P2P-Zone  

Go Back   P2P-Zone > Peer to Peer
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Peer to Peer The 3rd millenium technology!

Reply
 
Thread Tools Search this Thread Display Modes
Old 18-11-15, 08:09 AM   #1
JackSpratts
 
JackSpratts's Avatar
 
Join Date: May 2001
Location: New England
Posts: 10,013
Default Peer-To-Peer News - The Week In Review - November 21st, '15

Since 2002



Volume XIV, Issue Number I






























"It’s a wretched yet predictable ritual after each new terrorist attack: Certain politicians and government officials waste no time exploiting the tragedy for their own ends. The remarks on Monday by John Brennan, the director of the Central Intelligence Agency, took that to a new and disgraceful low." – The New York Times


"Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout. I couldn’t possibly think of a worse combination for a safe messenger." – The Grugq






































November 21st, 2015




Small Australian ISP Threatened with Legal Action Under New Site-Blocking Laws
Will Ockenden

A small Australian ISP has received a demand that it block access to an overseas website or face legal action in the Federal Court.

If the case goes ahead, it would be the first time Australia's site-blocking laws would be used and tested in court.

Law firm Moray and Agnew, acting for construction firm Simonds Homes, sent the legal demand last week, giving the ISP seven days to block the website.

The website is CHM Constructions (chmconstructions.com), which Moray and Agnew said was "infringing on Simonds' rights".

"We consider it to be incumbent upon you, as an internet service provider, to cease providing access to an online location outside Australia, the primary purpose of which is to facilitate the infringement of copyright," the letter demands.

It is understood that the ISP in question, which has only few thousand customers, has not blocked access to the website.

Moray and Agnew said failure to restrict access could result in a legal escalation.

"In the event that you fail to do so [block access to chmconstructions.com] ... Simonds is left with no option but to apply to the Federal Court pursuant to section 115A of the Copyright Act 1968."

It was widely assumed in the telecommunications industry that the first test of the laws would come from a major content rights holder like Foxtel.

The pay TV company said in August a site blocking case was likely "in the coming months".

To block or not to block, that is the question

Australia's site blocking laws came into effect in June.

They give rights holders the power to apply to the Federal Court to have foreign-based websites blocked, if the "primary purpose" of that website is to infringe copyright.

Before an injunction to block a website is granted, the Federal Court has to take into consideration a number of factors.

One condition is that the website is based overseas, which Moray and Agnew say chmconstructions.com is.

But the legislation also says the court must be satisfied that "the primary purpose of the online location is to infringe, or to facilitate the infringement of, copyright".

While the legislation does not define what constitutes a "primary purpose", the legislation's revised explanatory memorandum does explain it in more depth.

"The provision would only capture online locations that have the primary purpose of infringing copyright or facilitating the infringement of copyright," it said.

"This excludes online locations that are mainly operated for a legitimate purpose, but may contain a small percentage of infringing content."

Doesn't appear to be copyright related: Copyright Council

While the case has caused some concern in ISP circles, Fiona Phillips, the executive director of the Australian Copyright Council, said at first glance the case was not related to copyright.

"This case seems to be about trade marks or misleading and deceptive conduct, not about copyright," she said.

The CHM Construction website contains a Simonds Homes logo, and a link to its website, but Ms Phillips said that was probably not enough.

"This is a different issue that the Section 115A [legislation] was trying to address."

"To my knowledge there hasn't yet been any litigation around Section 115A, but once there is I assume ISPs, rights holders and the courts will have a better idea of how the legislation is supposed to work."

Letter shows possible 'unintended consequences' of site blocking laws

Internet Australia, the peak organisation representing internet users — many of whom run small ISPs — said the legal demand was an example of the unintended consequences warned about prior to the introduction of the law.

"Section 115 was introduced, with great fanfare, by the Abbott government as a means of dealing with so-called audio-visual 'piracy'," said Internet Australia's CEO Laurie Patton.

"The lawyers involved here appear to be using the provisions of 115 for a purpose for which it was not primarily designed, however lawful their actions may be.

"Ultimately an ISP will only be bound to act if a court orders it to do so.

"The problem for smaller ISPs is the potential costs involved in defending a matter like this and so they simply may not bother.

"The risk is that sites will be blocked without having been tested at law.

"So innocent sites could be victims of malicious actions, say, by competitors or aggrieved customers."

No one from Moray and Agnew, CHM Construction or Simonds Homes has responded to requests for comment.
http://www.abc.net.au/news/2015-11-1...lock-w/6955432





Charlotte Man Sentenced after Operating Second Largest File Sharing Site in U.S.
Nick Ochsner

A Charlotte man who operated a website that published pirated copies of songs and albums was sentenced to three years behind bars Tuesday.

Rocky P. Ouprsaith, 23, of Charlotte we sentenced by a federal judge in Norfolk, Va.

Ouprasith pleaded guilty to one count of copyright infringement in August.

According to prosecutors, Ouprasith operated RockDizMusic.com, the second largest online file sharing site in the United States, between May 2011 and October 2014. Prosecutors referred to the website as a ‘cyberlocker’.

Prosecutors alleged Ouprasith obtained the digital songs and albums from associates who uploaded the files to a separate website, RockDizFile.com.

Both websites were hosted on servers located first in France and, later, in Canada.

The US Attorney’s Office for the Eastern District of Virginia said this was the first criminal conviction for a cyberlocker operator in the United States.

The case was investigated by the United States Immigration and Customs Enforcement’s Homeland Security Investigations.

“Online piracy has a serious financial impact to business, which is felt at every level of a transaction – from the producer to the point-of-sales
clerk,” said Special Agent in Charge Clark E. Settles.

Prosecutors say the value of the pirated material published on Ouprasith’s website was more than $6 million.
http://www.wbtv.com/story/30540270/c...ing-site-in-us





Adele’s Album May Break Sales Records—Even Though It’s 2015
K.M. McFarland

2015 has been another dire year for the music industry in terms of high-profile album sales. Only one release thus far, Drake’s If You’re Reading This, It’s Too Late, has sold a million copies, and it took six months to do so. The only other record to go platinum in 2015 is Taylor Swift’s 1989—which came out last year.

But there’s a new contender in the wings, and if things go right it could upend everything conventional wisdom has been telling us about the music business. Adele’s highly-anticipated third album, 25, has a shot at breaking the all-time single-week sales record. Just to be clear: An album from 2015, a year where album sales are in the toilet and the industry is still freaking out about how to make streaming work as a viable business model, could be the fastest-selling record ever.

“Last year when Taylor Swift sold 1.3 million albums in her first week, everybody thought, ‘well that’s Taylor, she’s special, it’s her first pop record, she’s reaching a broader audience than ever,'” says David Bakula, senior vice president of industry insights for Nielsen Entertainment. “Lo and behold, along comes Adele. It’s one thing to talk about a million in sales, but just to know that people are actually mentioning [the sales record], it’s crazy.”

Wednesday, Billboard cited “insiders” who relayed that “Sony is projecting first-week CD sales of 1.5 million” which could pair with about 1 million in digital sales, 900,000 at Apple. iTunes has taken 450,000 digital preorders, while Amazon has pre-sold 100,000 physical and digital copies. That puts 25 in the realm of 2.5 million copies—just over the record-setting 2.415 million copies NSYNC’s No Strings Attached sold back in March 2000, before the digital music revolution destroyed the foundation of physical sales.

If those numbers seem over-inflated, then perhaps it’s time to revisit how successful 25’s first single “Hello” has been. It was the first single ever to top 1 million downloads in its first week. The video has been viewed over 400 million times on YouTube. And Adele’s previous album, 21, has sold 30 million units worldwide in four years. “21 has never been out of the top 200,” says Bakula. “This record is not only nothing like 21, it’s unlike anything we’ve seen in the past 15 years.” The singer has steered clear of the usual marketing strategies most current-day artist employ; she protects her vocal chords by not performing frequently, and she doesn’t engage with fans on social media. But the numbers don’t lie: a massive amount of people want to hear new Adele music—and more importantly, they’re willing to pay for it.

That’s why yesterday’s New York Times report that the album wouldn’t be made available on Apple Music, Spotify, or any other streaming service is so big. It’s a strategy pointedly aimed at boosting sales numbers to reach for NSYNC’s record, and 25 is uniquely positioned to do so. This album is being treated as a music industry messiah rescuing retailers everywhere, from independent record stores to big-box chains like Target—who have an exclusive edition that includes seven music videos. “Every time we see a change in the way music is consumed, people automatically just abandon the thought that albums could ever sell that quantity again,” Bakula says. “And then invariably a record comes out that completely blows away anything we thought could happen.”

But not everyone sees this as a unique victory. “I highly doubt that she’ll reach NSYNC’s sales plateau,” says Bob Lefsetz, author of influential music-industry blog The Lefsetz Letter. “But even if she meets it, who cares? It’s an old metric. That would be like counting how many phones Palm or Nokia sold, or how many floppy discs were sold.” To Lefsetz, the giant marketing push and sales frenzy around 25 represents a stark contrast to 21‘s long-tail success (30 million copies sold worldwide since 2011) and lasting cultural impact: “It’s pent-up demand. [Her] previous album was a step better than everything else in the marketplace. It became a phenomenon, ironically helped by credibility of leaving money on the table. This is a complete 180.”

This week’s Billboard chart saw a new-album showdown between One Direction and Justin Bieber, with the victor to be announced later today. It sounds like a clash of the titans, but even after weeks of jousting promotional campaigns and marketing gimmicks with digital partners like Lyft,their combined sales won’t add up to half of the projected numbers for Adele. Granted, a few outlier successes can’t save the whole industry—but 25 is the first straightaway industry success story to come along in a decade that doesn’t feel artificially trumped up to compete with the record-setting numbers of a pre-digital era. Refreshingly, Adele’s new album is genuinely inexplicable.
http://www.wired.com/2015/11/adele-r...setting-sales/





How Chemistry Is Rescuing Our Audio History from Melting
Katharine Gammon

Our cultural history is crumbling. Not because of bad education—though one might make that argument—but because of chemistry.

Between the late 60s and the late 80s, much of our culture—from the Nixon trials on television to unreleased music from famous artists like the Beatles—was recorded on magnetic tape, and this tape is starting to disintegrate. Some of the audio and visual data has already been safely adapted to digital storage, but the majority hasn’t—and it’s a problem of massive proportions.

The Cultural Heritage Index estimates that there are 46 million magnetic tapes in museums and archives in the U.S. alone—and about 40 percent of them are of unknown quality. (The remaining 60 percent are known to be either already disintegrated or in good enough condition to be played.)

What’s more, in only about 20 years we won’t be able to digitize them, according to audio and video preservationist George Blood, in Philadelphia. This is partly because digitization machines that can handle the tapes have ceased production. On Sept 30th, for example, Sony stopped taking orders for videotape machines, and in June 2015, the last audio reel-to-reel machine went out of production. Plus, the ones that already exist are wearing down—and parts to repair them are difficult to come by. And to add to this, the tapes themselves are degrading. Trying to digitally process these in studio-grade machines, for example, clogs the tape player heads, wrecking the very machinery that can digitize the tapes as stocks of them are dwindling.

