphs of this long march will be done.

For those of us appointed long ago to undertake this journey, it has been a taxing 3 decades, requiring a level of dedication that I could not have predicted, and long breathless periods when we sprinted for the duration of a marathon.
But in return, we were blessed to spend our lives working and playing in that promised land beyond the Sun. My imaging team members and I were especially blessed to serve as the documentarians of this historic epoch and return a stirring visual record of our travels around Saturn and the glories that we found there. This is our gift to the citizens of planet Earth.

So, it is with both wistful, sentimental reflection and a boundless sense of pride in a commitment met and a job well done that I now turn to face this looming, abrupt finality. It is doubtful we will soon see a mission as richly suited as Cassini return to this ringed world and shoulder a task as colossal as we have borne over the last 27 years. To have served on this mission has been to live the rewarding life of an explorer of our time, a surveyor of distant worlds. We wrote our names across the sky. We could not have asked for more.

I sign off now, grateful in knowing that Cassini's legacy, and ours, will include our mutual roles as authors of a tale that humanity will tell for a very long time to come.

Carolyn Porco
Cassini Imaging Team Leader
Director, CICLOPS
Boulder, CO

From rforno at infowarrior.org Fri Sep 15 06:49:38 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 11:49:38 -0000
Subject: [Infowarrior] - HP caught quietly DRM'ing its inkjets again
Message-ID:

https://gizmodo.com/one-year-after-bricking-third-party-ink-with-update-hp-1809073739

< - >

Last September, HP decided to push out Keurig-like DRM, preventing customers from using certain printers after inserting third-party ink cartridges until they replaced them with official tanks from HP. After more than 10,000 people joined the Electronic Frontier Foundation to complain about it, HP eventually backed down, apologizing for not properly "communicating about the authentication procedure to customers" and issuing an optional update to remove the "security" feature.
But according to ghacks.net, a new firmware update for HP Officejet printers released yesterday appears to be identical to the reviled DRM update released exactly one year ago. When you try to use third-party ink after installing the new/old firmware, you apparently run into an error that says "One or more cartridges appear to be damaged. Remove them and replace with new cartridges." Depending on how many cartridges your specific printer uses, it may be possible to insert one or two without getting an error. But it seems when all of the ink cartridge slots are filled up, the warning message will be displayed again.

The new firmware reportedly affects printers from HP's OfficeJet 6800 series, OfficeJet Pro 6200 series, OfficeJet Pro X 450 series, OfficeJet Pro 8600 series and more. We have reached out to HP for comment and will update this article if and when we hear back.

< - >

From rforno at infowarrior.org Fri Sep 15 08:41:28 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 13:41:28 -0000
Subject: [Infowarrior] - 'So Unhelpful': POTUS Sparks Anger in U.K. Over London Terror Tweets
Message-ID: <81E8D23C-C24A-4CC4-922D-8D4C9CE123AD@infowarrior.org>

'So Unhelpful': Trump Sparks Anger in U.K. Over London Terror Tweets
By Thomas Penny
September 15, 2017, 7:43 AM EDT
Updated September 15, 2017, 8:32 AM EDT

Donald Trump is raising hackles in London again. Tweets from the U.S. president following a terrorist attack Friday prompted an immediate backlash. Among his critics was Nick Timothy, until recently one of British Prime Minister Theresa May's most senior aides. Trump was accused of betraying intelligence details by saying those responsible for an explosion on an underground train "are sick and demented people who were in the sights of Scotland Yard. Must be proactive!"
< - >

https://www.bloomberg.com/news/articles/2017-09-15/trump-sparks-anger-in-u-k-over-tweets-on-london-terror-attack

From rforno at infowarrior.org Fri Sep 15 08:48:39 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 13:48:39 -0000
Subject: [Infowarrior] - Three advertising networks are powering fake news
Message-ID: <7A2F9569-2492-40C4-9EA2-5B7E238C6ADD@infowarrior.org>

These three advertising networks are powering fake news
We looked at 100 fake news purveyors, and 84 of them use at least one of three advertising networks
ALEX KAPLAN

A Media Matters review of 100 websites that publish fake news found that 84 percent use at least one of three specific advertising networks for revenue.

Much of the public criticism about the proliferation of fake news in the past year has focused on social media platforms like Facebook and Twitter. While those platforms are vital in driving traffic to purveyors of fake news, less attention has been devoted to the series of advertising networks that help fake news websites turn those clicks into money. Creating revenue streams for websites that post this sort of content gives them an incentive to spread misinformation. For example, CNN reported in September that fake news purveyors from Macedonia, where much of this type of content originates, get their "profits ... primarily from ad services such as Google's AdSense."

The review found that the examined fake news purveyors use three advertising networks far more than others: Google AdSense, Revcontent, and Content.ad. AdSense appeared on 41 fake news-purveying websites, Revcontent on 40, and Content.ad on 36. The websites don't use these networks exclusively, often employing multiple advertising networks concurrently.
< - >

https://www.mediamatters.org/blog/2017/09/15/These-three-advertising-networks-are-powering-fake-news/217926

From rforno at infowarrior.org Fri Sep 15 09:12:01 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 14:12:01 -0000
Subject: [Infowarrior] - POTUS wants to "cut off" the internet in response to terrorism
Message-ID:

(Only if we can shut off his internet, too. That would bring much stability & security to the world, too. --rick)

President Trump wants to "cut off" the internet in response to terrorism
Caleb Chen
https://www.privateinternetaccess.com/blog/2017/09/president-trump-wants-cut-off-internet/

President Donald Trump has called (in a tweet) to "cut off" the internet following the September 15th London Tube bombing. The cited reason? Because it is a terrorist recruitment tool. The call to cut off internet access showcases President Trump's utter lack of a handle on how the internet works -- which is deeply troubling. Just a few points for him to think about: The internet is also a very good counter terrorism recruitment tool, and also currently a prerequisite for tweets to spread far and wide. Here is Trump's call for cutting off the internet in all of its ignorant glory:

This isn't the first time that Donald Trump has tweeted about his dream internet policy. Back in December of 2016, he even tweeted for Bill Gates to help him in banning the internet. In March of 2017, President Trump signed away Americans' internet privacy protections.

This bears repeating: Internet shutdowns are bad

Even now, there are active internet shutdowns all around the world -- for instance in the small African country of Togo. Oftentimes, these internet shutdowns correspond with political events such as highly contested elections. Internet shutdowns have been cited as effective methods to curtail protests -- which is how it is used by the Indian government in the Jammu and Kashmir region.
Sometimes, the internet disruptions only affect cell phones and mobile data, or social media traffic, without a complete internet shutdown.

Could it happen in America?

The United States has been working on an internet killswitch that could be used on cellular and internet service in emergencies, though details on this killswitch are sparse. With the country's leader calling to "cut off" the internet, the possibility of an internet shutdown in the United States just became that much more real.

From rforno at infowarrior.org Fri Sep 15 09:39:54 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 14:39:54 -0000
Subject: [Infowarrior] - more on ... Re: Final Captains Log for Cassini
In-Reply-To: <20170915100538.35599fbtxuuz4kz6@Engineering.Purdue.Edu>
References: <96278312-97CB-4592-980F-F6C7B60DD5D1@infowarrior.org> <20170915100538.35599fbtxuuz4kz6@Engineering.Purdue.Edu>
Message-ID: <6A03CC72-3078-42A7-9EC6-B314FB1B3CDC@infowarrior.org>

> On Sep 15, 2017, at 10:05, Joe Cychosz <3ksnn64 at ecn.purdue.edu> wrote:
>
> The JPL site is quite interesting. The menu in the upper right "grande finale" has other interesting Cassini info. The time line is pretty cool.
>
> https://saturn.jpl.nasa.gov/the-journey/grand-finale-feature/
>
> Joe

From rforno at infowarrior.org Fri Sep 15 12:35:02 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 17:35:02 -0000
Subject: [Infowarrior] - Administration Says It's Classified If They Can Let The NSA Spy On Americans
Message-ID: <9899B31B-D32B-487B-872D-41F3554270B4@infowarrior.org>

Administration Says It's Classified If They Can Let The NSA Spy On Americans

Senator Ron Wyden, as a member of the Senate Intelligence Committee, spent half a decade trying to get President Obama's Director of National Intelligence, James Clapper, to answer some fairly straightforward questions about NSA surveillance on Americans.
As you may recall, this got so bad that Clapper flat out lied to Wyden in an open Senate hearing, which inspired Ed Snowden to leak documents to Glenn Greenwald. With the Trump administration, Dan Coats took over Clapper's job... and Clapper's role of obfuscating in response to important questions from Wyden concerning NSA surveillance. Despite promises to the contrary, Coats (like Clapper before him) has refused to share just how many Americans have their information sucked up under Section 702. Since that program is up for renewal later this year, that kind of information seems quite relevant to the debate.

However, as we noted back in June, Wyden has also been asking a different, and much more specific question of Coats. At a hearing in June, Wyden asked: Can the government use FISA Act Section 702 to collect communications it knows are entirely domestic?

This seems like a kind of important question. 702 on its face, says that it can't be used to target domestic communications. Literally, the law says this:

"An acquisition authorized under [this statute]... may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States."

But, as we've learned, when Senator Wyden asks an "is this happening?" question -- the answer is always "yes." And, once again, it appears that Coats is playing games. Coats responded to that question at the time saying: "Not to my knowledge. It would be against the law." That seems like a pretty clear and definitive answer: "no." Which is as it should be.

But then... something weird happened. The very next day, Coats' office put out a "clarifying" statement (ruh roh...), saying that Coats had "interpreted" Wyden's question to be referring specifically to Section 702(b)(4) (the part that says you can't spy on domestic communications). But, that's not what Wyden had asked. He had asked about the entirety of 702.
So this "clarification" certainly seemed to suggest that Coats' original answer was incorrect in regards to the actual question, and instead, his staff was rewriting Wyden's question to make sure he had answe

< - > https://www.techdirt.com/articles/20170914/00485538206/trump-administration-says-classified-if-they-can-let-nsa-spy-americans.shtml

From rforno at infowarrior.org Fri Sep 15 15:16:39 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Sep 2017 20:16:39 -0000
Subject: [Infowarrior] - New Security Measures in iOS 11 and Their Forensic Implications
Message-ID:

New Security Measures in iOS 11 and Their Forensic Implications

Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is to better protect the privacy of Apple customers and once again increase the security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.
< - > https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/

From rforno at infowarrior.org Sat Sep 16 20:34:50 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Sep 2017 01:34:50 -0000
Subject: [Infowarrior] - Opinion: when they say your major is a problem, what they mean is your gender is a problem
Message-ID: <64FEB872-5CC5-446C-B5B0-EDDE57446C08@infowarrior.org>

Opinion: when they say your major is a problem, what they mean is your gender is a problem
September 16, 2017 18:10 by Paul
https://securityledger.com/2017/09/opinion-when-they-say-your-major-is-a-problem-what-they-mean-is-your-gender-is-a-problem/

In-brief: Talking about Susan Mauldin's music degree is a socially acceptable way for men to vent about a woman who they don't feel belongs in their workplace, especially not in a senior role.

Have you heard the latest scandal about Equifax? Not content to lose sensitive and personally identifying information on 143 million people, the company also had the temerity to hire Susan Mauldin, a music and composition major from the University of Georgia, and a woman, as its Chief Security Officer. No wonder the company is going to hell in a hand basket!

That, or something like it, is the fourth-day take on what will go down as one of the U.S.'s largest data breaches of 2017 and possibly a turning point in the long-stalled conversation about the need for strong data privacy protections in a country that has often seen fit to pooh-pooh such ideas.

Clearly, what's vexing our largest firms is the surplus of music, arts and humanities majors in top information security roles, right? After all, no less than History Major, Columnist and Chartered Financial Consultant Brett Arends of MarketWatch says so:

When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company's data security.

Strong words, Brett.
Especially coming from a guy with no professional degree in his chosen profession. Of course, it is not at all unusual for journalists to not have majored in journalism. In fact, it is so common that it's not even worth having a conversation about. Whether or not Mr. Arends knows it, the same is true of the information security space, where twisted career paths are the norm, rather than the exception.

Some examples? Microsoft's Chief Security Officer, Michael Howard? He holds a Bachelor of Science degree from San Jose State University in Criminal Justice. Ford Motor Company's Chief Information Security Officer Derek Benz? He's a History Major from Hillsdale College and he has an MBA in Global Finance from Columbia Business School. Home Depot's CISO Jamil Farshchi has three degrees, none of them in computer science or engineering. One of the information security industry's most celebrated hackers, Peiter Zatko (aka "Mudge") of BBN and, more recently, of DARPA, is a graduate of the Berklee School of Music.

And those are the folks who have degrees. I can't even figure out where Wal-Mart's CISO, Kerry Kilker, got his education, but I know he's been with the company for more than 30 years after starting as an Information Systems Applications Programmer in 1985. Somehow, I think he knows his way around Wal-Mart's IT operations pretty well, don't you?

"So many of us in security have worked our way in and clawed our way up and we stand on the experience that we have and build on the experience of others," noted security expert Chris Roberts (@sidragon1) told me. "This realm we've created over the last 20+ years has only recently lent itself to certification and most of us have the scars and bruises from so many years of experience which arguably counts for as much if not more in some cases."

Ms. Mauldin certainly fits that mold. She had long stints at Hewlett-Packard and First Data Corp before joining Equifax, a point Mr. Arends acknowledges in his article, before swatting those inconvenient truths away. Indeed, it is interesting to note that the outrage over Mauldin noticeably skips over her male superior, CIO David Webb, whose undergraduate major was Russian and about whom little has been said.

So why the vitriol about Equifax's CSO's qualifications? What's the difference between those guys I named and Susan Mauldin? Well, clearly it is the fact that her company was the victim of a data breach, right? Wrong. Grant Bourzikas was the CISO at Scottrade during the period when the company was hacked and records on 4.6 million customers were exposed. Grant has a Bachelor's in Accounting from the University of Missouri, St. Louis and no computer science or engineering degrees. I don't recall his credentials being a matter of debate or outrage. He's since moved on and is now CISO at the security firm McAfee.

Maybe it's the size of the breach, then? Nope. Bob Lord was the Chief Information Security Officer at Yahoo!, which coughed up sensitive information on 500 million people in a hack that predated his arrival at the company, but persisted during his tenure, as well. Bob has a degree in Political Science from the University of Chicago, but somehow his qualifications for the job were never a topic of conversation. Needless to say, Mrs. Mauldin isn't getting the same soft-glove treatment.

Well then. Maybe it's the severity of the breach, you know: Social Security numbers and credit ratings and such? Wrong again. Roy Mellinger has kept his job as CISO at Anthem despite that firm being the victim of a massive breach by a nation-state actor that surrendered detailed medical records on tens of millions of Americans. Still, I haven't heard the trolls on Reddit banging the drum over Mr. Mellinger's continued tenure at the firm. In fact, he was recently named Information Security Executive of the Year!

But things are different when you're a music major.
Or should I say, they're different when you're a woman music major in an industry that often seems to not want women around, unless it's to be objects of desire, or maids and mommies on call for immature (but technically adept) male engineers. That is especially true of the information security industry, where only around 1 in 10 professionals are women.

That double standard is everywhere in the faux outrage about Mrs. Mauldin. Before Mr. Arends's piece on MarketWatch, the story was mostly fodder for conservative blogs like Gateway Pundit where reader comments frequently allege that Mauldin's hire was an expression of gender-based preferences and political correctness. There was also (of course) a thread on Reddit, where comments slide quickly into overt and profound misogyny.

In short: talking about Susan Mauldin's music degree is a socially acceptable way for men (and they're almost all men) to vent about a woman who they don't feel belongs in their workplace, especially not in a senior role. That truth is simply unavoidable.

This isn't about consequences. Regardless of what happens to male CISOs following high-profile breaches (many end up stepping down and finding other positions), you'll be very hard put to find discussions of a male security executive's per se right to have occupied the position he occupied, no matter his qualifications going into the job or what happens during his tenure. That kind of talk is reserved for women who have the misfortune of being in positions of authority when bad things happen.

So where is the right place to focus our outrage?
How about at the organization that employed her and which created the conditions by which this incident occurred. Deidre Diamond of the security staffing firm CyberSN notes that Equifax has 17 open (unfilled) job openings for information security, which suggests the organization's security team was seriously understaffed.

"The first thing I thought of is what I see every day which is understaffed in security," Diamond said. That isn't to absolve Mauldin of her responsibility. "To miss a (10 severity) vulnerability is negligence, for sure," she said. But it is to cast what happened in a more sympathetic light and one that doesn't center on the person of the CSO or her resume.

"When you look at an organization like this and you see 17 roles on their website, I think to myself 'that's an organization that is completely understaffed and that's why a top 10 vulnerability gets missed, not a degree.'"

It should be said that many, many information technology professionals and security professionals of both genders have stepped up on social media and elsewhere to defend diversity in the workplace. The voluminous comments on tech industry sites like Slashdot offer mostly support and plenty of anecdotes for the notion that diverse degrees and backgrounds can make for excellent security professionals (also: lots of music puns). "Judging *anyone* as qualified or unqualified using only a single data point is naive," Zatko Tweeted on Friday.

True. But those discussions miss the point, and the force behind the vitriol directed at Ms. Mauldin. It's not about what she studied, or even what she did. It's about what she is: a woman.

From rforno at infowarrior.org Sat Sep 16 20:45:44 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Sep 2017 01:45:44 -0000
Subject: [Infowarrior] - The Pirate Bay Website Runs a Cryptocurrency Miner (Updated)
Message-ID: <14AEC641-19B9-4AC5-B49F-4476FA71EF2C@infowarrior.org>

The Pirate Bay Website Runs a Cryptocurrency Miner (Updated)
By Ernesto on September 16, 2017

A few hours ago a cryptocurrency miner appeared on The Pirate Bay website, using the computer resources of visitors to mine Monero coins. The operators of The Pirate Bay are testing it as a new way to generate revenue, but many users aren't happy.

< - > https://torrentfreak.com/the-pirate-bay-website-runs-a-cryptocurrency-miner-170916/

From rforno at infowarrior.org Sun Sep 17 09:22:05 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Sep 2017 14:22:05 -0000
Subject: [Infowarrior] - Fwd: Federal probe into House technology worker Imran Awan yields intrigue, no evidence of espionage
References: <472EFC0C-8DFD-4084-B010-DD398D1943F2@roscom.com>
Message-ID: <1EF492F1-74E3-41FC-9775-0BD85EC85EC2@infowarrior.org>

> Begin forwarded message:
>
> From: Monty
>
> Federal probe into House technology worker Imran Awan yields intrigue, no evidence of espionage
> The story of Awan and four other Pakistani-born computer technicians is a lightning rod charged by the convergence of politics, cybersecurity and fears of foreign intrusion.
>
> https://www.washingtonpost.com/investigations/federal-probe-into-house-technology-worker-imran-awan-yields-intrigue-no-evidence-of-espionage/2017/09/16/100b4170-93f2-11e7-b9bc-b2f7903bab0d_story.html
>

From rforno at infowarrior.org Sun Sep 17 15:27:43 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Sep 2017 20:27:43 -0000
Subject: [Infowarrior] - US policy is 'not to defend Canada' in any N Korea attack
Message-ID:

US policy is 'not to defend Canada' in any N Korea attack
15 September 2017
http://www.bbc.com/news/world-us-canada-41285474

A top general has told Canadian MPs they cannot count on US support if North Korea launches a nuclear attack on their country.
Lt Gen Pierre St-Amand told the national defence committee in Ottawa there is no policy that requires the US to aid Canada in any nuclear attack.

But on the upside, the committee also heard North Korea views Canada as a "peaceful" and "friendly" country.

Pyongyang's missile launch over Japan on Friday has put the region on edge.

Gen St-Amand told MPs: "The extent of the US policy is not to defend Canada.

"That's the fact I can bring to the table."

Canada has long avoided joining the US ballistic missile defence programme, under the assumption that the US would shoot down a nuclear missile heading for its northern neighbour anyway. But Lt Gen St-Amand's testimony suggested otherwise.

However, Mark Gwozdecky, assistant deputy minister for international security, said all evidence suggested Canada was not in North Korea's crosshairs.

"There's been no direct threat to Canada," Mr Gwozdecky told the meeting. "In fact, on the contrary, in recent contacts with the North Korean government, including in August when our national security adviser was in Pyongyang, the indications were they perceived Canada as a peaceful and indeed a friendly country."

Mr Gwozdecky stressed that even if Canada was not a target, North Korea still posed a serious threat to global peace and security.

From rforno at infowarrior.org Sun Sep 17 16:38:38 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Sep 2017 21:38:38 -0000
Subject: [Infowarrior] - AI can detect Alzheimer's 10 years before symptoms show up
Message-ID: <4EE44F5B-145A-4A2E-B8A6-33A6A65053F1@infowarrior.org>

AI can detect Alzheimer's 10 years before symptoms show up
Mariella Moon, @mariella_moon
https://www.engadget.com/2017/09/17/ai-alzheimers-early-detection/

Various researchers around the globe are developing ways to detect Alzheimer's as early as possible.
After all, early detection gives people the power to seek treatment that can slow down the condition's effects, as well as enough time to get their legal and financial affairs in order. Some decided to focus on blood and cerebrospinal fluid tests, while others are developing gadgets that can look for early signs. A team of researchers from the University of Bari in Italy, however, believe the answer lies in artificial intelligence. They developed an algorithm that can spot tiny structural changes in the brain caused by the disease a decade before symptoms even appear.

They trained their AI by feeding it 67 MRI scans -- 38 from Alzheimer's patients and 29 from healthy controls. The researchers divided the scans into small regions and had their AI analyze the neuronal connectivity between them. After training was done, they tested the algorithm by having it process brain scans from 148 subjects. Out of the total number, 48 were scans of people with the disease, while 48 were scans of people who suffered from mild cognitive impairment and eventually developed full-blown Alzheimer's.

The AI was able to diagnose Alzheimer's 86 percent of the time. More importantly, it was able to detect mild cognitive impairment 84 percent of the time, making it a potentially effective tool for early diagnosis. Unfortunately, the researchers were limited to the scans in USC LA's Alzheimer's Disease Neuroimaging Initiative database. With more samples and further development, though, the AI could become more accurate until it's reliable enough to be used as a non-invasive early detection system.

From rforno at infowarrior.org Mon Sep 18 06:03:02 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Sep 2017 11:03:02 -0000
Subject: [Infowarrior] - Inside the MPAA, Netflix & Amazon Global Anti-Piracy Alliance
Message-ID: <436FF682-0A98-47FA-8ADE-E1F3DAF35977@infowarrior.org>

(Even though MPAA is a member, this almost looks like an MPAA-for-the-future. --rick)

Inside the MPAA, Netflix & Amazon Global Anti-Piracy Alliance
By Andy on September 18, 2017

Back in June, MPAA, Amazon, Netflix, CBS, HBO, BBC, Sky, Bell Canada, CBS, Hulu, Lionsgate, Foxtel, Village Roadshow, and many more, revealed the Alliance for Creativity and Entertainment, a brand new initiative to tackle piracy on a global scale. Today, TorrentFreak can reveal the deal behind this massive operation.

< - > https://torrentfreak.com/inside-the-mpaa-netflix-amazon-global-anti-piracy-alliance-170918/

From rforno at infowarrior.org Mon Sep 18 06:25:42 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Sep 2017 11:25:42 -0000
Subject: [Infowarrior] - Illinois Announces Key Partnership in Birth Registry Blockchain Pilot
Message-ID: <2A567B82-9C1A-47E9-A057-E43204572C44@infowarrior.org>

Illinois Announces Key Partnership in Birth Registry Blockchain Pilot
The state of Illinois, which has six blockchain pilots underway, will partner with Utah-based Evernym for a birth registry pilot meant to individualize and secure identities.
by Theo Douglas / September 8, 2017
http://www.govtech.com/data/Illinois-Announces-Key-Partnership-in-Birth-Registry-Blockchain-Pilot.html

The next steps in Illinois' many blockchain pilots are beginning to take shape, as the state has announced it will partner with Utah-based Evernym, a leader in individually controlled digital identity solutions, in its birth registration pilot.

The endeavor, one of six distinct blockchain explorations Illinois began last summer with a working group, is expected to utilize the Sovrin Foundation's publicly available distributed identity ledger and expand upon accomplishments of the W3C Verifiable Claims Task Force, the state said Aug. 31.

Recognizing that identity, and, now, digital identity, begin at birth, the state will explore using these technologies to create "a secure 'self-sovereign' identity for Illinois citizens during the birth registration process,"
it said in the announcement.

This has been an ascendant year for blockchain, the encrypted digital recording of a transaction or an event through a shared "incorruptible" ledger. It isn't in wide use among state, county or local governments. But states including Illinois, Delaware and New Jersey are deeply interested and in May, the National Association of State Chief Information Officers (NASCIO) added blockchain to a list of the "next big, transformational technologies."

Illinois has six pilots now underway, up from five in May, and is planning to deliver proofs of concept by the end of 2017, CIO Hardik Bhatt has said. In an effort to effectively manage resources, the state has reclassified its six pilots by urgency as either Priority 1 or Priority 2.

Not surprisingly, the birth registry pilot is one of three Priority 1 pilots, along with a blockchain exploration with the state Department of Financial and Professional Regulations (DFPR) that could let residents verify doctors' licenses and insurance through an app; and an examination of tracking continuing education credentials underway with DFPR and the University of Illinois.

Self-sovereign identity, a Sovrin specialty, is a digital identity that's entirely controlled by the person to whom it belongs, but can also be quickly and securely validated by agencies and private-sector businesses without turning to a "centralized repository," the state said in its statement.

"To structurally address the many issues surrounding digital identity, we felt it was important to develop a framework that examines identity from its inception at child birth," Jennifer O'Rourke, business liaison for the Illinois Blockchain Initiative (IBI), said in the statement. Identity, O'Rourke noted, is "foundational to nearly every government service," as well as being the basis for public sector "trust and legitimacy."
In the framework that Illinois and Evernym are partnering on, government agencies are expected to verify birth registration information and then "cryptographically sign" attributes such as legal name, date of birth, sex or blood type. This would then create what's known as "verifiable claims" or attributes.

Permission to view or share these government-verified claims would be stored on a "tamper-proof distributed ledger protocol" as a decentralized identifier, the state has said. It would guarantee each attribute is "cryptographically sealed" and can only be accessed with the permission of the person or his or her legal guardian. Returning primary control to an individual would naturally lessen the need for agencies and private sector businesses to keep their own databases of identity information.

The state's other three Priority 2 pilots are a property title transfer conducted with Cook County, the state's largest county; a use case on the recording of academic credentialing; and a tracking of Renewable Energy Credits, which are generated by creating electricity through wind turbines or solar panels and subsequently traded.

In an August interview with Government Technology, Bhatt, the state's outgoing CIO, said he thought government would be more a "player" than a driver of the full adoption of blockchain.

"It has made its place on the hype cycle, it's moving up and we'll see how does the adoption (go)? You know this is a foundational technology, so it's going to take time really for adoption," Bhatt told GT. The CIO confirmed to GT on Thursday, Sept. 7 that he will be leaving the state for a role at Amazon.
Theo Douglas
Staff Writer

From rforno at infowarrior.org Mon Sep 18 16:08:14 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Sep 2017 21:08:14 -0000
Subject: [Infowarrior] - EFF resigning from W3C
Message-ID: <172AF4CD-F563-438C-89B0-5379F0E4859C@infowarrior.org>

https://www.eff.org/deeplinks/2017/09/open-letter-w3c-director-ceo-team-and-membership

An open letter to the W3C Director, CEO, team and membership
By Cory Doctorow
September 18, 2017

Dear Jeff, Tim, and colleagues,

In 2013, EFF was disappointed to learn that the W3C had taken on the project of standardizing "Encrypted Media Extensions," an API whose sole function was to provide a first-class role for DRM within the Web browser ecosystem. By doing so, the organization offered the use of its patent pool, its staff support, and its moral authority to the idea that browsers can and should be designed to cede control over key aspects from users to remote parties.

When it became clear, following our formal objection, that the W3C's largest corporate members and leadership were wedded to this project despite strong discontent from within the W3C membership and staff, their most important partners, and other supporters of the open Web, we proposed a compromise. We agreed to stand down regarding the EME standard, provided that the W3C extend its existing IPR policies to deter members from using DRM laws in connection with the EME (such as Section 1201 of the US Digital Millennium Copyright Act or European national implementations of Article 6 of the EUCD) except in combination with another cause of action.

This covenant would allow the W3C's large corporate members to enforce their copyrights. Indeed, it kept intact every legal right to which entertainment companies, DRM vendors, and their business partners can otherwise lay claim.
The compromise merely restricted their ability to use the W3C's DRM to shut down legitimate activities, like research and modifications, that required circumvention of DRM. It would signal to the world that the W3C wanted to make a difference in how DRM was enforced: that it would use its authority to draw a line between the acceptability of DRM as an optional technology, as opposed to an excuse to undermine legitimate research and innovation.

More directly, such a covenant would have helped protect the key stakeholders, present and future, who both depend on the openness of the Web, and who actively work to protect its safety and universality. It would offer some legal clarity for those who bypass DRM to engage in security research to find defects that would endanger billions of web users; or who automate the creation of enhanced, accessible video for people with disabilities; or who archive the Web for posterity. It would help protect new market entrants intent on creating competitive, innovative products, unimagined by the vendors locking down web video.

Despite the support of W3C members from many sectors, the leadership of the W3C rejected this compromise. The W3C leadership countered with proposals -- like the chartering of a nonbinding discussion group on the policy questions that was not scheduled to report in until long after the EME ship had sailed -- that would have still left researchers, governments, archives, security experts unprotected.

The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew -- and the large corporate members continued to reject any meaningful compromise -- the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. In essence, a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors -- and every person who uses the web.
The Director decided to personally override every single objection raised by the members, articulating several benefits that EME offered over the DRM that HTML5 had made impossible. But those very benefits (such as improvements to accessibility and privacy) depend on the public being able to exercise rights they lose under DRM law, which meant that without the compromise the Director was overriding, none of those benefits could be realized, either. That rejection prompted the first appeal against the Director in W3C history.

In our campaigning on this issue, we have spoken to many, many members' representatives who privately confided their belief that the EME was a terrible idea (generally they used stronger language) and their sincere desire that their employer wasn't on the wrong side of this issue. This is unsurprising. You have to search long and hard to find an independent technologist who believes that DRM is possible, let alone a good idea. Yet, somewhere along the way, the business values of those outside the web got important enough, and the values of technologists who built it got disposable enough, that even the wise elders who make our standards voted for something they know to be a fool's errand.

We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they'll be able to ensure no one ever subjects them to the same innovative pressures.

So we'll keep fighting to keep the web free and open.
We'll keep suing the US government to overturn the laws that make DRM so toxic, and we'll keep bringing that fight to the world's legislatures that are being misled by the US Trade Representative to instigate local equivalents to America's legal mistakes. We will renew our work to battle the media companies that fail to adapt videos for accessibility purposes, even though the W3C squandered the perfect moment to exact a promise to protect those who are doing that work for them. We will defend those who are put in harm's way for blowing the whistle on defects in EME implementations.

It is a tragedy that we will be doing that without our friends at the W3C, and with the world believing that the pioneers and creators of the web no longer care about these matters.

Effective today, EFF is resigning from the W3C.

Thank you,

Cory Doctorow
Advisory Committee Representative to the W3C for the Electronic Frontier Foundation

From rforno at infowarrior.org Tue Sep 19 09:21:54 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Sep 2017 14:21:54 -0000
Subject: [Infowarrior] - A chilling study shows how hostile college students are toward free speech
Message-ID:

A chilling study shows how hostile college students are toward free speech
By Catherine Rampell
Opinion writer
September 18 at 8:02 PM

Here's the problem with suggesting that upsetting speech warrants "safe spaces," or otherwise conflating mere words with physical assault: If speech is violence, then violence becomes a justifiable response to speech.

Just ask college students.

A fifth of undergrads now say it's acceptable to use physical force to silence a speaker who makes "offensive and hurtful statements."

That's one finding from a disturbing new survey of students conducted by John Villasenor, a Brookings Institution senior fellow and University of California at Los Angeles professor.
< - > https://www.washingtonpost.com/opinions/a-chilling-study-shows-how-hostile-college-students-are-toward-free-speech/2017/09/18/cbb1a234-9ca8-11e7-9083-fbfddf6804c2_story.html From rforno at infowarrior.org Tue Sep 19 11:08:55 2017 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Sep 2017 16:08:55 -0000 Subject: [Infowarrior] - Why SESTA Is Such A Bad Bill Message-ID: <0D3E7BDD-02E9-4D99-BD20-4806620D306A@infowarrior.org> Why SESTA Is Such A Bad Bill from the so-much-damage dept We've been talking quite a bit about SESTA -- the Stop Enabling Sex Traffickers Act -- and why it's so problematic, but with hearings today, I wanted to dig in a bit more closely with the text to explain why it's so problematic. There are a large number of problems with the bill, so let's discuss them one by one. < - > https://www.techdirt.com/articles/20170918/18065238235/why-sesta-is-such-bad-bill.shtml From rforno at infowarrior.org Tue Sep 19 11:11:25 2017 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Sep 2017 16:11:25 -0000 Subject: [Infowarrior] - Twitter rival Gab faces domain loss over extremist content Message-ID: <3CC2A2F8-018D-4C93-B434-7CC0F1CBD3E0@infowarrior.org> Twitter rival Gab faces domain loss over extremist content After anti-Semitic post, registrar gives Gab five days to find a new provider. https://arstechnica.com/tech-policy/2017/09/twitter-rival-gab-faces-domain-loss-over-extremist-content/ From rforno at infowarrior.org Tue Sep 19 14:48:23 2017 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Sep 2017 19:48:23 -0000 Subject: [Infowarrior] - Court dismisses lawsuits over OPM data breach Message-ID: Court dismisses lawsuits over OPM data breach By Morgan Chalfant - 09/19/17 03:40 PM EDT http://thehill.com/policy/cybersecurity/351395-court-dismisses-lawsuits-over-opm-data-breach A District of Columbia court has dismissed two lawsuits over the Office of Personnel Management (OPM) data breach disclosed in 2015. 
The American Federation of Government Employees, the largest federal workers union, filed the class action lawsuit against OPM in June 2015, alleging that the breaches stemmed from gross negligence on the part of federal officials. The lawsuit was one of two consolidated complaints related to the OPM breach that the U.S. district court for D.C. dismissed on Tuesday, ruling that both sets of plaintiffs lacked the standing to bring their cases. In 2015, OPM disclosed two related cybersecurity breaches in which data on over 20 million Americans, most of them federal workers, was stolen by hackers. The plaintiffs in the AFGE suit, which included the union and an additional 38 federal workers, sought damages under the Privacy Act and the Little Tucker Act, as well as declaratory and injunctive relief under the Administrative Procedure Act. OPM argued last year that the case should be dismissed, arguing that the federal workers did not meet the basic requirements of the court for bringing forth the lawsuit. Another union, the National Treasury Employees Union, also sued OPM's acting director, alleging violations of their constitutional right to information privacy. On Tuesday, the D.C. court dismissed both complaints, saying that neither set of plaintiffs "has pled sufficient facts to demonstrate that they have standing." "Defendants' motions to dismiss will be granted, and both cases will be dismissed in their entirety. The Court finds, applying the case law it is required to follow, that neither set of plaintiffs has pled sufficient facts to demonstrate that they have standing," the court wrote in a memorandum opinion filed on Tuesday. "Plaintiffs seek damages for improper disclosure of information and for a failure to maintain adequate safeguards under the Privacy Act, but they have not alleged that private information was 'disclosed,' 
as opposed to stolen, and they have not alleged facts to show that their claimed injuries were the result of the agency's failures," the court wrote. "Plaintiffs have not stated a claim for breach of contract under the Little Tucker Act since they have not shown that OPM entered into a contract with them or that any contract was breached, and they have not alleged any violation of the United States Constitution." OPM attracted massive scrutiny following the breach disclosures, a controversy that precipitated the resignation of then-director Katherine Archuleta. From rforno at infowarrior.org Wed Sep 20 14:29:14 2017 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Sep 2017 19:29:14 -0000 Subject: [Infowarrior] - Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn't Actually Turn Off Wi-Fi or Bluetooth Message-ID: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn't Actually Turn Off Wi-Fi or Bluetooth https://motherboard.vice.com/en_us/article/evpz7a/turn-off-wi-fi-and-bluetooth-apple-ios-11 And it's a feature, not a bug. Turning off Bluetooth and Wi-Fi when you're not using them on your smartphone has long been standard, common sense advice. Unfortunately, with the iPhone's new operating system iOS 11, turning them off is not as easy as it used to be. Now, when you toggle Bluetooth and Wi-Fi off from the iPhone's Control Center -- the somewhat confusing menu that appears when you swipe up from the bottom of the phone -- it actually doesn't completely turn them off. While that might sound like a bug, that's actually what Apple intended in the new operating system. But security researchers warn that users might not realize this and, as a consequence, could leave Bluetooth and Wi-Fi on without noticing. "It is stupid," Collin Mulliner, a security researcher who's studied Bluetooth for years, told Motherboard in a Twitter chat. "It is not clear for the user." 
To be clear, and to be fair, this behavior is exactly what Apple wants. In its own documentation, the company says that "in iOS 11 and later, when you toggle the Wi-Fi or Bluetooth buttons in Control Center, your device will immediately disconnect from Wi-Fi and Bluetooth accessories. Both Wi-Fi and Bluetooth will continue to be available." That is because Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation. Motherboard tested this behavior on an iPhone with iOS 11 installed and verified that Bluetooth and Wi-Fi remain on in the settings after turning them off in the Control Center, as some users have started to notice. Andrea Barisani, a security researcher and one of the first people to notice this change, said in a Twitter direct message that the new user interface is not obvious at all and makes the user experience more "uncomfortable." Turning off Bluetooth and Wi-Fi reduces your exposure to potential attacks on hardware, firmware and software, so "it's good practice," Barisani told me. Just last week, security researchers revealed the existence of a series of bugs in the way some operating systems implemented Bluetooth that allowed hackers to take over victims' devices as long as Bluetooth was on -- without needing to trick the user into clicking a malicious link or doing anything at all. It's worth mentioning that after you toggle them off in the Control Center, both Bluetooth and Wi-Fi will become active again at 5 AM local time, according to Apple's documentation. It's unclear why that is, but just so you know. Apple did not immediately respond to a request for comment. The takeaway is that if you want to really and completely turn off Bluetooth and Wi-Fi on iOS 11 you can't do it from the Control Center anymore; you'll have to do it through the Settings app. 
From rforno at infowarrior.org Wed Sep 20 14:43:20 2017 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Sep 2017 19:43:20 -0000 Subject: [Infowarrior] - Equifax sends breach victims to fake notification site Message-ID: Equifax sends breach victims to fake notification site https://arstechnica.com/information-technology/2017/09/equifax-directs-breach-victims-to-fake-notification-site/ From rforno at infowarrior.org Wed Sep 20 23:23:52 2017 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Sep 2017 04:23:52 -0000 Subject: [Infowarrior] - Peter Thiel for a Top Intelligence Advisory Post? Message-ID: Peter Thiel for a Top Intelligence Advisory Post? by Adam Ciralsky https://www.vanityfair.com/news/2017/09/donald-trump-peter-thiel-top-intelligence-advisory-post From rforno at infowarrior.org Thu Sep 21 06:44:00 2017 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Sep 2017 11:44:00 -0000 Subject: [Infowarrior] - Distrustful U.S. allies force spy agency to back down in encryption fight Message-ID: <9ADC6ECA-B80C-475E-AECB-B99673FE5909@infowarrior.org> September 21, 2017 / 5:03 AM Distrustful U.S. allies force spy agency to back down in encryption fight Joseph Menn SAN FRANCISCO (Reuters) - An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques - those least likely to be vulnerable to hacks - to address the concerns. 
The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck. The U.S. delegation to the ISO on encryption issues includes a handful of NSA officials, though it is controlled by an American standards body, the American National Standards Institute (ANSI). The presence of the NSA officials and former NSA contractor Edward Snowden's revelations about the agency's penetration of global electronic systems have made a number of delegates suspicious of the U.S. delegation's motives, according to interviews with a dozen current and former delegates. A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of the process. The suspicions stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate. Budget documents, for example, sought funding to "insert vulnerabilities into commercial encryption systems." More than a dozen of the experts involved in the approval process for Simon and Speck feared that if the NSA was able to crack the encryption techniques, it would gain a "back door" into coded transmissions, according to the interviews and emails and other documents seen by Reuters. "I don't trust the designers," Israeli delegate Orr Dunkelman, a computer science professor at the University of Haifa, told Reuters, citing Snowden's papers. "There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards." The NSA, which does not confirm the authenticity of any Snowden documents, told Reuters it developed the new encryption tools to protect sensitive U.S. 
government computer and communications equipment without requiring a lot of computer processing power. NSA officials said via email they want commercial technology companies that sell to the government to use the techniques, and that is more likely to happen when they have been designated a global standard by the ISO. Asked if it could beat Simon and Speck encryption, the NSA officials said: "We firmly believe they are secure." < - > http://www.reuters.com/article/us-cyber-standards-insight/distrustful-u-s-allies-force-spy-agency-to-back-down-in-encryption-fight-idUSKCN1BW0GV From rforno at infowarrior.org Thu Sep 21 13:09:40 2017 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Sep 2017 18:09:40 -0000 Subject: [Infowarrior] - May calls on internet firms to remove extremist content within two hours Message-ID: <381757D7-117D-45B3-BC7E-6BD9763E5996@infowarrior.org> Good luck with that. And since it's a hard goal to reach to begin with, I'm sure companies will err on removal-first (ie, 'censorship'). --rick May calls on internet firms to remove extremist content within two hours Theresa May is to urge internet companies to take down extremist content being shared by terrorist groups within two hours, during a summit with the French president and the Italian prime minister. May is meeting senior executives from Google, Facebook and Microsoft on the sidelines of the UN in New York on Wednesday alongside her French and Italian counterparts, Emmanuel Macron and Paolo Gentiloni. The meeting comes amid growing concerns that groups such as Islamic State are able to produce and distribute videos and online magazines too readily. Home Office analysis shows that Isis shared 27,000 links to extremist content in the first five months of 2017 and, once shared, the material remained available online for an average of 36 hours. 
< - > https://www.theguardian.com/uk-news/2017/sep/19/theresa-may-will-tell-internet-firms-to-tackle-extremist-content From rforno at infowarrior.org Thu Sep 21 15:42:35 2017 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Sep 2017 20:42:35 -0000 Subject: [Infowarrior] - EPA teaching employees how to avoid leaking information Message-ID: Using "Enemies of the United States" as a justification by the *EPA* is a political and Trumpian stunt. Why not just say "anyone who disagrees with us -- and/or the media" and be honest about it? Oh .... that this story is based on leaked information is itself amusing, too. --rick EPA teaching employees how to avoid leaking information By Timothy Cama - 09/21/17 12:12 PM EDT http://thehill.com/policy/energy-environment/351742-epa-holds-anti-leaking-training-for-employees Environmental Protection Agency (EPA) employees are undergoing mandatory classes as part of a Trump administration effort to stop unauthorized disclosures to the press. "Enemies of the United States are relentless in their pursuit of information which they can exploit to harm U.S. interests," according to a three-page fact sheet given to workers. Materials given to some of the employees, which were obtained by The Hill, use stark terms to warn about the consequences of leaking information. Few EPA employees handle classified information, but agency leadership is also trying to ensure that workers do not disclose "controlled unclassified information." "[F]ederal employees, federal contractors and specifically assigned personnel, have a special responsibility to properly protect classified information and CUI from any unauthorized disclosure," an EPA fact sheet stated. Leaks across the government have angered leaders at all levels, particularly President Trump. At the EPA, employees have divulged policy plans, information about Administrator Scott Pruitt's activities and information about alleged discord among workers. 
"It's ironic that we have an anti-leaking story that is rooted from a leaked memo," EPA spokesman Jahan Wilcox said of the materials. The training materials cover espionage and hacks in addition to leaks, with examples of each - such as The Washington Post uncovering a "highly successful," and subsequently halted, program in 1972 that allowed the U.S. to intercept Soviet telephone conversations in limousines. "The unauthorized disclosure of classified information or controlled unclassified information (CUI) harms our nation and shakes the confidence of the American people," Donna Vizian, the acting assistant administrator for resources, said in a message to employees. The advice given to EPA employees includes marking sensitive information properly, avoiding trying to "talk around" sensitive facts and speaking with supervisors to confirm who is authorized to see the information. From rforno at infowarrior.org Thu Sep 21 16:02:40 2017 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Sep 2017 21:02:40 -0000 Subject: [Infowarrior] - Taser Wants to Build an Army of Smartphone Informants Message-ID: <3C9C1046-755C-4699-BCE3-22B5290DED39@infowarrior.org> Taser Wants to Build an Army of Smartphone Informants Ava Kofman September 21 2017, 11:54 a.m. Axon, the world's largest vendor of police-worn body cameras, is moving into the business of capturing video taken by the public. In a survey emailed to law enforcement officials last month, the company formerly known as Taser International solicited naming ideas for its provisionally titled Public Evidence Product. According to the survey, the product will allow citizens to submit photos or video evidence of "a crime, suspicious activity, or event" to Evidence.com, the company's cloud-based storage platform, to help agencies "in solving a crime or gathering a fuller point of view from the public." 
Civil rights advocates interviewed by The Intercept were surprised to learn about the corporation's latest initiative, seeing it as yet another untested effort to co-opt community oversight and privatize criminal justice. < - > https://theintercept.com/2017/09/21/taser-wants-to-build-an-army-of-smartphone-informants/ From rforno at infowarrior.org Thu Sep 21 17:00:52 2017 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Sep 2017 22:00:52 -0000 Subject: [Infowarrior] - D.C. Court of Appeals: tracking phones without a warrant is unconstitutional Message-ID: D.C. court rules tracking phones without a warrant is unconstitutional https://www.cbsnews.com/news/d-c-court-rules-warrant-is-required-for-stingray-cell-phone-tracking/ Law enforcement use of one tracking tool, the cell-site simulator, to track a suspect's phone without a warrant violates the Constitution, the D.C. Court of Appeals said Thursday in a landmark ruling for privacy and Fourth Amendment rights as they pertain to policing tactics. The ruling could have broad implications for law enforcement's use of cell-site simulators, which local police and federal agencies can use to mimic a cell phone tower so that the phone connects to the device instead of its regular network. In a decision that reversed the decision of the Superior Court of the District of Columbia and overturned the conviction of a robbery and sexual assault suspect, the D.C. Court of Appeals determined the use of the cell-site simulator "to locate a person through his or her cellphone invades the person's actual, legitimate and reasonable expectation of privacy in his or her location information and is a search." 
The Fourth Amendment guarantees, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." D.C. Metropolitan Police's use of such cell-site simulator technology to nab suspect Prince Jones in 2013 "violated the Fourth Amendment," the court decided against the U.S. government on Thursday. "We thus conclude that under ordinary circumstances, the use of a cell-site simulator to locate a person through his or her cellphone invades the person's actual, legitimate and reasonable expectation of privacy in his or her location information and is a search," the court ruling said. "The government's argument to the contrary is unpersuasive." A December 2016 report from the House Oversight and Government Reform Committee found U.S. taxpayers spent $95 million on 434 cell-site simulator devices between 2010 and 2014, with the price tag for a single device hovering around $500,000. "While law enforcement agencies should be able to utilize technology as a tool to help officers be safe and accomplish their missions, absent proper oversight and safeguards, the domestic use of cell-site simulators may well infringe upon the constitutional rights of citizens to be free from unreasonable searches and seizures, as well as the right to free association," the report said. Under former Attorney General Eric Holder -- under some pressure from Congress -- the Department of Justice in 2015 issued a policy that federal authorities could only use cell-site simulators with a warrant. But that policy was never inked into law, and policies can change. 
Attorney General Jeff Sessions' tough-on-crime stance has worried some privacy advocates as to how he might use tools like cell-site simulators. © 2017 CBS Interactive Inc. All Rights Reserved. From rforno at infowarrior.org Fri Sep 22 06:05:52 2017 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Sep 2017 11:05:52 -0000 Subject: [Infowarrior] - Fwd: referral: The Fake News Fallacy References: <20170922103152.A442DA06D64@palinka.tinho.net> Message-ID: > Begin forwarded message: > > From: dan > > Worthwhile article from the New Yorker magazine > > https://www.newyorker.com/magazine/2017/09/04/the-fake-news-fallacy > > --dan > > > The Fake-News Fallacy > Old fights about radio have lessons for new fights about the Internet. > > By Adrian Chen > > Radio, in its early days, was seen as a means for spreading > hysteria and hatred, just as the Internet is today. > > On the evening of October 30, 1938, a seventy-six-year-old > millworker in Grover's Mill, New Jersey, named Bill Dock heard > something terrifying on the radio. Aliens had landed just down > the road, a newscaster announced, and were rampaging through the > countryside. Dock grabbed his double-barrelled shotgun and went > out into the night, prepared to face down the invaders. But, > after investigating, as a newspaper later reported, he "didn't > see anybody he thought needed shooting." In fact, he'd been duped > by Orson Welles's radio adaptation of "The War of the Worlds." > Structured as a breaking-news report that detailed the invasion > in real time, the broadcast adhered faithfully to the conventions > of news radio, complete with elaborate sound effects and > impersonations of government officials, with only a few brief > warnings through the program that it was fiction. > > The next day, newspapers were full of stories like Dock's. "Thirty > men and women rushed into the West 123rd Street police station," > ready to evacuate, according to the Times. 
Two people suffered > heart attacks from shock, the Washington Post reported. One > caller from Pittsburgh claimed that he had barely prevented his > wife from taking her own life by swallowing poison. The panic > was the biggest story for weeks; a photograph of Bill Dock and > his shotgun, taken the next day, by a Daily News reporter, went > "the 1930s equivalent of viral," A. Brad Schwartz writes in his > recent history, "Broadcast Hysteria: Orson Welles's War of > the Worlds and the Art of Fake News." > > This early fake-news panic lives on in legend, but Schwartz is > the latest of a number of researchers to argue that it wasn't > all it was cracked up to be. As Schwartz tells it, there was no > mass hysteria, only small pockets of concern that quickly burned > out. He casts doubt on whether Dock had even heard the broadcast. > Schwartz argues that newspapers exaggerated the panic to better > control the upstart medium of radio, which was becoming the > dominant source of breaking news in the thirties. Newspapers > wanted to show that radio was irresponsible and needed guidance > from its older, more respectable siblings in the print media, > such "guidance" mostly taking the form of lucrative licensing > deals and increased ownership of local radio stations. Columnists > and editorialists weighed in. Soon, the Columbia education > professor and broadcaster Lyman Bryson declared that unrestrained > radio was "one of the most dangerous elements in modern culture." < - > From rforno at infowarrior.org Fri Sep 22 06:59:00 2017 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Sep 2017 11:59:00 -0000 Subject: [Infowarrior] - Reminder: Wall Street 'analysis' is not to be taken seriously. Message-ID: <51CF918B-D734-487C-B6C6-CD09C03A954A@infowarrior.org> (x-posted) You cannot make this stuff up. 
These clowns have a warped view of what constitutes a "high quality" company, especially since such 'analyst' reports are geared for longer-term investors and not speculative traders. --rick Analyst William Warmington Jr. comments "We are upgrading EFX from Market Perform to Outperform following a 31% decline in the shares (vs. the S&P 500 +1.4%) since the company first announced a data breach impacting 143MM US consumers on 9/7/2017. The magnitude of the breach combined with a multitude of high-profile issues (notification timing, Congressional investigations/hearings, insider stock sales, management turnover) have created, in our opinion, an attractive entry point for this high-quality consumer credit franchise. In this note we attempt to quantify the potential financial impact of the breach (framed as bull, base and bear cases) and are lowering our ests to reflect the base case. Despite the poor publicity, we believe EFX's core B2B business will be largely unaffected." Source: https://www.streetinsider.com/Analyst+Comments/Wells+Fargo+Upgrades+Equifax+%28EFX%29+to+Outperform%2C+Megabreach+Creates+Opportunity/13319550.html From rforno at infowarrior.org Fri Sep 22 08:54:49 2017 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Sep 2017 13:54:49 -0000 Subject: [Infowarrior] - Equifax is a reminder of larger cybersecurity problems Message-ID: Equifax is a reminder of larger cybersecurity problems By Richard Forno on September 22, 2017 at 3:50 am The Equifax data breach was yet another cybersecurity incident involving the theft of significant personal data from a large company. Moreover, it is another reminder that the modern world depends on critical systems, networks and data repositories that are not as secure as they should be. And it signals that these data breaches will continue until society as a whole (industry, government and individual users) is able to objectively assess and improve cybersecurity procedures. 
Although this specific incident is still under investigation, the fact that breaches like this have been happening -- and getting bigger -- for more than a decade provides cybersecurity researchers another opportunity to examine why these events keep happening. Unfortunately, there is plenty of responsibility to go around. Several major problems need to be addressed before people can live in a truly secure society. For example, companies must find and hire the right people to actually solve the overall problems and think innovatively rather than just fixing the day-to-day issues. Companies must also be made to get serious about cybersecurity -- at a time when many firms have financial incentives not to. Until then, major breaches will keep happening and may get even worse. < - > http://cyberlaw.stanford.edu/blog/2017/09/equifax-reminder-larger-cybersecurity-problems From rforno at infowarrior.org Fri Sep 22 09:13:45 2017 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Sep 2017 14:13:45 -0000 Subject: [Infowarrior] - London rejects Uber's license, saying the company is not 'fit and proper' for passengers Message-ID: <9296AB86-2E69-4DB9-AA19-0050ACC087F9@infowarrior.org> (Wondering if they used their Greyball software in London, too? --rick) London rejects Uber's license, saying the company is not "fit and proper" for passengers By William Booth and Karla Adam September 22 at 9:24 AM < - > Transport for London, the governing authority, said that it rejected the application to renew the license because "Uber's approach and conduct demonstrate a lack of corporate responsibility" by not reporting serious criminal offenses, obtaining medical certificates and background checks for the drivers. < - > Tom Tugendhat, a Tory member of Parliament, said Khan was a "Luddite" who wants to "switch off the Internet." 
"By banning Uber, Sadiq Khan is showing that socialism is about control when the Internet is pushing for freedom of choice," he said. < - > https://www.washingtonpost.com/world/europe/london-rejects-ubers-license-saying-ride-share-doesnt-protect-passengers/2017/09/22/6241d210-9f82-11e7-9083-fbfddf6804c2_story.html From rforno at infowarrior.org Fri Sep 22 09:17:52 2017 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Sep 2017 14:17:52 -0000 Subject: [Infowarrior] - Microsoft's subsea speed monster: A cable 16 million times faster than your broadband Message-ID: <89B96106-162F-46C3-A07A-7DD829CFFBF5@infowarrior.org> (IMO this is the take-away quote: "Marea continues the trend of tech giants investing in their own high-capacity subsea cables, rather than merely leasing them from other operators." --rick) Microsoft's subsea speed monster: A cable 16 million times faster than your broadband New Marea link gives Microsoft and Facebook enough capacity to stream 71 million HD videos at once. By Liam Tung | September 22, 2017 -- 12:09 GMT (05:09 PDT) | Topic: Networking http://www.zdnet.com/article/microsofts-subsea-speed-monster-a-cable-16-million-times-faster-than-your-broadband/ Microsoft, Facebook and Telefonica have hit a key milestone in delivering their new trans-Atlantic subsea cable with a data capacity of 160 terabits per second. Telefonica subsidiary Telxius has finished laying the Microsoft- and Facebook-backed Marea subsea cable, which stretches 4,000 miles (6,600km) across the Atlantic ocean from Virginia Beach, Virginia, to Bilbao in northern Spain. Microsoft boasts that its 160-terabit/s cable is 16 million times faster than your home broadband and could stream 71 million HD videos simultaneously. The cable contains eight pairs of fiber-optic threads wrapped in copper. Telxius, which will operate the cable once it goes live, began construction in August 2016. 
Marea, Spanish for 'tide', offers Facebook and Microsoft more global capacity for their data services, but also improved resilience thanks to landing at different points to most networks, which on the US side come ashore around New York and New Jersey. The route is south of existing transatlantic cables. Microsoft of course has a massive data center in Virginia too, on which it's reportedly spent $1.1bn. Facebook and Amazon also have data centers there. Marea continues the trend of tech giants investing in their own high-capacity subsea cables, rather than merely leasing them from other operators. As Wired noted recently, the Marea cable is noteworthy in that Microsoft and Facebook have more control over its future than if they had joined a consortium of telecoms providers, as Microsoft did with six Asian telco firms to launch the New Cross Pacific Cable. They also don't need to share capacity with other telecoms providers. Google, meanwhile, has backed the 60-terabit/s Faster cable, which spans 5,600 miles (9,000km) between Japan and the US west coast and gives Google exclusive access to part of its capacity. According to Microsoft, Marea is the highest-capacity connection of more than a dozen trans-Atlantic subsea cables. Marea also connects to nearby Sopelana, which links up with fiber networks connecting to other major European hubs like Paris, Frankfurt, Amsterdam, and London. Microsoft also points out that Bilbao offers a convenient path to hubs in Africa, the Middle East, and Asia. For Microsoft, the cable will help it improve its various cloud services, such as Azure, Office 365, Skype and Xbox Live. Facebook says it will help it improve the "increasingly data-intensive services" that it provides through WhatsApp, Messenger, Facebook, and Instagram. The cable is expected to become operational in early 2018, according to Microsoft. 
From rforno at infowarrior.org Fri Sep 22 17:58:29 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Sep 2017 22:58:29 -0000
Subject: [Infowarrior] - DHS tells 21 states they were Russia hacking targets before 2016 election
Message-ID:

DHS tells 21 states they were Russia hacking targets before 2016 election
By Joe Uchill - 09/22/17 05:21 PM EDT
http://thehill.com/policy/cybersecurity/351981-dhs-notifies-21-states-of-they-were-targets-russian-hacking

The Department of Homeland Security (DHS) notified 21 states Friday that Russia attempted to hack their election systems before the 2016 election.

In the majority of the states, the Department of Homeland Security only saw preparations for hacking, like scanning to find potential modes for attack. Voting machines are not connected to the internet and cannot be scanned in this way, but other systems, including those housing voter rolls, can be.

DHS has not released a list of what states were notified.

"[R]ecognizing that state and local officials should be kept informed about cybersecurity risks to election infrastructure, we are working with them to refine our processes for sharing this information while protecting the integrity of investigations and the confidentiality of system owners," DHS Spokesman Scott McConnell said in a written statement to The Hill.

McConnell later added: "As part of our ongoing information sharing efforts, today DHS notified the Secretary of State or another chief election officer in each state of any potential targeting we were aware of in their state leading up to the 2016 election. We will continue to keep this information confidential and defer to each state whether it wishes to make it public or not."

The Wisconsin Elections Commission took the DHS up on that offer, announcing that it was one of the states notified by DHS.
Wisconsin officials said their internet-facing systems were among those scanned by Russia but Russia did not hack or in any way impact any of its machines.

The United States intelligence community believes that Russia hacked the Democratic National Committee and other political targets in an attempt to influence the election. They do not, however, believe voting machines were hacked or votes were directly altered by Russia.

In August, Judd Choate, state election director for Colorado and president of the National Association of State Election Directors, expressed frustration that states had not been notified of Russian hacking attempts. At the time, DHS said it was working to address the issue, but that its initial policy was to only notify the group that was attacked, often times a contractor.

Illinois and Arizona announced before the election that voter rolls connected to the internet had been hacked by Russia. Alabama, Colorado, and Florida also confirmed to The Hill they had been targeted.

Five other states told The Associated Press they had been targeted including Colorado, Illinois, Maryland, Virginia and Washington. In most cases, they said they did not know until notified Friday by the U.S. Department of Homeland Security.

Elections are organized by states, not the federal government. DHS, however, has declared elections critical infrastructure, giving states a variety of voluntary options for assistance.

Lawmakers are raising questions about why DHS took so long to notify states.

"It's unacceptable that it took almost a year after the election to notify states that their elections systems were targeted, but I'm relieved that DHS has acted upon our numerous requests and is finally informing the top elections officials in all 21 affected states that Russian hackers tried to breach their systems in the run up to the 2016 election," said Sen. Mark Warner (D-Va.), the top Democrat on the Intelligence Committee, in a statement.
Morgan Chalfant contributed to this report.

This story was last updated at 6:51 p.m.

From rforno at infowarrior.org Sat Sep 23 07:35:34 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 23 Sep 2017 12:35:34 -0000
Subject: [Infowarrior] - Apple: iPhones Are Too 'Complex' to Let You Fix Them
Message-ID: <3034D747-8A03-4CF5-A7A5-CB542B828266@infowarrior.org>

Uh huh.....

Apple: iPhones Are Too 'Complex' to Let You Fix Them
https://motherboard.vice.com/en_us/article/xwgg8z/apple-iphones-are-too-complex-to-allow-unauthorized-repair

related:

'Fair Repair Act' proposal in New York under fire by Apple lobbyists
http://appleinsider.com/articles/17/05/18/fair-repair-act-proposal-in-new-york-under-fire-by-apple-lobbyists

From rforno at infowarrior.org Fri Sep 1 06:01:55 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 01 Sep 2017 11:01:55 -0000
Subject: [Infowarrior] - Talk of Assange pardon worries intelligence community
Message-ID: <933A8090-F07E-4059-908A-2F63B88F4C54@infowarrior.org>

Talk of Assange pardon worries intelligence community
By Joe Uchill - 09/01/17 06:00 AM EDT
http://thehill.com/policy/technology/348773-could-trump-pardon-assange

A GOP lawmaker's suggestion that Wikileaks founder Julian Assange could be pardoned by President Trump is being eyed warily by people in the intelligence community.

While a pardon for Assange seems unlikely, it's hardly impossible considering Trump's praise for Wikileaks and Assange's own efforts to question U.S. intelligence that Russia sought to influence last year's election. As such, the idea is being taken seriously in intelligence quarters.

"It would send a terrible message to the intelligence community," said Robert Deitz, a former senior counselor to the director of the Central Intelligence Agency and general counsel at the National Security Agency. Deitz currently works as a Professor at George Mason University's Schar School of Policy and Government.
"What moral are people supposed to draw from that? Why on earth would you believe Julian Assange before the intelligence community?"

Rep. Dana Rohrabacher (R-Calif.), who has come under scrutiny for his own ties to Russia, is behind the Assange pardon push. The deal Rohrabacher is trying to cut: pardon Assange in exchange for information he claims proves Russia did not collude with the Trump campaign during the 2016 presidential race.

The California Republican became the first U.S. lawmaker to meet with Assange at the Ecuadorian embassy in London early last month, where Assange has been holed up for years in an attempt to avoid arrest.

Rohrabacher claims Assange offered him "firsthand" evidence during the meeting that would prove there was no collusion between the Trump campaign and Russia during the race. Earlier this week, Rohrabacher claimed a meeting is in the works between himself and the president to discuss Assange's information and a potential pardon.

Trump showed he is willing to flex his pardoning power last week when he announced he would pardon Joe Arpaio, the controversial former sheriff of Maricopa County, Ariz.

The decision has stirred speculation in Washington over how the president will use the authority in the future, and with Assange, some suggest a pardon could be self-serving for Trump who has cast doubt on the NSA, CIA, FBI and Office of the Director of National Intelligence.

"He'd show that he'd do anything to skate out of the not just allegation, but clear fact of Russia's involvement [in the election]. That would be appalling," said Glenn Carle, a 23-year veteran of the CIA's clandestine services who finished up his career as deputy national intelligence officer for transnational threats on the National Intelligence Council.

However, unlike Arpaio, Assange hasn't actually been charged or convicted of any wrongdoing by the United States.
Officials have suggested for months that Assange could be charged at any time, but it still hasn't happened.

"It would be extremely unusual to pardon someone who hasn't been charged," said Margaret Love, who served as the Department of Justice pardon attorney between 1990 and 1997.

Love noted that some of the only cases where people who had not been charged with a crime were pardoned included former President Gerald Ford's pardon of still-uncharged former President Richard Nixon after Watergate; President Carter's pardon of Vietnam draft dodgers; and President Reagan's pardon of illegal immigrants.

Former members of the intelligence community told The Hill that such a pardon of Assange would also come with serious consequences.

"By serving the system, you undermine your values. By speaking out, you're betraying your oath. I spent a career getting people in that situation to commit treason," said Carle.

A pardon would also likely be interpreted as a slap in the face to the intelligence community as it continues to lick wounds caused by a culture of leaking.

"Leaks are harmful," said Deitz. "They can end up with people getting killed or losing access to other sources."

Michael Borohovski, a former intelligence contractor currently at a cybersecurity firm he founded, Tinfoil Security, similarly said that such a pardon would reinforce the idea that it is okay to leak.

"Assange allegedly was involved with a few of the largest intelligence leaks of all time. Pardoning him would make it seem okay," Borohovski said.

From rforno at infowarrior.org Sun Sep 3 07:46:38 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 03 Sep 2017 12:46:38 -0000
Subject: [Infowarrior] - DOJ: No evidence Obama wiretapped Trump Tower
Message-ID: <2BAD192C-EBA6-461B-8D90-9A569757ECCD@infowarrior.org>

(TL;DR: When even your own agencies refute your 'fake news'.
-- rick)

Justice Department: No evidence Obama wiretapped Trump Tower
By MATTHEW NUSSBAUM 09/02/2017 05:23 PM EDT
http://www.politico.com/story/2017/09/02/obama-trump-tower-wiretap-no-evidence-242284

There is no evidence to support President Donald Trump's claim that Barack Obama ordered the wiretapping of Trump Tower during the 2016 presidential campaign, the Justice Department said in a new court filing.

The DOJ made the statement in a motion for summary judgment filed Friday in response to a Freedom of Information Act lawsuit by the watchdog group American Oversight.

"Both FBI and NSD confirm that they have no records related to wiretaps as described by the March 4, 2017 tweets," the government said, referring to the Justice Department's National Security Division.

James Comey, who was FBI director at the time Trump made the statements, also said neither the FBI nor the Justice Department had information to support the tweets in sworn testimony before Congress. Trump later fired Comey, a move that has come under increasing scrutiny amid federal investigations into Russian interference in the 2016 campaign.

"The FBI and Department of Justice have now sided with former Director Comey and confirmed in writing that President Trump lied when he tweeted that former President Obama 'wiretapped' him at Trump Tower," said Austin Evers, executive director of American Oversight.

Trump has never produced any evidence to back up the explosive claim, which he made on Twitter in March, and which a spokesman for Obama promptly denied.

"Terrible! Just found out that Obama had my 'wires tapped' in Trump Tower just before the victory. Nothing found. This is McCarthyism!" Trump wrote at the time.

"How low has President Obama gone to tapp my phones during the very sacred election process. This is Nixon/Watergate. Bad (or sick) guy!" Trump added.

In response to a question about the DOJ filing, White House Press Secretary Sarah Huckabee Sanders said Saturday, "This is not news,"
and that the White House had responded to the matter weeks ago.

The White House has argued that Trump's comments were merely alleging surveillance, which is why he put 'wires tapped' in quotation marks in the initial tweet.

From rforno at infowarrior.org Tue Sep 5 06:45:25 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Sep 2017 11:45:25 -0000
Subject: [Infowarrior] - Invisible Manipulation: 10 ways our data is being used against us
Message-ID: <97205695-1D0D-4D1F-B522-12CFD74FDD8D@infowarrior.org>

Invisible Manipulation: 10 ways our data is being used against us
Privacy International
Sep 4
https://medium.com/@privacyint/invisible-manipulation-efb4243011ca

From rforno at infowarrior.org Wed Sep 6 06:03:05 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 06 Sep 2017 11:03:05 -0000
Subject: [Infowarrior] - UK's Terrorism Law Reviewer Says Tech Companies Shouldn't Offer Encryption To Anonymous Users
Message-ID: <23D63D63-6865-4611-A6FF-60DC05107B53@infowarrior.org>

UK's Terrorism Law Reviewer Says Tech Companies Shouldn't Offer Encryption To Anonymous Users
https://www.techdirt.com/articles/20170901/15020638134/uks-terrorism-law-reviewer-says-tech-companies-shouldnt-offer-encryption-to-anonymous-users.shtml

From rforno at infowarrior.org Wed Sep 6 14:57:06 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 06 Sep 2017 19:57:06 -0000
Subject: [Infowarrior] - Ayyadurai's defamation suit against Techdirt tossed by judge
Message-ID: <4012F78C-8E29-403B-A494-D6285CC50685@infowarrior.org>

Shiva Ayyadurai's defamation suit against Techdirt tossed by judge [pdf] (archive.org)
http://ia801509.us.archive.org/32/items/gov.uscourts.mad.185980/gov.uscourts.mad.185980.48.0.pdf

Background info.....
https://www.techdirt.com/blog/?tag=shiva+ayyadurai

From rforno at infowarrior.org Wed Sep 6 19:30:16 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 07 Sep 2017 00:30:16 -0000
Subject: [Infowarrior] - Ayyadurai to appeal his loss in Techdirt case
Message-ID:

https://arstechnica.com/tech-policy/2017/09/judge-dismisses-libel-lawsuit-filed-by-self-proclaimed-e-mail-inventor/

< - >

Charles Harder, Ayyadurai's attorney, e-mailed Ars a statement on behalf of his client, saying that Ayyadurai would be appealing the ruling.

"False speech is not protected by the Constitution, and TechDirt's false and malicious speech about Dr. Ayyadurai should receive no legal protection," Ayyadurai said in the statement. "False speech does harm to readers, who are misled by it; it does harm to journalism, which is weakened by it; and it does harm to the subjects of the speech, whose reputations and careers are damaged by it."

From rforno at infowarrior.org Thu Sep 7 16:04:34 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 07 Sep 2017 21:04:34 -0000
Subject: [Infowarrior] - Equifax says data breach could potentially affect 143 million US consumers
Message-ID: <27199FCD-851D-493C-B9FC-3783B1EA8118@infowarrior.org>

Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers
https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html
Todd Haselton | @robotodd
Published 29 Mins Ago | Updated Moments Ago
CNBC.com

Equifax, which supplies credit information and other information services, said Thursday that a data breach could have potentially affected 143 million consumers in the United States.

The population of the U.S. was about 324 million as of Jan. 1, 2017, according to the U.S. Census Bureau, which means the Equifax incident affects a huge portion of the United States.

Equifax said it discovered the breach on July 29.
"Criminals exploited a U.S. website application vulnerability to gain access to certain files," the company said.

Shares of Equifax fell more than 5 percent during after-hours trading.

Leaked data includes names, birth dates, Social Security numbers, addresses and some driver's license numbers, all of which the company aims to protect for its customers. The company added that 209,000 U.S. credit card numbers were obtained, in addition to "certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."

Equifax CEO and Chairman Richard Smith apologized to consumers and customers and noted that he's aware the breach affects what Equifax is supposed to protect.

Equifax said it is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities. Its private investigation into the breach is complete.

From rforno at infowarrior.org Thu Sep 7 19:00:59 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Sep 2017 00:00:59 -0000
Subject: [Infowarrior] - Coincidence? 3 Equifax Managers Sold Stock Before Hack Was Revealed
Message-ID: <87F096AE-E85E-4FA5-8722-D891B8791497@infowarrior.org>

Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed
By Anders Melin
September 7, 2017, 5:59 PM EDT
https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack

Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.

The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099.
Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.

Equifax said in the statement that intruders accessed names, Social Security numbers, birth dates, addresses and driver's-license numbers, as well as credit-card numbers for about 209,000 consumers. The incident ranks among the largest cybersecurity breaches in history.

Equifax shares tumbled 6.2 percent to $133.90 in extended trading at 5:50 p.m. in New York.

Marisa Salcines, a spokeswoman for the Atlanta-based company, didn't immediately return a call for comment.

From rforno at infowarrior.org Thu Sep 7 19:30:17 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Sep 2017 00:30:17 -0000
Subject: [Infowarrior] - How to Protect Yourself From That Massive Equifax Breach
Message-ID: <98758C29-5BC6-4B5A-A1FB-6C69B16276BB@infowarrior.org>

Lily Hay Newman | security | 09.07.17 | 07:34 pm
How to Protect Yourself From That Massive Equifax Breach
https://www.wired.com/story/how-to-protect-yourself-from-that-massive-equifax-breach

No data breach is good, but some are more palatable than others. We would all rather hear that our florist got hacked than, say, our bank. And the most painful breaches, like the Office of Personnel Management or Anthem health insurance incidents that involved stolen Social Security numbers and other hard-to-change personal data, are naturally the most valuable targets for attackers. We can now add the massive credit reporting agency Equifax to that list.

On Thursday, the company disclosed that a data breach it discovered on July 29 may have impacted as many as 143 million consumers in the United States. Equifax is one of the three main organizations in the US that calculates credit scores, so it has access to an extraordinary amount of personal and financial data for virtually every American adult.
The company says that hackers accessed data between mid-May and July through a vulnerability in a web application. Attackers got their hands on names, Social Security numbers, birth dates, addresses, some driver's license numbers, and about 209,000 credit card numbers. 182,000 "dispute documents," essentially complaint submissions that include personal identifying data, were also compromised in the breach. All told, as much as 44 percent of the US population will feel the impact of this breach for years to come, especially when it comes to their Social Security numbers.

"When this type of stuff happens, it's like oh, crap," says Alex McGeorge, the head of threat intelligence at the security firm Immunity. "Your Social Security number doesn't change, so this data is going to get resold on the black market and hold its value for a while." Assuming data was stolen by criminals and not a nation state, experts predict that it will circulate for years.

There are some things you can do to protect yourself. Equifax is offering a website, www.equifaxsecurity2017.com, where you can check whether you are one of the 143 million people whose data may have been compromised. (A small number of citizens in the United Kingdom and Canada may also be affected.) Currently, the website doesn't give you a simple answer about whether or not your data may have been affected, but it seems to tell you if it wasn't. Equifax is also offering a year of free credit monitoring and identity theft insurance that you can (and should) sign up for on that site if you're a US resident.

If your information could have been compromised in the breach, you might also want to consider paying for additional years of credit monitoring after Equifax's free year expires. Attackers may have better luck abusing the leaked data in earnest after that first year is over and many potential victims lose free monitoring. You should also keep a close eye on your finances.
"Consumers should remain calm and be cognizant of their personal credit report and activity," says Mark Testoni, the president of SAP National Security Services. "Check for notifications to see if new credit applications have been filed on your behalf, and monitor your accounts for adverse action. If your details are circulated on the black market, the big risks are fraudulent credit applications on your behalf and bad actors trying to find ways to take advantage of your personal [data]."

Equifax hasn't indicated who was behind the breach and says a law enforcement probe is ongoing. It's also unclear whether attackers compromised a third party that contracts with Equifax or a main Equifax web application. The "dispute document" data that was part of the breach is relatively specific and could indicate that the vulnerable web app was related to a customer submission service or a server that hosted databases including customer feedback logs. The company maintains, though, that its core credit reporting databases were unaffected, cold comfort given the scale of the breach that did occur.

"It begs the question, if 143 million people could be affected and this does not touch your core, where were you keeping this data?" McGeorge says. "Where does this data live that's not your core?"

Equifax is an obvious target for hackers since it processes so much valuable, individualized data, but there is also some irony given the personal security and identity theft defense products the company sells.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax chairman and CEO Richard Smith said in a statement. "We pride ourselves on being a leader in managing and protecting data."

There will be more questions in the days ahead about how this happened, and who at Equifax knew what, when.
But it's probably time for Smith to revise his marketing pitch.

From rforno at infowarrior.org Fri Sep 8 06:54:17 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Sep 2017 11:54:17 -0000
Subject: [Infowarrior] - The Fake Americans Russia Created to Influence the Election
Message-ID: <491CEC5C-F201-48FC-B93B-1246168AAD85@infowarrior.org>

The Fake Americans Russia Created to Influence the Election
https://www.nytimes.com/2017/09/07/us/politics/russia-facebook-twitter-election.html

Sometimes an international offensive begins with a few shots that draw little notice. So it was last year when Melvin Redick of Harrisburg, Pa., a friendly-looking American with a backward baseball cap and a young daughter, posted on Facebook a link to a brand-new website.

"These guys show hidden truth about Hillary Clinton, George Soros and other leaders of the US," he wrote on June 8, 2016. "Visit #DCLeaks website. It's really interesting!"

Mr. Redick turned out to be a remarkably elusive character. No Melvin Redick appears in Pennsylvania records, and his photos seem to be borrowed from an unsuspecting Brazilian. But this fictional concoction has earned a small spot in history: The Redick posts that morning were among the first public signs of an unprecedented foreign intervention in American democracy....

< - >

From rforno at infowarrior.org Fri Sep 8 10:12:18 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Sep 2017 15:12:18 -0000
Subject: [Infowarrior] - Why the Equifax breach is very possibly the worst leak of personal info ever
Message-ID:

Why the Equifax breach is very possibly the worst leak of personal info ever
Consumers' most sensitive data is now in the open and will remain so for years to come.
by Dan Goodin - Sep 8, 2017 2:09am EDT
https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/

It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks: for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.

Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number.

What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come.
Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired.

Amateur response

Besides the severity and scope of the pilfered data, the Equifax breach also stands out for the way the company has handled the breach once it was discovered. For one thing, it took the Atlanta-based company more than five weeks to disclose the data loss. Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach. While Equifax officials told the news service the employees hadn't been informed of the breach at the time of the sale, the transaction at a minimum gives the wrong appearance and suggests incident responders didn't move fast enough to contain damage in the days after a potentially catastrophic hack came into focus.

What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.
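The complaint above about the notification site's domain is the same judgement a filtering service such as OpenDNS has to make automatically: does a hostname sit under the organisation's own registered domain, or does it merely contain the brand name in a separate registration? The following is an added example written for this digest, not code from Equifax, OpenDNS or Ars Technica. It assumes a small asset inventory (`equifax.com` as the only owned domain, `equifax` as the brand token) and uses constructed sample hostnames; the registrable-domain helper takes the last two labels, which is a deliberate simplification of the Public Suffix List logic a production filter would use.

```python
# Added example for this digest (not code from Equifax, OpenDNS or Ars
# Technica): classify a hostname as living under a brand's own registered
# domain, as a look-alike that merely contains the brand name, or as
# unrelated. The owned-domain list, brand tokens and sample hostnames are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, Sequence

# Assumed asset inventory: domains the organisation actually registers.
OWNED_DOMAINS: Sequence[str] = ("equifax.com",)
# Brand strings whose presence in a non-owned name is suspicious.
BRAND_TOKENS: Sequence[str] = ("equifax",)


def normalize(hostname: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return hostname.strip().lower().rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Last two labels of the name. Simplification: a real filter should use
    the Public Suffix List so that names like example.co.uk are handled."""
    labels = normalize(hostname).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_owned(hostname: str, owned: Iterable[str] = OWNED_DOMAINS) -> bool:
    """True when the host is exactly an owned domain or a subdomain of one."""
    host = normalize(hostname)
    return any(host == d or host.endswith("." + d) for d in map(normalize, owned))


@dataclass
class Verdict:
    hostname: str
    registrable: str
    owned: bool
    brand_in_name: bool

    def risk(self) -> str:
        if self.owned:
            return "owned"
        if self.brand_in_name:
            return "brand-lookalike"
        return "unrelated"


def classify(hostname: str,
             owned: Iterable[str] = OWNED_DOMAINS,
             brands: Iterable[str] = BRAND_TOKENS) -> Verdict:
    host = normalize(hostname)
    return Verdict(
        hostname=host,
        registrable=registrable_domain(host),
        owned=is_owned(host, owned),
        # Brand anywhere in the name: this also catches equifax.com.example.net,
        # where the brand sits in a subdomain of someone else's registration.
        brand_in_name=any(b.lower() in host for b in brands),
    )


def triage(hostnames: Iterable[str]) -> Dict[str, str]:
    """Map each hostname to its risk label, e.g. for a mail or proxy filter."""
    return {h: classify(h).risk() for h in hostnames}


# Constructed sample of names a user might be sent after a breach notice.
SAMPLE_HOSTS = (
    "www.equifax.com",
    "www.equifaxsecurity2017.com",   # brand present, separate registration
    "equifax.com.example.net",       # brand in a subdomain of another domain
    "www.example.org",
)

if __name__ == "__main__":
    for host, label in triage(SAMPLE_HOSTS).items():
        print(f"{host:32} {label}")
```

The "brand-lookalike" label is exactly the state the article describes: a name the organisation did not register but that users are asked to trust because the brand appears in it. A defender's fix is to keep breach-notification pages on a subdomain of the owned domain so the check returns "owned" for the legitimate site and users (and filters) have nothing to second-guess.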
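The article goes on to report that the main Equifax site was showing debug output after the disclosure. What that failure mode looks like in code, and what the hardened setting returns instead, is shown in this added example; it is not Equifax's code or a reconstruction of its site. The request handler, the malformed-input fault, the internal table name in the exception text and the in-memory log sink are all constructed for illustration, and the only thing that differs between the weak and hardened configurations is the `debug` flag.

```python
# Added example, not Equifax's code: one request handler under a "debug"
# setting that returns the traceback to the client and a "production"
# setting that returns a generic error and keeps the detail in the server
# log. Handler, fault and log sink are constructed for illustration.
import io
import logging
import traceback
import uuid
from typing import Tuple

# Stand-in for the server-side log file. A real app would use a file or
# syslog handler; the point is that detail goes here and not to the client.
_log_stream = io.StringIO()
_log = logging.getLogger("breach_site.example")
_log.propagate = False
_log.setLevel(logging.ERROR)
_log.addHandler(logging.StreamHandler(_log_stream))


def server_log() -> str:
    """Everything the handler has written to its log so far."""
    return _log_stream.getvalue()


def lookup_consumer(consumer_id: str) -> dict:
    """Constructed backend call that fails on malformed input. The exception
    text deliberately mentions an internal table name, the kind of detail a
    verbose error page reveals."""
    if not consumer_id.isdigit():
        raise ValueError(f"bad consumer id {consumer_id!r} in table consumer_records")
    return {"id": consumer_id, "status": "found"}


def handle_request(consumer_id: str, debug: bool) -> Tuple[int, str]:
    """Return (HTTP status, response body). Only `debug` differs between
    the weak and hardened configurations."""
    try:
        record = lookup_consumer(consumer_id)
        return 200, f"record {record['id']}: {record['status']}"
    except Exception:
        ref = uuid.uuid4().hex[:12]     # opaque id the user can quote to support
        tb = traceback.format_exc()
        # Always log the full traceback with the reference id, server-side only.
        _log.error("ref=%s id=%r\n%s", ref, consumer_id, tb)
        if debug:
            # Weak setting: file paths, source lines, exception text and the
            # internal table name all go to whoever sent the request.
            return 500, "<pre>" + tb + "</pre>"
        # Hardened setting: nothing about the code or data layout leaves the server.
        return 500, f"Internal server error. Reference: {ref}"


def leaks_internals(body: str) -> bool:
    """Cheap check a deployment test can run against an error response."""
    markers = ("Traceback", 'File "', "consumer_records")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for flag in (True, False):
        status, body = handle_request("abc", debug=flag)
        print(f"debug={flag}: {status} leaks_internals={leaks_internals(body)}")
```

The `leaks_internals` check is the kind of assertion worth running against a production endpoint before and after every deploy: feed it deliberately bad input and confirm the 500 response carries only a reference id, while the matching traceback is findable in the server log by that id.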
Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which, for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence that company engineers have hardened the site against future devastating attacks.

It was bad enough that Equifax operated a website that criminals could exploit to leak so much sensitive data. That, combined with the sheer volume and sensitivity of the data spilled, was enough to make this among the worst data breaches ever. The haphazard response all but guarantees it.

Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.

From rforno at infowarrior.org Fri Sep 8 11:28:58 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Sep 2017 16:28:58 -0000
Subject: [Infowarrior] - Equifax Faces Multibillion-Dollar Lawsuit Over Hack
Message-ID: <75BD37D5-0D49-437F-B083-E6FB5BBF75AB@infowarrior.org>

(x-posted)

Equifax Faces Multibillion-Dollar Lawsuit Over Hack
Class action seeking to represent 143 million consumers alleges company didn't spend enough on protecting data.
By Polly Mosendz
September 8, 2017, 8:55 AM EDT
https://www.bloomberg.com/news/articles/2017-09-08/equifax-sued-over-massive-hack-in-multibillion-dollar-lawsuit

A proposed class-action lawsuit was filed against Equifax Inc. late Thursday evening, shortly after the company reported that an unprecedented hack had compromised the private information of about 143 million people.
In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack. Data revealed included Social Security numbers, addresses, driver's license data, and birth dates. Some credit card information was also put at risk.

Equifax first discovered the vulnerability in late July, though it chose not to announce it publicly until more than a month later. The company was widely criticized for its customer service approach in the aftermath of the hack, as users struggled to understand whether their information had been affected. Others expressed frustration that three senior executives sold about $1.7 million in stock in the days following the discovery of the hack. A spokeswoman for Equifax said the men "had no knowledge that an intrusion had occurred at the time."

The plaintiffs in the lawsuit are Mary McHill and Brook Reinhard. Both reside in Oregon and had their personal information stored by Equifax.

"In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard's information from unauthorized access by hackers," the complaint stated. "Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to."

The case was filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions. Ben Meiselas, an attorney for Geragos, said the class will seek as much as $70 billion in damages nationally.
From rforno at infowarrior.org Fri Sep 8 11:45:04 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Sep 2017 16:45:04 -0000
Subject: [Infowarrior] - PSA: Read the Equifax TOS before enrolling in their 'protection'
Message-ID: <6B0E4B89-13DB-47CC-B32B-F34D540307E1@infowarrior.org>

By signing up on Equifax’s help site, you risk giving up your legal rights

Worried you may be affected by Equifax's massive data breach? The credit bureau has set up a site, equifaxsecurity2017.com, that allows you to check whether your personal information was exposed. But you may want to think twice about using it, and here's why. The website's terms of service potentially restrict your legal rights.

Sharp-eyed social media users have combed through the data breach site's fine print — and have found what they argue is a red flag. Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident. Here's the relevant passage of the terms of service:

< - >

https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/?utm_term=.4a761406f46a

Also check out the MegaThread....
https://www.reddit.com/r/personalfinance/comments/6yv4gb/official_mega_thread_recent_equifax_security/

From rforno at infowarrior.org Fri Sep 8 15:17:22 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Sep 2017 20:17:22 -0000
Subject: [Infowarrior] - Equifax Breach Response Turns Dumpster Fire
Message-ID: <3F6EA258-0F37-4E59-9D81-5F2FC4BD566D@infowarrior.org>

Equifax Breach Response Turns Dumpster Fire
https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

From rforno at infowarrior.org Fri Sep 8 21:28:21 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 09 Sep 2017 02:28:21 -0000
Subject: [Infowarrior] - Virginia scraps touchscreen voting machines
Message-ID: <9B873A1C-1CDE-4DFA-8FA3-E49A5FA471CB@infowarrior.org>

Virginia scraps touchscreen voting machines
By Morgan Chalfant - 09/08/17 06:49 PM EDT
http://thehill.com/business-a-lobbying/349896-virginia-scraps-touchscreen-voting-machines

The Virginia State Board of Elections moved Friday to do away with touchscreen voting machines in the state by November’s election, a move aimed at boosting security.

The board decided to phase out the machines this year after the Virginia Department of Elections recommended that the touchscreen voting machines be decertified. The recommendation came after security experts breached numerous types of voting machines with ease at the DEF CON cybersecurity conference in Las Vegas in July, according to The Richmond Times-Dispatch.

The move comes amid heightened concerns over foreign interference in future elections, in light of the U.S. intelligence community’s conclusion that Russia used cyberattacks and disinformation to interfere in the 2016 presidential election.

Virginia’s gubernatorial election will take place in November, meaning that the move to get rid of the machines would result in 22 localities having to replace their equipment less than two months before the vote.
The state has already passed a law mandating that the machines be phased out by 2020. According to the Times-Dispatch, 10 localities have already started purchasing new equipment. The remaining 12 would need to work quickly to phase out the old equipment by Nov. 7.

“The security of the election process is always of paramount importance. The Department is continually vigilant on matters related to security of voting equipment used in Virginia,” Edgardo Cortés, the state’s election commissioner, said in a news release Friday. “The ability to meaningfully participate in our democracy is one of the most important rights that we have as citizens, and the Department of Elections is dedicated to maintaining voters’ confidence in the democratic process.”

Cyber experts have raised alarm over the touchscreen devices, called direct-recording electronic, or DRE, voting machines, because they yield no paper records that can be checked with the electronic records to make sure votes are tallied accurately.

More than 100 cyber and voting experts penned a letter to Congress in June urging them to take steps to secure future elections, including a recommendation to phase out DRE voting machines and others that do not produce a voter-verified paper ballot.

“While there has been encouraging progress to improve election security in recent years, too many polling stations across the nation are still equipped with electronic machines that do not produce voter-verified paper ballots,” they wrote. “Many jurisdictions are also inadequately prepared to deal with rising cybersecurity risks.”

The letter was sent the day that Department of Homeland Security officials testified of evidence that Russia targeted election-related systems in 21 states ahead of the 2016 presidential election.
While officials maintain that the systems targeted were not involved in vote tallying, Moscow’s interference campaign has nevertheless stoked fears about the possibility that foreign actors could attempt to use hacking to affect vote counts in the future.

From rforno at infowarrior.org Sat Sep 9 18:51:05 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 09 Sep 2017 23:51:05 -0000
Subject: [Infowarrior] - Equifax' awesome scheme for freeze thaw PINs
Message-ID:

For those looking to freeze their credit reporting data this weekend, you may find it pathetically interesting to note that the scheme Equifax uses to generate the PIN for you to thaw the freeze is, I kid you not, the date and time your freeze request transaction was processed: i.e., MMDDYYHHMM. You can't make this stuff up.

--rick

From rforno at infowarrior.org Sun Sep 10 09:10:33 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Sep 2017 14:10:33 -0000
Subject: [Infowarrior] - Be Very, Very Concerned About What Allergan Just Did
Message-ID: <83358FD0-A09A-4B90-97FD-F09AD11F4430@infowarrior.org>

(c/o KM)

Be Very, Very Concerned About What Allergan Just Did
Posted on September 9, 2017 by rachelsachs
http://blogs.harvard.edu/billofhealth/2017/09/09/be-very-very-concerned-about-what-allergan-just-did/

Yesterday, it was announced that Allergan had transferred the ownership of the patents on its billion-dollar drug Restasis, used for the treatment of chronic dry eye, to the Saint Regis Mohawk Tribe. The Tribe then exclusively licensed the drug back to Allergan, in exchange for tens of millions of dollars in both licensing and royalty fees. Although it may not sound like it, this transfer is potentially huge news in the drug pricing world. It is also extremely complex, and its full implications have yet to be determined.

Enormous caveat before we begin: I am by no means an expert on tribal sovereign immunity. I may well be wrong here. (In fact, I would very much like to be wrong here.)
There is little (any?) case law on sovereign immunity’s impact in the Hatch-Waxman area, and much of what follows is extrapolated from case law on tribal sovereign immunity both in IP and in other contexts, state sovereign immunity in the IP area, and discussions with other law professors. Please let me know if this is your area of expertise and you believe I’ve gotten the analysis wrong!

In short, if repeated and taken to its logical conclusion, this transfer has the potential to prevent any invalidity challenges to any drug patents. Would-be generic competitors could not seek to initiate inter partes review (IPR) actions before the Patent and Trademark Office (PTO). They could not bring declaratory judgment actions in federal court. And — both most importantly and most unclear — they could not bring Paragraph IV claims under Hatch-Waxman, preventing generic companies from challenging patents’ invalidity and requiring us all to wait until the very end of patent expiration to experience generic competition. Here’s why: tribal sovereign immunity claims will bar these suits. Let’s take them one at a time.

First, Allergan’s stated reason for the transfer is to insulate it from the ongoing IPR action against its patents. Allergan does not want to allow the PTO to find its patents to be invalid, and a newly asserted sovereign immunity argument seems likely to allow Allergan to dismiss the IPR. State universities whose patents end up in IPRs have successfully used this argument, and there is no reason to think it would not work here. This is also the reason that declaratory judgment actions of invalidity in federal court will be dismissed. As Professor Mike Carrier states in the New York Times’ coverage of Allergan’s transfer, there are reasons to be concerned about this set of implications. (Some might also remember that BIO and PhRMA have lobbied for legislation that would insulate their patents from IPR challenges.
They have been unsuccessful so far, and we might see Allergan’s actions here as one strategy to accomplish what they were otherwise unable to do.)

But it gets worse. Because it seems likely that tribal sovereign immunity would also insulate the tribe from a counterclaim of invalidity as part of a Hatch-Waxman Paragraph IV suit. Recall that the usual posture of a Paragraph IV suit is as follows: a generic drug company has filed a Paragraph IV ANDA alleging that the innovator company’s patents are invalid (for example). The innovator company then sues the generic for patent infringement, as permitted by the statute. The generic drug company may then counterclaim for invalidity. If they succeed in invalidating the innovator company’s patents, then the generic can come to market earlier than anticipated and help bring down drug prices more quickly.

Except that tribal sovereign immunity should insulate an innovator company from that counterclaim for invalidity. This may not be the case for state universities, who have been held to waive sovereign immunity for counterclaims by initiating the infringement suit in the first instance. But in a range of contexts, courts have held or reaffirmed that even tribes initiating lawsuits are immune from counterclaims. And it does not appear (on its face) that Hatch-Waxman has abrogated this sovereign immunity. Allergan has said that the transfer “has no impact on” an ongoing ANDA proceeding for its Restasis patents. But as a matter of law, it is not clear why that would be so. (For more, see Jake Sherkow’s great Tweetstorm here.)
< - >

http://blogs.harvard.edu/billofhealth/2017/09/09/be-very-very-concerned-about-what-allergan-just-did/

From rforno at infowarrior.org Sun Sep 10 11:50:51 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Sep 2017 16:50:51 -0000
Subject: [Infowarrior] - Equifax Lobbied To Kill Rule Protecting Victims Of Data Breaches
Message-ID: <7DF4F9F6-6418-46C0-9FA7-17F39B07EA9E@infowarrior.org>

Equifax Lobbied To Kill Rule Protecting Victims Of Data Breaches
By Alex Kotch @alexkotch AND David Sirota @davidsirota
On 09/08/17 AT 5:56 PM
http://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929

If you want to know if you were one of the 143 million people whose data was breached in a hack of Equifax’s data, the company has a website you can use to find out — but there appears to be a catch: To check, you have to agree to give up your legal right to sue the company for damages. The outrage that clause has now generated could complicate the company’s efforts — backed by Republican lawmakers — to block an imminent rule that would ban companies from forcing customers to agree to such provisions.

On Friday, social media users spotlighted fine print on Equifax’s website that appears to force users to agree to waive their class action rights if they use the company’s website to see if their personal data was exposed by the recent hack. It is precisely the kind of arbitration clause that a pending Consumer Financial Protection Bureau (CFPB) rule is designed to outlaw — if Republicans and the Trump administration allow it to go into effect as scheduled later this month.

Federal documents reviewed by International Business Times show that in response to that 2016 rule, the Consumer Data Industry Association (CDIA) — which says it is “the trade association which represents Equifax” —
pressed regulators to back off the proposed prohibitions, saying the regulations would subject data companies to tough penalties if during a class action suit they were found to have broken the law.

In one section of the letter, CDIA declares that federal regulators “should exempt from its arbitration rule class action claims against providers of credit monitoring products.” The letter asserted that allowing customers to sue companies “would not serve the public interest or the public good” because it could subject the companies to “extraordinary and draconian civil liability provisions” under current law.

In another section of the letter, Equifax’s lobbying group says that a rule blocking companies from forcing their customers to waive class action rights would expose credit agencies “to unmanageable class action liability that could result in full disgorgement of revenues” if companies are found to have illegally harmed their customers. Equifax’s lobbying group argued against the prohibition even as it acknowledged that a 2015 government study found “that credit reporting constituted one of the four largest product areas for class action relief” for consumers.

Consumer groups countered the claims of CDIA and other rule opponents by saying the ability to file suit is necessary to protect Americans’ legal rights. “The use of forced arbitration clauses has created a closed system where corporations allow court access only when it’s in their interest, where it is functionally impossible for consumers to recover small dollar amounts they are due under law, and where the deterrent effect of class actions has been lost,” wrote the Consumer Federation of America in a 2016 letter to the CFPB.

As written, the rule may not prevent Equifax from restricting customers’
legal rights as they seek to find out whether they have been harmed by this week’s data breach: The legal language says the arbitration provisions would apply only to contracts and terms of service six months after the rule goes into effect. However, the massive data breach and backlash against the company’s arbitration clause may impede Republicans’ efforts to repeal the rule.

“Equifax is doubling down on this data breach with a breach of that trust,” said Karl Frisch, executive director of consumer watchdog Allied Progress, in a press release. “This is nothing more than an underhanded attempt to deny the victims of this cyber attack their day in court... There couldn’t be a clearer example of why this new rule from the Consumer Financial Protection Bureau is so essential.”

With frustration about the breach and the website language simmering, Equifax issued a statement Friday evening. “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident,” said the company.

Equifax has delivered more than $500,000 of campaign cash to Republican lawmakers since the creation of the CFPB in 2010. During that time, congressional Republicans have waged a campaign to weaken the CFPB, culminating in this year’s Republican legislative proposals to repeal the rule and fully eliminate the agency. A top Trump-appointed regulator — former bank lawyer turned Acting Comptroller of the Currency Keith Noreika — has also previously pushed for the rule to be delayed. According to government watchdog Public Citizen, 24 Republican senators co-sponsoring a bill to kill the arbitration rule have, over the course of their political careers, collectively received over $11 million in campaign contributions from commercial banks and over $100 million from the financial sector overall.
Equifax itself has directly lobbied the CFPB on the arbitration rule. Federal records show that since the second quarter of 2015, a team of lobbyists from Equifax’s own government relations shop lobbied the Bureau on the “Use of arbitration agreements involving consumer financial products and services.” This year, the company was still lobbying the CFPB; during the most recent period for which lobbying information is available, the second quarter of 2017, Equifax had five lobbyists personally pushing the CFPB to revise the rule.

The company and CDIA are also both lobbying Congress on a Republican-sponsored House bill, pointed out by journalist David Dayen on Twitter on Friday, that would cap class action damages at $500,000 and eliminate punitive damages altogether. The bill's sponsor, Barry Loudermilk (R-GA), announced CDIA's support.

A long-time CDIA lobbyist and former top staff member from the Senate Banking Committee, Geoffrey P. Gray, is now lobbying Congress on a Republican bill to repeal post-2008 financial regulations. Federal records show that Gray has been working specifically to influence “provisions related to the structure, powers, and funding of the CFPB.”

UPDATED 9:10 p.m.: This story was updated to include a statement from Equifax.

From rforno at infowarrior.org Tue Sep 12 06:14:03 2017
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Sep 2017 11:14:03 -0000
Subject: [Infowarrior] - A new website lets you automatically sue Equifax with a click
Message-ID:

A new website lets you automatically sue Equifax with a click
Ethan Wolff-Mann
Yahoo Finance, September 11, 2017
https://finance.yahoo.com/news/new-website-lets-automatically-sue-equifax-click-214730288.html

The entrepreneur behind DoNotPay, a free online chatbot that has successfully fought around 375,000 parking tickets in New York, Seattle, and the U.K., is launching a new service on Tuesday that will allow people to sue Equifax for $15,000 in mere minutes.
On September 7, Equifax revealed a massive cybersecurity breach that potentially exposed the Social Security numbers and other personal information of 143 million people. The breach has spurred two dozen lawsuits in federal court involving lawyers who want to represent many plaintiffs. But it tends to be tough for individuals to sue companies like Equifax on their own.

“Three days ago I realized I should definitely be doing something for this,” Joshua Browder, DoNotPay’s creator, told Yahoo Finance. “I was doing research and I found no one is going down to small claims court on the state level.”

Despite the pending federal lawsuits, Browder sees small claims court as the ideal way to deal with this, without involving costly lawyers or complex cases that could last years. “I think people should be empowered to do it themselves,” Browder said. “Instead of taking Equifax to federal court, they could take Equifax to small claims. In a lot of these states you’re not allowed lawyers, there are no legal fees, and state judges are more sympathetic and more fair. They don’t take kindly to big corporations pushing people around.”

Class action cases generally won’t affect a consumer’s right to take a corporation to small claims court, provided the company does business in that state. However, you may have to opt-out of a class action to be eligible, something for which DoNotPay might have to write another bot. “The consumer can definitely go forward in small claims court, even if a class action is pending,” said F. Paul Bland, an attorney and executive director for Public Justice. “There’s no chance a class action would bar a consumer from bringing such a case.”

How the chatbot works

Earlier this year, Browder had developed custom software that allows him to quickly create a “chatbot,” a program that asks users questions. Using the answers, the chatbot can create useful forms — in this case, the documents needed to take Equifax to court.
With a team of mostly volunteer lawyers, Browder worked around the clock to get this new Equifax-suing robot on his DoNotPay website. “I thought, what if there were a way to file small claims in all 50 states? So I researched a process and found it’d be easy to do,” Browder said. “The small claims court is rigorous and efficient.”

The hard part, said Browder, was figuring out who to sue and the individual states’ quirks in the small claims suit-filing procedure. California is easy, but states like Texas make it very difficult, requiring a plaintiff to create their own lawsuit and complaint. The other challenge is figuring out where to serve.

In terms of damages, different states cap the amount differently, but somewhere between $10,000 and $15,000 is standard. Justifying these numbers is easy, according to Browder. “Our response is, we seek the maximum because of the permanent damage,” he said. “But in reality I think it varies. I think a lot of people will be hurt by this and will be able to demonstrate if someone has a $15,000 fraud there’s no reason they won’t get $15,000 back.”

DoNotPay does not make money or receive commissions so far, although Browder said perhaps an ad-revenue-based business model may appeal in the future. For Browder, a senior at Stanford, it’s more about the principle than money. In his view, DoNotPay can make a difference by handling the hard parts so a wronged consumer can more easily seek justice.

“It finds all the details of who exactly to sue and who to give the papers to,” Browder said. “All you have to do is provide your name and phone number. Then it spits out 8 pages with instructions and necessary forms. It probably takes about 20 seconds.” After you have the pages, you take the forms to court and they mail the parties a court date, which may be within a month or two. The ace-in-the-hole for small claims, Browder said, is that the defendant isn’t allowed to recoup legal costs — making it far less risky if the consumer loses.