P2P-Zone
06-09-17, 07:22 AM   #1
JackSpratts
 
 
Join Date: May 2001
Location: New England
Posts: 10,013
Peer-To-Peer News - The Week In Review - September 9th, ’17

Since 2002

"That was a terrible mistake. We should have been studying it." – Kate Starbird

September 9th, 2017




Stream-Ripping Site YouTube-MP3 Agrees to Shut Shop in Piracy Battle

Stream ripping is killing home file sharing
Dave Neal

POPULAR SERVICE YouTube-MP3, a website that would let punters record songs off YouTube like we used to with tapes and the radio, is to close down because of copyright.

YouTube-MP3 is a stream-ripping enabler, which is already the most common form of music piracy. Currently, the site is still live and still offering to do what it does, which is what got it into all the trouble with the US RIAA and the copyright cops in general.

However, we tried it and were told that the service does not work in our jurisdiction. Which is Kent.

"YouTube-mp3.org is the easiest online service for converting videos to mp3. You do not need an account, the only thing you need is a YouTube URL. We will start to convert the audiotrack of your videofile to mp3 as soon as you have submitted it and you will be able to download it," says the very first page of the website.

"Different from other services the whole conversion process will be perfomed by our infrastructure and you only have to download the audio file from our servers. Because of this our software is platform-independent: You can use it with your Mac, a Linux PC or even an iPhone.

"All our conversions will be perfomed in high quality mode with a bitrate of at least 128 kBit/s. Do not worry, our service is completely free. We need approximately 3 to 4 minutes per video."

That is all very straightforward, except for the spelling of performed, and we can see why it might be the sort of thing that puts a bee into the bonnet of outfits like the RIAA. According to a report on TorrentFreak, naturally, the site operators have come to an agreement with the RIAA and will be shutting shop.

The site had been charged with going against the mighty DMCA rules and YouTube's terms and conditions. TF reports that the media victims felt really aggrieved.

"Through the promise of illicit delivery of free music, Defendants have attracted millions of users to the [YouTube-MP3] website, which in turn generates advertising revenues for Defendants," says the court papers filed by the RIAA on behalf of a number of record companies.

The courts were convinced, and the site operators have agreed to pay an undisclosed settlement amount, and to stay out of this kind of business in the future.
https://www.theinquirer.net/inquirer...-piracy-battle





With Torrent Sites Facing the Heat, Pirates Get Creative With Google Drive and Other Services
Manish Singh

• Pirates have to be more creative as torrent sites face the heat
• Google Drive appears to be the most popular tool to spread links
• Creative pirates are even using Google Maps to share links

As the crackdown on torrent sites continues around the world, people who are pirating TV shows and movies are having to get a little more creative. Cloud storage services such as Google Drive, Dropbox, and Kim Dotcom's Mega are some of the popular ones being used to distribute copyrighted content, according to DMCA takedown requests reviewed by Gadgets 360.

Google Drive seems most popular among such users, with nearly five thousand DMCA takedown requests filed by Hollywood studios and other copyright holders just last month. Each DMCA request listed a few hundred Google Drive links that the content owners wanted pulled.

What's interesting though is that while at times pirates upload full movies to Google Drive or other cloud services, in other cases, these Google Drive links are empty and just have a YouTube video embedded.

YouTube videos stream really well even on poor connections, so that makes sense -- but YouTube is also easy to search, and pirated files are taken down quickly, so this is surprising, right? It turns out that the pirates found a simple workaround - the videos are simply uploaded as unlisted, so they don't turn up in search results. The links to these videos are then shared as Google Drive links through discussion forums and other channels so it's difficult for the content owners to find the videos and get them taken down.

Dropbox, Microsoft's OneDrive, and Mega are no different from Google Drive in this regard, but the volume of takedown notices suggests they are not being used as widely. While there were more than 4,700 DMCA requests to pull Google Drive links last month, only about 100 requests to pull Mega links were filed during the same period. There were fewer than a dozen requests pointing to Dropbox and OneDrive each.

Popular video sites YouTube, Vimeo, and Dailymotion are also being abused for distributing and hosting illicit content, DMCA takedown requests reveal, but the volume of such requests again implies that they are not being as widely used. Some pirates, getting creative, also turned to another streaming venue which is not used as widely - porn sites.

For example, last year, news outlets reported an instance where all the songs of Kanye West's The Life of Pablo album were uploaded as a video to the popular website PornHub. You can still find a number of movies on the site, and oddly enough, also things like game trailers and music videos that could safely be posted on other sites as well.

So why Google Drive?

It's very easy to create a Google account, which can then be used to access a plethora of the company's services including Drive and YouTube. Ease of use plays a major part in why people are using Google Drive, says Jon, a resident of Switzerland, whom Gadgets 360 met on a popular piracy discussion board on Reddit.

Google Drive has one of the simplest user interfaces among cloud storage services, Jon - who works in IT services - explained in a conversation over Reddit. It's fairly easy to upload media files (like movies) there, and to create documents that can be shared online. People use these documents to list a bunch of links to other file-sharing websites, and direct links to torrents. The documents can also allow other users to add more links, making it easier to find files. Sharing such documents, or entire media files, is easy too, requiring less than five clicks.

Relatively abundant availability of free storage space from Google also makes Drive more enticing to customers, Jon added. Google offers 15GB of free Drive storage, while OneDrive and Dropbox offer five and two gigabytes of free storage space respectively.

These Google Drive links, as well as links to those of other cloud storage services, are then shared by people on select subreddits, forums, and Facebook groups. Over the past two weeks, Gadgets 360 located over a dozen Facebook groups where people openly share such files and request more movies and TV shows.

These groups on social media are crucial for people who are using Drive to distribute files. There's no search engine to scan through and find relevant Google Drive entries or entries from other cloud storage services. This makes it hard for copyright holders to find the links, while they remain easy to distribute.

Crackdown on torrent websites

Jon, who didn't share his last name, said people are moving to Google Drive and other services because authorities worldwide continue to crack down on torrent websites and other file sharing services. In the last two years, KickassTorrents, ExtraTorrent, Shaanig, Yify Torrents and other websites, which in their heyday together used to garner over 500 million unique visitors (according to web analytics firm SimilarWeb), have all shut down.

Moreover, Internet service providers are increasingly making it difficult to access the few torrent websites that are still in operation, Jon said. "You've got to be part of a private tracker, public torrenting is over," he told Gadgets 360. Private torrent tracking websites usually require users to be invited — which in itself is a difficult process.

There are several publicly accessible torrent websites that continue to exist, but "torrenting" is getting more difficult by the day, multiple people told Gadgets 360. Public sites are mired in pop-up windows filled with ads trying to sell them malware, which makes it a poor experience.

Perhaps the most creative pirates

The most unusual service that is being abused for distributing content that we came across is My Maps. It's a feature Google introduced in 2007 to enable users to create custom maps. Anyone can visit the My Maps website, and create a custom map by pointing to a location on the map, adding a title, and filling in a description box. Google doesn't verify what kind of information users are sharing in the description, so you can again easily share links to unlisted YouTube streams, or Google Drive files to download. What this means is that people can then share locations on maps, which lead to the pirated movies.

Erik Mandre, managing director at Eesti Autoriõiguste Kaitse Organisatsioon, an Estonian organisation that works with several content stakeholders on copyright protection, says that several places have emerged over the months for illegal content distribution.

"We try to do our best to protect the producers and video distributors but of course finally it is up to Google," he told Gadgets 360.

"Generally speaking on the Web, crooks can do everything and they do not need to prove their license to distribute the content, but right holders must fill a lot of formalities and even then, some cases are going in favour of crooks. That's the life on the Internet. Burden of proof is on us all the way," he said. On its part, Mandre said, Google does swiftly respond to take down notices. The company has also made it much easier to file such requests. On YouTube, for instance, one can find the ability to contest ownership of the content on every video.

In a statement, a Google spokesperson said the company takes copyright infringement very seriously, but declined to share more. "It's against our policies to post copyright infringing links or content. Rightsholders can and do notify us when copyrighted material has been posted and we work quickly to review and take action on those notices."
http://gadgets.ndtv.com/internet/fea...movies-1745774





Why Everyone in Silicon Valley is Using an App Called Droplr

Staying organized and efficient is hard. And no one knows better than the fine people of Silicon Valley (no, not the show).

It can be hard enough to establish a system of organization and productivity for yourself, but getting on the same page with your digital collaborators can feel like an impossible task. There are just so many moving pieces — from file sharing to organizing multiple versions to juggling feedback to getting your teammates to adhere to a protocol — that standard productivity tools don't always cover.

One possible option that a growing number of teams in the Bay are implementing is Droplr. It’s a simple, reliable tool designed to help teams of creative professionals share and collaborate effortlessly.

A Droplr account allows teams of up to three users to share and preview files, instantly showcase screenshots, annotate images, and much more. It integrates with your desktop and web browser to allow easy collaboration during every stage of your workflow. Plus, the Droplr remote server keeps all of your team’s assets organized and safe from accidental data loss.

Here’s a breakdown of how Droplr can help you and your teammates work better together:

File Sharing

Files big and small can be dropped onto your team’s remote Droplr server with the click of a mouse just by dragging your file up to the Droplr icon in your toolbar. Not only will it instantly appear on the cloud, but Droplr will immediately copy a link to your clipboard, which can provide any recipient with an immediate view of that file in their browser. If you want to limit access, you can password protect your files, or set them to disappear after a specific amount of time.

Snapping Screenshots

Enable the screenshot feature by opening Droplr in your toolbar and clicking the screenshot icon—or use the assigned hotkey. You can snap a specific area of your choosing, or capture the contents of a single window by hitting the space bar. Unlike your Mac’s built-in screenshot options, which dump your images on the desktop, Droplr immediately uploads them to your team’s server and gives you a direct, shareable link to a preview image.

Annotations

Sometimes you’ll need to give your collaborators some extra info about a given image. That’s where Droplr’s annotations feature comes in handy. It lets you mark up your screenshots with various tools, write notes right on the images, and even blur information that you need to keep under wraps.

Recording a Screencast

Whether you want to show off a website’s parallax scrolling effect, or give a coworker a visual walkthrough of a new workflow, recording and sharing a video of your screen can be a great method of communication. Droplr makes this easy. Select the recording option in your toolbar or by using the hotkey, select the area you want to record, and then save the recording as a high-DPI video or an animated GIF.

Organizing Your Files

Everything you share on Droplr can be categorized with meta-tags, allowing you to easily filter and search through your library of files, as well as group similar files into “Collections” for convenient access. You can even create boards around common concepts, themes, or projects and share them with your team.

Integrating with Other Apps

Droplr files can be previewed directly within Slack, Hipchat, Twitter, Basecamp, and many other popular third party apps. And you can expand that list even further with Droplr plugins, including ones that add support for Photoshop, Illustrator, Sketch, and more.