The cause of tape disintegration is something called sticky shed syndrome, a result of the hydrolysis of esters. When ester, a compound that partly constitutes the polyurethane binder that holds a tape’s magnetic particles, combines with water, they form a carboxylic acid plus alcohol. The acid and alcohol make the tapes sticky and unplayable. This means that tapes stored in damp, humid climates—like so many of the unplayable 1960s jazz tapes filling attics in the South—are especially prone to disintegration. Audio engineers know the sound of sticky shed right away: The tapes squeak and squeal across the players.

Sticky shed tapes are not lost to the world forever, however. They can be baked in a low-temperature oven (about 100 degrees F) for eight hours or more. This often drains the water from the tape and can make it playable for a short while. However, baking tapes also makes them precariously brittle—so treating tapes of unknown quality isn’t a good idea.

But letting these tapes just disintegrate would be akin to idly watching millions of books fall into a pit of fire. So Steve Morgan, an analytical chemist at the University of South Carolina, and Eric Breitung, a senior research scientist at the Metropolitan Museum of Art in New York City, decided to help prevent that outcome. Since batches of tapes stored in the same conditions could be degrading at different rates—due to the different manufacturing techniques and materials used throughout the years by different brands—Morgan and Breitung needed a way to figure out which tapes are degrading the fastest to prioritize the arduous digitization efforts.

Before them, other researchers had employed infrared spectroscopy, a non-invasive technique, to assess the damage. It works by identifying various light absorption peaks, corresponding to changes in ester, carboxylic acid, and alcohol content—each absorbs light differently. However, this approach wasn’t totally reliable: Not only were the peaks not very different between playable and nonplayable tapes, making the level of degradation difficult to determine, but the sound engineers also had difficulty working with the tool.

To overcome these hurdles, they combined a laptop-sized infrared spectrometer with an algorithm that uses multivariate statistics to pick up patterns of all the absorption peaks (this kind of analysis is called chemometrics). As the tapes go through the breakdown reaction, the chemical changes give off tiny signals in the form of compounds, which can be seen with infrared light—and when the patterns of reactions are analyzed with the model, it can predict which tapes are playable. The sound engineers could use this, says Breitung. “We couldn’t have them analyzing spectra—it would take too long and the types of changes were too subtle.” Taking spectra samples at 20 different places along the tape, the researchers get a pretty good sense of the tape’s condition.

Letting these tapes just disintegrate would be akin to idly watching millions of books fall into a pit of fire

With their new device, they started surveying cultural institutions around the U.S. to find the most rapidly degrading tapes, and it turned out that the quarter-inch audiotape—first used in 1972—was the type of media that the institutions were most worried about saving.

In a test of 133 quarter-inch audiotapes belonging to the Library of Congress, containing various media, the researchers identified which ones were unplayable with 92 percent accuracy. They confirmed the results by listening to them. A report on the new tool and the researchers’ findings was published in August in the journal Analytical Chemistry.

Tape also isn’t the only aging media in museum collections. For Gene DeAnna, head of the Library of Congress’s Recorded Sound Section, it’s the worsening state of lacquer discs that keeps him up at night. The problem with lacquer discs, which were used to record sound in the 1930s, first by movie studios and then by radio stations, is basically the same with magnetic tape. Even “if they are properly stored,” says DeAnna, “they start to break down.”

One batch of lacquer discs that has records of radio dispatches from World War II has been particularly challenging to digitize. Many radio stations had switched to using discs manufactured with a glass base instead of the typical aluminum base, since aluminum was in demand for the war effort. Glass discs are even more fragile. But a physicist at Lawrence Berkeley National Laboratory, with the help of some students, developed a machine to record the dispatches without having to touch the discs. Called IRENE—an acronym for Image Recover Erase Noise, Etc.—it takes a high-resolution digital image of the disc using a beam of light and translates it into a digital file.

DeAnna thinks this technology could transform the science of archives. Instead of making a copy of an original, and then a copy of that copy—and losing a bit of fidelity each time—IRENE offers the possibility of capturing the audio in its original state.
As opposed to making a copy and having the quality decrease, says DeAnna, “for the first time audio archivists can start thinking about preserving the object as an image of the grooves.”
http://nautil.us/blog/how-chemistry-...y-from-melting





Comcast’s Stream TV Service is Sparking a Controversy Over the Future of the Internet
Brian Fung

It turns out that Comcast's new video app, Stream TV, comes with a big asterisk: If you have access to the service and you are one of the growing number of customers who has to abide by Comcast's 300 GB monthly data cap, Stream TV won't count against it. In essence, you'll be able to watch as much Stream TV as you want and never hit your limit.

While "unlimited" may sound enticing, critics are seizing on the program as a potential violation of net neutrality — the rules passed by the federal government earlier this year that seek to prevent Internet providers from unfairly favoring some online content, including their own, over that of others. If big cable and telecom companies were allowed to do this, they could unfairly crush competitors and make it hard for consumers to get rival services from Netflix or a start-up, these critics worry.

But, likely to the alarm of net neutrality advocates, the government's rules might not even apply to Stream TV — and that's exactly how Comcast hopes regulators will see it.

"This is a cable video service" not cable Internet service, said Comcast spokesperson Lisa Scalzo Thursday.

That might seem like a meaningless distinction, but it could make all the difference. That's because the government's net neutrality rules only cover some digital communications, while leaving other types out. If Comcast can successfully argue its point, then the FCC may be unable to bring its net neutrality rules to bear against Stream TV, even if it might want to.

Comcast isn't the only one that offers unlimited consumption of streaming content. T-Mobile offers a streaming music program called Music Freedom and a suite of channels such as HBO, Netflix, ESPN and others called Binge On. Both of these offerings don't count against customer data caps. But these programs are covered by net neutrality rules because consumers access the content through broadband connections on their smartphones and tablets (while Stream TV is different, Comcast says; more on that in a bit).

Streaming services that sign on with T-Mobile's program get a huge potential benefit. Anybody who doesn't, gets hurt. This idea — the company that provides the data also shapes what consumers see — is what the net neutrality rules are designed to prevent.
T-Mobile chief executive John Legere has said that Binge On and Music Freedom are "highly net-neutrality friendly."

But if regulators allow such tactics to continue, it'll tilt the Internet to benefit large, established companies, argues Harvard University scholar Susan Crawford. That's why Crawford says the FCC shouldn't allow T-Mobile or Comcast to continue down this route.

On Thursday, FCC Chairman Tom Wheeler said he'd watch T-Mobile closely but that its exemption tactics didn't immediately appear to violate the net neutrality rules' key provisions.

"It's clear in the open Internet order that we said we are pro-competition and pro-innovation," Wheeler said. "Clearly, [T-Mobile's Binge On] meets both of those criteria: It's highly innovative and highly competitive."

Shannon Gilson, an FCC spokeswoman, added later that the agency is still "working to make sure it understands the new offering."

But when asked for Wheeler's views on Comcast's Stream TV, the FCC declined to comment. (There's nothing nefarious about this in itself; it's possible that the agency simply needs more time to analyze the situation.)

Even though critics see Comcast and T-Mobile as part of the same problem, there are some key differences that may lead to different outcomes. Comcast's Internet service is covered by the government's net neutrality rules. But Stream TV, Comcast says, runs over a separate part of the cable running into your house and falls under regulations that deal with cable television. And this could mean that the government will not be able to regulate Stream TV with its net neutrality rules, which are primarily aimed at Internet service.

Consumer advocates say that Comcast doesn't deserve to label Stream TV a cable video service that is exempt from net neutrality rules. If subscribers are able to watch Stream TV from outside the home, such as at WiFi hotspots, then it does indeed travel over the Internet.

"If this is a cable service, than every video online could be considered a cable service, and that's clearly not true," said Matt Wood, policy director at Free Press. "It's not something that is solely accessible through the Comcast wire."

What this back-and-forth shows is some of the deep questions facing the cable industry as it tries to adapt to an Internet future.
https://www.washingtonpost.com/news/...et-neutrality/





Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses
Steve Ragan

The Xfinity Wi-Fi service from Comcast is disclosing the full name and home address of residential customers, which is something the company says isn’t supposed to happen.

The disclosure of such information increases an already exposed attack surface, by allowing anyone with malicious intent to selectively target their marks.

It has been just over two years since Comcast launched the Xfinity Wi-Fi service, which created a separate wireless network in homes and businesses for existing customers and the general public.

This network, often identified with an SSID of “xfinitywifi” is supposed widen the availability of Wi-Fi access for customers, and it is sometimes pitched as a security measure, since customers with Xfinity Wi-Fi enabled can let visitors use the guest network, thus keeping the primary Wi-Fi password a secret.

There were two issues that immediately cropped up when this service was initiated, physical security and accountability.

The physical security concern existed because customers didn’t want their names and home addresses to appear in the public Xfinity Wi-Fi search results. Comcast addressed that fear in the media and public FAQs informing customers that only business information would be shared – customer names and home addresses would not appear on the map.

But the problem is, names and addresses were listed, and they're still being displayed in the search results when someone searches for an Xfinity Wi-Fi hotspot.

The following composite image shows residential customers with Xfinity Wi-Fi enabled. They are all in the same town, in the same state, and according to a public records search – none of them have ever been registered as a business. Please note: This image has been redacted by Salted Hash to remove the customer's last name, address, and the map markers which might identify their location.

Clearly this is an error on Comcast’s part, and when Salted Hash last spoke to Comcast about these customers, the representative said they would look in to it.

“I can confirm that our policy is to only include addresses of small business Wi-Fi hotspot locations and of outdoor/public/shopping district hotspot locations,” a Comcast spokesperson explained via email when asked about the information disclosure.

Again, as this article was being written, the customer information was still available via the Xfinity Wi-Fi website as well as the mobile app provided by Comcast.

Having a name and address exposed might not seem like a big deal to some, as its public information. However, this is data that Comcast isn’t supposed to be sharing, and as mentioned, it’s also something the company stated rather clearly that they wouldn’t share.

A criminal, armed with little more than the Comcast Xfinity application and a laptop, can pull enough public information to selectively target a person within minutes.

A person’s full name and address, along with the city and state, can be used to pull mortgage documents, which in turn often reveal banking details. With those records combined, a criminal could develop a targeted Phishing campaign aimed at financial gain. Or worse, they could use the information to develop a new ID and attempt to get loans in their victim’s name.

What Comcast’s mistake has done is open the door to a level of exposure that most people don’t consider. Again, a person’s name and address are public record, but no one expects their Internet provider to provide it to the masses complete with a link to “get directions to this location.”

Another level of exposure centers on accountability.

Comcast customers, when the Xfinity Wi-Fi service came online, worried that criminals would use their shared wireless access to commit crimes, leaving the customer taking the fall.

Comcast, in a statement to Salted Hash, said that each user must sign-in with an email address and the device’s MAC address is also logged. Moreover, there are two IP addresses in use on the Xfinity Wi-Fi service, one for the homeowner and one for the hotspot (guest account). Thus, it’s possible for Comcast to tell who was doing what, which should make residential customers feel at ease - since a criminal can't use the service for illegal activities while leaving them on the hook.

