P2P-Zone  

Old 11-06-14, 07:16 AM   #1
JackSpratts
 
 
Join Date: May 2001
Location: New England
Posts: 10,013
Default Peer-To-Peer News - The Week In Review - June 14th, '14

Since 2002

"We are asking for information that proves unlawful or corrupt conduct by the US government, the New Zealand government, spy agencies, law enforcement and Hollywood." – Kim Dotcom


"The Internet of tomorrow is disparate networks. People can grow their own Internet." – Micha Benoliel

June 14th, 2014




Infinit Revisits Personal Peer-to-Peer File Sharing
Kif Leswing

SUMMARY: Infinit is a fast, peer-to-peer file sharing application that uses its own protocol, eschewing Bittorrent.

A simple and fast way to share files peer-to-peer has been a holy grail for years: back in 2006, there was a flurry of companies addressing the space. You might remember AllPeers, Pando (not PandoDaily), or ToPeer, but rest assured, there were a lot of them, most of which threw in the towel when they found no clear path to monetization. When using a personal P2P program, the file is transferred directly to the recipient, as opposed to a web file sharing service like iCloud, which uploads the file to a server.

In the meantime, Dropbox became a $10 billion company while embracing the cloud: by applying a slick interface to Amazon Web Services, and promising users a dead simple way to share files, it gained over 300 million users and forged a bright future — no peer-to-peer protocols needed. But now a new French startup, Infinit, is revisiting personal P2P, but adding a cloud-based twist.

Even as personal cloud storage prices fall, personal P2P has a lot going for it: no hosting, no storage caps, superior privacy, and faster speeds for large file transfers. Whereas previous entrants into the personal P2P space often used open-source Bittorrent technology, Infinit uses a proprietary infrastructure, developed by co-founder Julien Quintard at Cambridge University.

As of now, Infinit has a Mac app, a Windows app, and an iPhone version in beta. First, you have to sign up for an Infinit account, which is how other users can find you and vice versa. Your account also lets Infinit act as a switchboard and cloud backup for the transfers: for instance, if you close your laptop before a transfer is finished, Infinit will email you to tell you the transfer didn’t complete. Alternately, it allows you to send files to Infinit users who might not have their computer on at the moment.

The app is well designed, and the Mac version is clearly the best version at the moment. Infinit lives in the menu bar, and offers a drop down menu not too different from Dropbox’s Mac implementation. To send a file to one of your contacts, simply drag the file up to the command-symbol icon. Infinit lets you search for new contacts, or simply send the file to an email: if the user doesn’t have an Infinit account, it’s possible to download a hosted version of the file. Its features are somewhat limited, but that means the app stays streamlined and simple.

I saw Infinit at the Techstars NY demo day last week, where its demo was a standout among the 12 startups competing, and where it announced that it raised $1.8 million in funding from Alven Capital and 360 Capital Partners. It’s an impressive app, and I can see it gaining a following among people who want to send big files regularly, like designers and coders. However, the old problem from 2006 remains: if Infinit becomes an indispensable app for millions, how is it going to make money?
https://gigaom.com/2014/06/09/infini...-file-sharing/





New Data on “6-Strikes” Copyright System Says 3% of Alleged Pirates had Internet Speed Reduced
Jeff John Roberts

SUMMARY: A new report finally sheds some details on a 6-strike system intended to deter piracy. One of the ways it does that is by slowing down pirates’ internet connections in some cases.

Internet service providers sent 1.3 million copyright warnings to subscribers in 2013, but only took steps to punish a small percentage of those by slowing down their connections.

Those findings are part of a new report that shines light on a controversial 6-strike enforcement process that was created last year as result of a private partnership between big studios and five large ISP’s (AT&T, Cablevision, Comcast, Verizon and Time Warner Cable). It involves the internet providers taking a series of escalating measures against alleged copyright infringers.

The process begins with two simple warning notices, followed by two more notices that require an acknowledgment, and then two “mitigation” measures — which involve the ISP redirecting the subscribers’ homepage and slowing down their internet connection.

Until now, few details have been available about how many people were affected and how the system has worked in practice. Here are some highlights from the report, which covers 10 months from 2013:

• 722,820 subscribers received a total of 1.3 million “Alerts”
• Only three percent, or 37,456 of the accounts, reached level 6, which results in reduced internet speed
• 265 people challenged the Alerts under an arbitration system and 18 percent of those (47 people) were successful, mostly by showing that someone else had used their account

“The majority of peer-to-peer copyright infringement is fueled by a small group of younger, predominately male digital consumers”

The report claims that there were no "false positives" in which the content owner had misidentified the account.
The report also states that most people knock off the infringing activities after the first notice, and that subsequent notices lead to a further decrease in the behavior.

A kinder, gentler copyright enforcement system?

The tone of the report suggests that Hollywood and music studios, which for years engaged in hardline legal tactics against piracy, are now embracing a more moderate philosophy when it comes to copyright enforcement.

In particular, the report notes that the digital marketplace has changed dramatically since 2009, and that consumers now have many options to buy legal versions of songs and videos at a reasonable price:

“With this expansion of Internet radio and music and video streaming and subscription services like Spotify, Beats Music, Hulu and Netflix, the marketplace for digital content is diverse, easily accessible and affordable.”
This comment appears to validate the theories of scholars like Bill Patry, who have long argued that the problem of piracy is largely a pricing problem, and that content owners should respond to it by flooding the market with authorized copies.

The 6-strike system itself is also a far cry from the original “3-strikes” system that copyright hawks had championed for years, and that (though never implemented) called for cutting off infringers from the internet altogether.

Finally, the overall tone of the report is much less strident than what we have come to expect from the studios, which have repeatedly portrayed file-sharing in the past as a criminal and law enforcement problem to be exterminated. This report instead uses more moderate language, and even takes account of the privacy interests of internet subscribers.

Some, however, may be uncomfortable that this de facto piracy enforcement regime between ISP’s and content owners is taking place largely outside the legal system, and that it could make the stakes even higher in the ongoing debate over net neutrality.

Here’s the report with some key parts underlined: 6 Strikes Summary
https://gigaom.com/2014/05/29/new-da...speed-reduced/





Kim Dotcom Offers £3m Bounty in Online Piracy Case

Megaupload founder in bid to prove US authorities aided by New Zealand illegally targeted him at behest of Hollywood studios
Agence France-Presse in Wellington

Kim Dotcom is offering a $5m (£3m) "bounty" to whistleblowers for information to help fight an online piracy case brought by the US.

The Megaupload founder, who is resisting extradition from New Zealand, said he had to resort to offering the money because the deck was stacked against him in one of the largest copyright infringement cases ever brought.

"My case is unfair," the German national tweeted. "I was declined discovery, I didn't get my own data back, I need whistleblowers I am offering USD $5M."

Dotcom, whose Megaupload empire was shut down in January 2012, has long argued that US authorities, aided by close ally New Zealand, illegally targeted him at the behest of Hollywood studios.

He told technology news website TorrentFreak.com that the multimillion dollar offer was aimed at helping him prove that allegation.

"We are asking for information that proves unlawful or corrupt conduct by the US government, the New Zealand government, spy agencies, law enforcement and Hollywood," he said.

"It is the opinion of my legal team that disclosure of such information would be lawful. I would also guarantee any whistleblower coming forward would have the best legal representation at zero cost."

Dotcom's extradition hearing is scheduled to begin in Auckland on 7 July although it has already been delayed several times amid legal wrangling over evidence disclosure.

If the 40-year-old and his three co-accused are sent to the US they will face charges of racketeering, money laundering and copyright theft, carrying potential jail terms of 20 years.

The US justice department and FBI claim Megaupload and related sites netted more than $175m in criminal proceeds, and cost copyright owners more than $500m by offering pirated copies of movies, TV shows and other content.

Major music labels and the film industry in the US have also filed lawsuits against the filesharing site. Dotcom has launched a new venture called Mega while on bail.
http://www.theguardian.com/technolog...-online-piracy





Alamo Drafthouse Bans Google Glass In Movie Theaters
Jen Yamato

Google Glass wearers have one fewer place to sport their wearable devices. Alamo Drafthouse CEO Tim League made his company’s policy official today, announcing that the cinema chain will ban use of Google Glass once house lights dim and trailers begin. The issue of allowing Google Glass wearers to use the head-mounted gadgets in movies made headlines earlier this year when a Columbus, Ohio man was interrogated for wearing his Glass in an AMC theater screening of Jack Ryan: Shadow Recruit. Drafthouse Cinemas, which operates theaters in Texas, Virginia, Michigan, Missouri, Colorado, and New York and is expanding to California, waited to take an official stance until Google Glass users began bringing the devices into their locations.

“We’ve been talking about this potential ban for over a year,” League told Deadline. “Google Glass did some early demos here in Austin and I tried them out personally. At that time, I recognized the potential piracy problem that they present for cinemas. I decided to put off a decision until we started seeing them in the theater, and that started happening this month.” The move makes Google Glass the latest addition to the Drafthouse Cinemas black list which already includes movie talkers, texters, and Madonna.

Google Glass’ built-in video recording capability has raised privacy issues over filming in public spaces, but theater owners’ concerns revolve around Public Enemy #1 for exhibitors: Piracy. AMC declared the wearing of any video-capable device “not appropriate for the movie theater” following the Ohio incident. League clarified that the Google Glass policy will be enforced on a case by case basis, with consideration to users wearing Google Glass as their primary eyewear. “It will be case by case, but if it is clear when they are on, clear when they are off, will likely be OK,” he Tweeted.

“I realize that technology may change and this type of device may eventually become widely adopted and even replace traditional glasses,” he said. “Down the road our policies may have to morph. Given the technology that exists today, however, I decided that banning the device while movies are playing is the best decision for us right now.”
http://www.deadline.com/2014/06/alam...ovie-theaters/





Court: TV Licence Fees Don't Apply to Computers

A Swedish court ruled on Friday that computers, surfing tablets, and mobile phones will no longer be counted as television transmitter devices, meaning Swedes will not have to pay annual fees to Sweden's TV licensing authorities.

A computer with an internet connection should not be classified as a television transmitting device, the Supreme Administrative Court (Högsta förvaltningsdomstolen) ruled on Friday morning.

The case was brought to the court after the Sundsvall Court of Appeals rejected the claims of a Lund man who argued that his computer didn't even have TV channel-receiving software and that he shouldn't have to pay the fee.

The man was one of over 500 who had complained about the law, which came into effect last year.

Anyone in Sweden with a television receiver is required by law to pay the 2,076 kronor ($320) annual fee, which is collected and enforced by Radiotjänst, a division of Swedish public service broadcasting.

Radiotjänst collects around 7 billion kronor ($1.09 billion) per annum which is used to part-finance Sveriges Television, Sveriges Radio and Utbildningsradio (UR).

A 2006 law stating that anyone who can access an entire TV channel on any device is required to pay the fee came into effect last year when TV4 made all of its content available online. The law stated that the fee would be applicable on any "device meant to receive the transmission or retransmission of TV programmes, even if the equipment can be used for other means".

The court on Friday ruled that a computer, however, should not count as such a device. While computers can receive television signals, they are not specifically designed to do so and it is not their key purpose - thus exempting them from the fee.

The court referred to the television license as a "cumbersome responsibility", and stated that the fee cannot be imposed on computers without "clear support from the law".

It was also decided that the man in Lund will get his money back, although Radiotjänst said they do not plan on reimbursing others.

"We believe we have done the right thing to this day. This is a new praxis and will be applicable in the future," Radiotjänst CEO Carl-Gustav Johansson said.
http://www.thelocal.se/20140613/comp...ce-fees-court/





‘Popcorn Time’ Gives Users Anonymity with a Free Built-In VPN
Ernesto

One of the Popcorn Time forks has included a free VPN option in its software, allowing users to hide their IP-addresses from the public. This feature is a response to copyright trolls, who regularly send settlement requests to users who pirate movies via BitTorrent.

The Popcorn Time phenomenon took the Internet by storm earlier this year. The software became the subject of hundreds of news articles, as it offered P2P streaming in an easy to use Netflix-style interface.

Overwhelmed by the response the original team quickly retired. However, since the code is open source, many competing forks quickly adopted the project, each taking it in a different direction.

Time4Popcorn is one of the most popular reincarnations of Popcorn Time. The team behind the project has introduced several new features to their version, including TV-show listings and Android support.

These changes definitely increased the appeal of the application, but there was a threat lurking around the corner. In common with all other BitTorrent-based software, copyright holders are actively monitoring the activities of people who pirate their works.

This already resulted in fines for German users of a Popcorn Time fork, but users in the United States and other regions where copyright trolls are active face the same risk. To counter this “threat” the Time4Popcorn team decided to implement a VPN feature, for free.

“Throughout these last months we realized that making the ultimate watching experience for everyone is important. However, something that is even more important to us is that everyone will be able to get this experience without risking themselves,” the Time4Popcorn team tells TorrentFreak.

The news about the settlement requests prompted the developers to include a VPN option to anonymize use of their client.

This week the feature was added to the latest 4.2 Alpha release. By clicking a lock icon users can quickly connect and disconnect the built-in protection. Although it may take some more time before a stream starts playing, it appears to work just fine.

“Thanks to the new VPN feature everyone from anywhere in the world will be able to use Popcorn Time, worry free. That makes us very happy,” the team tells us.

The VPN itself is not run by the Popcorn Time team. Instead, they came to an agreement with the VPN provider Kebrum, who are offering their services for free. TorrentFreak reached out to Kebrum to find out why they agreed to join the project.

“There are not a lot of opportunities in life to be a part of a revolution and we have recognized this opportunity. One of the main goals of the company is to bring back the anonymity to the internet,” Kebrum’s Martin tells us.

“We believe Popcorn Time is the revolution that will change the entertainment industry forever. And now, with our help, Popcorn Time can do for the world of internet anonymity the same as they will do for the world of entertainment.”

This revolution does come at a cost for the company, as it has to pick up the bills. However, Kebrum believes that the brand exposure will make up for this investment. The traffic shouldn’t be a problem for the company, as it has plenty of resources available.

“From our experience and the expected usage stats provided by Popcorn Time, we believe that the resources we allocated for Popcorn Time users should be enough in order to give a good and fast download experience. Our servers are prepared to handle the traffic,” Martin says.

As with all other features, the VPN functionality is released as open source under a GPLv3 license.

The Time4Popcorn team plans to inform its users about the new VPN feature in the coming days, and once it’s included in the stable release older versions will update automatically.
http://torrentfreak.com/popcorn-time...in-vpn-140607/





No Web? No Worry. DewMobile Raises $20M to Further File-Sharing App
Sonja Cheung

Chinese startup DewMobile Inc., which has designed an application that allows users to transfer files between devices without being connected to the Web, has scored a $20 million Series B round of funding from investors including IDG Capital Partners and Northern Light Venture Capital.

Innovation Works also participated in the funding. Beijing-based Innovation Works, which was set up by Taiwanese venture capitalist Kai-Fu Lee, and Northern Light were also among a group of investors that had previously backed the company’s $4 million Series A round and $2 million worth of angel investment.

DewMobile’s application, known as Zapya, or Kuaiya in China, reconfigures the Wi-Fi chip in a user’s smartphone or computer, for instance, so it essentially works as a router that can send out signals and establish a connection to other people’s electronics. For those who have also downloaded Zapya, users can share files including movies or games without a Web connection.

This is particularly relevant for people who live in cities or countries where Internet connection is poor.

Over 90% of Zapya’s users are from China, with others from places including Malaysia and Myanmar, where telecom infrastructure is less developed. Zapya currently has around 80 million users, said Frank Wang, chairman and chief executive of DewMobile.

In China, some of Zapya’s users can be found in lower-tier cities, where blue-collar workers have traditionally had to congregate at “download bars” to access online movies or mobile games due to little or no Internet connection at their homes or work.

Mr. Wang said he expects users of Zapya to increase to 100 million by this autumn, and up further to 200 million by next spring. The application can be used across electronics that include personal computers and Android devices, and is “self-replicating,” he said. This means that Zapya automatically picks up on any nearby device, and can invite non-users to download the application. This viral-like feature has meant that DewMobile hasn’t had to do much marketing of the application.

When user numbers rise up to the 100 million mark, Mr. Wang said that will be the time to commercialize Zapya. DewMobile is planning to team up with game developers who are seeking to increase distribution, and would utilize Zapya to pass on games. When Zapya is downloaded on, for example, the smartphone of a new user so would the game.

For now, proceeds from the Series B round will be used to expand DewMobile’s team of 70 people, to potentially 140 people in the future. It currently has offices in Beijing, Nanjing and Silicon Valley in the U.S.

DewMobile will likely keep its focus on China, Southeast Asia and other emerging markets, with plans to expand into the U.S. at a far later date.

DewMobile was set up in 2012 by Mr. Wang, a serial entrepreneur, who previously co-founded a wireless network company called Azalea Networks Inc. that was sold in 2010 to Aruba Networks, a network products maker. After the acquisition, Mr. Wang moved onto Northern Light in an advisory role to help guide the Beijing-based venture firm’s portfolio companies on the operations side.
http://blogs.wsj.com/venturecapital/...e-sharing-app/





Could This App Create A Free, Secret Web?
Parmy Olson

Facebook is doing it with drones, Google is doing it with balloons that occasionally crash into power lines. Bringing free Internet access to the unconnected millions in developing countries is complicated and expensive. What if there was an easier way?

A startup called Open Garden thinks the answer is already in people’s pockets: their smartphones.

In the last two years, five million people have downloaded the company’s free Android app Open Garden to create wireless hotspots, and its FireChat app for iPhones and Droids to chat anonymously with other users “off the grid.” The FireChat app suffers from a few bugs and messy, chaotic chat rooms, but what’s tantalizing about both services is that they need no WiFi connection or carrier plan to get connected. Just another person with the app, within a 70-meter radius.

These apps are among the first consumer use cases for a technology known as mesh networking. This refers to the creation of a peer-to-peer “mesh” of smartphones that form their own separate network. If at least one smartphone is online, the rest of the network can not only talk to one another, but connect to the web too.

The technology sounds unreal, but it works. After it launched last March, FireChat instantly became the top social networking app in Taiwan. The reason: around 100,000 activists in Taipei had taken to the streets to protest a trade agreement with China, and local blogs like this one urged them to download FireChat — just in case the government shut down web access.

In the end there was no shut-down, but people still used FireChat to remind one another to be safe, and communicate with student activists occupying the parliament, according to Open Garden. Many activists even found themselves arguing with other FireChat users on mainland China about the trade agreement they were protesting. These kinds of cross-border debates are almost unheard of on popular Chinese chat services like WeChat or Sina Weibo thanks to Beijing’s firewall.

There’s been similar interest for FireChat in Iran. Users in the country have started 1,800 FireChat groups, according to Open Garden, making Iran the second biggest user of the app after the United States. India, Brazil and Mexico follow close behind, and Open Garden says people in Cairo and on the outskirts of Baghdad, Iraq are using the app too.

These are places where accessing the Internet is expensive, even dangerous, and where having a secret network away from the prying eyes of state authorities is an attractive prospect.

Mesh networks aren’t new. The U.S. government has put millions into building them in countries like Cuba to promote activism there. (See also the USDA’s Cuban “Twitter” project.)

But Open Garden seems to be getting more traction than other, similar efforts. Its chat service can be used both with an internet connection, and without. Users just need to have their WiFi and Bluetooth on, even if their phone is in airplane mode. If there’s no WiFi signal, it’ll work if there’s another user within 70 meters (230 feet). Once a FireChat user goes off the grid like this, San Francisco-based Open Garden can’t track them anymore. That’s why they have no idea how many people are actually using its off-the-grid feature. But downloads and user feedback suggest people are using it to create their own separate networks.

“The Internet of tomorrow is disparate networks,” said FireChat founder Micha Benoliel from the company’s headquarters on San Francisco’s Treasure Island. “People can grow their own Internet.” FireChat and parent company Open Garden have about 10 employees based in an open plan office on the corner of a dusty road that passes abandoned army compounds and other large buildings in the island. Around the corner is a striking view of the San Francisco metropolis, the kind of urban area where mesh networking could really take off.

That speaks to the bigger potential for Open Garden’s technology — not secret communication, but getting more people online.

Open Garden has already worked with entrepreneurs in India who used 10,000 donated Android tablets to get web access, once just a few put Open Garden on their smartphones to turn them into makeshift routers. The entrepreneurs had almost no connectivity infrastructure around them, Open Garden says, but they could still access the web.

To get a whole city like San Francisco online, Benoliel says he’d need at least 7% of the city’s population to use Open Garden. That’s around 500 devices per square kilometer of a densely populated area. If he can reach that tipping point, Benoliel says he’ll get around 93% of those users connected to each other, and the web, for free.

The idea is moving from being far-fetched to possible because urban areas are now teeming with smartphones. There are more than 800 million Android phones and 300 million iPhones in active use in the world today. With those numbers growing, the prospects of creating “meshes” in densely populated cities gets bigger every year.

“Google has millions of Android phones they never see because they never connect to the Internet,” says Benoliel, who has been working on the technology for more than three years.

He points out that 99% of his Android tablet users are Wifi-only, and rely on hotspots to get online. Open Garden thinks it could get those people online for an extra 44 minutes longer per day, on average, if they used its app. While that would eat further into some users’ data plans, the constant moving of devices would mean that users “get as much as they give,” the company says.

A note on the technology behind this: For iPhones, Open Garden harnesses Apple’s Multi-peer Connectivity Framework, a little known feature that Apple introduced with iOS 7 for the iPhone last September.

Back then it was unclear why Apple installed the framework in the first place — that is, until last Monday.

At its WWDC keynote, Apple revealed it had also put the protocol in its new operating system for Mac, called Yosemite, part of its move to get its devices talking to one another more seamlessly. Apple calls this Continuity, and it’s bound to become a much bigger part of whatever Apple rolls out later this year with a wearable or smart home device.

Open Garden has already been harnessing Apple’s technology to let iPhones talk to each other, and without any help from carriers. (Apple, whose tight relationships with carriers are key to its $88 billion-a-year iPhone business, probably wouldn’t want to go down that route itself.)

FireChat is all about demonstrating the potential of Open Garden’s mesh networks. “It’s a bit like when Microsoft came out with Windows and wanted to show people the benefit of the graphical user interface,” says Open Garden co-founder Christophe Daligault. “It came out with Word and Excel and people said, ‘Oh, this is the kind of applications we can build.’”

Till then, Open Garden needs to make money. It has considered licensing its patented technology to the likes of Google and Facebook, to help get them into the developing world and the next frontier for selling online ads.

But the startup is far more interested in releasing a software development kit (SDK) for other Internet partners who could show ads through Open Garden’s mesh networks, in exchange for a fee.

“This can be a billion dollar company if we can get to the tipping point,” says Benoliel, referring to the 7% uptake in urban areas.

Open Garden may already see itself getting close. The company raised more than $10 million in venture capital funding at a $40 million valuation in April, according to filings provided by VC Experts. Since then it’s been seeking even more, according to another source with knowledge of the matter, and at an eye-popping $1 billion valuation.

Daligault and Benoliel wouldn’t comment on the details of their fundraising.

“Our core business is connectivity,” Benoliel repeats. “The traditional players are the carriers, who deploy cable and fiber infrastructure. Then you have a new breed of players in connectivity, like Facebook and Google, playing with fiber but now doing experimental work with satellite and drone.

“We believe we fit there with a revolutionary approach. With a simple app.”
http://www.forbes.com/sites/parmyols...ee-secret-web/





Ars Tests Internet Surveillance—by Spying on an NPR Reporter

A week spent playing NSA reveals just how much data we leak online.
Sean Gallagher

On a bright April morning in Menlo Park, California, I became an Internet spy.

This was easier than it sounds because I had a willing target. I had partnered with National Public Radio (NPR) tech correspondent Steve Henn for an experiment in Internet surveillance. For one week, while Henn researched a story, he allowed himself to be watched—acting as a stand-in, in effect, for everyone who uses Internet-connected devices. How much of our lives do we really reveal simply by going online?

Henn let me into his Silicon Valley home and ushered me into his office with a cup of coffee. Waiting for me there was the key tool of my new trade: a metal-and-plastic box that resembled nothing more threatening than an unlabeled Wi-Fi router. This was the PwnPlug R2, a piece of professional penetration testing gear designed by Pwnie Express CTO Dave Porcello and his team and on loan to us for this project.

The box would soon sink its teeth into the Internet traffic from Henn's home computer and smartphone, silently gobbling up every morsel of data and spitting it surreptitiously out of Henn's home network for our later analysis. With its help, we would create a pint-sized version of the Internet surveillance infrastructure used by the National Security Agency. Henn would serve as a proxy for Internet users, Porcello would become our one-man equivalent of the NSA’s Special Source Operations department, and I would become Henn's personal NSA analyst.

As Henn cleared a spot on his desk for the PwnPlug, he joked that it might not provide anything useful for us to analyze. In the year since Edward Snowden pulled back the curtain of secrecy around the NSA’s dragnet surveillance programs, many of the major Internet service providers targeted by the spy agency have publicly announced plans to better protect customers, often through the expanded use of encryption.

Our experiment would answer the question: could a passive observer of Internet traffic still learn much about a target in this post-Snowden world?

Henn dialed up Porcello and put him on speakerphone as we finalized the location and setup of the PwnPlug. As I snapped in an Ethernet cable, Henn turned on his iPhone and connected to the PwnPlug’s Wi-Fi network. Porcello watched remotely as data from Henn's network suddenly poured into a specially configured Pwnie Express server.

“Whoa,” Porcello said. “Yep, there’s Yahoo, NPR... there’s an HTTP request to Google... the phone is checking for an update. Wow, there’s a lot of stuff going on here. It's just thousands and thousands of pages of stuff... Are you sure you’re not opening any apps?”

“I didn’t do anything!” Henn replied. “My phone is just sitting here on my desk.”

He checked his phone and found that Mail, Notes, Safari, Maps, Calendar, Messages, Twitter, and Facebook were running in the background—and making connections to the Internet. The Safari Web browser proved the most revealing. Like most people who use the iPhone, Henn had left open dozens of websites; when his phone had connected to the PwnPlug’s network, the browser had refreshed them, revealing movies he was checking out for his kids, a weather report, and research he was doing for work.

In the first two minutes of our test, we had already captured a snapshot of Henn’s recent online life—and the real surveillance hadn't even begun.

Your own personal NSA

While the NSA runs hundreds of surveillance programs, its broad, passive surveillance of the Internet has just two key components: Turbulence, a network monitoring system that skims traffic from the Internet’s fiber-optic backbone, and XKeyscore, an analytics database that processes the captured traffic, using rules that look for specific strings of text or patterns in data (e-mail addresses, phone numbers, file attachments). According to leaked NSA documents and whistleblower testimony, pieces of both Turbulence and XKeyscore are scattered about the world near Internet chokepoints such as the infamous “secret room” at AT&T’s San Francisco offices that has been described by former AT&T employee Mark Klein.

To recreate this setup in miniature, the PwnPlug in Henn’s office was configured as a Wi-Fi access point; it acted as our equivalent of the NSA’s Turbulence. While the PwnPlug is generally used for network penetration testing, Porcello configured the device used in our test only to intercept traffic outbound to or inbound from the Internet, not traffic that began and ended on Henn's home network. The device captured every packet matching these criteria and sent it over a secure SSH connection back to a server at Pwnie Express headquarters in Berlin, Vermont.

The remote machine at Pwnie acted as our diminutive version of XKeyscore. To emulate the NSA's processing of captured traffic, Porcello ran a number of open source analytics tools against Henn's traffic, including the ngrep packet search tool, the tshark and Wireshark traffic analysis tools, the tcpflow data stream capture tool, the dsniff suite’s passive monitoring tools, and tcpxtract for capturing files within Internet traffic.

For more than a month before the experiment began, Ars Technica and NPR made technical and legal preparations to ensure that any data captured from Henn would be handled with confidentiality and care. The focus would be solely on Henn’s personal online activities; we explicitly did not attempt to penetrate NPR’s corporate network, to hack Henn’s computer or phone, or to grab traffic from Henn's other family members. We would simply watch the traffic passing between our test Wi-Fi network and the Internet in the same way that the NSA collects data from millions of Internet users around the world each day.

Our full access to Henn's activities lasted for several days while he reported a single story. To make Henn as accurate a proxy as possible for the average unsuspecting Internet user, one condition stipulated for the test was that when the PwnPlug was active, Henn wouldn’t take extra measures to avoid surveillance (though he followed his normal operational security protocols). Henn could also pull the plug on our test at any time.

The experiment unfolded in two phases. In the first, we simply observed Henn’s normal Internet traffic. In the second, Henn, Porcello, and I stopped the broad surveillance of Henn and turned our tools on specific traffic created by leading Web applications and services. Here's what we found.

You’re listening to NPR

Watching Henn’s traffic let us track much of his activity on the open Internet, but it didn’t give us everything. Like many people who work from home, Henn's corporate e-mails, Voice over IP phone (VoIP) calls, and other official communications were concealed by encryption—either by application-specific encryption or by NPR’s virtual private network. Encryption, when applied consistently, at least helps to thwart casual passive surveillance.

However, we quickly discovered that the encryption used by most popular Internet services doesn’t completely protect users from eavesdropping. Inconsistent implementations of encryption, plus data leaked by connections to unprotected sites, still provided us with enough data to paint a fairly complete picture of what Henn was doing.

On one of the days we watched him, Henn was reporting on environmentally friendly data centers, though I didn't know this at the time.

I got my first hint of what Henn was researching by reconstructing his Google searches. Google encrypts searches by default now, but data leaks from Google’s search engine can easily give up a person’s searches once they’ve been de-anonymized—in part by using Google’s own “cookies” against a target.

To provide its services, Google uses several cookies, small bits of unique text that are stored by users' Web browsers. One of these, the PREF cookie, tracks user identity separately from a Google login, in part to track what users search for and then to serve up context-appropriate advertisements.

This unique identification capability means that cookies are also valuable to anyone else listening in. According to documents published by The Washington Post, the NSA has used Google’s PREF cookie ID value as a “strong identifier” to associate a specific Web browser with a specific stream of Web traffic.

Even within Google’s encrypted sites, Google doesn’t encrypt PREF cookie data sent from the browser to various services. For example, Google’s secure search page makes calls out to Google Maps using the PREF cookie “in the clear,” along with unencrypted requests for maps embedded within search results. Thus, map data presented within the otherwise “secure” search results can offer hints about what the user was actually searching for—or even the street address.

In our test, I was able to isolate PREF cookie data quickly and use it as a key to search through all of Henn’s captured traffic. In the first block of traffic I searched, I got hits on Henn’s ID for calls to ads.google.com from a discount shopping site. Henn said he had no recollection of him or his wife ever visiting the site, so how this request was generated by his Web browser remains a mystery.

But there were also requests to maps.google.com from within Google Search. The maps showed Grundy County, Iowa and Forest City, North Carolina. What did both locations have in common? One is the site of a wind farm for a new Facebook data center; the other holds an existing high-efficiency Facebook data center.

In addition, the search queries for these locations were embedded in the Web calls to maps.google.com. When I discussed these locations with him later, Henn confirmed he was looking at the locations to see if he could get local public radio reporters or freelancers to make site visits.

I conducted the same location test on myself and found the same thing—a search using a store's name generated an unencrypted request to Google Maps, which contained my search term and data about my IP address. Security researcher Ashkan Soltani confirmed the leak in an e-mail exchange, writing, "Basically the short answer is: it's significant but depends on the client." (Internet Explorer appears unaffected.)

We reached out to Google for comment. It turns out that we had found a bug in Google search—one that Google has since corrected.

But there are even simpler ways to track someone's searches—if you can't see the search queries themselves, look at the results that get clicked. It’s possible to reverse engineer searches by scanning captured traffic for “referrer” tags, which tell websites about incoming traffic.

As part of our analysis of Henn’s traffic, I searched for "Google" in these referrer tags, allowing me to identify the pages Henn clicked on from Google search result pages. Google stopped sending its search terms as part of the referrer tag when it started encrypting search result pages, so I couldn’t always determine the exact search query Henn had used. But thanks to the search engine optimization efforts of the websites he visited, I was able to capture URL keywords that provided strong hints—keywords that Henn would later tell me matched almost exactly with his searches:

• who-coined-cloud-computing
• data-centers-waste-vast-amounts-of-energy-belying-industry-image
• global-warming-and-energy
• searching-the-planet-to-find-power-for-the-cloud
• recent-updates-to-the-oed
• clickclean-interactive-us
• ca-vantage-data-centers-id
• new-iowa-wind-farm-will-feed-facebook-data-center
• global-warming-and-energy
• the-facebook-data-center-faq

With the map information and a partial Google search history reconstructed, I could easily guess what sort of story Henn was researching.

What crypto doesn’t conceal

Once you’ve left the (relative) safety of the major search, mail, and social media providers, the vast majority of what you do online is an open book. Most websites are unencrypted, as are the identifying cookies that Web browsers pass to them—cookies that can help unmask the people using those browsers. And while most of the major webmail services and other e-mail providers have provided encryption to protect e-mail content between users and their mail servers, a significant portion of e-mail traffic between mail servers remains unencrypted—leaving the content open to perusal by governments or anyone else who can capture it.

Extracting meaningful information from all that content doesn’t require that someone read everything in it. The NSA’s XKeyscore and a variety of traffic analysis tools can pull a trove of information from unencrypted Web and mail traffic. They can scan for keywords or look for patterns in data that identify “entities”—known data structures such as a name, an e-mail address, or a phone number. They can also count the repetition of words within a document to provide analysts with a sense of what the text is about—“bomb instructions,” “divorce lawyers,” or “casual encounters.”

Based on analysis of Henn’s traffic, I already knew that he was looking into cloud computing. I also knew the organizations he was researching based on the Web URLs. But who was he speaking with? The tools that Porcello set up identified a handful of phone numbers and e-mail addresses seen in Henn's Web traffic.

Some of these were banal, such as 1-800 numbers for customer service from some of the sites he visited. Another phone number was from Uberconference, a free SIP phone application that some reporters had been testing. But others, Henn later confirmed, were for people he had called as part of his research.

While we did not probe NPR's network, part of Henn's workflow included downloading an audio file from an NPR server. Our analysis tools identified and plucked the audio file from Henn's traffic stream and revealed a security hole that would have allowed me (had I the desire and the legal clearance) to obtain similar raw audio for some other NPR reports. (NPR quickly addressed the issue.)

With a fairly complete picture of Henn's reporting, it was time to end our broad monitoring of his network. Henn pulled the cord on the PwnPlug, and we moved on to phase two: a targeted examination of some major online tools and services.

Getting to know you

Taken together, the information we collected in the first part of our experiment was fairly revealing. But it only scratched the surface of what we could learn from an individual's Internet traffic. We began systematically testing some of the biggest and most popular services on the Internet with both Web and mobile device interfaces.

Many sites that can leak personal data don’t use encryption by default—or at all. In fact, many e-commerce websites allow users to perform searches and to access other information of a personal nature before logging in, only requiring a secure connection when it comes time to pay.

For example, if you search for something on Amazon or look at your wish list, your traffic is unencrypted by default. This traffic can include your name, birth date, and location, as well as searches for potentially embarrassing items. The following are search terms Dave Porcello was able to capture from his own Web traffic during the second phase of our testing:

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53.
Cookie: session-id=190-9015664-2689569; session-id-time=2082787201l;

http://www.amazon.com/gp/aw/s/ref=is...Flux+capacitor.

http://www.amazon.com/gp/aw/s/ref=is...ants+Dispenser.

http://www.amazon.com/gp/aw/s/ref=is_box_?k=Wolf+Urine.

http://www.amazon.com/gp/aw/s/ref=is_box_?k=Live+bees.

http://www.amazon.com/gp/aw/s/ref=is...ve+cockroaches.

http://www.amazon.com/gp/aw/s/ref=is_box_?k=Uranium+Ore.

http://www.amazon.com/gp/aw/s/ref=is_box_?k=bone+saw.

http://www.amazon.com/gp/aw/s/ref=is...k=roll+of+tarp.

http://www.amazon.com/gp/aw/s/ref=is_box_?k=shovel.

http://www.amazon.com/gp/aw/s/ref=is...detta+mask+set.

http://www.amazon.com/gp/aw/s/ref=is...a+travel+guide.

Even applications that require a login and then encrypt parts of their traffic can leak personal data. Searching for packets with the keyword “Skype,” I came across what looked like normal Web traffic—a series of GET requests sent to api.skype.com. Skype calls themselves weren’t targeted by our surveillance, because Skype-to-Skype video and audio calls are encrypted, but it turns out the Skype client uses an unencrypted Web interface to retrieve the photo “avatars” for people in a user’s contact list. Part of that request contains the username of the contact, potentially revealing one's Skype contact list:

We contacted Microsoft to check on this particular leak and were told that it had been fixed in a recent update of the Skype Windows app. When we had captured the data in April, the version we tested was only a month old, however, so it’s likely that many other Skype users are also leaking data from their contact lists. (And we know that the NSA collects such contact list data on a massive scale.)
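The self-audit the author describes running on his own traffic (the PREF cookie as a correlation key, Google referrals plus the SEO slug of the clicked page, the e-mail addresses and phone numbers that tools like ngrep pull out, and search terms riding in cleartext Amazon URLs) can be approximated with a short script over reassembled HTTP requests. This is an added example, not code from the article or from Pwnie Express; the requests below are constructed, the hostnames only echo the ones named in the article, and the cookie value, slugs and form data are made up.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of plaintext HTTP requests (not real captures), roughly what
# tcpflow or ngrep would reassemble; cookie value, slugs and form data are made up.
SAMPLE_REQUESTS = [
    "GET /maps?q=Forest+City+NC HTTP/1.1\r\nHost: maps.google.com\r\n"
    "Cookie: PREF=ID=1a2b3c:TM=1397000000\r\n\r\n",
    "GET /pagead/ads?client=ca-pub-0 HTTP/1.1\r\nHost: ads.google.com\r\n"
    "Cookie: PREF=ID=1a2b3c:TM=1397000000\r\n\r\n",
    "GET /2014/04/new-iowa-wind-farm-will-feed-facebook-data-center HTTP/1.1\r\n"
    "Host: news.example.net\r\nReferer: https://www.google.com/\r\n\r\n",
    "GET /energy/the-facebook-data-center-faq HTTP/1.1\r\n"
    "Host: blog.example.org\r\nReferer: https://www.google.com/\r\n\r\n",
    "GET /gp/aw/s/ref=is_box_?k=Wolf+Urine HTTP/1.1\r\nHost: www.amazon.com\r\n"
    "Cookie: session-id=190-0000000-0000000\r\n\r\n",
    "POST /contact HTTP/1.1\r\nHost: www.example-datacenter.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "name=Steve&email=reporter%40example.org&phone=%28800%29+555-0199",
]

STOPWORDS = {"the", "a", "an", "and", "of", "to", "in", "for", "will", "is", "are"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def parse_request(raw):
    """Split one plaintext HTTP request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def parse_cookies(header):
    """Turn a Cookie header into {name: value}; values may themselves contain '='."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def path_keywords(path):
    """Recover the keywords an SEO-style slug exposes, as the article did with referrals."""
    words = []
    for segment in path.strip("/").split("/"):
        for word in re.split(r"[-_]", segment):
            if word.isalpha() and len(word) > 2 and word.lower() not in STOPWORDS:
                words.append(word.lower())
    return words


def audit(raw_requests, tracked_cookies=("PREF",), search_params=("q", "k")):
    """Summarise what a passive observer learns from a batch of cleartext requests."""
    by_cookie = defaultdict(set)  # identifier cookie -> hosts it was sent to
    searches, referrals = [], []
    emails, phones = set(), set()
    keyword_counts = Counter()
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "?")
        parts = urlsplit(req["target"])
        query = parse_qs(parts.query)
        # 1. Identifying cookies sent in the clear become a correlation key.
        for name, value in parse_cookies(req["headers"].get("cookie", "")).items():
            if name in tracked_cookies:
                by_cookie[f"{name}={value}"].add(host)
        # 2. Search terms travel in the URL when the search page itself is HTTP.
        for param in search_params:
            for term in query.get(param, []):
                searches.append((host, term))
        # 3. A search-engine Referer plus the clicked page's slug hints at the query.
        if "google" in urlsplit(req["headers"].get("referer", "")).netloc:
            words = path_keywords(parts.path)
            referrals.append((host, words))
            keyword_counts.update(words)
        # 4. Entity extraction over decoded query and form values.
        values = [v for vs in query.values() for v in vs]
        if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
            values += [v for vs in parse_qs(req["body"]).values() for v in vs]
        for value in values:
            emails.update(EMAIL_RE.findall(value))
            phones.update(PHONE_RE.findall(value))
    return {
        "correlated_hosts": {k: sorted(v) for k, v in by_cookie.items()},
        "searches": searches,
        "referrals": referrals,
        "keyword_counts": keyword_counts,
        "emails": sorted(emails),
        "phones": sorted(phones),
    }


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_REQUESTS).items():
        print(f"== {section}: {findings}")
```

Pointing the same functions at a real capture of your own traffic (one request per reassembled flow) shows which identifiers, searches and contacts leave your network unencrypted.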

Leaky phones

Your phone also leaks a substantial amount of data. We tested a number of mobile apps on multiple devices and found a whole pile of potentially privacy-exposing data, including:

Weak crypto support on older devices. Facebook’s mobile security was fine on most current generation devices. But a Facebook app on an older Android device sent profile images and other photos unencrypted. We also found that Google searches from an Android 4.1.1 (“Jelly Bean”) device were unencrypted as well.

Geolocation data. The iOS Weather application, which uses Yahoo’s Weather API, passed location in clear text. We also found that images taken with the iOS Camera app included, by default, location data, full data about the phone itself, whether the front or rear-facing camera was used, and the compass direction the phone was facing when the camera fired. If phone images are posted via a nonsecure app or e-mail account, this EXIF metadata can be easily detected in the packet stream.

The Web history that never dies. As mentioned, a good chunk of Henn’s earlier mobile Web activity showed up on our first day of collection thanks to unclosed mobile Safari “tabs.” Safari stays live even when it’s been closed on the screen; behind the scenes, it can reload pages that were previously open.

AT&T "brain" updates. Dave Porcello intercepted a file download from AT&T to an iPhone that included default settings for a variety of services. One of those settings, Porcello said, was a switch that tells the iPhone to automatically connect to Wi-Fi access points with the SSID “attwifi”. Attackers who want to put themselves in the middle between a phone and the broader Internet need only have their attacking device advertise with the SSID in the file. That feature can be disabled on iPhone devices, but according to Pwnie Express’ Oliver Weis, that isn’t the case with AT&T Android devices.

We contacted both AT&T and Apple for comment; Apple pointed us to AT&T, but AT&T didn't respond.

Personal mobile app data. Some mobile apps offer little or no encryption of their content, which can contain location information and other personal data. Pinterest, for example, sends and receives all its data except for “settings” information in the clear. WhatsApp leaks the user's phone number. SnapChat encrypts everything—but it leaks the registration data for its under-13 version, SnapKidz.

Unencrypted VoIP calls from an app. While Uberconference only provided us one of Henn's phone numbers in the clear, Dave Porcello tested another VoIP app called RingCentral and found that it left everything unencrypted, including the call itself. Porcello was able to extract the full audio of a call from an iPhone’s Internet traffic—and says he won't be using that particular app anymore.

App downloads. Monitoring the traffic to modern smartphones and tablets can also reveal which apps are being bought and downloaded. Porcello found that both iOS apps and system updates appeared to be delivered to devices as unencrypted .zip files. Google Play Store content and apps and Android OS updates are also delivered unencrypted.

Such encryption gaps don’t just provide a way to spy on what’s on someone’s phone; they also offer an opportunity for hackers (at the NSA and elsewhere) to attack. Attackers could conceivably build a malicious version of an iOS or Android update or spoof the Google Play store and deliver an “evil” version of an app to a targeted phone—especially if the attackers can also fool the phone into connecting to their own malicious Wi-Fi access point. (Update: As readers have noted, the digital signature on iPhone and Google Play apps makes this difficult at best. However, digital signatures for software vendors have been stolen in the past.)

We’re all insecure

Even without resorting to more aggressive, active attacks, the amount of information that can be obtained with simple network tools is staggering. This is exactly why the NSA has invested so much time and money in its passive Internet surveillance capabilities—and why even “drive-by” surveillance by anyone who can capture pieces of your daily life on the Internet is a potential hazard to your privacy.

After our brief one-week surveillance of Henn’s online activities, I joked that I could have written his story about data centers for him. And while that wasn’t quite true, we had uncovered a vast trove of information—the exact types of information the NSA could use as a digital fingerprint to identify and track any of us online:

• Most of the apps on Henn’s iPhone, based on application data while he was connected to the Wi-Fi
• The operating systems he used on personal computers, and the applications they ran—such as Microsoft Office, Outlook, Internet Explorer 7, Skype, and an app for syncing workout data from his wearable device
• Henn's mobile phone number, unique device identifiers (UDID), model numbers, operating system versions, and cellular provider
• The addresses of e-mail and VPN servers and personal e-mail services
• Every website he visited and how often
• Cookies used to read paid websites
• Places he might be planning to travel
• The general content of Web search queries and which sites he visited as a result
• E-mail addresses and phone numbers he looked up online
• His patterns of activity—when he was working, using his computer for non-work purposes, or was active on a smartphone

Voluntarily opening up your online life to this kind of monitoring is not for the fainthearted, but the exercise was revealing.

“If you have even the foggiest idea of how technology works and you think about what you are actually doing online,” Henn said afterward, “you have probably realized some of this could happen to you. But going through it myself, it was still kind of shocking in the detail.” He also realized with surprise that anyone tracking his Internet usage "could actually know more about my own past than I did."

Porcello, a security veteran, was himself chastened by data leaks from applications he frequently used—and he pointed out just how hard security is, especially for smaller companies. "We just look for apps that work and trust them," he said, because they help get work done—and the average small business doesn't have the time or resources to run penetration tests against every piece of software it uses.

Our experiment also highlighted my own lapses in daily operational security; playing NSA for a few days has made me want to dive deeper into my own Internet traffic to see where my network might leak personal data. That’s not because I’m concerned about being a government surveillance target, but I am concerned about what I, my children, and even my parents expose about ourselves online, even when we aren’t doing anything obviously wrong. Even if I make sure every application on every device in my house is up-to-date and do everything I can to lock things down, all I’m doing is minimizing my potential exposure—not removing it altogether.

Surveillance technology has become a commodity these days. While the NSA has invested untold billions to build its Internet collection capability, most users face more imminent threats of being surveilled while eating lunch in a mall food court by someone with a few hundred dollars' worth of mobile hardware and some open-source tools. And businesses are at risk of widespread breaches by anyone with a thousand bucks and physical access to the corporate network.

Is the Internet a safer place than it was before we knew about Prism? In some ways. But for the vast majority of people online, a little paranoia remains a very healthy thing.
http://arstechnica.com/security/2014...rnet-traffic/?





Noam Chomsky: A Surveillance State Beyond Imagination Is Being Created in One of the World's Freest Countries

A White House lawyer seems determined to demolish our civil liberties.

In the past several months, we have been provided with instructive lessons on the nature of state power and the forces that drive state policy. And on a closely related matter: the subtle, differentiated concept of transparency.

The source of the instruction, of course, is the trove of documents about the National Security Agency surveillance system released by the courageous fighter for freedom Edward J. Snowden, expertly summarized and analyzed by his collaborator Glenn Greenwald in his new book, "No Place to Hide."

The documents unveil a remarkable project to expose to state scrutiny vital information about every person who falls within the grasp of the colossus - in principle, every person linked to the modern electronic society.

Nothing so ambitious was imagined by the dystopian prophets of grim totalitarian worlds ahead.

It is of no slight import that the project is being executed in one of the freest countries in the world, and in radical violation of the U.S. Constitution's Bill of Rights, which protects citizens from "unreasonable searches and seizures," and guarantees the privacy of their "persons, houses, papers and effects."

Much as government lawyers may try, there is no way to reconcile these principles with the assault on the population revealed in the Snowden documents.

It is also well to remember that defense of the fundamental right to privacy helped to spark the American Revolution. In the 18th century, the tyrant was the British government, which claimed the right to intrude freely into the homes and personal lives of American colonists. Today it is American citizens' own government that arrogates to itself this authority.

Britain retains the stance that drove the colonists to rebellion, though on a more restricted scale, as power has shifted in world affairs. The British government has called on the NSA "to analyse and retain any British citizens' mobile phone and fax numbers, emails and IP addresses, swept up by its dragnet," The Guardian reports, working from documents provided by Snowden.

British citizens (like other international customers) will also doubtless be pleased to learn that the NSA routinely receives or intercepts routers, servers and other computer network devices exported from the United States so that it can implant surveillance tools, as Greenwald reports in his book.

As the colossus fulfills its visions, in principle every keystroke might be sent to President Obama's huge and expanding databases in Utah.

In other ways too, the constitutional lawyer in the White House seems determined to demolish the foundations of our civil liberties. The principle of the presumption of innocence, which dates back to Magna Carta 800 years ago, has long been dismissed to oblivion.

Recently The New York Times reported the "anguish" of a federal judge who had to decide whether to allow the force-feeding of a Syrian prisoner who is on a hunger strike to protest his imprisonment.

No "anguish" was expressed over the fact that he has been held without trial for 12 years in Guantanamo, one of many victims of the leader of the Free World, who claims the right to hold prisoners without charges and to subject them to torture.

These exposures lead us to inquire into state policy more generally and the factors that drive it. The received standard version is that the primary goal of policy is security and defense against enemies.

The doctrine at once suggests a few questions: security for whom, and defense against which enemies? The answers are highlighted dramatically by the Snowden revelations.

Policy must assure the security of state authority and concentrations of domestic power, defending them from a frightening enemy: the domestic population, which can become a great danger if not controlled.

It has long been understood that information about the enemy makes a critical contribution to controlling it. In that regard, Obama has a series of distinguished predecessors, though his contributions have reached unprecedented levels, as we have learned from the work of Snowden, Greenwald and a few others.

To defend state power and private economic power from the domestic enemy, those two entities must be concealed - while in sharp contrast, the enemy must be fully exposed to state authority.

The principle was lucidly explained by the policy intellectual Samuel P. Huntington, who instructed us that "Power remains strong when it remains in the dark; exposed to the sunlight it begins to evaporate."

Huntington added a crucial illustration. In his words, "you may have to sell [intervention or other military action] in such a way as to create the misimpression that it is the Soviet Union that you are fighting. That is what the United States has been doing ever since the Truman Doctrine" at the outset of the Cold War.

Huntington's insight into state power and policy was both accurate and prescient. As he wrote these words in 1981, the Reagan administration was launching its war on terror - which quickly became a murderous and brutal terrorist war, primarily in Central America, but extending well beyond to southern Africa, Asia and the Middle East.

From that day forward, in order to carry out violence and subversion abroad, or repression and violation of fundamental rights at home, state power has regularly sought to create the misimpression that it is terrorists that we are fighting, though there are other options: drug lords, mad mullahs seeking nuclear weapons, and other ogres said to be seeking to attack and destroy us.

Throughout, the basic principle remains: Power must not be exposed to the sunlight. Edward Snowden has become the most wanted criminal in the world for failing to comprehend this essential maxim.

In brief, there must be complete transparency for the population, but none for the powers that must defend themselves from this fearsome internal enemy.
http://www.alternet.org/civil-libert...ted-one-freest





NSA: Our Systems Are So Complex We Can’t Stop Them from Deleting Data Wanted for Lawsuit
Andrea Peterson

The National Security Agency recently used a novel argument for not holding onto information it collects about users' online activity: it's too complex.

The agency is facing a slew of lawsuits over its surveillance programs, many launched after former NSA contractor Edward Snowden leaked information on the agency's efforts last year. One suit that pre-dates the Snowden leaks, Jewel v. NSA, challenges the constitutionality of programs that the suit alleges collect information about Americans' telephone and Internet activities.

In a hearing Friday, U.S. District Court for the Northern District of California Judge Jeffrey S. White reversed an emergency order he had issued earlier the same week barring the government from destroying data that the Electronic Frontier Foundation had asked be preserved for that case. The data is collected under Section 702 of the Amendments Act to the Foreign Intelligence Surveillance Act.

But the NSA argued that holding onto the data would be too burdensome. "A requirement to preserve all data acquired under section 702 presents significant operational problems, only one of which is that the NSA may have to shut down all systems and databases that contain Section 702 information," wrote NSA Deputy Director Richard Ledgett in a court filing submitted to the court.

The complexity of the NSA systems meant preservation efforts might not work, he argued, but would have "an immediate, specific, and harmful impact on the national security of the United States." Part of this complexity, Ledgett said, stems from privacy restrictions placed on the programs by the Foreign Intelligence Surveillance Court.

"Communications acquired pursuant to Section 702 reside within multiple databases contained on multiple systems and the precise manner in which NSA stays consistent with its legal obligations under the [FISA Amendments Act] has resulted from years of detailed interaction" with the Foreign Intelligence Surveillance Court and the Department of Justice, Ledgett wrote. NSA regularly purges data "via a combination of technical and human-based processes," he said.

The government's explanation raises more concerns, said Cindy Cohn, EFF's legal director. "To me, it demonstrates that once the government has custody of this information even they can't keep track of it anymore even for purposes of what they don't want to destroy," she said in an interview.

"With the huge amounts of data that they're gathering it's not surprising to me that it's difficult to keep track-- that's why I think it's so dangerous for them to be collecting all this data en masse," Cohn added.

The debate over preserving data for the lawsuit puts EFF in the odd position of arguing that the government should retain data the group ultimately wants destroyed.

According to Cohn, EFF discovered the issue by accident: An e-mail exchange with a Justice Department lawyer last week revealed that the government was looking into whether it could preserve data collected under 702 programs. That was surprising, she said, because the NSA had previously been ordered to preserve the data related to the suit, including an initial preservation order in 2009 and temporary restraining order in March.

But it's unclear just how much of the data EFF seeks has already been destroyed. In a brief filed with the court in May, EFF said there was "no doubt" that the government had already destroyed evidence related to the claims.

The government has argued that the case, which was filed in 2008, should be thrown out and that Section 702 programs do not target Americans so it is "highly unlikely" that the plaintiffs' communications were acquired through those programs. EFF disputes that argument.
http://www.washingtonpost.com/blogs/...d-for-lawsuit/





Microsoft Protests Order for Email Stored Abroad
Steve Lohr

Microsoft is challenging the authority of federal prosecutors to force the giant technology company to hand over a customer’s email stored in a data center in Ireland.

The objection is believed to be the first time a corporation has challenged a domestic search warrant seeking digital information overseas. The case has attracted the concern of privacy groups and major United States technology companies, which are already under pressure from foreign governments worried that the personal data of their citizens is not adequately protected in the data centers of American companies.

Verizon filed a brief on Tuesday, echoing Microsoft’s objections, and more corporations are expected to join. The Electronic Frontier Foundation is working on a brief supporting Microsoft. European officials have expressed alarm.

In a court filing made public on Monday, Microsoft said that if the judicial order to surrender the email stored abroad is upheld, it “would violate international law and treaties, and reduce the privacy protection of everyone on the planet.”

The search warrant was granted by a federal magistrate judge in New York last December, as part of a criminal inquiry. Neither the identity nor the nationality of the customer has been revealed. The company objected, saying that because the customer’s emails were stored in Dublin, they were beyond the reach of a domestic search warrant. Search warrants seeking information abroad are rare, experts said.

But Microsoft lost that round two months ago, and this week is beginning its push for a reversal in Federal District Court in New York.

“This is a policy decision as well as a legal one,” said Peter Swire, a professor at the Georgia Institute of Technology, who served on a White House advisory group on intelligence and communications technologies last year.

In a criminal proceeding, the debate plays out in public court filings from the outset. That openness is in sharp contrast with intelligence data harvesting, which was conducted for years in secrecy, with minimal review, until Edward J. Snowden’s leaks showed the extent of clandestine information gathering by the National Security Agency.

In his ruling in April, James C. Francis, a magistrate judge in federal court in New York, wrote, “Microsoft’s argument is simple, perhaps deceptively so.”

Microsoft contends that the rules that apply to a search warrant in the physical world should apply online. The standard of proof for a search warrant is “probable cause” and “particularity” — that is, a person’s name and where the person, evidence or information reside.

A subpoena — the less powerful court-ordered investigation tool — requires only that the information is “relevant to an ongoing investigation.” But a subpoena, unlike a search warrant, requires that the person being investigated be informed.

Judge Francis, in his order, wrote that the Electronic Communications Privacy Act, passed in 1986, created an in-between category intended at the time to protect people from indiscriminate data gathering that subpoenas might allow of online communications. The result, he wrote, is “a hybrid: part search warrant and part subpoena,” and applied to information held in Microsoft’s data center overseas.

Privacy experts are concerned that the judge’s order, if it stands, will open the gate to unchecked investigations in the digital world, of anyone, anywhere. “United States search warrants do not have extraterritorial reach,” said Lee Tien, a lawyer for the Electronic Frontier Foundation. “The government is trying to do an end run.”

But the Justice Department asserts that Microsoft is stretching the law. In a filing, Preet Bharara, United States attorney for the Southern District of New York, described the company’s analogy between physical search warrants and digital ones as “misguided,” and said Internet companies cannot avoid complying with a search warrant “simply by storing the data abroad.”

If Microsoft prevailed, he wrote, it would be “a dangerous impediment to the ability of law enforcement to gather evidence of criminal activity.”

A spokeswoman for his office said it would have no comment beyond the court filings.

Governments routinely exchange information in criminal cases through cooperative agreements called mutual legal assistance treaties. In his order, Judge Francis cited a source saying the treaty process could be “slow and laborious.”

But Mr. Swire, an Internet policy and privacy expert, said these treaties were the appropriate mechanism for obtaining information from abroad in criminal cases. And he noted that the Obama administration had sought increased funding for handling legal assistance treaty cases.

The warrant suggests that the inquiry involves drugs. The warrant specifically requests any email or other communications “pertaining to narcotics, narcotics trafficking, importation of narcotics into the United States” and related money laundering.

Industry experts say it is highly likely the person whose emails were sought resided in Europe when using the Microsoft web email service, Outlook.com (though the customer apparently used an address with the service through its previous name, MSN.com).

For faster service, the big online service providers — like Google, Microsoft, Amazon and Yahoo — locate data centers near major markets around the world. Data is typically stored nearest the customer’s location, for shorter transmission distances.

In its court filing this week, Microsoft said its global network of data centers included more than one million computers in more than 100 data centers spread over 40 countries.

The Snowden leaks and the view that American tech companies were too cooperative with the United States government have hurt the prospects for American tech companies abroad. Earlier estimates of potential lost sales over the next few years have ranged as high as $180 billion, or 25 percent of industry revenue, according to Forrester Research.

To address those concerns, the companies are building more data centers abroad. But that strategy looks less appealing if companies can be ordered to hand over data regardless of where it is stored, as Microsoft is being ordered to do.

In its filing, Microsoft emphasized that point. The government’s position, it warned, will “ultimately erode the leadership of U.S. technology companies in the global market.”

The case is expected to run for some time. Oral arguments, before Judge Loretta A. Preska, are scheduled for July 31. After her ruling, there may be appeals.

Whatever the outcome, Orin Kerr, a professor at George Washington University Law School, said Congress needs to update the Electronic Communications Privacy Act of 1986. Back then, he noted, dial-up service from CompuServe was the state of the art. “The idea of having email stored abroad was not something that was imagined when the law was passed,” he said.
http://www.nytimes.com/2014/06/11/te...ed-abroad.html





2nd China Army Unit Implicated in Online Spying
Nicole Perlroth

The email attachment looked like a brochure for a yoga studio in Toulouse, France, the center of the European aerospace industry. But once it was opened, it allowed hackers to sidestep their victim’s network security and steal closely guarded satellite technology.

The fake yoga brochure was one of many clever come-ons used by a stealth Chinese military unit for hacking, said researchers at CrowdStrike, an Irvine, Calif., security company. Their targets were the networks of European, American and Japanese government entities, military contractors and research companies in the space and satellite industry, systematically broken into for seven years.

Just weeks after the Justice Department indicted five members of the Chinese army, accusing them of online attacks on United States corporations, a new report from CrowdStrike, released on Monday, offers more evidence of the breadth and ambition of China’s campaign to steal trade and military secrets from foreign victims.

The report, parts of which The New York Times was able to corroborate independently, ties attacks against dozens of public and private sector organizations back to a group of Shanghai-based hackers whom CrowdStrike called Putter Panda because they often targeted golf-playing conference attendees. The National Security Agency and its partners have identified the hackers as Unit 61486, according to interviews with a half-dozen current and former American officials.

Those officials say the N.S.A. and its partners are currently tracking more than 20 hacking groups in China, over half of them units of the People’s Liberation Army, as they break into public and private sector companies ranging from satellite, drone and nuclear weapon component makers to technology and energy companies and research groups.

Unit 61486, researchers say, in some instances shared computing resources and communicated with members of Unit 61398, the P.L.A. unit whose members were the focus of last month’s indictments.

“If you look at all the groups that we track in China, the indictments are just the very tip of the iceberg,” said George Kurtz, a co-founder of CrowdStrike.

Knowledge of the attacks, which continue even now and are being reported for the first time, emerges amid an escalating conflict between the United States and China over online espionage.

Tensions had been simmering for years, but grew more pointed last year when an American cybersecurity company, Mandiant, identified Unit 61398 as the source of thousands of attacks on foreign companies. The Justice Department’s indictment last month named five members of that group and, for the first time, named some of its victims, which included Alcoa, Westinghouse Electric and the United States Steel Corporation.

In response, Chinese officials have denounced the indictments, denied the charges, cited recent revelations that the United States has engaged in its own cyberespionage, and announced retaliatory measures, including new inspection procedures for American technologies, all raising the prospect of a trade war.

The decision to issue indictments against the members of Unit 61398 has proved controversial, even inside the Obama administration. The members of the unit are almost certain never to see the inside of an American courtroom, and American officials fear that it could become more difficult to negotiate norms of behavior with China.

The same issue will arise in the case of this newly disclosed unit, whose operations pose as large a threat to American infrastructure as the one whose members have been indicted.

CrowdStrike’s forensic investigation revealed that members of Unit 61486 took steps to hide their origins — by using compromised foreign websites to launch their attacks, for instance — but left behind digital traces of their identities and whereabouts. The report does not name the companies that were targeted because of confidentiality agreements CrowdStrike has with clients.

The hackers’ tools were developed during working hours in Chinese time zones, researchers say, and Internet records show that in one case hackers used the same I.P. address as members of Unit 61398 to launch their attacks. The use of that address for simultaneous attacks suggests cooperation between Unit 61398 and Unit 61486, said Adam Meyers, CrowdStrike’s head of threat intelligence.

CrowdStrike, founded by two former executives of the security software company McAfee, is one of a new generation of computer security companies that specialize in so-called computer forensics.

Rather than reacting to attacks by hackers, the company tries to understand who hackers are and what methods they are using. It has released several reports on global hacking over the last year.

The firm’s investigation revealed that the group targeted its victims with custom malware disguised as emails containing PDF invitations to aerospace and satellite conferences, job postings and, in one case, the brochure for a yoga studio in Toulouse.

Once victims clicked on decoy files, they inadvertently downloaded malicious programs onto their computers. That opened the door for attackers to enter the victim’s network, see which other devices and networks their victim was connected to, and eventually steal trade secrets and design schematics for satellite and aerospace technology.

CrowdStrike’s researchers said they traced attacks on dozens of the company’s clients in the space and satellite industry to the group; the researchers say the list of victims could number in the hundreds, if not thousands.

In some cases, researchers said, attackers slipped up and registered websites used in their assaults under the same email address they used to register personal blog and social media accounts. In one case, an attacker deployed a remote access tool, or RAT, from a web domain registered to an email address that belonged to a onetime student at the School of Information Security Engineering at Shanghai Jiao Tong University, a top university long suspected of being a state recruiting ground for hackers.

Representatives for Shanghai Jiaotong did not respond to fax messages requesting comment.

In another case, an email address — which popped up repeatedly in Internet records for attack domains — was used to register a personal blog on Sina.com, the Chinese Internet portal, to a 35-year-old who listed the military as his profession. The soldier did not return requests for comment, but in security discussion forums, CrowdStrike’s researchers uncovered discussions between that person and two other hackers, whose noms de guerre, ClassicWind and Linxder, have been linked to members of Unit 61398.

The 35-year-old’s Picasa albums show photos of him in military training and celebrating his birthday with friends in military garb, and pictures of his dormitory, where P.L.A. officer hats are conspicuously in the background. And in his album labeled “office,” photos show a tall white building in Shanghai, surrounded by satellite dishes and dormitory-style residences. Researchers at CrowdStrike believe it is the headquarters for Unit 61486.

Visited by The New York Times, the P.L.A. headquarters — just north of downtown Shanghai in the Zhabei district — were clearly marked as a “military zone.” Soldiers guard the entrance to the building, which is surrounded by tall walls topped with wire fencing, a moat and trees that camouflage military satellite dishes. Viewed from nearby landmarks, the building is full of military personnel and patriotic military slogans.

Military analysts at the Project 2049 Institute, a defense research group in Arlington, Va., suspected that Unit 61486 supported China’s space surveillance network and maintained close ties with the Beijing Remote Sensing Research Institute, a state-sponsored organization whose mission is to explore “leading technologies in earth observation and the mechanisms for acquiring and distributing remote sensing information,” according to its website. The analysts never presented any evidence.

CrowdStrike believes its report offers the final proof. “We’ve got the gun, the bullet and the body,” Mr. Meyers said of evidence connecting attacks on its clients, in the space and satellite sectors, back to Unit 61486.

“The awareness level may be going up,” said Mr. Kurtz of CrowdStrike. “But the Chinese are not slowing down. They keep plowing away.”

David E. Sanger contributed reporting from Washington.
http://www.nytimes.com/2014/06/10/te...erattacks.html





Report: Cybercrime and Espionage Costs $445 Billion Annually
Ellen Nakashima and Andrea Peterson

A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income.

The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm.

“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.

The report, funded by the security firm McAfee, which is part of Intel Security, represents one of the first efforts to analyze the costs, drawing on a variety of data.

“Cybercrime costs are big, and they’re growing,” said Stewart A. Baker, a former Department of Homeland Security policy official and a co-author of the report. “The more that governments understand what those costs are, the more likely they are to bring their laws and policies into line with preventing those sorts of losses.”

According to the report, the most advanced economies suffered the greatest losses. The United States, Germany and China together accounted for about $200 billion of the total in 2013. Much of that was due to theft of intellectual property by foreign governments.

Though the report does not break out a figure for that, or name countries behind such theft, the U.S. government has publicly named China as the major perpetrator of cyber economic espionage against the United States.

The Chinese government has accused the United States of being one of the biggest perpetrators of cyber-espionage, but the U.S. government has always objected that it does not steal intellectual property and hand it to its own industries to give them a competitive advantage.

CSIS estimated that the United States lost about $100 billion. Germany was second with $60 billion, and China followed with $45 billion.

In both the United States and China, the losses represent about 0.6 percent of their economies, while Germany’s loss is 1.6 percent.

Japan, the world’s fourth largest economy, reported losses of $1 billion, which researchers said was extremely low and not credible.

Valuing intellectual property is an art form, based on estimating future revenues the intellectual property will produce or the value the market places on it, the report said. Putting a price tag on it is difficult but not impossible, it said.

Intellectual-property theft lessens companies’ abilities to gain a full return on their inventions, and so they turn to other activities to make a profit, the report states. That depresses overall global rates of innovation, it said.

The report stated that countries appear to tolerate cybercrime losses as long as they stay at less than 2 percent of their national income. If losses rise above 2 percent, “we assume it would prompt much stronger calls for action as companies and societies find the burden unacceptable,” it said.

The report breaks the harm into three categories, without giving figures. The largest, it said, is intellectual property theft. The second is financial crime, or the theft of credit card and other types of data largely by criminal rings. The third is theft of confidential business information to gain an advantage in commercial negotiations or business deals.

CSIS used several methods to arrive at a range of estimates, from $375 billion to as much as $575 billion. Researchers looked for published data from governments around the world. They interviewed officials in 17 major countries. And they came up with a predictive model based on a CSIS report last year that estimated the cost of cybercrime to the U.S. economy. Their figures also included the cost of recovering from cyberattacks.

The main assumption they used was that the cost of cybercrime is a constant share of national income — at least in countries with similar levels of development.

In less developed countries, that cost is about 0.2 percent of gross domestic product, and in advanced economies it is almost 1 percent.

In 2009, McAfee issued a news release that pegged global economic losses at more than $1 trillion. The figure was cited by the White House and then-National Security Agency director Gen. Keith B. Alexander. But this year’s CSIS report concluded that it was unlikely that cybercrime cost more than $600 billion, which is the cost of the global drug trade.

The researchers said cybercrime and economic espionage require a response on par with global efforts to reduce drug trafficking. Besides better cybersecurity technologies, they said, governments need to devote resources to building defenses and to commit to observing existing international commitments to protect intellectual property.
http://www.washingtonpost.com/world/...f0a_story.html





Cyberattack Insurance a Challenge for Business
Nicole Perlroth and Elizabeth A. Harris

Julia Roberts’s smile is insured. So are Heidi Klum’s legs, Daniel Craig’s body and Jennifer Lopez’s derrière. But the fastest-growing niche in the industry today is cyberinsurance.

Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker.

Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses.

The main problem is quantifying losses from attacks, because they are often intangible — lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year.

“The losses that are more tangible and more readily quantifiable are the ones you’ll be able to insure against more easily,” said Ed Powers, who heads the online risk services practice at Deloitte & Touche, the accounting firm. “The ones that are less tangible and less quantifiable are more challenging, but those are often the bigger ones.”

At the same time, underwriters lack the data they need to figure out how likely it is that an attack will occur, or what it will cost. This is because most breaches go unnoticed or are never publicly reported. Information on past attacks is not particularly helpful because attackers are always getting more advanced, and the risk is increasing as companies put their most valuable data online.

Graeme Newman, a director at CFC Underwriting, said that in underwriting property, insurance companies can draw on reams of data spanning hundreds of years.

“They could tell you exactly the chance of an office building burning down in Midtown Manhattan, but there isn’t anyone on this planet who could tell you the probability of a large U.S. retailer being hacked tomorrow,” Mr. Newman said.

“Statistics from five years ago are almost irrelevant today,” he added.

Total cyberinsurance premiums paid last year reached $1.3 billion, according to Betterley Risk Consultants, a jump from the $1 billion paid in 2012. The bulk of that involves smaller policies issued to small to midsize businesses.

The most coverage a company can hope to acquire, using multiple underwriters, is about $300 million, experts say, significantly less than the billions of dollars’ worth of coverage available in property insurance.

The problems companies face in getting insurance are illustrated by the situation Target faced last year.

At the time of its breach, the retailer had cobbled together $100 million in coverage, on top of a $10 million deductible, according to regulatory filings. The coverage, which came from multiple carriers, will barely compensate for the $1 billion in losses some analysts are forecasting. Since the breach was discovered, the company has incurred $88 million in breach-related expenses, its filings say, and it expects insurance to cover $52 million of that.

Target had tried to get more insurance; at least one carrier had turned it down, according to a person briefed on the discussions who spoke on the condition of anonymity.

Cyberinsurance has existed since the 1990s, but companies were forced to consider coverage when a New York court ruled in February that Sony’s general liability policy would not cover the $2 billion in costs the company incurred from the huge data breach in 2011 involving the online network for its PlayStation game console.

Cyberinsurance policies vary widely. The most comprehensive ones reimburse for immediate cleanup costs like hiring a forensics firm, notifying customers, setting up call centers and paying for free credit monitoring. Some also cover legal fees and the cost of hiring a crisis management firm.

But those costs can be only the tip of the iceberg, experts say.

For example, after the breach at Target, its profit was cut nearly in half — down 46 percent over the same period the year before — in large part because the breach scared away its customers. The loss to the brand is essentially unmeasurable.

“There is no real way to put empirical data on what the value of a brand is post-breach, during a breach and prior to a breach,” said Michael Tanenbaum, senior vice president of ACE Professional Risk, part of Ace. “We are about science and math, and you just can’t get your arms around it. And two people can’t always agree on whether a brand has been diminished.”

To regain consumer confidence, Target announced that it would speed the adoption of more secure chip-and-PIN technology in its stores and for its branded debit and credit cards, a step it estimates will cost $100 million. That expense is not covered by its insurance policies.

Policies also exclude some major forms of breach, like state-sponsored online espionage attacks, which tripled last year, according to a recent Verizon report.

“Most companies think their policy will cover them from all cyberevents, but in reality it only kicks in in a sliver of breach events,” said Jacob Olcott, a cybersecurity expert at Good Harbor Security Risk Management, which advises companies on the risk.

Some experts say insurers keep policies narrow simply because there are too many unknowns. In most cases, insurers use questionnaires to determine a client’s risk of a breach. Rarely, Mr. Olcott said, they will perform a penetration test, in which paid hackers try to break into a company’s network to identify its weak spots.

“They won’t do the due diligence you might expect,” he said.

More data about breaches has been forced into the open because of the Health Insurance Portability and Accountability Act, or Hipaa, of 1996, which established strict security and privacy standards for patient data and became a model for many state breach notification laws.

Insurers say those laws have forced more companies to step forward when data is lost, creating more actuarial data for underwriters to draw upon. Last year, the Ponemon Institute, a nonprofit that tracks breaches, estimated that the cost of a data breach was $188 per compromised record, with 28,765 records breached on average in the year.

Still, risk experts say that those figures reflect only upfront cleanup costs and grossly underestimate the cost to companies when trade secrets are stolen or reputational damage occurs.

The market continues to evolve. Recently, A.I.G. became the first insurer to expand its cybercoverage to include physical risks, like property damage and bodily injury. If an attack on an oil company resulted in an explosion, damage from that could now be covered, said Tracie Grella, global head of professional liability at A.I.G.

Another wrinkle in the market is the uncertainty over how to assess the risk of cloud computing services, which increasingly are the repository for all sorts of data maintained by businesses.

A big question is whether the aggregation of data from many companies in a cloud service like Amazon’s is safer or more vulnerable. One breach could mean catastrophic loss for many companies. But some businesses might be better off outsourcing their data to a large cloud provider like Amazon that has greater resources to protect it, said Ty Sagalow, a former chief operating officer at A.I.G. who is now a president of an insurance consulting group.

Whatever the complexities, cyberinsurance is now big business.

“Insurers can’t afford not to be in this thing,” Mr. Sagalow said.
http://www.nytimes.com/2014/06/09/bu...-business.html





The Government Can No Longer Track Your Cell Phone Without a Warrant
Jason Koebler

The government and police regularly use location data pulled off of cell phone towers to put criminals at the scenes of crimes—often without a warrant. Well, an appeals court ruled today that the practice is unconstitutional, in one of the strongest judicial defenses of technology privacy rights we've seen in a while.

The United States Court of Appeals for the Eleventh Circuit ruled that the government illegally obtained and used Quartavious Davis's cell phone location data to help convict him in a string of armed robberies in Miami and unequivocally stated that cell phone location information is protected by the Fourth Amendment.

"In short, we hold that cell site location information is within the subscriber’s reasonable expectation of privacy," the court ruled in an opinion written by Judge David Sentelle. "The obtaining of that data without a warrant is a Fourth Amendment violation."

In Davis's case, police used his cell phone's call history against him to put him at the scene of several armed robberies. They obtained a court order—which does not require the government to show probable cause—not a warrant, to do so. From now on, that'll be illegal.

The American Civil Liberties Union, who argued the case, said that the decision is a "resounding defense of the Fourth Amendment's continuing vitality in the digital age."

"This opinion puts police on notice that when they want to enlist people’s cell phones as tracking devices, they must get a warrant from a judge based on probable cause. The court soundly repudiates the government’s argument that by merely using a cell phone, people somehow surrender their privacy rights," Freed Wessler, who argued the case, said in a statement.

Indeed, the decision alone is a huge privacy win, but Sentelle's strong language supporting cell phone users' privacy rights is perhaps the most important part of the opinion. Sentelle pushed back against several of the federal government's arguments, including one that suggested that, because cell phone location data based on a caller's closest cell tower isn't precise, it should be readily collectable.

"The United States further argues that cell site location information is less protected than GPS data because it is less precise. We are not sure why this should be significant. We do not doubt that there may be a difference in precision, but that is not to say that the difference in precision has constitutional significance," Sentelle wrote. "That information obtained by an invasion of privacy may not be entirely precise does not change the calculus as to whether obtaining it was in fact an invasion of privacy."

The court also cited the infamous US v. Jones Supreme Court decision that held that attaching a GPS to a suspect's car is a "search" under the Fourth Amendment. Sentelle suggested a cell phone user has an even greater expectation of location privacy with his or her cell phone use than a driver does with his or her car. A car, Sentelle wrote, isn't always with a person, while a cell phone, these days, usually is.

"One’s cell phone, unlike an automobile, can accompany its owner anywhere. Thus, the exposure of the cell site location information can convert what would otherwise be a private event into a public one," he wrote. "In that sense, cell site data is more like communications data than it is like GPS information. That is, it is private in nature rather than being public data that warrants privacy protection only when its collection creates a sufficient mosaic to expose that which would otherwise be private."

Finally, the government argued that, because Davis made outgoing calls, he "voluntarily" gave up his location data. Sentelle rejected that, too, citing a prior decision by a Third Circuit Court.

"The Third Circuit went on to observe that 'a cell phone customer has not "voluntarily" shared his location information with a cellular provider in any meaningful way.' That circuit further noted that 'it is unlikely that cell phone customers are aware that their cell phone providers collect and store historical location information,'" Sentelle wrote.

"Therefore, as the Third Circuit concluded, 'when a cell phone user makes a call, the only information that is voluntarily and knowingly conveyed to the phone company is the number that is dialed, and there is no indication to the user that making that call will also locate the caller,'" he continued.

Unfortunately for Davis, the court also held that the government had enough evidence to convict him anyway, and did not completely overturn his 162-year sentence.
http://motherboard.vice.com/read/the...hout-a-warrant





iOS 8 Strikes an Unexpected Blow Against Location Tracking
Russell Brandom

It wasn't touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy. As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize that address, effectively disguising any trace of the real device until it decides to connect to a network.

Any Phone Using iOS 8 Will Be Invisible to the Process

Why are iPhones checking out Wi-Fi networks in disguise? Because there's an entire industry devoted to tracking customers through that signal. As The New York Times reported last summer, shops from Nordstrom's to JC Penney have tried out the system. (London even tried out a system using public trash cans.) The system automatically logs any phone within Wi-Fi range, giving stores a complete record of who walked into the shop and when. But any phone using iOS 8 will be invisible to the process, potentially calling the whole system into question.

A Privacy Win for Apple

Combined with inventory and in-store video, the records are immensely valuable to stores as marketing data, and companies like Euclid Analytics and Path Intelligence have made an industry out of providing them. But now that Apple has embraced MAC spoofing, the practice of Wi-Fi sniffing may stop working entirely. With more than one in three US smartphones running iOS, and a notoriously fast adoption cycle for new operating systems, any data collected is likely to leave out a huge sector of the population.
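The tracking model the article describes is a log of probe-request MAC addresses that a store links into per-device visit histories. The following is an added example, not code from the article or from any analytics vendor, showing how that linkage works on a constructed log and why addresses randomized by the client cannot be linked; it assumes the log format shown and that a randomized address sets the IEEE "locally administered" bit of its first octet.

```python
"""Added example (not from the article): how a Wi-Fi presence tracker of the
kind described above links visits to devices, and why per-scan MAC
randomization breaks that linkage.

Assumptions, stated here because the article does not give them:
  - the tracker logs one line per probe request as "<timestamp> <mac>";
  - a randomized address sets the IEEE 'locally administered' bit
    (bit 1 of the first octet), so it can be told apart from a
    burned-in vendor address.
The sample log below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two devices with fixed vendor MACs seen on two
# days, plus probes carrying fresh locally-administered addresses.
SAMPLE_LOG = """\
2014-06-09T10:02:11 3c:15:c2:aa:bb:01
2014-06-09T10:02:14 3c:15:c2:aa:bb:01
2014-06-09T10:05:40 f0:d1:a9:11:22:33
2014-06-09T10:07:02 da:4f:10:9c:21:7e
2014-06-10T15:31:09 3c:15:c2:aa:bb:01
2014-06-10T15:33:50 06:9a:c3:50:ee:12
2014-06-10T15:34:01 f0:d1:a9:11:22:33
"""


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit of the first octet is set (randomized/local MAC)."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_log(text: str):
    """Yield (date, mac) pairs from the constructed tracker log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac = line.split()
        yield datetime.fromisoformat(ts).date(), mac.lower()


def visit_days(text: str) -> dict:
    """Map each vendor-assigned MAC to the set of days it was seen.

    Locally-administered addresses are dropped: a fresh one per scan cannot
    be tied to a device, and counting them would only inflate 'unique
    visitors' without producing a return-visit history."""
    days = defaultdict(set)
    for day, mac in parse_log(text):
        if is_locally_administered(mac):
            continue
        days[mac].add(day)
    return dict(days)


def returning_devices(text: str) -> list:
    """Vendor-assigned MACs seen on more than one day: the linkable records."""
    return sorted(m for m, d in visit_days(text).items() if len(d) > 1)


def randomized_probe_count(text: str) -> int:
    """Number of probes whose MAC is locally administered (unlinkable)."""
    return sum(1 for _, mac in parse_log(text) if is_locally_administered(mac))


if __name__ == "__main__":
    print("returning devices:", returning_devices(SAMPLE_LOG))
    print("unlinkable probes:", randomized_probe_count(SAMPLE_LOG))
```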

The result is a privacy win for Apple users and a major blow against data marketing — and all it took was an automatic update.
http://www.theverge.com/2014/6/9/579...ation-tracking





Comcast is Turning Your Xfinity Router Into a Public Wi-Fi Hotspot
Dwight Silverman

Some time on Tuesday afternoon, about 50,000 Comcast Internet customers in Houston will become part of a massive public Wi-Fi hotspot network, a number that will swell to 150,000 by the end of June.

Comcast will begin activating a feature in its Arris Touchstone Telephony Wireless Gateway Modems that sets up a public Wi-Fi hotspot alongside a residential Internet customer’s private home network. Other Comcast customers will be able to log in to the hotspots for free using a computer, smartphone or other mobile device. And once they log into one, they’ll be automatically logged in to others when their devices “see” them.

Comcast says the hotspot – which appears as “xfinitywifi” to those searching for a Wi-Fi connection – is completely separate from the home network. Someone accessing the Net through the hotspot can’t get to the computers, printers, mobile devices, streaming boxes and more sitting on the host network.

Comcast officials also say that people using the Internet via the hotspot won’t slow down Internet access on the home network. Additional capacity is allotted to handle the bandwidth.

You can read more about Comcast’s reason for doing this in my report on HoustonChronicle.com.

What’s interesting about this move is that, by default, the feature is being turned on without its subscribers’ prior consent. It’s an opt-out system – you have to take action to not participate. Comcast spokesman Michael Bybee said on Monday that notices about the hotspot feature were mailed to customers a few weeks ago, and email notifications will go out after it’s turned on. But it’s a good bet that this will take many Comcast customers by surprise.

If you have one of these routers and don’t want to host a public Wi-Fi hotspot, here’s how to turn it off.

• Log into your Comcast account page at customer.comcast.com.

• Click on Users & Preferences.

• Look for a heading on the page for “Service Address.” Below your address, click the link that reads “Manage Xfinity WiFi.”

• Click the button for “Disable Xfinity Wifi Home Hotspot.”

• Click Save.

You can see screenshots of the process in the slideshow above. Note that this will only work once the hotspot is live on your router.

Some other details about the hotspots:

• Each hotspot actually contains separate connections for 2.4-GHz and 5-GHz Wi-Fi devices, and the Arris routers use the 802.11n standard.

• If you have one of the Arris modem/router combos, but are using your own Wi-Fi router, the Arris device won’t broadcast the free hotspot. Likewise if you are using your own modem as well as your own router.

• If you opt out of hosting a hotspot, you can still use others’ Xfinity Wi-Fi hotspots with your Comcast login.

• The additional capacity for public hotspot users is provided through a separate channel on the modem called a “service flow,” according to Comcast. But the speed of the connection reflects the tier of the subscriber hosting the hotspot. For example, if you connect to a hotspot hosted by a home user with a 25-Mbps connection, it will be slower than if you connect to a host system on the 50-Mbps tier.

• I asked Spencer Kurn, analyst and partner with New Street Research, whether Comcast Internet subscribers may be liable for illegal activities conducted by people using the hotspot associated with their accounts. Kurn said no, any more than Starbucks is liable for illicit behavior by the customers who use its in-store hotspots.

You can get more information at Comcast’s FAQ for Xfinity Wi-Fi.

Update: Comcast has turned on the first 50,000 residential hotspots.
http://blog.seattlepi.com/techblog/2...ot/#24139101=0





Cisco: Broadband Providers Should Not Treat All Bits the Same

The US FCC's net neutrality rules need to make room for some traffic management, the company says
Grant Gross

All bits running over the Internet are not equal and should not be treated that way by broadband providers, despite net neutrality advocates' calls for traffic neutral regulations, Cisco Systems said.

A huge number of Internet-connected devices with a wide variety of traffic requirements, including billions of machine-to-machine connections, will come online over the next four years, Cisco predicted in its Visual Networking Index Global Forecast and Service Adoption, released Tuesday.

"What we're seeing is a wide range and a very diverse range of devices, applications and requirements that results in a much greater complexity of the networks," said Robert Pepper, Cisco's vice president for global technology policy. "The Internet of everything is here, it's real, and it's growing."

Some Web-based applications, including rapidly growing video services, home health monitoring and public safety apps, will demand priority access to the network, while others, like most Web browsing and email, may live with slight delays, said Jeff Campbell, Cisco's vice president for government and community relations.

"We really have a multiplicity of applications and services that are now running across the network, some of which require dramatically different treatment than others," he said.

Some net neutrality advocates have objected to U.S. Federal Communications Commission Chairman Tom Wheeler's proposed rules that would allow broadband providers to engage in "commercially reasonable" traffic management.

Cisco has long called on the FCC to allow broadband providers to manage their traffic. "It's going to be more and more important to manage the traffic on the network in a way that does not treat all bits the same," Campbell said. "Different bits do matter differently. We need to ensure that we have a system that allows this to occur."

It's important that the FCC ensure an open Internet, but it's also important that "we have a robust network," Campbell said. The FCC should allow broadband providers to maintain quality of service "to ensure that some applications will run properly and effectively on the Internet," Campbell said. "That means using the intelligence of the network to ensure that those bits receive the quality of service they need."

In addition to a rapidly expanding number of devices connected to the Internet, peak time traffic will increase faster than average network traffic, putting a strain on broadband providers and driving demand for traffic management, Cisco said.

Matt Wood, policy director at digital rights group Free Press, questioned Cisco's conclusions about net neutrality. In some cases, applications needing priority traffic may not run on the public Internet, where net neutrality rules would apply, he said. For example, many machine-to-machine applications may run on spectrum set aside for them, he said.

"Even if [applications] do use the open Internet, do they in fact need priority to function?" Wood added by email. "Or do Cisco and the ISPs just want to make a buck by selling priority?"

Some Cisco predictions of Internet traffic, including predictions of a video-driven "exaflood" haven't panned out, Wood said.

"What expertise [Cisco's past predictions] give them in assessing the supposed need for the company's own proprietary deep packet inspection and priority routing tools, I certainly don't know," he said.

Some predictions from Cisco's latest report:

-- Global IP traffic will increase by a 21 percent compound annual growth rate between 2013 and 2018, from 51 exabytes a month to 132 exabytes per month.

-- U.S. IP traffic will grow by a 20 percent compound annual growth rate, despite the fact that most U.S. residents are already online. That growth will be driven by new devices, including tablets and Web-connected high-definition television sets, Cisco said.

-- IP video will be 79 percent of all IP traffic by 2018, up from 66 percent in 2013.

-- Machine-to-machine devices, while having relatively small traffic demands, will make up 47 percent of the IP-connected devices in the U.S. in 2018, compared to just 25 percent in 2013. There will be 7.3 billion connected M2M devices worldwide by 2018.

-- Wi-Fi and mobile-connected devices will generate 61 percent of IP traffic by 2018, with Wi-Fi at 49 percent and traditional cellular at 12 percent. Wi-Fi's percentage was 41 percent, cellular was 3 percent and fixed broadband was 56 percent in 2013.

-- By 2018, there will be nearly 21 billion global network connections, up from about 12.4 billion connections in 2013.

-- Global broadband speeds will reach 42Mbps by 2018, up from 16Mbps at the end of 2013.
http://www.computerworld.com.au/arti...all_bits_same/





Cable Companies Duped Community Groups Into Fighting Net Neutrality
Daniel Cooper

Last week, it transpired that the big cable companies were bankrolling fake consumer groups like Broadband for America and The American Consumer Institute. These "independent consumer advocacy groups" are, in truth, nothing of the sort, and instead represent the interests of their benefactors in the fight against net neutrality. If that wasn't bad enough, VICE is now reporting that several of the real community groups (oh, and an Ohio bed-and-breakfast) that were signed up as supporters of Broadband for America were either duped into joining, or were signed up to the cause without their consent or knowledge.

For instance, TalkingWithHeroes, a veterans organization, was listed as a member, but its head hadn't even heard of net neutrality, and insisted that they remain nonpolitical. Another, the Ohio League of Conservation Voters was unaware of Broadband for America until it discovered that it was listed as an official supporter. A third, the Texas Organization of Rural and Community Hospitals did sign up, but said that it had been duped, because it believed that Broadband for America was a cause promoting broadband installation in rural areas. The list of supposed members stops making sense when you read that Buster's Auto Art and Summitville Tile and Roofing are, for some reason, members of an anti-net neutrality campaign group.

VICE has also discovered that Broadband for America, which describes itself as a consumer group, is actually run by a lawyer who supported Verizon's lawsuit against the FCC. Former senator John Sununu, who co-chairs the organization, can't really present himself as being nonpartisan, since he himself currently has a seat on Time Warner Cable's board. Then there's Beneva Shulte, another leading figure at BfA, who just happens to be tied up with a lobbying firm that represents Verizon in the capital. We'll leave you to draw your own conclusions, of course, but it's probably worth saying that both Engadget and AOL do not endorse Broadband for America, just in case you see our names pop up somewhere they shouldn't.
http://www.engadget.com/2014/06/11/m...-astroturfing/





Official FCC Blog

Removing Barriers to Competitive Community Broadband
Tom Wheeler

If any city understands the power of networks to drive economic growth, it’s Chattanooga, Tennessee.

Chattanooga’s proximity to the Tennessee River – a natural network – fueled its initial growth. When the railroad network arrived in the mid-19th century, Chattanooga became a boom town. The railroad allowed raw material to flow into the area and finished products to flow out to markets around the country – making Chattanooga an industrial powerhouse.

Yesterday, I had the opportunity to meet with Chattanooga Mayor Andy Berke, and when it comes to networks driving economic growth in Chattanooga, past is prologue.

Mayor Berke and the city’s leaders recognized that today’s high-speed broadband networks will be the indispensable platform for tomorrow’s economic growth and the jobs of the future. That’s why Chattanooga invested in building out one of the nation’s most robust community broadband networks.

The network was partly built out of necessity. Local phone and cable companies chose to delay improvements in broadband service to the Chattanooga area market. Without faster networks, Chattanooga residents were at risk of finding themselves on the wrong side of the digital divide, bypassed by the opportunities high-speed connectivity enables.

Chattanooga’s investment in community broadband has not only helped ensure that all its citizens have Internet access, it’s made this mid-size city in the Tennessee Valley a hub for the high-tech jobs people usually associate with Silicon Valley. That’s because Chattanooga’s networks deliver gigabit-per-second speeds, removing bandwidth as a constraint on innovation. Businesses have responded. Amazon has cited Chattanooga’s world-leading networks as a reason for locating a distribution center in the area, as has Volkswagen when it chose Chattanooga as its headquarters for North American manufacturing.

Smaller businesses such as Claris Networks, Co.Lab, EDOps, and Lamp Post Group relocated to the city, and Chattanooga is also emerging as an incubator for tech start-ups. Mayor Berke told me people have begun calling Chattanooga “Gig City” – a big change for a city famous for its choo-choos.

Ironically, Chattanooga is both the poster child for the benefits of community broadband networks, and also a prime example of the efforts to restrict them.

Tennessee is one of many states that have placed limits on the deployment of community networks. Tennessee’s law is restricting Chattanooga from expanding its network’s footprint, inhibiting further growth. The mayor told me how adjoining communities have asked to join the network, but cannot also be served by a simple extension of the broadband network because of the state law. In some of these communities, there is no available broadband service whatsoever. Commercial broadband providers can pick and choose who to serve based on whether there is an economic case for it. On the other hand, Mayor Berke told me that Chattanooga believes that it has a duty to ensure that all of its citizens have affordable broadband Internet access.

I understand that, like any venture, community broadband hasn't always been a success everywhere. But a review of the record shows far more successes than failures. If the people, acting through their elected local governments, want to pursue competitive community broadband, they shouldn't be stopped by state laws promoted by cable and telephone companies that don't want that competition.

I believe that it is in the best interests of consumers and competition that the FCC exercises its power to preempt state laws that ban or restrict competition from community broadband. Given the opportunity, we will do so.

The facts speak for themselves: competition works – when it is allowed to. Throughout the country where we have seen competitive broadband providers come in to a market, prices have gone down and broadband speeds have gone up. No wonder incumbent broadband providers want to legislate rather than innovate.

Removing restrictions on community broadband can expand high-speed Internet access in underserved areas, spurring economic growth and improvements in government services, while enhancing competition. Giving the citizens of Chattanooga and leaders like Mayor Berke the power to make these decisions for themselves is not only the right thing to do; it’s the smart thing to do.
http://www.fcc.gov/blog/removing-bar...nity-broadband

Until next week,

- js.


Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black