Cross-Platform Compatibility

Droplr isn't just for Mac users. It's also available for iOS and Windows devices, and its files are viewable for Android and Linux users, too. Now is the perfect time to get your team hooked up with Droplr. Its usual $384 fee for a four-year subscription has been reduced to $39.99, allowing Droplr to basically pay for itself with the extra productivity (and stress relief) it will provide.
http://mashable.com/2017/09/06/subsc.../#Bb7uzIzMOkqd





An Academic Publisher is Trying to Kill Sci-Hub, the “Pirate Bay of Science”
Keith Collins

The academic publishing business is starting to look a bit like the music industry did in the late 1990s. Publishers have steadily raised the cost to access journal articles in recent years, and free alternatives to their high-priced subscription model—both legal and illegal—have started to spring up. And like the music industry in the ’90s, rather than adapting to the new landscape, some academic publishers are responding by filing lawsuits.

The latest development in those suits came on Sept. 1 when the American Chemical Society, a publisher of multiple chemistry journals, asked a US federal court for an injunction that would force search engines and internet service providers to block Sci-Hub, a rogue pirating service for academic research. The publisher also requested a default judgement that would require Sci-Hub to pay the American Chemical Society $4.8 million. The lawsuit was originally filed in June, claiming copyright infringement, but Sci-Hub did not respond to the suit or appear in court.

Last June, a New York district court ruled that Sci-Hub must pay $15 million in damages to the publisher Elsevier, which also sued the website for copyright infringement. The site, however, is owned and operated by Alexandra Elbakyan, a Kazakh national who lives in Russia, outside the jurisdiction of US courts. Elbakyan holds no assets in the US, and it appears unlikely that Elsevier will ever see that money.

While the case of Sci-Hub is similar to the battle between the music industry and file-sharing services like Napster in the late 1990s, there are some key differences. Advocates of open research argue, for example, that a substantial portion of the research that publishers attempt to lock behind paywalls was funded with grants paid for by taxpayers, and that the public should therefore have unfettered access to it.

According to a recent study, Sci-Hub contains 68.9% of all academic research, and 85.2% of all papers originally published behind paywalls are available on the website for free. More than that, when a given article isn’t already available in Sci-Hub’s repository, the site can quickly fetch it using donated credentials for services like JSTOR, Elsevier, and Sage. Data scientist Daniel Himmelstein of the University of Pennsylvania, who conducted the study, concluded that Sci-Hub’s extensive catalogue is making the subscription publishing model “unsustainable.”

The annual revenue of the academic publishing industry was estimated to be about $25.2 billion in 2015.

Subscription fees charged by academic publishers have risen so high in recent years that even wealthy American universities have said they can’t afford them. When the Harvard Library reported its subscription costs had reached $3.5 million per year in a 2012 memo, for example, it said the fees were “fiscally unsustainable,” and the university asked its faculty to stop publishing research in journals that keep articles behind paywalls.

Elbakyan founded Sci-Hub in 2011, originally at sci-hub.org, and has been forced by court orders and law enforcement to change its domain address several times. The site is now available only on the dark web and over the encrypted messaging app Telegram, and is primarily funded through bitcoin donations.

Days after the American Chemical Society filed its injunction request to block Sci-Hub, Elbakyan blocked Russia from accessing the site, but the move does not appear related to the lawsuit. Elbakyan has had a tumultuous relationship with the academic community in Russia, and on Sept. 5 put a note on the Sci-Hub website explaining that she’d cut off the entire country from the service due to “persecution” from Russia’s “liberal opposition.”

Alexandra Elbakyan just blocked all of Russia from accessing Sci-Hub. Here's the message that pops up: original & translated by Google. pic.twitter.com/MbeUjjCY8Q

— Steve McLaughlin (@SteveMcLaugh) September 5, 2017
https://qz.com/1071508/chinas-one-be...can-economies/





Don’t Pay for Classic Books When You’re Going Back to School
Patrick Lucas Austin

If you’re heading back to school, there’s no doubt you’ve got a long list of required reading material. Whether it’s a classic like The Great Gatsby, or a more obscure title like A Farewell to Arms, you should avoid shelling out more money in addition to the cash you’re paying for your semester’s textbooks. Quartz compiled a slew of free reading resources that are available if you’re looking to stock up on great literature, and you can read them basically anywhere, even if you can’t walk into a library.

Shakespeare Fans Should Visit MIT

To read the works of playwright William Shakespeare, head to MIT’s The Complete Works of William Shakespeare page. The works are organized in four categories: Comedy, History, Tragedy, and Poetry.

Library of Congress Goes Way Back

Read.gov is a site maintained by the Library of Congress, and features books and other literature available for free. The books are scanned in, and you’ll need to read them in a browser window, but with its selection of both classic and obscure titles, you’ll probably find something you might not get in a traditional bookstore or library.

Scribd, The Netflix of Books

If you’re willing to pay a subscription fee for some reading material, check out Scribd. For $9 per month you’ll gain access to articles from sites like The New York Times, and a library full of books as well as audiobooks.

Project Gutenberg, A Public Domain Paradise

For books in the public domain that you can download to an e-reader, Project Gutenberg is an invaluable resource. With over 54,000 e-books in the public domain to choose from, an updating list of newly added books and the most downloaded titles, you’ll be able to enjoy the best of classic literature on whatever device you’ve got. It beats waiting to renew a classic title, whether physical or digital. It’s free, but donations are solicited to keep the operation running.
https://lifehacker.com/don-t-pay-for...o-s-1798713338





The Insane Number Of Times Game Of Thrones Episodes Were Pirated In Season 7
Laura Hurley

The seventh season of Game of Thrones delivered some of the biggest meetings and plot twists that viewers have been waiting for, all jam-packed into only seven episodes. As it turns out, there were plenty of people interested in the season who also apparently weren't too interested in watching through legal channels. New data indicates that Game of Thrones Season 7 was pirated over a billion times.

No, that's not a typo. New calculations in the wake of the Season 7 finale indicate that the most recent batch of episodes was indeed pirated more than a billion times. With only seven episodes, that one billion number for the season translates to approximately 140 million instances of piracy per episode. Given that only around 32 million people watched episodes through legal channels, the piracy numbers are truly staggering.

Surprisingly, a very small percentage of those who watched the season via piracy did it by downloading the episodes. According to piracy tracking company MUSO (via TorrentFreak), only 5.6% of that billion actually downloaded episodes to watch. The portion of viewers who used torrents was slightly higher, with 9.1%, but the vast majority of folks chose to stream the pirated content, with a whopping 84.7% watching the episodes online without download. The remaining 0.6% caught the episodes via private torrent.

All things considered, Season 7 wasn't the best for HBO when it comes to keeping a lid on Game of Thrones secrets. Hacks and leaks resulted in a couple of episodes hitting the web early, although the early releases definitely didn't stop the show from scoring record-breaking ratings through legal views. That said, the leaks seem to have resulted in a boost in piracy as well. The sixth episode -- which saw Jon Snow and Co. go beyond the Wall to fetch a wight (and lose one of Dany's dragons) -- leaked days before its official airdate, and MUSO reports that it was pirated even more than the epic season finale.

That said, we shouldn't take the MUSO data as 100% precise. The initial numbers come from SimilarWeb, which utilizes information from 200 million pirate devices in order to estimate web traffic and extrapolate totals. There's also the point that the streaming data doesn't take Chinese traffic into account, so the numbers might be much higher if Chinese piracy was included in the estimate.

Season 7 definitely isn't the first time that Game of Thrones has resulted in a ton of piracy. HBO has taken steps to try and stop people from pirating, which is especially understandable now that there are legal ways of watching HBO series online for a fee. HBO also stopped distributing hard copies of screeners to the press in order to prevent episode leaks from reviewers, although there were still some issues in Season 7.

Given that Season 8 will be the very last season of Game of Thrones, the odds are pretty good that even more people will be pirating in the next batch of episodes. Unfortunately, we don't yet know when those episodes will be ready to debut. No approximate premiere date has yet been announced, and it's possible that we won't get the new season until 2019. Stick around CinemaBlend for the latest in Game of Thrones news, and be sure to take a look at our fall TV premiere schedule.
http://www.cinemablend.com/televisio...ed-in-season-7





Facebook Offers Hundreds of Millions of Dollars for Music Rights
Lucas Shaw and Sarah Frier

• Would allow users to legally include songs in uploaded videos
• Social network is challenging YouTube as hub for video on web

Facebook's Plan to Become a Video Hub

Facebook Inc. is offering major record labels and music publishers hundreds of millions of dollars so the users of its social network can legally include songs in videos they upload, according to people familiar with the matter.

The posting and viewing of video on Facebook has exploded in recent years, and many of the videos feature music to which Facebook doesn’t have the rights. Under current law, rights holders must ask Facebook to take down videos with infringing material.

Music owners have been negotiating with Facebook for months in search of a solution, and Facebook has promised to build a system to identify and tag music that infringes copyrights. Yet such a setup will take as long as two years to complete, which is too long for both sides to wait, said the people, who asked not to be named discussing details that aren’t public.

Facebook is eager to make a deal now so that it no longer frustrates users, by taking down their videos; partners, by hosting infringing material; or advertisers, with the prospect of legal headaches.

New Home

The latest discussions will ensure Facebook members can upload video with songs just as it’s rolling out Watch, a new hub for video, and funding the production of original series. Facebook is attempting to attract billions of dollars in additional advertising revenue and challenge YouTube as the largest site for advertising-supported video on the web.

Facebook Chief Executive Officer Mark Zuckerberg said on the company’s second-quarter earnings call that for the next few years video will drive Facebook’s business and determine how well the company performs. He told investors to expect the company to continue to increase its investment in the format, as it sees video sharing overtaking text and photo sharing in the future.

While Facebook can still pursue professional music videos, the company chose to prioritize clearing user-generated material. Most of the videos being uploaded to Facebook are by individuals (as opposed to media companies). Tamara Hrivnak, a former YouTube executive, has been leading negotiations for Facebook since joining the company earlier this year. Also a former executive at Warner/Chappell Music Publishing, Hrivnak is well-liked by her former peers.

Industry Windfall

The money from Facebook is the latest windfall for a music industry surging from the growth of on-demand streaming services Spotify and Apple Music. Global music sales grew 5.9 percent in 2016, according to The International Federation of the Phonographic Industry. Vivendi SA’s Universal Music Group, owner of the world’s largest record label, reported a 15.5 percent increase in sales in the most recent fiscal quarter, while Warner Music Group, owner of the third largest label, reported a 13 percent increase in sales.

Most of the growth is attributable to paid services from Spotify and Apple, though sales from advertising on YouTube are growing as well. The industry has rebuked YouTube time and again for not respecting intellectual property and paying too little to musicians.

Faustian Bargain

Getting into business with Facebook presents something of a Faustian bargain. Rights holders need a deal. Given the current legal framework for copyright online, users are going to upload video with infringing material no matter what. The onus is on rights holders to police those videos. A deal ensures they get something rather than waste resources tracking down all the illegal videos.