Only, that isn’t exactly true.

Comcast says that all usage is tied to the account holder and the MAC address of their device. For non-customers, or those that use the guess access offered by the Xfinity Wi-Fi service, their usage is tied to their email account and the MAC address of the registered device.

Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device’s MAC address as a key component of authentication. He made this discovery while doing a bit of digging on his system for research unrelated to this story.

Smith says that Wireshark captures and wireless logs makes it appear that Comcast stores the user’s MAC address in a database the first time a device is connected (where the user is presented with a request to provide Comcast login).

Once that initial login and registration is done, the next time the user is near an ‘xfinitywifi’ hotspot, they’ll auto-associate with access point with a password of “password” and a check to confirm that the MAC address on the device matches the one previously stored in the database. If that happens, access is granted. Comcast’s documentation supports Smith’s findings.

Auto-association is generally a bad way to deal with Wi-Fi access, but it’s also the most common form of access used. This issue isn’t new either, security experts have warned against trusting auto-associated hotspots for years.

In 2014, Greg Foss at LogRhythm discussed the issue of Xfinity Wi-Fi auto-association, and how a criminal could imitate the “xfinitywifi” SSID to trick Comcast customers into handing over their usernames and passwords.

A criminal that’s armed with legitimate Comcast usernames and passwords could exploit verification process the Xfinity Wi-Fi hotspot, because if the MAC address doesn’t match, they can authenticate and register a new one using the stolen credentials.

Foss developed some scripts to mimic a Comcast login page that could be used with a WiFi Pineapple from Hak5. Those scripts were later removed from their official hosting point, but they’re still freely available for anyone who wanted to look for them.

Another way to exploit the verification process would be to scan the wireless traffic near an Xfinity Wi-Fi hotspot and make note of the MAC addresses that are using the network. From there, the criminal could spoof the MAC address on their device and connect automatically using one of the previously authenticated ones.

In some cases, the criminal could connect as the customer by spoofing the homeowner's MAC address, which would leave them on the hook for any additional acts taken on the compromised account.

Comcast has taken some steps to secure the Xfinity Wi-Fi service recently, but their efforts have actually created a new problem.

Apple and Android users can download a new security application for Xfinity Wi-Fi (it isn’t available for Windows users) that will create a secure profile and protect their wireless sessions.

However, researcher Ken Smith discovered that the process of developing the secure profile on the device downloads a file (XFINITY.mobileconfig) containing the Xfinity Wi-Fi login name (often user@comcast.net) and password in clear text.

Comcast discourages customers from disabling the Xfinity Wi-Fi hotspot service. Their support page explains why:

“We encourage you to keep your XFINITY WiFi Home Hotspot feature enabled as it allows more people to enjoy the benefits of XFINITY WiFi and you will no longer need to provide your private XFINITY WiFi home network password to guests.”

Again, they drop hints that this service has security benefits. It doesn’t, and for some customers the service created additional risk by exposing their names and home addresses, as well as relying on technical controls that can be defeated with a bit of time and a small amount of effort.

Instructions on how to disable Xfinity Wi-Fi are online.
http://www.csoonline.com/article/300...addresses.html





GQ Publisher in Contempt of Court with Phone-Hacking Article

Condé Nast published magazine article that risked prejudice to trial of Rebekah Brooks and Andy Coulson, judges rule
Josh Halliday

The publisher of GQ magazine has been found guilty of contempt of court over a “very seriously prejudicial” article about the phone-hacking trial of Rebekah Brooks and Andy Coulson.

Condé Nast, the US publisher behind the magazine, was accused of publishing an article last year that could have “seriously impeded or prejudiced” the Old Bailey trial.

The article by the US journalist Michael Wolff, published during the trial last April, contained allegations that Rupert Murdoch, the owner of the now-defunct News of the World, was implicated in phone hacking, the high court in London was told.

The feature also included claims that had not been put before the trial jury, including that Brooks had received a £10.8m settlement from Murdoch.

Condé Nast is facing a large fine after the judges – the lord chief justice, Lord Thomas of Cwmgiedd, and Mrs Justice Nicola Davies – ruled that the article clearly created “a substantial risk” that the trial of Brooks, Coulson and other employees of the newspaper “would be seriously impeded or prejudiced”.

In a ruling handed down on Wednesday, Thomas said: “Prior to the Contempt of Court Act 1981, publication of an article that pre-judged the outcome would generally have been treated as a contempt. The provisions of section 2(2) (as developed in the case law) provide for a step-by-step analysis which protects the freedom of the press and balances the public interest in ensuring a fair criminal trial.

“On that analysis, it is in my view clear that the article published in the April 2014 issue of GQ created a substantial risk that the course of justice in the trial of R v Edmondson and others would be seriously prejudiced or impeded. Condé Nast therefore breached the strict liability rule and was therefore in contempt of court.”

Thomas said a hearing would be held at a future date to decide on the penalty that should be imposed – including a potentially “unlimited” fine.

One senior legal source suggested the fine might be around £10,000 – a punishment described by Thomas in a separate contempt of court case in 2012 as “the very bottom end of the scale” – but pointed out that the article had not caused the trial to be halted or abandoned.

The article was trailed on the front cover of the April issue of GQ under the headline: “Hacking exclusive! Michael Wolff at the trial of the century.” Inside, the article was printed under a large picture of Brooks and titled: “The court without a king.”
Brooks, who was reinstated as News UK chief executive in September, expressed surprise when Wolff attended the trial shortly after it began. She was eventually cleared of all charges, but told journalists outside the courtroom that she was irritated about the article, which she felt was sexist. She said passages written about her in Wolff’s article would never have been written about a man.

The attorney general, Jeremy Wright QC, said the GQ article “went against the most fundamental principle of our criminal justice system – namely that everyone is entitled to a fair trial”.

Wright said the piece had the potential to interfere with the administration of justice. He told the Guardian: “I want to make it very clear that these actions are only ever used in order to protect the integrity of the judicial process and to remove the risk of jurors being influenced by external issues.

“My role involves both defending the freedom of the press as well as protecting the fair administration of justice. There is a delicate balance to be struck between the right to voice opinions publicly with the equally important need to ensure fairness in the justice system. In this role, I do not act as a member of the government but rather as ‘guardian of the public interest’.”

According to the high court ruling, the GQ editor, Dylan Jones, initially believed that the article could not be published until after the trial due to concerns it could be prejudicial. However, after taking legal advice, Jones decided to publish it. The article was immediately raised to the phone-hacking trial judge, Mr Justice Saunders, and referred to the lord chief justice by the attorney general.

Andrew Caldecott QC, for the attorney general, told the high court in July that there was a clear implication in the feature that lawyers for Brooks and Coulson had a “hidden agenda” of protecting Murdoch’s interests and concealing his involvement in phone hacking.

Adrienne Page QC, for Condé Nast, argued that the article had not created a substantial risk of serious prejudice. It was “a highly subjective, personal and impressionistic sketch based upon the experience of visiting the trial courtroom”, she said. It combined “commentary, opinion, speculation and whimsy” and “toys with possibilities, rather than makes assertions”.

It was difficult to state unequivocally what the author was trying to convey “beyond revealing his personal contempt for the Murdoch empire and his own history of those who have been engaged in its service”, Page said.

However, the judges concluded: “I am left in little doubt that the effect of the article read as a whole was very seriously prejudicial.

“I cannot accept the submission advanced by Condé Nast that the article was riddled with ambiguity and lacking in identifiable assertions or that it was difficult to search for its meaning.

“On the contrary, it plainly implied that Mr Rupert Murdoch was a participant in the phone hacking, that the defendants must have been aware of the phone hacking, that the defence was being funded by him and conducted on the defendants’ instructions so as to protect his interests, but in a way that might also secure their acquittal.

“It was not mere comment or observation, but an article that made the clear implications about Mr Rupert Murdoch, Mrs Brooks and Mr Coulson I have set out.”

The Daily Mirror was fined £50,000 and the Sun £18,000 in 2011 for contempt of court for their coverage of the arrest of Christopher Jefferies, who was later released without charge in the Joanna Yeates murder case. Vincent Tabak was found guilty of her murder in October 2011.

The following year, the Daily Mail and Daily Mirror were fined £10,000 each over their coverage of Levi Bellfield’s conviction for the murder and abduction of Milly Dowler.
http://www.theguardian.com/uk-news/2...brooks-coulson





I'm 15 and I Can't Look Up from My Phone
Ruby Karp

I’m at a party hanging out with my friends. We are all heads down on our phones, until one of us pulls out Snapchat to take a group photo. We all fix our hair, pose, inspect the picture — then go back to complete silence with our devices.

Welcome to the teen generation.

As I’ve grown older, I have noticed that social events aren’t so social anymore. Our generation as a whole can’t seem to function without making sure everything is photographed. We have stopped living in the moment because it isn’t a moment for us until it is captured.

Our generation seems to have passed the point of having fun without documenting it.

As much as our elders tell us to delete these time-consuming, life-sucking apps, we don’t.

I’ve had various friends who have been wise enough to stay off social medias like Snapchat, Instagram and Facebook. Some aren’t on anything! But for those of us who are, we can’t delete and break free. Once we are on it, we don’t want to miss out on what we are losing once we get off it: access to other people’s moments, even if we aren't a part of them.

In the middle of a meal or a conversation, I can’t ever seem to resist the urge to pull my phone out and refresh my feed or text someone new. This is not because I'm part of a “sad” generation, due to our technology-based actions. It's not because I don’t know how to be social without my phone. This is my natural instinct in moments of awkwardness or boredom. When I don’t know what to say next, I check my phone.

Some say that my generation does this because we don’t know what to say. I completely agree. We pull out of phones out of discomfort, as a distraction to comfort ourselves about the weirdness of the situation.

I once read an article by a woman who said she would never go on a date with someone who pulled out their phone in the middle of it. For my generation, I fear this rule may have to be terminated. Most people I know can’t go longer than 10 minutes without checking their phones at least once. Whether it be to check for a message that we know we didn’t receive or even to check the time, we are constantly tapping our screens.

When I was 13, I would go to my friends Bar/Bat Mitzvahs. It was crazy how many kids sat in the back texting on their phones — as one of their friends was becoming a man/woman!

We have seemed to forget when we are crossing the line of disrespectful and decent.

I don’t know how this is going to change. I don’t know if it is going to change. I don't know if it has to.

I do know that I go to sleepaway camp for nine weeks where there is no cellphone reception, and I love it. I know the appropriate time to put my phone away and start conversation.

And there's still hope. While it is sad that this behavior has become instinct, we are still kids. We — surprise! — go outside. We take breaks. We sleep.

Our generation has the reputation that we are consumed in technology. While that is completely correct, don’t forget that we are still kids. While technology is evolving, so are we. Hopefully soon someone will invent a robot that makes us stop texting at the dinner table.
http://mashable.com/2015/11/17/teens-obsessed-phones/





Author of Story Based on Leaks about Surveillance Parrots Brennan Condemning Leaks about Surveillance
Marcy Wheeler

Josh Rogin is among many journalists who covered John Brennan’s complaints about how “a number of unauthorized disclosures”and hand-wringing about our surveillance capabilities this morning (which was a response to Rogin asking “what went wrong” in Paris in questions).