Music industry executives also hope licensing songs for user-generated video on Facebook will place greater pressure on YouTube to behave. Yet by further empowering Facebook to host video and music, rights holders risk creating another YouTube – a great source of promotion, but a place where consumption outpaces sales.
https://www.bloomberg.com/news/artic...r-music-rights





The Music Industry Bands Together to Finally Get Paid Online
Elizabeth Stinson

Last fall, a group of music industry heavyweights gathered in New York City to do something they’d mostly failed to do up to that point: work together. Representatives from major labels like Universal, Sony, and Warner sat next to technologists from companies like Spotify, YouTube, and Ideo and discussed the collective issues threatening their industry.

And there were many. For decades, major labels have watched record sales nose dive. Meanwhile, streaming services are growing in popularity but drowning in lawsuits. In 1998, the industry reported revenue of $13.8 billion; in 2016 it had dipped to $7.65 billion—and that was considered a good year. “It’s a really fragmented industry,” says Dan Harple, founder of Context Labs and one of the organizers of the meeting. The participants of that confab would later form a group called the Open Music Initiative.

Over the years, Harple's witnessed the power of technology change industries for the better; he’s also seen it wreak havoc on those that aren’t prepared. The music industry, he says, falls squarely into the latter category. After decades of building distribution channels around record contracts and sales, the micro-transactional nature of the internet has, in some ways, diluted the industry. “I like to make a joke that it’s akin to a FedEx guy who shows up and gets 80 percent of your product price," Harple says. "To me, that’s in some ways what the App Store does and iTunes does and streaming services do.”

Those might sound like fighting words, but Harple isn't against digital music. A trustee of the Berklee College of Music, he helped create internet standards like the Real Time Streaming Protocol, which powers the technology that lets you pause, play, fast forward, and rewind on applications like YouTube and QuickTime. And when it comes down to it, he says, everyone—from startups to legacy labels to publishing houses—faces the same underlying issue. “Pretty early on it was obvious that there's an information gap in the industry,” says Erik Beijnoff, a product developer at Spotify and a member of the OMI.

That "information gap" refers to the data around who helped create a song. Publishers might keep track of who wrote the underlying composition of a song, or the session drummer on a recording, but that information doesn't always show up in a digital file's metadata. This disconnect between the person who composed a song, the person who recorded it, and the subsequent plays, has led to problems like writers and artists not getting paid for their work, and publishers suing streaming companies as they struggle to identify who is owed royalties. “What we need is a lingua franca to help everyone speak the same language,” Beijnoff says.

Over the last year, members of the OMI—almost 200 organizations in total—have worked to develop just that. As a first step, they’ve created an API that companies can voluntarily build into their systems to help identify key data points like the names of musicians and composers, plus how many times and where tracks are played. This information is then stored on a decentralized database using blockchain technology—which means no one owns the information, but everyone can access it.

Think of it as a standardized set of liner notes. Keeping track of this metadata means artists and platforms can leverage it in various ways without fear of violating rights. “It’s a simple question of attribution,” says Panos A. Panay, vice president of innovation and strategy at Berklee. “And payments follow attribution.”

Though the API is still in beta, members say it's a solid starting point for an industry that rarely shares information openly. The ripple effects go beyond money, too. Panay points to all the apps built on Twitter's API and says the flow of data within the music industry could encourage entrepreneurs to start new companies, developers to build new experiences, and musicians to get more creative with how they sample and produce music.

“You can envision a world where any sound that's ever been created—any guitar lick, any drum loop, any synth line, any vocal—is accounted for,” Panay says. “If you have attribution to underlying contributors, you can imagine an explosion of creativity.”
https://www.wired.com/story/the-musi...et-paid-online





Apple Reaches Music Deal With Warner, Eyes Sony Pact
Lucas Shaw and Alex Webb

• iPhone maker plans to pay record labels smaller percentage
• Paid streaming service has revived music industry; sales up

Apple Inc. has secured a deal for songs from Warner Music Group, the technology giant’s first agreement with a major label since introducing its on-demand music service two years ago, according to people familiar with the matter.

Warner will provide Apple a catalog spanning Ed Sheeran, the Red Hot Chili Peppers and Bruno Mars for both iTunes, the online store, and Apple Music, the streaming service. Apple plans to pay record labels a smaller percentage of sales from Apple Music subscribers than it did under its first deal for the streaming service, the people said, asking not to be identified discussing private information.

Large technology companies and music rights holders are establishing a framework this year for how to share proceeds from on-demand streaming, now the dominant source of sales for the record business in the U.S. Music rights holders are willing to accept a slightly smaller share of the sales from on-demand services, provided those services continue to sign up paying subscribers at a high rate.

Paid streaming was still a fledgling business when the company signed its initial deal, and it was willing to lose a little extra money because the service was intended to boost sales of the iPhone. Once the dominant player in online music, Apple was also eager to get a service on the market that could compete with growing rivals Spotify Ltd. and Google’s YouTube.

Industry Revival

Music has now taken on larger importance at Apple. The concept of paying for access to a trove of songs and curated lists on demand has since revived a music industry that was in decline for nearly two decades. Global music sales grew 5.9 percent to $15.7 billion in 2016, according to The International Federation of the Phonographic Industry. That number will climb to $41 billion by 2030, Goldman Sachs projected in a recent report.

The streaming service contributes to Apple’s services revenue, which the company aims to double to about $50 billion by 2020; and as users add more songs to their library, it serves to dissuade them from trading in their iPhone or iPad for a competing Android-operated device. The company also is said to be planning to spend about $1 billion in the next year on original video programming for Apple Music and other future video streaming products.

Apple pushed for a rate cut in this new round of talks after Spotify, the world’s largest paid music service, secured a rate reduction earlier this year. Apple has been paying labels 58 percent of sales, a higher rate than Spotify pays. Apple also traditionally granted publishers a higher rate than its Swedish rival. Apple is now considering giving labels a cut of 55 percent, which would decrease if subscriber numbers met targets.

Spotify had been paying labels about 55 percent of sales from paid subscribers, and paid publishers as well. That rate fell to about 52 percent, though the rate cut is contingent upon Spotify reaching certain performance metrics.

Sony Music Entertainment, owner of the second-largest record label, is also on the verge of a deal with Apple, one of the people said. A deal between Apple and Universal Music Group, owner of the top label, is further off.

Talks between Apple and the music industry are seldom as acrimonious as those involving most other music services. While YouTube, Spotify, Pandora and other services allow people to listen to music for free, Apple only sells a paid on-demand service.

Warner Music Group is the first major music company to reach new, long-term deals with all three of the biggest players in music, Apple, YouTube and Spotify. Universal and Sony have agreements with Spotify, but have yet to sign new deals with YouTube and Apple. Warner hired former Sony executive Ole Obermann to oversee its digital business last November.
https://www.bloomberg.com/technology





Hobbyist Gives iPhone 7 the Headphone Jack We've Always Wanted

It requires real courage and lots of cash.
Mallory Locklear

For those of you who miss the iPhone headphone jack, you're definitely not alone. But Strange Parts creator Scotty Allen missed it so much that he decided to add one to his iPhone 7. He just posted a video of the project's entire saga, with all of its many ups and downs, and in the end he holds what he set out to create: a current-generation iPhone with a fully functional headphone jack. It turns out, real courage is adding the headphone jack back to the iPhone.

The project took around 17 weeks to complete, and throughout it Allen spent thousands of dollars on parts, including multiple iPhones and screens and a handful of Lightning-to-headphone adapters. Along the way, Allen bought a printer, a nice microscope and fancy tweezers. He had to design his own circuit boards, have a company manufacture multiple iterations of flexible circuit boards and, at one point early on, consult with a chip dealer that a friend hooked him up with, because who doesn't have a chip guy these days?

Towards the end, after breaking lots and I mean lots of parts, Allen gets a little down on the project and says he wants to give up. But he doesn't, and it all works out. The final product works by building a Lightning-to-headphone adapter into the internal structure of the phone. However, because the headphone jack is fed from the phone's Lightning port, with a custom circuit board switching between the two depending on whether headphones or a charger are plugged in, you can't actually listen to music and charge the phone at the same time.

Aside from that caveat, the iPhone jack works normally in every other way. You can watch the video of the project below, and you can watch Allen's video of how he made an iPhone 6S from parts he bought in public markets here. For those who want to add their own headphone jack to their iPhone 7, Allen has made the steps publicly available on GitHub.
https://www.engadget.com/2017/09/07/...eadphone-jack/





Apple, Amazon Join Race for James Bond Film Rights

The franchise, and its future, are up for grabs as Agent 007 is being viewed as one of the last untapped brands that could be a game changer.
Tatiana Siegel, Borys Kit

The James Bond sweepstakes has taken an unexpected turn. While Warner Bros. remains in the lead to land film distribution rights to the megafranchise — whose deal with Sony expired after 2015’s Spectre — a couple of unlikely suitors have emerged that also are in hot pursuit: Apple and Amazon.

The tech giants are willing to spend in the same ballpark as Warners, if not much more, for the rights, sources tell The Hollywood Reporter. MGM has been looking for a deal for more than two years, and Sony, Universal and Fox also had been pursuing the property, with Warners and Sony the most aggressive.

But the emergence of Apple — which is considered such a viable competitor that Warners is now pressing MGM hard to close a deal — and Amazon shows that the digital giants consider Bond one of the last untapped brands (like a Marvel, Pixar or Lucasfilm) that could act as a game-changer in the content space. Apple’s and Amazon’s inclusion in the chase would indicate that more is on the table than film rights, including the future of the franchise if MGM will sell or license out for the right price.

Sources say newly arrived executives Zack Van Amburg and Jamie Erlicht are spearheading the effort on Apple’s behalf. Given their background (the pair served as co-presidents of Sony Pictures Television and shocked the industry when they announced in June that they were leaving for Apple), this would suggest that Apple is interested in cutting a larger rights deal or acquiring full ownership to exploit Bond’s largely unmined TV potential. Valuation of the franchise may be anywhere between $2 billion and $5 billion, says an insider.

“In the world of Lucasfilm and Marvel, Bond feels really underdeveloped,” says someone familiar with the bidding process. Sources say that, along with the tech giants, Chinese companies could come in from the cold to pursue not just movie rights but massive licensing rights that could push deals into the billions of dollars.

Very few movie or pop-culture properties quite rival the splashiness of the Bond franchise, which remains one of the most iconic brands with worldwide appeal. And unlike Star Wars, which was not owned by a major corporation until Disney bought Lucasfilm in 2012, it is still somewhat independently owned. Some observers feel that the franchise, by limiting itself to theatrical movies, remains vastly under-utilized by 21st century standards, where the expectation is to exploit IP across all mediums, push out merchandising for all age brackets and have spin-offs and cinematic universes.

Other sources insist that, at this stage, Eon producers Barbara Broccoli and Michael G. Wilson remain traditional in their outlook and that theatrical movies are their main concern. The moves arrive on the heels of MGM locking in Daniel Craig to return for another Bond outing and setting a release date of Nov. 8, 2019, with Yann Demange, who helmed the 2014 movie ’71, and Blade Runner 2049’s Denis Villeneuve said to be frontrunners for the directing job.