But Brennan also said that there had been a significant increase in the operational security of terrorists and terrorist networks, who have used new commercially available encryption technologies and also studied leaked intelligence documents to evade detection.

“They have gone to school on what they need to do in order to keep their activities concealed from the authorities,” he said. “I do think this is a time for particularly Europe as well as the U.S. for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence services to protect the people that they are asked to serve.”

The FBI has said that Internet “dark spaces” hinder monitoring of terrorism suspects. That fuels the debate over whether the government should have access to commercial applications that facilitate secure communications.

Brennan pointed to “a number of unauthorized disclosures” over the past several years that have made tracking suspected terrorists even more difficult. He said there has been “hand wringing” over the government’s role in tracking suspects, leading to policies and legal action that make finding terrorists more challenging, an indirect reference to the domestic surveillance programs that were restricted after leaks by Edward Snowden revealed their existence.


I find it interesting that Rogin, of all people, is so certain that this is an “indirect reference to the domestic surveillance programs that were restricted after leaks by Edward Snowden revealed their existence.” It’s a non-sensical claim on its face, because no surveillance program has yet been restricted in the US, though FBI has been prevented from using NSLs and Pen Registers to bulk collection communications. The phone dragnet, however, is still going strong for another 2 weeks.

That reference — as I hope to show by end of day — probably refers to tech companies efforts to stop the NSA and GCHQ from hacking them anymore, as well as European governments and the EU trying to distance themselves from the US dragnet. That’s probably true, especially, given that Brennan emphasized international cooperation in his response.

I’m also confused by Rogin’s claim Jim Comey said Tor was thwarting FBI, given that the FBI Director said it wasn’t in September.

Even more curious is that Rogin is certain this is about Snowden and only Snowden. After all, while Snowden’s leaks would give terrorists a general sense of what might not be safe (though not one they tracked very closely, given the Belgian Minister of Home Affair’s claim that they’re using Playstation 4 to communicate, given that one of Snowden’s leaks said NSA and CIA were going after targets use of gaming consoles to communicate at least as early as 2008).

But a different leak would have alerted terrorists that their specific communications techniques had been compromised. The leak behind this story (which was a follow-up on leaks to the NYT, McClatchy, and WaPo).

It wasn’t just any terrorist message that triggered U.S. terror alerts and embassy closures—but a conference call of more than 20 far-flung al Qaeda operatives, Eli Lake and Josh Rogin report.

The crucial intercept that prompted the U.S. government to close embassies in 22 countries was a conference call between al Qaeda’s senior leaders and representatives of several of the group’s affiliates throughout the region.

The intercept provided the U.S. intelligence community with a rare glimpse into how al Qaeda’s leader, Ayman al-Zawahiri, manages a global organization that includes affiliates in Africa, the Middle East, and southwest and southeast Asia.

Several news outlets reported Monday on an intercepted communication last week between Zawahiri and Nasser al-Wuhayshi, the leader of al Qaeda’s affiliate based in Yemen. But The Daily Beast has learned that the discussion between the two al Qaeda leaders happened in a conference call that included the leaders or representatives of the top leadership of al Qaeda and its affiliates calling in from different locations, according to three U.S. officials familiar with the intelligence. All told, said one U.S. intelligence official, more than 20 al Qaeda operatives were on the call.

Al Qaeda leaders had assumed the conference calls, which give Zawahiri the ability to manage his organization from a remote location, were secure. But leaks about the original intercepts have likely exposed the operation that allowed the U.S. intelligence community to listen in on the al Qaeda board meetings.


That story — by Josh Rogin himself! (though again, this was a follow-up on earlier leaks) — gave Al Qaeda, though maybe not ISIS, specific notice that one of their most sensitive communication techniques was compromised.

It’s really easy for journalists who want to parrot John Brennan and don’t know what the current status of surveillance is to blame Snowden. But those who were involved in the leak exposing the Legion of Doom conference call (which, to be sure, originated in Yemen, as many leaks that blow US counterterrorism efforts there do) might want to think twice before they blame other journalism.
Tweet about this on Twitter22Share on Reddit
https://www.emptywheel.net/2015/11/1...-surveillance/





Metadata Surveillance Didn’t Stop the Paris Attacks

And yet intelligence officials and politicians are now saying it could have. They’re wrong.
Marcy Wheeler

Since terrorists struck Paris last Friday night, the debate over whether encryption prevents intelligence services from stopping attacks has reignited. The New York Times and Yahoo reported on vague claims that the terrorists’ use of encryption stymied investigators who might have thwarted their plans. CIA Director John Brennan made equally vague comments Monday morning, warning that thanks to the privacy protections of the post-Snowden era, it is now “much more challenging” for intelligence agencies to find terrorists. Jeb Bush piled on, saying that the United States needs to restore its program collecting metadata on U.S. phone calls, even though that program won’t be shut down until the end of this month.

Following a terrorism incident as shocking as the Paris attacks, it is no surprise that politicians and the intelligence establishment would want to widen American spying capabilities. But their arguments are conflating the forest—bulk metadata collection—and the trees: access to individual communications about the attack. To understand why that's the case, start with this tweet from former NSA and DHS official Stewart Baker: “NSA’s 215 program”—and by association the far larger metadata dragnet of which the domestically focused phone-metadata program is just a small part—“was designed to detect a Mumbai/Paris-style attack.”

Only it didn't.

The United States and United Kingdom’s metadata collection that focuses on the Middle East and Europe is far more extensive than the phone dragnet being shut down later this month, and its use has far more permissive rules. This dragnet is mostly limited by technology, not law. And France—which rewrote its surveillance laws after the Charlie Hebdo attack earlier this year—has its own surveillance system. Both are in place, yet neither detected the Nov. 13 plot. This means they failed to alert authorities to the people they should more closely target via both electronic and physical surveillance. In significant part, this system appears to have failed before it even got to the stage at which investigators would need to worry about terrorists’ use of encryption.

To understand why that’s true, it helps to understand how the metadata dragnet relates to surveillance of content as well as human spying.

In most public comments going back to the initial leaks from Edward Snowden (and in Baker’s tweet from the weekend), authorities have made a shaky claim: that the surveillance dragnet is “designed to detect” an attack like Paris. Based on that claimed purpose, their dragnets are failing.

But that claim was always an oversimplification. It oversold the importance of the dragnet, by itself, such that citizens might more willingly tolerate the collection of highly revealing personal details. Because it doesn’t include the actual content of our conversations, call metadata doesn’t seem especially intimate; if it’s the only thing authorities say they need to prevent a big terrorist attack, citizens might easily conclude that they’re fine with the government collecting it. But the claim also served to hide how quickly metadata analysis can lead to the reading of content.

The intelligence community has given us a more nuanced understanding of the purpose of the metadata dragnet, however, in a National Academy of Sciences paper on “Bulk Collection of Signals Intelligence” released earlier this year. President Obama asked for the paper in early 2014 to assess whether the intelligence apparatus could accomplish what it currently does with metadata dragnets (both those conducted in the U.S. and overseas) via more targeted data collection.

The NAS report measured the dragnet in terms of three functions:

• Contact chaining, which maps out networks of people based on whom they communicate or even spend time with.

• Identifying and keeping current all known identifiers (phone numbers, email addresses, device identifiers, IP addresses, Internet IDs) a person of interest uses. This is done, in part, by using algorithms to match up the communication patterns of different accounts.

• “Triaging” the identifiers collected to categorize the urgency of the threat to national security from the party associated with each one.

If the dragnet accomplishes its purpose, it will provide a fairly comprehensive picture of who is communicating or hanging out with whom, connect all the known communications identities of any given person (which is critical to developing a comprehensive picture of someone’s network and the communications tools he uses), and then use those pictures to identify who poses threats that should be followed more closely.

If the metadata dragnet works, that can happen even with encrypted communication.

It’s only through that process that authorities get around to actually reading content. Authorities will use the metadata dragnet, for example, to choose what content to keep from bulk content collection. It’s likely they’ll collect, but maybe not immediately read, communications that are one or two degrees of separation from identifiers of interest just in case it becomes interesting later. Importantly, the NSA will even keep encrypted communications that, because of their metadata, are of interest.

The metadata dragnet also helps the intelligence community decide whom to target in its bulky Section 702 PRISM collection, which last year affected more than 92,000 targets and everyone they communicated with. Here, rather than doing the bulk collection itself, the NSA capitalizes on the fact that much of the world uses American tech companies like Google and Facebook to conduct (and often, store) its online communications. So when the triaging process identifies new foreign identifiers that seem important, NSA can ask the tech companies to preserve and share on an ongoing basis everything that’s associated with that identifier, including more metadata. In most cases, NSA will get the content of communications those identifiers have, which they’ll read and store and pull up again in the future if a related identifier is involved.

There are a few exceptions where officials cannot get the contents of communications via PRISM because they’re encrypted at the user level, rather than server level. The most important of these exceptions are WhatsApp and iMessage (and the latter only if users have opted not to use Apple’s cloud to store their communications), as well as any communications users have encrypted on their own. The NSA can’t get this content from Facebook, Apple, or other providers, but it can get metadata, so for users of interest, surveilers should at least know who is communicating with whom as well as some other useful details about them, though not what they're saying.

For WhatsApp and iMessage users of interest, as well as those using their own encryption, the intelligence agencies will seek ways to bypass the encryption, often by hacking a user’s device or identifying his IP address and then accessing other devices or Internet accounts using that IP.

Importantly, however, it takes the triaging process or a particular event (like Friday’s attack) to identify users of such importance that the NSA will make the effort to conduct more targeted spying.

Finally, there’s old-fashioned physical surveillance and human intelligence, asking people to spy on others. As reflected by the CIA’s recent decision to add a digital innovation unit, even old-fashioned spying is increasingly guided and assisted by communications technology, both in identifying targets but also finding ways and information to compromise those targets. Numerous declassified reports make it clear the FBI uses the American phone dragnet to identify people who might make useful informants. (It also sometimes uses communications content to find intelligence they can use to coerce that cooperation.) Presumably, other intelligence services do the same.

For targets in a known location that are using very good communications security (by using encryption and ensuring their multiple identities cannot be correlated, not even with geolocation), physical surveillance of known targets (as several of the Paris perpetrators were by authorities) is always an option. The problem with that is it is very time- and labor-intensive—and because France and Belgium have so many potentially dangerous extremists, selecting whom would get that level of attention requires a very good combing process.

It all comes back to this triage, which is in significant part about how well the intelligence community uses that forest of metadata to pick whom it should target.

“Knowing who someone communicates with is metadata, not content, and most encrypted protocols (e.g. WhatsApp, Telegram, etc.) don’t change this,” Nicholas Weaver, a researcher at the International Computer Science Institute at UC–Berkeley explains. “In attempting to identify actual threat actors, ‘this person is communicating with ISIS’ is probably all you need to justify more intensive targeted actions, such as system compromise, that bypass any effects of encryption.”