Spectre was the last in a two-picture deal that Sony struck in 2011 with MGM, which controls the rights to Bond along with Eon. Sony released Spectre on Nov. 6, 2015, and Agent 007 didn't disappoint, with the film earning $881 million worldwide. Still, the film fell short of 2012's Skyfall, which grossed $1.1 billion worldwide to become the biggest film in the series' 55-year history that started with 1962's Dr. No.

Sony, which also released 2006's Casino Royale and 2008's Quantum of Solace, has reinvigorated the property with Craig in the lead. In 2011, Paramount nearly landed Bond when its rights were available but walked away from MGM's demands and the modest 8 percent distribution fee MGM was willing to pay. At the time, Sony prevailed by striking a deal that allowed MGM to co-finance The Girl With the Dragon Tattoo and the Total Recall remake.

Even if Apple and Amazon walk away from Bond empty-handed, both are already disrupting the tentpole movie business paradigm. In July, Amazon closed a deal to self-distribute its first film: Woody Allen’s Wonder Wheel. Amazon and Warner Bros. also recently teamed to co-finance a film adaptation of Donna Tartt’s The Goldfinch, which previously had been a Warners-only project. Apple has been expected to make a similar move in the content space. It’s conceivable that Warner Bros. could be involved theatrically with Bond in either scenario.

The Bond movies, while hits, are minimal sources of profit for any studio that makes them, at least under the most recent terms. In an email leaked during the Sony hack, Andrew Gumpert, former head of Sony’s business affairs, predicted that if Spectre grossed $1.1 billion, with a budget of $250 million to $275 million, the studio would earn just $35 million. Spectre's gross fell more than $200 million shy of that estimate.

Speaking generally of Apple’s film ambitions and not specifically to Bond, UTA’s Yale Chasin says: “Apple is the biggest digital outlet for movies, so I think they are always present in the conversation whether they’re upfront or behind any other distributor out there that’s turning to them for real control in the digital market.”
http://www.hollywoodreporter.com/hea...rights-1035539





Attacked by Rotten Tomatoes
Brooks Barnes

Hollywood had a horrible summer.

Between the first weekend in May and Labor Day, a sequel-stuffed period that typically accounts for 40 percent of annual ticket sales, box office revenue in North America totaled $3.8 billion, a 15 percent decline from the same span last year. To find a slower summer, you would have to go back 20 years. Business has been so bad that America’s three biggest theater chains have lost roughly $4 billion in market value since May.

Ready for the truly alarming part? Hollywood is blaming a website: Rotten Tomatoes.

“I think it’s the destruction of our business,” Brett Ratner, the director, producer and film financier, said at a film festival this year.

Some studio executives privately concede that a few recent movies — just a few — were simply bad. Flawed marketing may have played a role in a couple of other instances, they acknowledged, along with competition from Netflix and Amazon.

But most studio fingers point toward Rotten Tomatoes, which boils down hundreds of reviews to give films “fresh” or “rotten” scores on its Tomatometer. The site has surged in popularity, attracting 13.6 million unique visitors in May, a 32 percent increase above last year’s total for the month, according to the analytics firm comScore.

Studio executives’ complaints about Rotten Tomatoes include the way its Tomatometer hacks off critical nuance, the site’s seemingly loose definition of who qualifies as a critic and the spread of Tomatometer scores across the web. Last year, scores started appearing on Fandango, the online movie ticket-selling site, leading to grousing that a rotten score next to the purchase button was the same as posting this message: You are an idiot if you pay to see this movie.

Mr. Ratner’s sentiment was echoed almost daily in studio dining rooms all summer, although not for attribution, for fear of giving Rotten Tomatoes more credibility. Over lunch last month, the chief executive of a major movie company looked me in the eye and declared flatly that his mission was to destroy the review-aggregation site.

Kersplat: Paramount’s “Baywatch” bombed after arriving to a Tomatometer score of 19, the percentage of reviews the movie received that the site considered positive (36 out of 191). Doug Creutz, a media analyst at Cowen and Company, wrote of the film in a research note, “Our high expectations appear to have been crushed by a 19 Rotten Tomatoes score.”

Kersplat: “King Arthur: Legend of the Sword” got a Tomatometer score of 28 — anything under 60 is marked rotten — and audiences stayed away. After costing Warner Bros. at least $175 million to make, the movie took in $39 million at the domestic box office. In total.

How did a clunky website that has been around for 19 years amass such power?

The 36 people who work for Rotten Tomatoes hardly seem like industry killers. The site’s staff occupies a relatively ordinary Beverly Hills office complex — albeit one with conference rooms named “La La Land” and “Oz” — and includes people like Jeff Voris, an easygoing former Disney executive with graying hair who oversees operations, and Timothy Ryan, a former newspaper reporter who is a Rotten Tomatoes senior editor and lists “Leonard Maltin’s Movie Guide” as favorite reading.

The employee with the pink mohawk is Grae Drake, senior movie editor. She does a lot of video interviews and lately has been helping to fill a void created when Matt Atchity left as editor in chief in July for a bigger job at TYT Network, an online video company.

Jeff Giles, a 12-year Rotten Tomatoes veteran and the author of books like “Llanview in the Afternoon: An Oral History of ‘One Life to Live’,” writes what the site calls Critics Consensus, a one-sentence summary of the response to each film. (Disney’s latest “Pirates of the Caribbean” movie was summarized as proving “that neither a change in directors nor an undead Javier Bardem is enough to drain this sinking franchise’s murky bilge.”)

“Everyone here sweats the details every day,” said Paul Yanover, the president of Fandango, which owns Rotten Tomatoes. “Because we are serious movie fans ourselves, our priority — our entire focus — is being as useful to fans as we absolutely can be.”

Hold on a minute. Fandango?

Yes. In an absurdist plot twist, Rotten Tomatoes is owned by film companies. Fandango, a unit of NBCUniversal, which also owns Universal Pictures, has a 75 percent stake, with the balance held by Warner Bros. Fandango bought control from Warner last year for an undisclosed price. (All parties insist that Rotten Tomatoes operates independently.)

Mr. Yanover said it was silly for studios to make Rotten Tomatoes a box office scapegoat.

“There is no question that there is some correlation to box office performance — critics matter — but I don’t think Rotten Tomatoes can definitively make or break a movie in either direction,” he said. “Anyone who says otherwise is cherry-picking examples to create a hypothesis.”

He cited “Wonder Woman,” which was the No. 1 movie of the summer, with $410 million in ticket sales. It was undoubtedly helped by a strong Tomatometer score of 92. “Dunkirk,” “Spider-Man: Homecoming” and “Guardians of the Galaxy Vol. 2” all received high scores and drew huge crowds. Other films did not do well on the Tomatometer (“The Hitman’s Bodyguard,” “The Emoji Movie”) but still managed to find audiences.

Some filmmakers complain bitterly that Rotten Tomatoes casts too wide a critical net. The site says it works with some 3,000 critics worldwide, including bloggers and YouTube-based pundits. But should reviewers from Screen Junkies and Punch Drunk Critics really be treated as the equals of those from The Los Angeles Times and The New Yorker?

Mr. Yanover rejected those complaints, pointing to the site’s posted requirements. (“Online critics must have published no less than 100 reviews across two calendar years at a single, Tomatometer-approved publication,” for instance.) He also noted that critics at traditional outlets tended to be white men and that Rotten Tomatoes wanted to include female and minority voices.

‘Incredibly Layered’ Process

For the studios, the question of how individual reviews get classified as fresh or rotten is also a point of contention. Only about half of critics self-submit reviews and classifications to the site. Rotten Tomatoes staffers comb the web and pull the other half themselves. They then assign positive or negative grades.

“We have a well-defined process,” said Mr. Voris, the vice president of Rotten Tomatoes. “Our curators audit each other’s work. If there is any question about how a review should be classified, we have three curators separate and do independent reads. If there still isn’t agreement, we call the journalist.”

Staff members also fact-check what critics have self-submitted. In one recent instance, a review of “Alien: Covenant” that was submitted as fresh seemed rotten. The site reversed the categorization after contacting the critic for clarification.
[Photo: Movies on Rotten Tomatoes are either classified as “fresh” (good) or “rotten” (bad). Credit: David Walter Banks for The New York Times]

Mr. Voris brushed aside the studios’ protests — shared by many critics — that the Tomatometer ratings damage films because they reduce nuanced reviews to blunt scores.

“I actually think it’s the opposite of simplified,” Mr. Voris said. “It’s incredibly layered.” Yes, the Tomatometer scores are the site’s best-known feature, he said. But Rotten Tomatoes also carries snippets of dozens of individual reviews. Beyond that, there are also links to full reviews. The site also generates its own news articles and feature stories (“75 Best Heist Movies of All Time”) that try to put new films into context.

Still, it is the Tomatometer scores that have become ubiquitous across the web. Rotten Tomatoes makes money through partnerships with companies like Apple, which lists the scores next to iTunes movie rentals and purchases. And to the dismay of movie marketers, Google has started to prominently display the scores even when users do not specifically search for them: Enter the name of a film into the search bar and the Tomatometer results pop up on the top right side of the results page, directly under the film’s poster.

“Rotten Tomatoes isn’t new, but its omnipresence is,” said Tim Palen, Lionsgate’s president of theatrical marketing. “The scores are even part of the local TV news on Friday going into the weekend.”

The battle between movie companies and critics is a perennial one. There was an outcry when some publications started using a series of stars to summarize reviews. (By some accounts, that system started in 1928, when The Daily News gave one star to the silent film “The Port of Missing Girls.”) Cries of harmful reductionism resurfaced in the 1980s, when the critics Gene Siskel and Roger Ebert brought their thumbs up or down edicts to syndicated television.

Rotten Tomatoes was founded in 1998 by students at the University of California, Berkeley who wanted reviews for kung fu movies in one place. The name harkens back to medieval Europe, where people would lob spoiled food, often eggs, at petty criminals in the stocks. The practice spread to some theaters in the 19th century. In 1883, The New York Times reported that “a large tomato thrown from the gallery” hit a Long Island actor “square between the eyes.”

In past years, studio publicists would occasionally lobby Rotten Tomatoes to include positive reviews from far-flung publications as a way of improving scores, especially for films with a 59 — on the line between receiving a red, plump fruit label (fresh) or the dreaded splotch of green goo (rotten). But Hollywood more or less lived with it.

Four things changed.

There was Fandango’s integration of Tomatometer scores with its ticketing platforms, which serve about 28,000 movie screens in North America. Now, when Fandango customers buy tickets to a movie in the days leading up to its release, they are confronted by the film’s Tomatometer score. After the movie is released, a different Rotten Tomatoes rating — one based on audience response, which is invariably positive — begins to pop up on Fandango next to the Tomatometer score.

Then there is Rotten Tomatoes’ growth into a very popular hub. In 2009, the site, which sells advertising, attracted about 1.8 million unique visitors per month. It now attracts as many as 14 million unique visitors a month. The broader Fandango portfolio of sites reaches 60 million unique visitors a month.

Consumer behavior is also changing. People increasingly rely on review aggregation sites like Yelp and TripAdvisor to make all kinds of spending decisions. The trend is especially visible among young people, who make up Hollywood’s most important audience. According to National Research Group, a movie industry consulting firm, 34 percent of American teenagers now check Rotten Tomatoes before buying a ticket, up from 23 percent in 2014.