There are a number of reasons why the dragnet might not work as planned. Some important metadata may be missing, perhaps even from the PlayStation 4 consoles some terrorists have used to communicate, which Belgium’s Interior Minister said has posed particular problems in the days before the attack. (Though there’s no evidence PS4s played a role in this attack.) Some metadata, especially that scraped from content, may be increasingly unavailable if the content itself is encrypted. When individuals keep their online identities rigorously separate, that too makes the dragnet less useful, as it makes it hard to identify a terrorist network. Finally, it may be that the triage process doesn’t always measure the importance of communications effectively.

In any case, news reports on the investigation into Friday’s attacks have suggested that some of the terrorists involved in the attack—even a figure identified as the possible planner—have had some of their communications analyzed already. If so, enough metadata was available to partially map out this network. If investigators know about these communications now, they could have known about them on Thursday, before the attack. And if they did, investigators might have been able to bypass whatever encryption the terrorists did use.

The terrorists who conducted Friday’s attack may well have been using encryption. But if so, it appears that the metadata dragnet failed well before agencies got to any encrypted communications.
http://www.slate.com/articles/techno...t_stopped.html





After Paris Attacks, Here’s What the CIA Director Gets Wrong About Encryption
Kim Zetter

It’s not surprising that in the wake of the Paris terrorist attacks last Friday, US government officials would renew their assault on encryption and revive their efforts to force companies to install backdoors in secure products and encryption software.

Just last month, the government seemed to concede that forced decryption wasn’t the way to go for now, primarily because the public wasn’t convinced yet that encryption is a problem. But US officials had also noted that something could happen to suddenly sway the public in their favor.

Robert S. Litt, general counsel in the Office of the Director of National Intelligence, predicted as much in an email sent to colleagues three months ago. In that missive obtained by the Washington Post, Litt argued that although “the legislative environment is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

With more than 120 people killed in Paris, government officials are already touting the City of Light as the case against encryption.

In the story about that email, another US official explained to the Post that the government had not yet succeeded in persuading the public that encryption is a problem because “[w]e do not have the perfect example where you have the dead child or a terrorist act to point to, and that’s what people seem to claim you have to have.”

With more than 120 people killed last week in Paris and dozens more seriously wounded, government officials are already touting the City of Light as that case. CIA deputy director Michael Morell said as much on CBS This Morning, suggesting that recalcitrant US companies and NSA whistleblower Edward Snowden are to blame for the attacks.

“We don’t know yet, but I think what we’re going to learn is that [the attackers] used these encrypted apps, right?,” he said on the show Monday morning. “Commercial encryption, which is very difficult, if not impossible, for governments to break. The producers of this encryption do not produce the key, right, for either them to open this stuff up or for them to give to governments to open this stuff up. This is the result of Edward Snowden and the public debate. I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris.”

CIA Director John Brennan said something similar at a security forum this morning.

“There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it,” he said. “And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve…. And I do hope that this is going to be a wake-up call.”

'Intel agencies are drowning in data... It's not about having enough data; it's a matter of not knowing what to do with the data they already have.' EFF Attorney Nate Cardozo

No solid information has come out publicly yet about what communication methods the attackers used to plot their assault.

On Sunday, the New York Times published a story stating that the Paris attackers “are believed to have communicated [with ISIS] using encryption technology.” The paper’s sources were unnamed European officials briefed on the investigation. It was not clear, however, “whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate,” the paper noted.

Twitter users harshly criticized the Times story, and it has since disappeared from the site (though it is archived) and the URL now points to a different story, with no mention of encryption.

A Yahoo news story on Saturday added to the theme, declaring that the Paris attacks show that US surveillance of ISIS is going dark. “Over the past year, current and former intelligence officials tell Yahoo News, IS terror suspects have moved to increasingly sophisticated methods of encrypted communications, using new software such as Tor, that intelligence agencies are having difficulty penetrating—a switch that some officials say was accelerated by the disclosures of former NSA contractor Edward Snowden.”

Numerous other news stories have suggested that attackers like the ones who struck Paris may be using something other than WhatsApp. According to the Daily Mail and others, authorities in Belgium, where some of the attackers were based, have found evidence that jihadis there have been using the PlayStation 4 network to recruit and plan attacks. A source told the paper that they are using it because “Playstation 4 is even more difficult to monitor than WhatsApp.” The sources didn’t indicate if they were speaking specifically about the Paris attackers or about other jihadis in that country. But the fallacy of these statements has already been pointed out in other stories noting that communication passing through the PlayStation network is not encrypted end-to-end, and Sony can certainly monitor communications passing through its network, making it even less secure than WhatsApp.

US Law enforcement and intelligence agencies have been warning for years that their inability to decrypt communication passing between phones and computers—even when they have a warrant or other legal authority to access the communication—has left them in the dark about what terrorists are planning.

But there are several holes in the argument that forcing backdoors on companies will make us all more secure. While doing this would no doubt make things easier for the intelligence and law enforcement communities, it would come at a grave societal cost—and a different security cost—and still fail to solve some of the problems intelligence agencies say they face with surveillance.

1. Backdoors Won’t Combat Home-Brewed Encryption.
Forcing US companies and makers of encryption software to install backdoors and hand over encryption keys to the government would not solve the problem of terrorist suspects’ products that are made in countries not controlled by US laws.

“There’s no way of preventing a terrorist from installing a Russian [encryption] app or a Brasilian app,” notes Nate Cardozo, staff attorney for the Electronic Frontier Foundation. “The US or UK government could mandate [backdoors], but Open Whisper Systems is not going to put in a backdoor in their product period and neither is PGP. So as soon as a terrorist is sophisticated enough to know how to install that, any backdoor is going to be defeated.”

Such backdoors also will be useless if terrorist suspects create their own encryption apps. According to the security firm Recorded Future, after the Snowden leaks, its analysts “observed an increased pace of innovation, specifically new competing jihadist platforms and three major new encryption tools from three different organizations—GIMF, Al-Fajr Technical Committee, and ISIS.” Encryption backdoors and keys also don’t help when terrorists stop using digital communications entirely. A 2011 AP story indicated that al-Qaida had long ago ditched cell phones and internet-connected computers in favor of walkie talkies and couriers.

News reports about the Paris attacks have indicated that some of the perpetrators lived in the same town in Belgium—which would have made it very easy to coordinate their attack in person, without the need for digital communication.

2. Other Ways to Get Information. The arguments for backdoors and forced decryption often fail to note the many other methods law enforcement and intelligence agencies can use to get the information they need. To bypass and undermine encryption, intelligence agencies can hack the computers and mobile phones of known targets to either obtain their private encryption keys or obtain email and text communications before they’re encrypted and after they’re decrypted on the target’s computer.

In the case of seized devices that are locked with a password or encryption key, these devices have a number of security holes that give authorities different options for gaining access, as WIRED previously reported. A story this week pointed to vulnerabilities in BitLocker that would make it fairly easy to bypass the Windows encryption tool. And the leaks of Edward Snowden that the NSA and British intelligence agencies have a constantly evolving set of tools and methods for obtaining information from hard-to-reach systems.

“We’re still living in an absolute Golden Age of surveillance,” says Cardozo. “And there is always a way of getting the data that is needed for intelligence purposes.”

3. Encryption Doesn’t Obscure Metadata. Encryption doesn’t prevent surveillance agencies from intercepting metadata and knowing who is communicating with whom. Metadata can reveal phone numbers and IP addresses that are communicating with one another, the date and time of communication and even in some cases the location of the people communicating. Such data can be scooped up in mass quantities through signals intelligence or by tapping undersea cables. Metadata can be extremely powerful in establishing connections, identities and locating people.

“[CIA] Director Brennan gleefully told us earlier this year that they kill people based on metadata,” Cardozo says. “Metadata is enough for them to target drone strikes. And that’s pretty much the most serious thing we could possibly do with surveillance.”

Some metadata is encrypted—for example, the IP addresses of people who use Tor. But recent stories have shown that this protection is not foolproof. Authorities have exploited vulnerabilities in Tor to identify and locate suspects.

“Tor can make the ‘where’ a little more difficult, but doesn’t make it impossible [to locate someone],” Cardozo says. “And Tor is a lot harder [for suspects]to use than your average encrypted messaging tool.”

4. Backdoors Make Everyone Vulnerable. As security experts have long pointed out, backdoors and encryption keys held by a service provider or law enforcement agencies don’t just make terrorists and criminals open to surveillance from Western authorities with authorization—they make everyone vulnerable to the same type of surveillance from unauthorized entities, such as everyday hackers and spy agencies from Russia, China, and other countries. This means federal lawmakers on Capitol Hill and other government workers who use commercial encryption would be vulnerable as well.

The National Security Council, in a draft paper about encryption backdoors obtained by the Post earlier this year, noted the societal tradeoffs in forcing companies to install backdoors in their products. “Overall, the benefits to privacy, civil liberties and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption,” the paper stated.

If all of these aren’t reason enough to question the attacks on encryption, there is another reason. Over and over again, analysis of terrorist attacks after the fact has shown that the problem in tracking the perpetrators in advance was usually not that authorities didn’t have the technical means to identify suspects and monitor their communications. Often the problem was that they had failed to focus on the right individuals or share information in a timely manner with the proper intelligence partners. Turkish authorities have already revealed that they had contacted French authorities twice to warn them about one of the attackers, but that French authorities never got back to them until after the massacre in Paris on Friday.

Officials in France indicated that they had thwarted at least six other attack plots in recent months, but that the sheer number of suspects makes it difficult to track everyone. French intelligence maintains a database of suspected individuals that currently has more than 11,000 names on it, but tracking individuals and analyzing data in a timely manner to uncover who poses the greatest threat is more than the security services can manage, experts there have said. It’s a familiar refrain that seems to come up after every terrorist attack.

“If Snowden has taught us anything, it’s that the intel agencies are drowning in data,” Cardozo says. “They have this ‘collect it all mentality’ and that has led to a ridiculous amount of data in their possession. It’s not about having enough data; it’s a matter of not knowing what to do with the data they already have. That’s been true since before 9/11, and it’s even more true now.”
http://www.wired.com/2015/11/paris-a...ion-backdoors/





The US Government is Already Lying Like Crazy About Surveillance after the Paris Attacks
T.C. Sottek

At a Center for Strategic & International Studies talk today, CIA director John Brennan renewed one of the government's favorite lies about spying: that mass surveillance has been successful in stopping a bunch of mysterious threats while it is simultaneously too ineffective to stop real attacks, because of privacy advocates and whistleblowers. Here's what Brennan said:

In the past several years because of a number of unauthorized disclosures and a lot of hand wringing over the government's role in the effort to try to uncover these terrorists there have been some policy and legal and other actions taken that make our ability collectively, internationally, to find these terrorists much more challenging. I do hope that this is going to be a wake up call, particularly in areas of Europe where I think there has been a misrepresentation of what the intelligence and security service is doing...

You're probably going to hear this lie furiously repeated in the coming weeks and months as security hawks in the US and Europe march toward another ground war in Asia, and renew their calls for a radically strengthened surveillance state. Glenn Greenwald at The Intercept has thoroughly documented the genesis of this lie, but here's the short version: the government can't have it both ways on security. It can't ask that companies and individuals strengthen their defenses against attacks while at the same time demanding companies like Apple and Google to sabotage their users by giving the government the means to break encryption.