Hollywood Fights Back

Most importantly, studios are panicking because moviegoing is no longer a habit for most Americans. Because of climbing prices and competition from other forms of entertainment, a trip to the multiplex has become a special event. In particular, more movie fans are ignoring low- and mid-budget films when they are in theaters: Ehh, let’s wait until they show up on Netflix.

Studios are trying to battle Rotten Tomatoes on multiple fronts.

Marketers have discovered that early positive reviews can produce a bandwagon effect later, as some critics, especially those at less prestigious outlets, seek to go with the flow instead of against it. Studios have also started screening films early for pockets of critics. In some cases, studios create spreadsheets of which critics to invite to early screenings — often at festivals — based on questions such as who liked what in the past and who gives positive reviews more often than not.

It is notable that “Leatherface,” a horror movie scheduled for release in late October, already has a very positive Tomatometer score of 86 based on seven reviews. (Rotten Tomatoes requires a minimum of five reviews before calculating a score.) The seven reviews came after an August screening at a London festival called FrightFest that was attended by reviewers from sites like Dread Central and HeyUGuys, which bills itself as an outlet for “love letters to cinema.”

Another way to undercut Rotten Tomatoes involves restricting reviews until the last possible minute. Sony set a review embargo of opening day for “The Emoji Movie,” which left the Tomatometer blank until after many advance tickets had been sold and families had made weekend plans. “The Emoji Movie,” which ultimately received a Tomatometer score of 8, squeezed out decent opening-weekend ticket sales of $24.5 million.

If Rotten Tomatoes is a monster, the studios helped create it. As much as they fear and loathe low scores, they love high ones. Sony recently ended its trailer for “Baby Driver,” a heist thriller, by flashing the Rotten Tomatoes logo and “100 percent,” the film’s Tomatometer score at the time. (It later slipped to 94.) Annapurna did the same thing for “Detroit” in television ads. (Not that it helped; that drama flopped.)

And Rotten Tomatoes is getting stronger. The site is working to build its Tomatometer scores for TV shows into a more formidable force. Also in development are a half-dozen video series, including one built around a cheeky event created by Ms. Drake, the senior movie editor, called Your Opinion Sucks.

At that event, which started at the Comic-Con International fan convention in San Diego a few years ago, movie fans debate critics. The hourlong sessions can get heated.

“Let’s just say that it’s not an accident that I chose a costume that needs a whip,” Ms. Drake said as she prepared to co-host one of three sessions at Comic-Con in July. (She was dressed as Catwoman.)

On stage were online critics from The New York Observer, Screen Junkies and Schmoes Know. One member of the audience came to the microphone and offered an opinion: “The Fate of the Furious,” which got a “fresh” Tomatometer score of 66 in April, deserved an even higher score.

Snarky wisecracks from the critics and hosts started to fly. The stars have as much chemistry as “a mop and a bucket,” one said. Ms. Drake’s co-host, the comedian Scott Aukerman, said that “The Fate of the Furious,” the eighth movie in the action series, should have been called “No one wants to act with Vin Diesel anymore” because the actor had a separate storyline for much of the film.

It was time for the audience to vote. Most of the 200 or so people assembled raised green paddles, and so the movie was pronounced rotten.

With an intestinal gurgle sound effect.
https://www.nytimes.com/2017/09/07/b...ox-office.html





TV Turns 90 Today

A live webcast today will celebrate the transmission of the first electronic TV signal on Sept. 7, 1927, and the man behind it, Philo T. Farnsworth, per AP:

• The webcast is set for 6 p.m. ET from the original location of Farnsworth's San Francisco lab. It'll be repeated at 9 p.m. and midnight.
• Veteran producer Phil Savenick created the site to detail the medium's history and the contributions of Farnsworth and other TV pioneers.
• The website includes a "virtual museum" of photos, videos and stories.
• In the 1930s, Farnsworth waged a successful legal battle to be recognized as the inventor of electronic television.
• The largely unsung scientist, a Utah native, died in 1971 at age 64.

https://www.axios.com/tv-turns-90-today-2482515293.html





T-Mobile US to Offer Free Netflix with Family Plan
Anjali Athavaley

T-Mobile US Inc (TMUS.O) said on Wednesday it will offer a free subscription to video streaming service Netflix Inc (NFLX.O) with its unlimited data family plans in a push to lure more subscribers.

The new offer shows how wireless carriers are bundling content with mobile service as a way to attract and keep customers in the United States, where most people already have cell phones and are increasingly using them to stream content.

Earlier this year, AT&T Inc (T.N), which is buying Time Warner Inc (TWX.N) for $85.4 billion in an effort to turn itself into a media powerhouse, started including HBO with its Unlimited Plus wireless plan. The company has said such offers are helping with subscriber retention.

T-Mobile, the No. 3 U.S. wireless carrier by subscribers, has been taking share from its larger rivals AT&T and Verizon Communications Inc (VZ.N) through cheaper prices and added perks. Its executives have not expressed interest in owning content but have said they are interested in partnering with media companies on delivering it. T-Mobile already allows users to stream video from Netflix without using their data.

Shares of Verizon and AT&T were down roughly 1.3 percent in afternoon trading. T-Mobile was up 0.11 percent at $63.71 and Netflix was up 2.2 percent at $178.39.

“T-Mobile is in an enviable position for the future communications landscape by building the bundle from scratch, without having to sustain legacy businesses that are in structural decline,” said Walter Piecyk, an analyst at BTIG, in a note. “Netflix is in a similarly enviable position, which makes them obvious and high profile partners.”

The offer allows customers with T-Mobile One plans who have two or more lines to get a standard Netflix subscription, normally priced at $10 a month, for free as part of an exclusive, long-term agreement that the company struck with Netflix. The plans are priced at $40 per line for a family of four.

Piecyk added that the promotion likely aims to get T-Mobile’s single-line users to add a second line since subscribers to family plans are more loyal.

The company said its latest move will not affect its financial forecasts, but Mike Sievert, T-Mobile’s chief operating officer, characterized the agreement with Netflix as a “big investment” during a call with reporters.

“Netflix is not providing us with a giant discount,” he said, adding that the move was in line with T-Mobile’s strategy of betting on benefits that subscribers value.
https://uk.reuters.com/article/idUKB5N1G8025





Comcast Shares Fall 7% after Management Warns of Losing 150,000 Video Subscribers in Q3
Trey Williams

Shares of Comcast Corp. (CMCSA) fell nearly 7% during intraday trade on Thursday after management said during a Bank of America media conference that investors can expect Comcast to lose between 100,000 and 150,000 video subscribers in the third quarter. The loss in subscribers will be due partly to increased competition in the telecom landscape, as the broader industry contends with pressure from streaming. But management also said the hurricanes and storms hitting Texas and the southeast have had an impact. Comcast management said this quarter has been one of the most competitive in recent memory, with distributors being more aggressive and new internet streaming entrants offering packages that give them a negative gross margin. Shares of Comcast have gained more than 11% in the year to date, while the S&P 500 index (SPX) is up 10%.
http://www.marketwatch.com/story/com...-q3-2017-09-07





Comcast, Verizon, AT&T CEOs Refuse to Testify on Net Neutrality
Karl Bode

So we've noted a few times how Verizon, AT&T, Comcast and Charter lobbyists have not only been lobbying the FCC to kill popular net neutrality protections, but they're also lobbying for a new net neutrality law. Why would they kill one set of rules only to push for the creation of another? These ISPs know the current cash-compromised Congress is so dysfunctional that such a law either won't happen, or if it does will be written by ISP lobbyists intent on making it as flimsy as possible.

The goal here is simple: ISPs like Comcast want to pretend we can "put this entire debate to bed" with a new law their lawyers write that's so filled with loopholes as to be effectively worse than no rules at all.

However this effort is proving more difficult than many of these companies hoped. Back in July, ISP-cozy lawmakers put out a call to all major Silicon Valley and telecom CEOs to come testify in a net neutrality hearing in front of the House Energy and Commerce Committee. The purpose of this hearing, these lawmakers claimed, was to "rethink the current regulatory model and build new rules from the ground up" in Congress, just as ISPs have been demanding.

But not a single ISP or giant Silicon Valley company CEO was willing to testify on the subject.

Why not? While Verizon or Comcast lobbyists and lawyers are more than happy to lie about net neutrality in misleading videos or disingenuous blog posts, having your CEO own these anti-consumer positions in front of Congress is something else entirely. Similarly, Silicon Valley CEOs at Google and Facebook likely don't want to own the fact they haven't cared about net neutrality since around 2010 or so, and in many parts of the world have actively worked to undermine the concept.

Of course, lawmakers like Greg Walden state that with CEOs refusing to testify, work can now proceed on this new law in the way major ISPs prefer it: behind closed doors and without any real transparency or public input.

“As negotiations progress on a permanent solution for net neutrality that ensures a free and open internet, the committee will postpone the original hearing in order to allow talks between stakeholders to continue,” said Walden's office in a statement.

As the fall arrives, expect this push for a new net neutrality law to reach a fevered drum beat as ISPs have their consultants, lobbyists, lawyers, think tankers and other representatives (clearly disclosed or not) argue that a new, flimsy law is the only real path forward and will "put the issue to rest" once and for all. But consumers shouldn't be fooled. There's a very easy, inexpensive way to protect net neutrality: listen to the will of the public and leave the existing, popular net neutrality protections alone.
https://www.dslreports.com/shownews/...trality-140263





Senate Democrats Fight FCC Plan to Lower America’s Broadband Standards

You can’t fix the US broadband problem by redefining it, senators tell FCC.
Jon Brodkin

Senate Democrats are fighting a Federal Communications Commission proposal that could lower America's broadband standards by redefining what counts as broadband Internet access.

Under standards imposed during the Obama administration, the FCC says that all Americans should have access to home Internet service offering speeds of at least 25Mbps downstream and 3Mbps upstream, as well as access to mobile Internet. When the FCC makes its annual judgment of whether broadband is being deployed to all Americans quickly enough, the commission thus analyzes whether all parts of the country have both fast home Internet and mobile service.

But FCC Chairman Ajit Pai's proposal suggests that cellular Internet could be counted as a full substitute for home Internet access rather than a complement to it. Moreover, his proposal suggests that mobile wouldn't even have to meet the 25/3Mbps speed standard—instead, a 10Mbps/1Mbps mobile connection could suffice.

By lowering the standards, the FCC could conclude that America's broadband problem has been solved and thus take fewer steps to promote deployment and competition.

Consumers and Democrats object

Consumers already bashed the FCC plan by filing comments starting in early August, and 12 Democratic senators joined them in protest in a letter to the FCC on Thursday.

"[T]he Commission appears ready to decide that mobile broadband could be a substitute, rather than a complement, to fixed broadband service and that slower-speed mobile service substitutes as effectively," the senators wrote. While mobile broadband might one day evolve to be the equivalent of fixed Internet services such as cable and fiber, "that is not the case today," they wrote.