The truth is that we've only begun to reform a small part of the mass surveillance apparatus in the United States; only telephone spying has been limited so far, and the NSA still has a broad reach across most forms of electronic communications. As Marcy Wheeler pointed out earlier today in response to Brennan's remarks, the US hasn't even shut down any of the NSA's controversial programs yet! And other countries are stepping up electronic surveillance authority, so it's not clear what Brennan is talking about when he says that "policy and legal actions" have made surveillance of terrorists more challenging. Is he talking about the sweeping law France passed in July that dramatically expanded the country's surveillance powers?

The US government has not provided a credible story about the effectiveness of mass surveillance. As Greenwald notes, officials have been clamoring about the threat of encryption for more than 20 years, so the idea that terrorists aren't already aware of surveillance countermeasures is preposterous. We've also known since the 9/11 Commission submitted its report that the government's inability to foil the largest and most sophisticated terrorist attack in history was based on its failure to share and analyze information, not because it was unable to scoop up everything that happens on the internet in real-time.

Terrorism's greatest threat is its ability to provoke us into harming ourselves through fear and haste. Don't fall for lazy horror stories from people who want to destroy privacy on the internet for everyone.
https://www.theverge.com/2015/11/16/...ce-cia-brennan





U.S. Mass Surveillance Has No Record of Thwarting Large Terror Attacks, Regardless of Snowden Leaks
Jenna McLaughlin

Despite the intelligence community’s attempts to blame NSA whistleblower Edward Snowden for the tragic attacks in Paris on Friday, the NSA’s mass surveillance programs do not have a track record — before or after Snowden — of identifying or thwarting actual large-scale terrorist plots.

CIA Director John Brennan asserted on Monday that “many of these terrorist operations are uncovered and thwarted before they’re able to be carried out,” and lamented the post-Snowden “handwringing” that has made that job more difficult.

But the reason there haven’t been any large-scale terror attacks by ISIS in the U.S. is not because they were averted by the intelligence community, but because — with the possible exception of one that was foiled by local police — none were actually planned.

And even before Snowden, the NSA wasn’t able to provide a single substantiated example of its surveillance dragnet preventing any domestic attack at all.

The recent history of terror arrests linked to ISIS is documented in an internal unclassified Department of Homeland Security document provided to The Intercept via SecureDrop. It shows that terror arrests between January 2014 and September 2015 linked to ISIS were largely of people trying to travel abroad, provide material support, or plan attacks that were essentially imaginary.

The document, dated before the Paris attacks, includes a list and map of 64 U.S. persons arrested on terror-related charges over the course of nine months who were “assessed to be inspired by the Islamic State of Iraq and the Levant,” or ISIS.

The document assigns six categories to types of arrests made in the given time period: a foiled attack, “aspirational” planning, “advanced attack plotting,” failed travel, travel, or material support.

The only foiled attack involved the arrests of Elton Simpson and Nadir Soofi, who traveled from Arizona to Garland, Texas, bearing assault weapons and body armor, intending to shoot up an art contest involving the drawing of cartoons of the Prophet Muhammad. Both attackers were shot by local police officers.

There are just five instances of what the report’s authors call “advanced attack plotting” — two of which involve the FBI providing assistance in planning or acquiring supplies for an attack before making an arrest.

Harlem Suarez, a 23-year-old from Florida, had been posting on Facebook about his support for ISIS when an undercover FBI agent started communicating with him, eventually about a “timer bomb” he wanted to construct and detonate on a public beach in Key West. Suarez asked the undercover agent if he knew how to assemble a bomb, and the agent agreed to get what he needed, subsequently goading him by asking if he was “true to the Islamic State” or “just playing games.” Suarez paid the FBI agent for the materials to assemble the bomb, and the agent taught him how to detonate it. When he tried to carry out the attack, he was arrested. His attorneys described him as “troubled and confused” in a statement.

An FBI agent also provided a fake explosive device to John T. Booker, a 20-year-old Kansas man who was indicted for attempting to use a weapon of mass destruction.

Christopher Cornell, a 20-year-old from Ohio, started posting on Twitter under an alias about his support for ISIS when someone in contact with Cornell agreed to be an FBI informant. Cornell talked about attacking the U.S. Capitol. But his father said it was the FBI that was “taking him somewhere, and they were filling his head with a lot of this garbage.”

Munther Omar Saleh, a New York college student, was arrested after trying to stab federal officers executing a search warrant at his home. The FBI said he and a co-conspirator discussed setting off a pressure-cooker bomb in New York, but no such charge was filed.

Usaamah Rahim, a 26-year-old Boston man, was killed by police officers when he was stopped for questioning after allegedly threatening them with a knife. He had been posting ISIS-inspired social media messages, and had threatened to kill Pamela Geller, the host of the Garland, Texas, Muhammad cartoon contest. Law enforcement sources called that plot a “fantasy,” but said his second plan, to kill cops, was more believable.

There were 12 examples of “aspirational” plots, or even less advanced plans to commit attacks.

There were 30 arrests involving people who were trying to travel to join up with ISIS, most of whom failed, and 15 of people attempting to provide some sort of “material support.”

That’s hardly a record of averting major ISIS attacks on the homeland.

In fact, there’s no evidence that the NSA’s extraordinary surveillance dragnet, as revealed by Snowden, has disrupted any major attack within the U.S. ever.

The U.S. government initially responded to Snowden’s disclosures in 2013 by suggesting that he had irreparably damaged valuable, life-saving capabilities. Two weeks after the media first reported on Snowden’s leaks, President Barack Obama said that the NSA “averted … at least 50 threats … because of this information,” gathered through communications collection in the United States and abroad.

Members of Congress and the administration alike subsequently repeated that claim, upping the total to 54 attacks thwarted.

But only 13 of the 54 cases “had some nexus to the U.S.,” Senator Patrick Leahy, D-Vt., said in a Senate Judiciary Committee hearing in October 2013. And they were not all terror “plots”; a majority involved providing “material support,” like money, to foreign terror organizations.

Then-NSA Director Keith Alexander was forced to dial back the rhetoric, eventually saying only that the intelligence programs “contributed to our understanding” and “helped enable the disruption of terrorist plots.”

The only incident the NSA has ever disclosed in which its domestic metadata collection program played a key role involved a San Diego man who was convicted of transferring $8,500 to al Shabaab in Somalia — the terror group responsible for a mass shooting at a mall in Kenya. And the metadata program is the only one that has been reigned in since the Snowden disclosures.

The three other terrorism cases the NSA cited as warrantless surveillance success stories were debunked. Either the government could have gotten a warrant, or it received a tip from British intelligence, or it was a case of fraud, not terrorism.

A White House panel concluded in December 2013 that the NSA’s bulk collection of Americans’ telephone information was “not essential in preventing attacks.” A member of the panel took it one step further, when he told NBC News that there were no examples of the NSA stopping “any [terror attacks] that might have been really big” using the program.
https://theintercept.com/2015/11/17/...snowden-leaks/





File Says N.S.A. Found Way to Replace Email Program
Charlie Savage

When the National Security Agency’s bulk collection of records about Americans’ emails came to light in 2013, the government conceded the program’s existence but said it had shut down the effort in December 2011 for “operational and resource reasons.”

While that particular secret program stopped, newly disclosed documents show that the N.S.A. had found a way to create a functional equivalent. The shift has permitted the agency to continue analyzing social links revealed by Americans’ email patterns, but without collecting the data in bulk from American telecommunications companies — and with less oversight by the Foreign Intelligence Surveillance Court.

The disclosure comes as a sister program that collects Americans’ phone records in bulk is set to end this month. Under a law enacted in June, known as the U.S.A. Freedom Act, the program will be replaced with a system in which the N.S.A. can still gain access to the data to hunt for associates of terrorism suspects, but the bulk logs will stay in the hands of phone companies.

The newly disclosed information about the email records program is contained in a report by the N.S.A.’s inspector general that was obtained by The New York Times through a lawsuit under the Freedom of Information Act. One passage lists four reasons that the N.S.A. decided to end the email program and purge previously collected data. Three were redacted, but the fourth was uncensored. It said that “other authorities can satisfy certain foreign intelligence requirements” that the bulk email records program “had been designed to meet.”

The report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.’s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court. Because of the way the Internet operates, domestic data is often found on fiber optic cables abroad.

The N.S.A. had long barred analysts from using Americans’ data that had been swept up abroad, but in November 2010 it changed that rule, documents leaked by Edward J. Snowden have shown. The inspector general report cited that change to the N.S.A.’s internal procedures.

The other replacement source for the data was collection under the FISA Amendments Act of 2008, which permits warrantless surveillance on domestic soil that targets specific noncitizens abroad, including their new or stored emails to or from Americans.

“Thus,” the report said, these two sources “assist in the identification of terrorists communicating with individuals in the United States, which addresses one of the original reasons for establishing” the bulk email records program.

Timothy Edgar, a privacy official in the Office of the Director of National Intelligence in both the George W. Bush and Obama administrations who now teaches at Brown University, said the explanation filled an important gap in the still-emerging history of post-Sept. 11, 2001, surveillance.

“The document makes it clear that N.S.A. is able to get all the Internet metadata it needs through foreign collection,” he said. “The change it made to its procedures in 2010 allowed it to exploit metadata involving Americans. Once that change was made, it was no longer worth the effort to collect Internet metadata inside the United States, in part because doing so requires N.S.A. to deal with” restrictions by the intelligence court.

Observers have previously suggested that the N.S.A.’s November 2010 rules change on the use of Americans’ data gathered abroad might be connected to the December 2011 end of the bulk email records program. Marcy Wheeler of the national security blog Emptywheel, for example, has argued that this was probably what happened.

And officials, who spoke on the condition of anonymity to discuss sensitive collection programs, have said the rules change and the FISA Amendments Act helped make the email records program less valuable relative to its expense and trouble. The newly disclosed documents amount to official confirmation.

The N.S.A. and the Office of the Director of National Intelligence did not respond to a request for comment.

After the Sept. 11 attacks, Mr. Bush secretly authorized the N.S.A. to conduct surveillance and data-collection activities without obeying the Foreign Intelligence Surveillance Act, in a program called Stellarwind.

The email records component caused many internal headaches. In 2004, the Justice Department questioned its legality, contributing to a confrontation in the hospital room of Attorney General John Ashcroft and the threat of a mass resignation.

Mr. Bush then halted the program until the intelligence court began issuing secret orders authorizing it.

The court limited the categories of data that the N.S.A. was permitted to collect and restricted how it could gain access to the data. After violations of those limits were revealed in 2009, the N.S.A. suspended the program until mid-2010, only to end it the next year.
http://www.nytimes.com/2015/11/20/us...ram-ended.html





After Paris, ISIS Moves Propaganda Machine to Darknet

Daesh website launches with new video focusing on the Paris terror attacks, while the media pushes new fight on encryption
Steve Ragan

Less than a day after the horrific attacks in Paris, Daesh (al-dowla al-islaamiyya fii-il-i'raaq wa-ash-shaam, a.k.a. ISIS/ISIL) took the Al-Hayat propaganda machine to the Darknet and published a new video celebrating the Paris attacks.