The letter continued:

At this time, such a striking change in policy would significantly and disproportionately disadvantage Americans in rural, tribal, and low-income communities across the nation, whose livelihoods depend on a reliable and affordable broadband connection... In reading this notice of inquiry, it appears that the FCC, by declaring mobile service of 10Mbps download/1Mbps upload speeds sufficient, could conclude that Americans' broadband needs are being met—when in fact they are not. By redefining what it means to have access, the FCC could abandon further efforts to connect Americans, as under this definition, its statutory requirement would be fulfilled. We believe that mobile broadband service cannot adequately support the same functions as does fixed service currently and, therefore, cannot be a substitute at this time. A small business owner who wants to begin a new venture today would not be adequately supported by mobile-only service. Should the decision to change current policy be made with the technology currently available, it would signal a strong departure from the Commission's mission, while also implying that certain consumers must accept lower-quality connectivity.

The letter was written by Senators Al Franken (D-Minn.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wisc.), Richard Blumenthal (D-Conn.), Heidi Heitkamp (D-N.D.), Amy Klobuchar (D-Minn.), Elizabeth Warren (D-Mass.), Brian Schatz (D-Hawaii), Edward Markey (D-Mass.), Tom Udall (D-N.M.), Kirsten Gillibrand (D-N.Y.), and Ron Wyden (D-Ore.). It was sent to Pai and the other four commissioners.

The FCC is taking initial comments from the public on its plan until Thursday, September 7, while reply comments are due September 22. The senators argued that more time is needed and asked for a 30-day extension.

"We believe that such substantial shifts in policy require greater consideration and debate, something that the current schedule for comment does not allow," they wrote. An extra month will give people time "to effectively respond to an inquiry that has potentially dire effects on the Commission's view of the reality of broadband access in America," they wrote.

Officials in Chairman Pai's office have "received the letter and are reviewing it," a commission spokesperson told Ars today.
https://arstechnica.com/information-...and-standards/





Speed Report Finds T-Mobile and Xfinity Providing Fastest Mobile and Broadband Internet in U.S.
Kurt Schlosser

Mobile and fixed broadband internet speeds in the U.S. are improving, but not all carriers and providers are created equal and not all areas of the country are benefitting equally from fast speeds.

Those are the findings according to a new market report from Speedtest by Ookla out of Seattle, which relied on data it captured from user-initiated tests during the first half of 2017. And for customers using T-Mobile for mobile internet and Comcast Xfinity for broadband, the results are especially good.

Speedtest credits infrastructure investments and upgrades as well as increased affordability of higher tiered packages for the fact that fast broadband keeps getting faster. The average download speed in the U.S. over fixed broadband during Q1 to Q2 was 64.17 Mbps (ranking 15th in the world) and average upload speed was 22.79 Mbps (24th in the world).

Xfinity is the top provider when it comes to Speed Score — which incorporates low-end, median and top-end performance for both download and upload speed — with a score of 69.58. Speedtest says that Comcast has been aggressively seeding the market over the past year with advanced modems capable of delivering a more consistent experience for customers. The cable provider has also been increasing the amount of DOCSIS 3.1 channels in order to deliver faster speeds, according to the report.

When looking at specific regions of the country, Xfinity is tops in the West and Northeast, while Suddenlink is the fastest provider in the South and Mediacom tops the Midwest. But the view highlights how much better broadband speeds can be in different parts of the U.S., with the Midwest and Northeast lagging.

When it comes to average fixed broadband speed on all platforms for the 100 largest cities, Kansas City, Mo., is on top followed by Austin; San Francisco; Charlotte, N.C.; and Atlanta.

Laredo, Texas had the slowest average speed, followed by Toledo, Ohio; Buffalo, N.Y.; Milwaukee; and El Paso, Texas.

When it comes to mobile, Speedtest found that improvements in technology and usage of available network spectrum led to a 19-percent increase in average download speeds in the U.S. to 22.69 Mbps. Last year’s report found that speeds jumped 33 percent year over year. Upload speeds improved slightly this year, up 4 percent to 8.51 Mbps.

These speeds give the U.S. a ranking of 44th in the world when it comes to fastest mobile internet speeds, down from 42nd last year. Speedtest points out that the geographic breadth of the U.S. makes it challenging for cellular speeds to compete with smaller, more densely populated nations.

While all four major carriers had increased download speeds, not all areas of the country are enjoying those benefits. Customers in rural areas saw average download speeds of 17.93 Mbps, which is 20.9 percent slower than the nation as a whole.

T-Mobile has the fastest network in the U.S. with a Speed Score of 23.17, and Speedtest credits the Bellevue, Wash.-based carrier’s tightly spaced cell site grid and smaller subscriber base as possible keys to success. Verizon tops AT&T and Sprint in the race behind T-Mobile.

T-Mobile is the fastest carrier in 40 of the 100 most populous cities in the U.S. Verizon is tops in 35, AT&T in 20 and Sprint in five.

Fort Wayne, Ind., had the fastest average mobile download speeds during the test period, followed by Minneapolis, Saint Paul, Atlanta and Pittsburgh. The slowest speed on the list — 32.2 percent slower than the national average — is in North Las Vegas. Laredo, Texas; Las Vegas; Newark, N.J.; and Aurora, Colo., round out the five cities with slowest download speeds.
https://www.geekwire.com/2017/speed-...-internet-u-s/





Did Unlimited Plans Actually Cripple Verizon’s Network?
Chris Mills

Early this year, Verizon launched a fantastic Unlimited data plan. Months later, it abruptly turned one plan into two, and tacked on a bunch of restrictions like mandatory video throttling. Analysts, competitors, and this lowly blogger were quick to point the finger at Verizon’s average download speed, which appeared to have taken a big hit since the introduction of unlimited data.

But according to Verizon’s execs, the network has “performed incredibly well” under Unlimited. Third-party data from OpenSignal and Ookla “doesn’t line up at all with what I’m seeing,” Verizon VP of wireless networks Mike Haberman told me.

The case against Verizon is simple: crowd-sourced speedtest data from Opensignal and Ookla, the company behind Speedtest.net, shows a perceptible drop in Verizon’s average speed for the first half of 2017, after it introduced unlimited data. The extent of that drop varies depending on which dataset you’re looking at: according to Opensignal, the drop is about 2Mbps, or around 13%. The Ookla data specifically shows a 5% increase in the number of speedtests below the “acceptable threshold” of 5Mbps, indicating a sharp increase in the number of customers seeing very slow speeds.

The combined datasets of Ookla and Opensignal take in millions of real-world customer tests, so it’s impossible to argue that the change is real. But Verizon contends that the drop in speeds isn’t indicative of a network-wide problem. Instead, Haberman says that the unlimited plans were a hit in rural areas, where speeds are naturally slower than the national average. An increase in the percentage of speedtests being done in rural areas would naturally bring Verizon’s overall speeds down, but doesn’t mean that the network overall was saturated.

“I think it’s a matter of going Unlimited, a matter of where the adopters of Unlimited would be…I don’t know what they’re doing, but certainly you could use [unlimited plans] as a landline bypass, or if you don’t have any internet you can use it on your phone,” Haberman said. “Quite frankly, they’re going to the carrier with the best coverage. So, merely what you saw is people who don’t have any coverage, they now have coverage, and now they have an Unlimited plan. You saw a segment of customers coming over, which is why you see more samples in rural areas.”

An increase in the number of samples in rural areas doesn’t seem like a big enough change to explain away the nationwide change, however. Opensignal Lead Analyst Kevin Fitchard told me “the number of samples you’d need…that doesn’t make sense at all.” Opensignal has millions of tests of real Verizon customers in its data; recording a 13% decrease in average network speeds would need to be something much more than just a change in the geographical distribution of samples.

Ookla suggested a different reasoning for the slowdown in its report. Rather than overall network saturation, it suggests that the slowdown is from new unlimited customers running into the deprioritization threshold (22GB) en masse. When a Verizon Unlimited customer uses more than 22GB of data in a month, their data may be throttled where necessary, all the way down to 3G speeds. “Others have argued that these networks may be saturated. However, if they were, we’d expect to see the number of tests at every level of speed decrease. Our data does not bear this out and it seems likely we’re seeing reduced performance due to high usage de-prioritization,” Ookla said in a blog post.

So the most likely reason for Verizon’s slowdown is that Unlimited customers are hitting that deprioritization threshold, the cell towers they’re using are congested, and their speeds are being throttled, resulting in the slow speedtests. That’s not the same as all Verizon customers seeing the network slow down, but Fitchard argues that it doesn’t matter what you call it: it’s still congestion. It would be “almost absurdly naive” to suggest that Verizon’s network hasn’t seen any impact from the introduction of unlimited data, he said.

“We measure the experience consumers see on their mobile phones, so if what they see are throttled speeds, then that’s the experience. We’re not trying to measure what the technical capabilities of the network are with our main 4G speed metric (that’s what our peak speed metric is for). We’re measuring typical everyday speeds. If throttling is having enough of an impact to cause a significant drop in those everyday speeds in our metrics, that means throttling is having a big impact on the consumer experience,” Fitchard explained.

This might all seem like minor haggling over details, but understanding what’s happened to Verizon’s network since the introduction of unlimited data is key to understanding the recent changes it made to its unlimited data plan. Verizon explained the changes as offering “greater consumer choice,” but a more logical explanation seems to be that the network in some places — possibly even just rural areas! — was seeing higher-than-expected usage, and Verizon needed to control that use in order to keep its network usable for everyone.

It’s also important to understand that the impact of unlimited plans on Verizon’s network doesn’t mean that the carrier “can’t keep up with Unlimited,” as T-Mobile would have you believe. Even with the drop in speeds, Verizon is level-pegging with T-Mobile’s network nationally, and beating it in the largest cities. While T-Mobile is scrambling to roll out 600MHz to increase its nationwide coverage to be on par with Verizon, Big Red is rolling out thousands of small-cell towers in cities, and refarming old 3G spectrum to LTE, all of which should massively boost capacity.

Ultimately, the people winning here are consumers. T-Mobile and Verizon can throw words at each other all they want, but the important thing is that both carriers are currently offering better, cheaper cell plans than we’ve had in years, and both are scrambling to build out insanely fast new LTE and 5G networks.
http://bgr.com/2017/09/08/verizon-un...work-coverage/





Google is Apparently Ready to Buy Smartphone Maker HTC

• Google is reportedly in the final stages of acquiring all or part of HTC.
• Smartphone maker HTC has struggled over recent quarters, and Google's putting new emphasis on hardware.
• Google already acquired and sold Motorola Mobility, so why repeat that?

Todd Haselton

A report from a Taiwanese news outlet called Commercial Times says Google is in the final stages of acquiring all or part of smartphone maker HTC.

The news follows a separate story from late August that suggested Taiwan-based HTC was interested in some sort of sale.

HTC, once one of the more popular smartphone makers in the United States, has fallen off of most carrier store shelves after several consecutive unsuccessful smartphone launches. It recently launched a separate division that sells virtual reality headsets.

The report seems fishy, since Google has already been down this road, but there's a reason why Google might be interested in HTC.