The new website is a collection of propaganda by Al-Hayat Media Center, the media division of Daesh. It hosts the usual anti-Western iconography, as well as songs (Nasheeds) and poems for mujahids in various locations.

The website also contains translations from the recent statement issued by Daesh claiming credit for the Paris attacks in English, Turkish, and Russian.

The new propaganda hub was discovered by researcher Scot Terban, who shared his findings with Salted Hash. Terban came across the new Al-Hayat hub while performing jihadi research over the weekend.

In a post on the Shamikh forum (a known jihadi bulletin board), someone posted the new address and instructions for reaching it.

The post explained that the new Al-Hayat hub was needed, because other websites were removed almost as soon as they are registered. The hope is that by existing on the Darknet, Daesh can thwart most efforts to shut them down.

Over the years, there have been several claims made that Daesh had propaganda and recruitment hubs on the Darknet, but no one has ever published proof of those claims or explored how the propaganda machine operates in public.\

Terban has mirrored the website and its files; he says he plans to publish more details in the coming days.

"The site mirrors many of the other standard bulletin boards that the jihadi’s have had over the years replete with videos and sections in all languages. Given that this site has popped up today in the Darknet just post the attacks in Paris, one has to assume that an all out media blitz is spinning up by Al-Hayat to capitalize on the situation," Terban wrote.

The new propaganda hub also directs visitors to Telegram, the encrypted chat / messaging platform that became the key communication tool for Daesh after Twitter and Facebook started to take action against their supporters.

Telegram's Channels feature has enabled the terrorist group to reach nearly 20,000 people instantly, as it acts as a sort of RSS feed.

In the hours after the public started to realize the scope of the attacks on Paris, intelligence officials, lawmakers, and pundits focused on Daesh's use of Telegram as a means of communication with supporters and active members.

In a story by the New York Times, later removed without explanation [archive], the situation in Paris was used to reignite the encryption debate.

The story focused on comments from European officials who were "briefed on the investigation" that said the Paris attackers had used encrypted communications, adding that authorities have a hard time monitoring such channels.

"Intelligence officials have been pressing for more leeway to counter the growing use of encryption," the story added.

But newspaper of record isn't the only agency attempting to turn the terror attacks in Paris into a tool to remove privacy.

In the UK, a story published by The Telegraph calls for the passing of the Snooper's Charter, "or London will be next."

The Snooper's Charter is draft legislation that if passed would require ISPs and telecom companies to maintain records of each user's Internet browsing activity, including social media, email, VoIP, gaming, and mobile phone messaging services, while storing this data for up to 12 months.

"In the coming weeks the government’s surveillance bill will be passing through the Commons. If we truly believe in standing in solidarity with Paris, we must let it pass. We must demand it passes," the Telegraph article states.

Sunday's media push for a new fight on encryption was expected in some circles.

In September, the Washington Post published a story detailing comments made by the intelligence community's top lawyer, Robert S. Litt, who wrote in an email to colleagues that, while "the legislative environment is very hostile" towards efforts to weaken encryption, "it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement."

During Sunday's Face the Nation broadcast, Mike Morell, former deputy director of the Central Intelligence Agency, opened the door for more fighting about encryption by stating that a public debate was needed.

"We have in a sense had a public debate. That -- that debate was defined by Edward Snowden, right, and the concern about privacy. I think we're now going to have another debate about that. It's going to be defined by what happened in Paris," he said.

As the newly launched Daesh propaganda portal proves, terrorists and criminals will always find away around laws and law enforcement efforts such as bulk collection.

Encryption didn't cause the senseless, cowardly acts in Paris, evil human beings did.

While a quick fix would be welcome, there isn't one.

Bulk record collection and weakened encryption will do nothing to stop terrorism. Using the attacks in Paris as an excuse to do both of those things is insulting to the good men and women who died this weekend.
http://www.csoonline.com/article/300...o-darknet.html





Encryption App Telegram Probably Isn't as Secure for Terrorists as ISIS Thinks
Joseph Cox

The debate around encryption and its use by extremists is reaching fever pitch. In particular, media reports have picked up on ISIS and other terrorist groups’ open endorsements of the encrypted messaging app Telegram on propaganda sites and extremist magazines.

But some experts say that Telegram may not be as secure as its jihadi advocates may like to believe.

Telegram is a free app for iOS, Android, and Windows phones, and also has desktop versions. The app has a "Secret Chat” function, which allows users to send end-to-end encrypted messages, meaning that only the intended recipients should be able to read them.

In September, the company's founder Pavel Durov claimed that the platform is used to send 12 billion messages everyday, and confirmed that ISIS uses the app. A site publishing ISIS propaganda endorses Telegram, and the Al Qaeda-linked Global Islamic Media Front, a group that essentially rubber-stamps security software for jihadis, advocated the use of Telegram for secure communications in a magazine last month.

However, in a blog post published Wednesday, the operational security expert known as “the Grugq” laid out several problems with the chat app that might hinder a terrorist from using it to communicate securely or anonymously.

“Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout. I couldn’t possibly think of a worse combination for a safe messenger,” he wrote.

Because terrorists face more sophisticated and resourceful adversaries than the average user—such as nation states—they have more to worry about when it comes to security.

The Grugq points out that Telegram requires a working phone number to register. But, he writes, “Users will make security mistakes and register with their personal mobile numbers.” Indeed, another pseudonymous researcher, known as “Switched,” tweeted an apparent thread from an ISIS forum where users had signed up for Telegram with their own phone numbers. Linking a personal phone number to a service risks creating a trail of breadcrumbs for investigators to follow.

Telegram then uploads the user's contacts database to its servers. “This allows Telegram to build a huge social network map of all the users and how they know each other,” the Grugq writes—obviously a concern if you’re trying to run a clandestine network.

Telegram's encrypted chat function is not enabled by default either: users have to select to start a “Secret Chat,” and it is not possible to encrypt an existing chat. The Grugq says this might lead to mistakes result in jihadis sending unencrypted messages.

Some experts are also worried about the encryption that Telegram uses.

“It's not obviously broken. Just really nonstandard,” Matthew Green, an assistant professor at Johns Hopkins University, told Motherboard in a Twitter message. “For me that's a red flag.” Nonstandard cryptography has not been as widely vetted as more standard alternatives.

To be fair, Telegram has hosted a competition to break the app's encryption with a prize pool of $300,000, but no one claimed it.

Green also suggests that Telegram might be susceptible to a certain man-in-the-middle attack, whereby an attacker could swap a target’s encryption key for their own to listen in on a conversation.

This is because Telegram’s key verification method consists of complicated pictures of blue-coloured squares, rather than an alphanumeric code like most other apps.

“I think it might be possible for a man in the middle to tamper with the fingerprint such that it's close, but not quite the same. But would fool most people on casual comparison,” he said.

Even if a jihadi did manage to get an encrypted conversation running, and was reasonably sure it wasn't being listened in on, the metadata created by that exchange still reveals a lot about the individual and his actions.

“Anything using a mobile phone exposes a wide range of metadata,” the Grugq noted. “In addition to all the notification flows through Apple and Google’s messaging services, there [are] the IP traffic flows to/from those servers, and the data on the Telegram servers.” This could be swept up by government surveillance programmes. (This metadata leakage is not unique to Telegram and applies to some other encryption apps too.)

Telegram did not respond to a list of questions asked by Motherboard.
http://motherboard.vice.com/read/enc...as-isis-thinks





John McCain Wants to Outlaw Encryption that the US Government Can't Crack
Rob Price

US senator John McCain has indicated that he will push to outlaw encryption technology that the US government is unable to crack.

On Tuesday, he told reporters that "in the Senate Armed Services [Committee], we’re going to have hearings on it and we’re going to have legislation," according to The Hill, labeling the current state of affairs "unacceptable."

Encryption refers to scrambling data in such a way that it is unreadable without the correct password or key. Tech companies are increasingly incorporating "strong" and "end-to-end" encryption into their products — rendering the contents inaccessible to prying eyes.

The iPhone, for example, encrypts its contents by default, and cannot be decrypted by Apple or the authorities if they don't have the correct passcode.

This move towards stronger encryption was largely brought about by the revelations of now-exiled NSA whistleblower Edward Snowden, whose disclosures about Western governments' spy programs sparked a global debate about surveillance and stoked privacy fears.

It is a shift that has alarmed law enforcement in the West, who fear that it means vital evidence is "going dark." In September 2014, a senior US police officer warned that the iPhone's default-on encryption would make it "the phone of choice for the pedophile."

However, technologists and privacy activists counter that any attempts to weaken encryption would be ineffectual, make ordinary people less secure online, would be open to abuse, and set a dangerous international precedent for authoritarian governments to demand access to data.

The New Crypto War

Encryption enthusiasts have largely had the upper hand in the debate, dubbed the "New Crypto War" given its parallels to similar debates over limits on cryptography in the Nineties. After deliberating, and despite the urgings of the FBI, the Obama administration says it has no plans to legislate against strong encryption, and the UK government says it doesn't either (although concerns remain over the wording of the UK's proposed new spying bill).

But the issue has reared its head again following the deadly terrorist attacks in Paris on Friday, that left more than 120 dead, and hundreds injured.

CIA director John Brennan said that "there are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it ... And I do hope that this is going to be a wake-up call."

New York Police Department head Bill Bratton has joined the anti-crypto chorus. He told MSNBC: "We have a huge operation in New York City working closely with the Joint Terrorism Task Force where we’re monitoring and they go dark, because basically they go onto an encrypted app, they’re going onto sites that we can’t access."

The New York Times also reported on Monday that "the attacks are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly" — before deleting the story, and subsequently redirecting readers to a new one that does not mention encryption. (Here's a link to an archived version of the original.)

The Snowden connection (or not)

Former CIA deputy director Michael Morell suggested that Paris could shift the momentum of the debate around encryption, and that Edward Snowden bears some responsibility for what happened in Paris.

"I think what we’re going to learn is that [the attackers] used these encrypted apps, right?" He told CBS on Monday. "This is a result of Edward Snowden and the public debate. I now think we’re going to have another public debate about encryption, and whether the government should have access to the keys, and I think the result may be different this time as given what’s happened in Paris."

At this point, there's no direct evidence that the attackers used encryption to cover their steps, although ISIS-affiliated individuals are known to use encrypted messaging apps like Telegram to communicate.

Terrorists have also been using encryption technology since long before Snowden's revelations: A report from USA Today from February 2001 — before 9/11 — has circulated following the Paris attacks, that warns that "terror groups hide behind Web encryption."

Glenn Greenwald, one of the journalists whom Snowden leaked to, also furiously reacted to the accusations. Writing on The Intercept, he argued that "any terrorist capable of tying his own shoe — let alone carrying out a significant attack — has known for decades that speaking on open telephone and internet lines was to be avoided due to U.S. surveillance. As one Twitter commentator put it yesterday when mocking this new It’s-Snowden’s-Fault game: “Dude, the drug dealers from the Wire knew not to use cell phones."