The Taiwanese company builds the Google Pixel, which means it could be a good fit for Google as it continues to cater to consumers with its "Pixel" smartphone brand.

Here's where it sounds off base: Google acquired Motorola Mobility and then sold it off just a couple of years later. Why repeat that move?

Commercial Times said HTC's poor financial position and Google's desire to "perfect [the] integration of software, content, hardware, network, cloud, [and] AI," is the driving force behind Google's interest. The news outlet said Google may make a "strategic investment" or "buy HTC's smartphone R&D team" which suggests that the VR team would exist as its own.

UBS analyst Eric J. Sheridan explained in a note on Thursday why Google might want to push further into hardware:

From a strategic standpoint, owning & operating its own mobile operating division would offset some of the key strategic challenges that Google's mobile computing business might face: a) a deeper integration of hardware/software would offset some of the Android fragmentation issues that do not plague Apple iOS; b) development cycles that maximize forward mobile computing trends (Google Lens, location, ARCore, Google Assistant) with possible greater user adoption; c) an offset to rising Distribution TAC expenses; & d) an offset to any negative industry dynamics (unbundling of apps) resulting from the European Commission's Android investigation.

Sheridan said a Google acquisition of HTC would be "immaterial to Alphabet" given its $95 billion cash stash.

Google and HTC declined to comment to CNBC.
https://www.cnbc.com/2017/09/07/goog...port-says.html





China’s Twitter-Like Weibo Orders Users to Register their Real Names

Deadline comes as government seeks to tighten its grip on online speech ahead of next month’s Communist Party congress
Nectar Gan

China’s Twitter-like microblogging site Weibo has issued an ultimatum to its users demanding they verify their accounts with their real names before next Friday, as Beijing further tightens its control of online speech in the lead-up to a key leadership reshuffle.

Sina Weibo said in an official notice on Friday that users would be asked to verify their accounts before posting on the platform. It gave a deadline of September 15, but did not say what would happen to those who failed to comply.

The ultimatum came after China’s cyberspace regulator issued a new rule last month that effectively bans anonymous online commenting from next month. On October 18, the ruling Communist Party will open its twice-a-decade congress, revealing its new leadership line-up for the next five years.

The government has been steadily tightening its grip on the internet since the start of the year. As well as being more vigorous in its implementation of existing regulations, it has introduced a sweeping cybersecurity law, and launched a campaign to outlaw unlicensed virtual private networks that allow people to access censored websites.

China’s internet regulators have been pushing for real-name registration for online discussion platforms for years, but enforcement has been lax and there are still unverified users active online.

Weibo users were first asked to register their real names in 2011, when the Beijing municipal government issued a regulation as part of a push to rein in online rumour-mongering and “cleanse” content. But a year later, Sina admitted publicly that it had failed to fully implement the regulation because it was time consuming and eroded its user base.

In 2015, the Cyberspace Administration vowed to ramp up the policy to cover other internet services – including instant messaging programs, microblogs, online forums and other communication websites – and pledged to strengthen oversight, but neither was strictly enforced.

In Friday’s announcement, Weibo stressed that all users, including those who registered before 2011, would be targeted in the latest push for real-name verification.

It said that since 2011 it had required all new users to register with their real names and had been “guiding” old users to do the same. People were asked to provide their mobile phone numbers as in mainland China these too had to be registered to a “real” person, it said.

The statement said Weibo had so far completed real-name registration for all “active users”, without elaborating. The service boasted 340 million active monthly users in the first quarter of this year, accounting for 40 per cent of the country’s population and surpassing Twitter (which is blocked in China), which had about 328 million active monthly users.

The company did not immediately respond to the South China Morning Post’s requests for comment on Friday.

The cybersecurity law enacted in June places internet companies under greater pressure to monitor users and their activities.

In anticipation of the law coming into force, some companies, such as the Quora-like question-and-answer website Zhihu and search engine Baidu, had already asked users to verify their identities.

In August, internet giants Tencent, Baidu and Sina Weibo were placed under investigation by regulators for allowing users to spread content that “harms national security, public safety and social order”.

On Thursday, the Cyberspace Administration issued new rules to rein in instant messaging chat groups, demanding service providers verify the identities of their users and keep a log of group chats for no less than six months.
http://www.scmp.com/news/china/polic...ter-their-real





Chinese Man Sentenced to Prison for Selling VPN Software

A Chinese man running a small-scale website on which he sold VPN software has been sentenced to 9 months in prison. Weibo netizens take the man’s prosecution as another sign that authorities are stepping up their fight against software that allows people to browse websites that are blocked in China.

A 26-year-old man from the city of Dongguan, Guangdong province, has been sentenced to 9 months in prison for selling VPN software through his own website.

According to China’s Supreme People’s Court (SPC) database (China Judgments Online), Deng Jiewei was found guilty of the crime of “illegal control of a computer system”, contained in Article 285 of China’s Criminal Law.

The criminal law Article states:

“Whoever violates state regulations and intrudes into computer systems with information concerning state affairs, construction of defense facilities, and sophisticated science and technology is to be sentenced to not more than three years of fixed-term imprisonment or criminal detention.”

The prosecution notice, issued online on an information disclosure platform of the People’s Procuratorate (人民检察院案件信息公开网), states that the man was arrested in October of 2016 for setting up a .com website earlier last year through which he offered two types of VPN software, making a total profit of approximately 2125 US$ (14000 RMB).

The notice clarifies that the .exe software sold by Deng allowed users to circumvent China’s web censorship and visit foreign websites.

“I am scared we could all be arrested now.”

Although the sentencing took place in January of this year, the news only surfaced on Chinese social media on September 3rd, soon gaining over 6000 shares on one Weibo post about the issue, and over 4000 shares of another post that reported the sentencing.

Many netizens questioned the severity of the punishment for selling a program to browse the Internet. “The crime of wanting to know the truth and selling a ladder,” one person said, referring to VPNs as a way to ‘climb over’ the Great Firewall of China. Another Weibo user posted an image of George Orwell’s 1984 in response to the news.

One commenter sarcastically wrote: “I suggest we now also bring back the crime of counter-revolution (反革命).”

Some netizens wondered how the man could have been prosecuted under Article 285: “How can using a VPN be defined as ‘intruding into computer systems’?”, one Weibo user asked.

Another person also noted that the law concerns the intrusion of computer systems relating to ‘state affairs’, but that the prosecuted man was only running a small-scale website selling VPN software. “According to this sentencing, I am also guilty for using a VPN,” he said. Another commenter shared similar worries: “I am scared we could all be arrested now.”

Chinese authorities have introduced numerous restrictions on virtual private networks (VPNs) this year. In January, China’s Ministry of Industry and Information Technology issued a notice that it will strictly contain the unapproved use of VPNs by Chinese firms.

In July, Bloomberg News reported that the Chinese government had instructed telecommunications carriers to block VPN access by all individuals in China by February 2018. Shortly thereafter, Apple removed all major VPN apps from the App Store in China.

On Weibo, some see the prison sentence for the VPN-seller in Guangdong as another sign that authorities are stepping up their fight against software that allows users to browse blocked websites. “The dark days are coming,” one man writes.

By Miranda Barnes & Manya Koetse
http://www.whatsonweibo.com/chinese-...-vpn-software/





Almost 2/3rds of Tech Workers Now Use a VPN, Leading Supplier Reports 300% Growth
Ben Lovejoy

An international cybersecurity awareness survey found that 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both …

While much of that usage will be because it’s installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes.

The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices. NordVPN reports that it has seen a 300% increase in take-up of its services in both the USA and UK since legislative threats emerged in both countries.

Back in March, both the Senate and the House overturned privacy rules created by the FCC, leaving Internet service providers free to sell your Internet browsing history and location data to advertisers.

And right now, the government is considering abandoning net neutrality rules, meaning ISPs and carriers could effectively create a two-speed Internet. Companies paying a premium would have traffic to their sites prioritized, while we’d get slower connections to the rest of the Internet. We’ve already seen mobile carriers throttling video streams.

Using a VPN solves both problems as it makes it impossible for an ISP or carrier to see which sites you are visiting or what you are doing there.

More than 10M people took part in a public consultation on net neutrality, with 40 tech giants encouraging them to do so. While Apple did not speak out at that stage, it did last week call on the government to keep current net neutrality protections in place.

https://9to5mac.com/2017/09/04/vpn-usage/





We Can’t Let the Dark Web Give Online Anonymity a Bad Name

The dark web showcases the worst parts of the internet - but it also shows us it’s possible to browse without giving up our privacy
John Denley

Hackers, drugs and porn. The dark web is easy to distill into cliché. It’s a bad place where bad people do bad things, usually while wearing hoodies and ruining their eyesight hunching over a laptop in a darkened room.

But there’s something more to the dark web, too. It’s a tiny enclave where the real promises of the internet - freedom, anonymity, privacy - are, for the most part, still intact.

“The dark web isn’t for a single purpose,” says Sarah Jamie Lewis, an anonymity and privacy researcher who maps the dark web, exploring how its sites are connected by links, shared bitcoin addresses or other identifiers. She is speaking at WIRED Security in London on September 28.

For plenty of people, including those in marginalised communities or people living under authoritarian regimes, using the internet anonymously is a matter of survival. It allows them to live their lives and communicate without the fear of their government, or any other malicious observer, keeping tabs on what they’re doing.

The dark web is designed to allow people to browse with complete anonymity. Sites are set up so that their location is hidden and they won’t show up in search results. Anyone who has the address of a dark website can visit it – providing they’re using the right kind of browser – while the identity of the website owner, and its visitors, stays hidden.

The open internet is a very different place. Here, your internet provider can see which sites you’re visiting and when you’re enjoying your internet-connected vibrator. If you’re in the States, they’re allowed to sell that information to the highest bidder. Google keeps an eye on your browsing and search history, and uses that data to deliver ads tailored to your every insecurity.

We’ve come a long way since the early days of the internet, Lewis says. Now we’re all paying with our personal data, whether we know about it or not. “I think we made a mistake when we made free services on the internet,” she says. “They’re not free, you are giving something up to use them.”

The dark web offers an alternative way of doing things. People shouldn’t be forced into paying with their data, Lewis says. “We have models for funding services that allow people to pay and support users without abusing them.”

She’s already seeing a change in the kinds of people that are using the dark web and other services, such as secure messengers Ricochet and Briar, that can’t be traced. “I think we are seeing a demographic shift,” she says. Off-grid services are no longer the preserve of people who have something to hide.

For some, anonymous apps and websites are the only way to avoid being traced by abusive ex-partners. Lewis has seen an increasing number of cases where technology-savvy abusers track their victims through their online metadata.

Slowly, online anonymity is becoming more acceptable to normal users, says Lewis. At the beginning of this year, the volume of encrypted web traffic overtook that of unencrypted traffic. Now, as long as you’re browsing a website that uses HTTPS (signified by that little lock next to the URL), a broadband provider or other observer is unable to see exactly what you’re reading or posting on the web. They can, however, still see metadata, including information about which sites you visited and when.