Calls for legislation

It's in this context that McCain and others are calling for legislation to combat encryption. "In the Senate Armed Services [Committee] we're going to have hearings on it and we're going to have legislation,” he said.

Senator Dianne Feinstein said that "the chairman and I will consult other members of our committee will consult and hopefully we will be able to come forward with some proposals that make some good sense," according to The Hill. She didn't elaborate on the nature of these proposals: "I don’t think it makes sense to speculate."

Many technologists have expressed doubt that any ban would be remotely enforceable, given that many encryption tools are open source or developed outside of Western jurisdictions.
http://www.businessinsider.com/john-...-doors-2015-11





Tech Group Rejects Post-Paris Call for Data Encryption 'Backdoors'
Dustin Volz

A leading U.S.-based technology industry group on Thursday, in its first statement since last week's Paris attacks, rejected calls to give U.S. law enforcement authorities backdoor keys to let them circumvent encryption technology for cellphones.

Weakening encryption to help the government monitor electronic communications in the name of national security "simply does not make sense," the Information Technology Industry Council said in a statement released to Reuters.

"After a horrific tragedy like the Paris attacks, we naturally search for solutions: weakening encryption is not a solution," said Dean Garfield, president of the Washington-based organization, which represents Apple, Google, Microsoft and dozens of other blue-chip tech companies.

The attacks in Paris last Friday killed 129 and wounded hundreds. The Islamic State militant group has claimed responsibility.

Some U.S. intelligence officials and lawmakers have seized on the assault to rekindle a debate about whether tech companies should cooperate with authorities by building “backdoors” into encrypted devices and platforms.

Government authorities have said the growing prevalence of encrypted email and messaging platforms, such as iMessage or WhatsApp, hamstring their ability to monitor criminal suspects and thwart militant plots.

Despite early reports the Paris attackers relied on encryption, no hard evidence has emerged they used any particular form of secure messaging. A mobile phone recovered by French authorities at the scene of one of the attacks and believed to be linked to one of the suspects was found with an unencrypted text message, according to French media.

Last month, the White House abandoned an effort to lobby tech companies and Congress to allow law enforcement and intelligence officials backdoor access to encrypted messaging. The idea has re-emerged in the wake of Paris, but congressional aides say federal legislation on the issue remains unlikely.

Privacy advocates, tech companies and security researchers say backdoors would expose data to malicious hackers.

"Encryption is a security tool we rely on everyday to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks,” Garfield said in his statement.

“We deeply appreciate law enforcement's and the national security community’s work to protect us, but weakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys."

(Reporting by Dustin Volz; Editing by Eric Beech and Peter Cooney)
http://uk.reuters.com/article/2015/1...0T82SS20151119





Mass Surveillance Isn’t the Answer to Fighting Terrorism
By THE EDITORIAL BOARD

It’s a wretched yet predictable ritual after each new terrorist attack: Certain politicians and government officials waste no time exploiting the tragedy for their own ends. The remarks on Monday by John Brennan, the director of the Central Intelligence Agency, took that to a new and disgraceful low.

Speaking less than three days after coordinated terrorist attacks in Paris killed 129 and injured hundreds more, Mr. Brennan complained about “a lot of hand-wringing over the government’s role in the effort to try to uncover these terrorists.”

What he calls “hand-wringing” was the sustained national outrage following the 2013 revelations by Edward Snowden, a former National Security Agency contractor, that the agency was using provisions of the Patriot Act to secretly collect information on millions of Americans’ phone records. In June, President Obama signed the USA Freedom Act, which ends bulk collection of domestic phone data by the government (but not the collection of other data, like emails and the content of Americans’ international phone calls) and requires the secretive Foreign Intelligence Surveillance Court to make its most significant rulings available to the public.

These reforms are only a modest improvement on the Patriot Act, but the intelligence community saw them as a grave impediment to antiterror efforts. In his comments Monday, Mr. Brennan called the attacks in Paris a “wake-up call,” and claimed that recent “policy and legal” actions “make our ability collectively, internationally, to find these terrorists much more challenging.”

It is hard to believe anything Mr. Brennan says. Last year, he bluntly denied that the C.I.A. had illegally hacked into the computers of Senate staff members conducting an investigation into the agency’s detention and torture programs when, in fact, it did. In 2011, when he was President Obama’s top counterterrorism adviser, he claimed that American drone strikes had not killed any civilians, despite clear evidence that they had. And his boss, James Clapper Jr., the director of national intelligence, has admitted lying to the Senate on the N.S.A.’s bulk collection of data. Even putting this lack of credibility aside, it’s not clear what extra powers Mr. Brennan is seeking.

Most of the men who carried out the Paris attacks were already on the radar of intelligence officials in France and Belgium, where several of the attackers lived only hundreds of yards from the main police station, in a neighborhood known as a haven for extremists. As one French counterterrorism expert and former defense official said, this shows that “our intelligence is actually pretty good, but our ability to act on it is limited by the sheer numbers.” In other words, the problem in this case was not a lack of data, but a failure to act on information authorities already had.

In fact, indiscriminate bulk data sweeps have not been useful. In the more than two years since the N.S.A.’s data collection programs became known to the public, the intelligence community has failed to show that the phone program has thwarted a terrorist attack. Yet for years intelligence officials and members of Congress repeatedly misled the public by claiming that it was effective.

The intelligence agencies’ inability to tell the truth about surveillance practices is just one part of the problem. The bigger issue is their willingness to circumvent the laws, however they are written. The Snowden revelations laid bare how easy it is to abuse national-security powers, which are vaguely defined and generally exercised in secret.

Listening to Mr. Brennan and other officials, like James Comey, the head of the Federal Bureau of Investigation, one might believe that the government has been rendered helpless to defend Americans against the threat of future terror attacks.

Mr. Comey, for example, has said technology companies like Apple and Google should make it possible for law enforcement to decode encrypted messages the companies’ customers send and receive. But requiring that companies build such back doors into their devices and software could make those systems much more vulnerable to hacking by criminals and spies. Technology experts say that government could just as easily establish links between suspects, without the use of back doors, by examining who they call or message, how often and for how long.

In truth, intelligence authorities are still able to do most of what they did before — only now with a little more oversight by the courts and the public. There is no dispute that they and law enforcement agencies should have the necessary powers to detect and stop attacks before they happen. But that does not mean unquestioning acceptance of ineffective and very likely unconstitutional tactics that reduce civil liberties without making the public safer.
http://www.nytimes.com/2015/11/18/op...terrorism.html





Ex-CIA Director: Snowden Should be 'Hanged' for Paris
Bradford Richardson

A former CIA director says leaker Edward Snowden should be convicted of treason and given the death penalty in the wake of the terrorist attack on Paris.

“It’s still a capital crime, and I would give him the death sentence, and I would prefer to see him hanged by the neck until he’s dead, rather than merely electrocuted,” James Woolsey told CNN’s Brooke Baldwin on Thursday.

Woolsey said Snowden, who divulged classified in 2013, is partly responsible for the terrorist attack in France last week that left at least 120 dead and hundreds injured.

“I think the blood of a lot of these French young people is on his hands,” he said.

Woolsey, who served as the head of the CIA from 1993 to 1995, said the Snowden leak was “substantial.”

“They turned loose not only material about some procedural aspects of something, they turned loose, for example, some substantial material about the Mexican intelligence service and law enforcement working together against human trafficking,” he said.

Woolsey wondered if Snowden were "pro-pimp."

Current CIA Director John Brennan has recently echoed his predecessor’s sentiments, arguing that Snowden's disclosures make it harder for intelligence officials to track terror plots.

“I think any unauthorized disclosures made by individuals that have dishonored the oath of office, that they have raised their hand and attested to, undermines this nation’s security,” Brennan said about Snowden at the Overseas Security Advisory Council’s annual meeting on Wednesday.

Snowden fled the country after stealing classified information and disclosing the extent of U.S. surveillance programs. He currently resides in Russia, where he has been granted temporary asylum.
http://thehill.com/blogs/blog-briefi...nged-for-paris





After Endless Demonization Of Encryption, Police Find Paris Attackers Coordinated Via Unencrypted SMS
Karl Bode

In the wake of the tragic events in Paris last week encryption has continued to be a useful bogeyman for those with a voracious appetite for surveillance expansion. Like clockwork, numerous reports were quickly circulated suggesting that the terrorists used incredibly sophisticated encryption techniques, despite no evidence by investigators that this was the case. These reports varied in the amount of hallucination involved, the New York Times even having to pull one such report offline. Other claims the attackers had used encrypted Playstation 4 communications also wound up being bunk.

Yet pushed by their sources in the government, the media quickly became a sound wall of noise suggesting that encryption was hampering the government's ability to stop these kinds of attacks. NBC was particularly breathless this week over the idea that ISIS was now running a 24 hour help desk aimed at helping its less technically proficient members understand encryption (even cults help each other use technology, who knew?). All of the reports had one central, underlying drum beat implication: Edward Snowden and encryption have made us less safe, and if you disagree the blood is on your hands.

Yet amazingly enough, as actual investigative details emerge, it appears that most of the communications between the attackers was conducted via unencrypted vanilla SMS:

"...News emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.

European media outlets are reporting that the location of a raid conducted on a suspected safe house Wednesday morning was extracted from a cellphone, apparently belonging to one of the attackers, found in the trash outside the Bataclan concert hall massacre. Le Monde reported that investigators were able to access the data on the phone, including a detailed map of the concert hall and an SMS messaging saying “we’re off; we’re starting.” Police were also able to trace the phone’s movements.


The reports note that Abdelhamid Abaaoud, the "mastermind" of both the Paris attacks and a thwarted Belgium attack ten months ago, failed to use encryption whatsoever (read: existing capabilities stopped the Belgium attacks and could have stopped the Paris attacks, but didn't). That's of course not to say batshit religious cults like ISIS don't use encryption, and won't do so going forward. Everybody uses encryption. But the point remains that to use a tragedy to vilify encryption, push for surveillance expansion, and pass backdoor laws that will make everybody less safe -- is nearly as gruesome as the attacks themselves.
https://www.techdirt.com/articles/20...pted-sms.shtml

















Until next week,

- js.



















Current Week In Review





Recent WiRs -

November 14th, November 7th, October 31st, October 24th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
JackSpratts is offline   Reply With Quote
Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Peer-To-Peer News - The Week In Review - November 24th, '12 JackSpratts Peer to Peer 0 21-11-12 09:20 AM
Peer-To-Peer News - The Week In Review - July 16th, '11 JackSpratts Peer to Peer 0 13-07-11 06:43 AM
Peer-To-Peer News - The Week In Review - January 30th, '10 JackSpratts Peer to Peer 0 27-01-10 07:49 AM
Peer-To-Peer News - The Week In Review - January 16th, '10 JackSpratts Peer to Peer 0 13-01-10 09:02 AM
Peer-To-Peer News - The Week In Review - December 5th, '09 JackSpratts Peer to Peer 0 02-12-09 08:32 AM






All times are GMT -6. The time now is 03:35 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© www.p2p-zone.com - Napsterites - 2000 - 2024 (Contact grm1@iinet.net.au for all admin enquiries)