Online anonymity is a double-edged sword. The privacy afforded by the dark web creates the perfect hiding place for criminal organisations to buy and sell stolen credit card information or plot the next cyber attack. “The amount of money changing hands on the dark web is huge,” says Avi Kasztan, CEO of the Israel-based cyber intelligence firm SixGill.

SixGill claims to surreptitiously track criminals on the dark web so that they know when and where hackers are planning to strike next. These attacks, which include stealing databases, extorting customers and identity theft, are usually carried out by sophisticated networks of hackers who use the dark web to plan attacks. “It’s very rare, almost impossible, for one person to conduct an attack against a serious organisation,” he says. “You cannot do everything alone.”

But the dark web isn’t a total safe haven for online criminals. In July this year, a joint operation between Europol and US police took down two of the largest dark web drug marketplaces, AlphaBay and Hansa. The Dutch National Police took control of Hansa in late June, but deliberately left the site online, to catch users flooding to the site after the shutdown of AlphaBay.

If the authorities are to continue putting pressure on dark marketplaces, they’ve got their work cut out. When one dark site dies, users move quickly to competitors. In the week after AlphaBay and Hansa shut down, the number of listings on other sites rose by up to 28 per cent. Many of the dark web’s worst corners, including sites that host child porn and images of torture, remain incredibly difficult to shut down.

The dark web, in all its deplorable infamy, has given online anonymity a bad name. The same goes for encryption in messaging apps like WhatsApp. Encryption isn’t for “normal people,” argued home secretary Amber Rudd recently, it only benefits terrorists who can plot without fear of being overheard.

But researchers like Lewis are fighting against this tide of ignorance to turn privacy into a mainstream concern. The popularity of encrypted messaging apps is a start, but for now the conversation over online anonymity concentrates on the malicious few who abuse those rights, and not on the many who desperately need the security and freedom that anonymity provides.

Enshrining anonymity across the web would require a monumental change in thinking from the public, tech companies and governments, Lewis says. “Right now, it’s an impossibility.”
https://www.wired.co.uk/article/dark...ternet-freedom





Leaked Document: EU Presidency Calls for Massive Internet Filtering
Diego Naranjo

A Council of the European Union document leaked by Statewatch on 30 August reveals that during the summer months Estonia (current EU Presidency) has been pushing the other Member States to strengthen indiscriminate internet surveillance, and to follow in the footsteps of China regarding online censorship. Standing firmly behind its belief that filtering uploads is the way to go, the Presidency has worked hard to make the proposal for the new copyright Directive even more harmful than the Commission’s original proposal, pushing it further into the realms of illegality.

According to the leaked document, the text suggests two options for each of the two most controversial proposals: the so-called “link tax” or ancillary copyright and the upload filter. Regarding the upload filter, the text offers two alternatives:

• Option A maintains the Commission’s original proposal of having in place an upload filter which will be under the control of platforms and other companies that are hosting online content. Although it removes mentions of “content recognition technologies”, in reality, there is no way to “prevent the availability” (another expression which remains in the text) of certain content without scanning all the content first.
• Option B is, at best, a more extreme version of Option A. In fact, it seems so extreme that it almost makes the first option look like a reasonable compromise. This may, of course, be the “diplomatic” strategy. In this extreme option, the text again attacks the liability regime of the e-commerce Directive – which, bizarrely, would not be repealed, leaving us with two contradictory pieces of EU law – but adds a “clarification” of what constitutes a “communication to the public”. This clarification establishes that platforms (and their users) would be liable for the copyright-infringing content uploaded by those users.

The proposals in this leak highlight a very dangerous roadmap for the EU Member States, if they were to follow the Presidency’s lead. The consequences of these flawed proposals can only be prevented if civil society and EU citizens firmly raise their voices against having a censorship machine in the EU. We will be turning on our call tool at savethememe.net before each of the key votes in the European Parliament. Make use of the tool, and call your representatives to stop the #censorshipmachine!

No, you can’t enjoy the music you paid for, says EU Parliament Committee (05.07.2017)
https://edri.org/no-you-cant-enjoy-t...eu-parliament/

Proposed Copyright Directive – Commissioner confirms it is illegal (28.06.2017)
https://edri.org/proposed-copyright-...it-is-illegal/

EU Copyright Directive – privatised censorship and filtering of free speech (10.11.2016)
https://edri.org/eu-copyright-direct...f-free-speech/

Copyright reform: Document pool
https://edri.org/copyright-reform-document-pool/

(Contribution by Diego Naranjo, EDRi)
https://edri.org/leaked-document-eu-...net-filtering/





Queensland Police Get New Powers to Tackle Terrorism
Felicity Caldwell

• During a terrorist emergency, police can search phones, require passwords and copy evidence.
• Police will also be able to move and destroy homemade explosives.
• The bill passed with bipartisan support.

New Queensland laws to help police fight terrorism, including powers to turn phones, high-tech fridges and other devices into surveillance tools, have passed Parliament.

The laws give police more powers during and following attacks, including to search people or vehicles without a warrant during a declared terrorist emergency.

It would allow police to search mobile phones during a terrorist emergency to look for communication between offenders and footage of the attack.

It would also give police the power to turn existing devices into surveillance devices during a declared emergency, including by remotely installing software, when the life, health or safety of a person was in danger.

Member for Capalaba Don Brown said many foiled terrorist attacks were as a result of tip-offs from the community.

"So it's disheartening to see Pauline Hanson and the stunt that occurred in relation to the burqa in the federal Parliament," Mr Brown said.

"We need to ensure that we have stronger ties with the Muslim community, not push them away."

Police Minister Mark Ryan said the debate on the bill came after the recent arrests in Sydney.

"Unfortunately those events are not without precedent," he said.

"Within the last three years, there have been five terrorist attacks in Australia and 13 major counter-terrorism disruption operations undertaken in response to planned terrorist attacks.

"This serves as a stark and sobering reminder that the threat of terrorism to our country and community is very real."

Mr Ryan said police needed the powers to respond to terrorism and other threats, while legislation needed to strike the balance between protection of the community and individual rights.

Police Commissioner Ian Stewart previously remarked officers could turn a fridge into a covert listening device.

"It is not outside the realm that, if you think about the connected home that we now look at quite regularly where people have their security systems, their CCTV systems and their computerised refrigerator all hooked up wirelessly, you could actually turn someone's fridge into a listening device," Mr Stewart said in July.

Opposition Police spokesman Tim Mander said Australians must remain vigilant.

"We all hope that the powers being implemented in this legislation are never needed in Queensland but we should also be realistic," Mr Mander said.

"These are extensive powers needed at this time but we must also ensure that they have the appropriate judicial oversight and that monitoring of these powers acts to ensure they are used effectively and appropriately."
https://www.brisbanetimes.com.au/pol...05-p4yvqh.html





Military Appeals Court Says Demands To Unlock Phones May Violate The Fifth Amendment
Tim Cushing

A decision handed down by the appeals court presiding over military cases almost affirms Fifth Amendment protections against being forced to unlock devices and/or hand over passwords. Almost. The CAAF (Court of Appeals for the Armed Forces) doesn't quite connect the final dot, but does at least discuss the issue, rather than dismiss the Fifth Amendment question out of hand. (h/t FourthAmendment.com)

The case stems from a harassment case against a soldier who violated (apparently repeatedly) a no-contact order separating him from his wife. After being taken into custody, Sgt. Edward Mitchell demanded to speak to a lawyer. Rather than provide him with a lawyer, investigators asked him to unlock his phone instead.

Appellee invoked his right to counsel at approximately 10:50 a.m. Appellee's platoon leader signed a "Receipt for Pre-Trial/Post Trial Prisoner or Detained Person," and SSG Knight escorted Appellee back to his unit, where he remained in the company area and accessed both his Kyocera phone and iPhone.

[...]

In the office, Investigator Tsai informed Appellee of the verbal search and seizure authorization, and Appellee questioned the validity of verbal authorizations, asking to see a written one. Around this time, the commander left the office. Investigator Tsai told Appellee that verbal authorizations are valid and asked if Appellee had any cell phones on his person. Appellee then handed an iPhone to the investigators. Investigator Tsai saw that the iPhone was protected by a numeric passcode, and asked Appellee to provide it. Appellee refused.

At this point, this line of questioning should have been abandoned. Actually, it should never have begun without Mitchell's lawyer present. But the investigators apparently believed that asking, rather than ordering, Mitchell to unlock his phone made the whole thing consensual.

Investigator Tsai then handed the phone back to Appellee and asked him to unlock it, saying: "if you could unlock it, great, if you could help us out. But if you don't, we'll wait for a digital forensic expert to unlock it." Neither investigator knew at the time that Appellee's iPhone had two finger/thumb prints stored, and could have potentially been opened using "Touch ID capabilities." Appellee then entered his passcode and unlocked the phone: "[Appellee] was also required to permanently disable the cell phone's passcode protection. In order to do so, [he] was required to access the phone's settings and enter his numeric passcode (PIN) two more times to fully disable the phone's protections."

The military judge at the lower level suppressed the evidence, holding that Mitchell was in custody without requested legal representation at the time he unlocked his phone for investigators. The Appeals Court affirms the lower court's findings.

Under the circumstances presented, we conclude that the Government violated Appellee's Fifth Amendment right to counsel as protected by Miranda and Edwards. The Government does not contest that Appellee was in custody when he invoked his right to counsel while detained at the military police station. It is almost equally clear that Appellee was in custody in his commander's office when investigators asked him to unlock his iPhone.

The court also points out that simply asking nicely for an in-custody suspect to "help out" the government by possibly incriminating themselves doesn't make it any more Fifth Amendment-compliant, nor does it change the nature of questioning from an "interrogation" to "a couple of guys chatting about stuff with absolutely no criminal case-building implications."

This line of questioning qualifies as interrogation. The agents' initial request—“can you give us your PIN?”—is an express question, reasonably likely to elicit an incriminating response. The Government contends that a request for consent to search is not an interrogation, citing this Court’s reasoning in United States v. Frazier that “such requests are not interrogations and the consent given is ordinarily not a statement.” 34 M.J. 135, 137 (C.M.A. 1992). But asking Appellee to state his passcode involves more than a mere consent to search; it asks Appellee to provide the Government with the passcode itself, which is incriminating information in the Fifth Amendment sense, and thus privileged.

The court points out that the simple act of unlocking a phone can be incriminating. It demonstrates for investigators and prosecutors that the person holding the phone may well be responsible for any incriminating content found on it. It also implies ownership, making it easier to connect the person to the device (and the content it contains).

By asking Appellee to enter his passcode, the Government was seeking an “answer[] … which would furnish a link in the chain of evidence needed to prosecute” in the same way that Hoffman and Hubbell used the phrase. Not only did the response give the Government access to direct evidence as in Hubbell, it also constituted direct evidence as in Hoffman. See Hubbell, 530 U.S. at 39–40 (“The documents were produced before a grand jury …. The use of those sources of information eventually led to the return of an indictment ….”); Hoffman, 341 U.S. at 488 (“[T]ruthful answers … to these questions might have disclosed that he was engaged in such proscribed activity.”). As even the dissent concedes, Appellee’s response constitutes an implicit statement “that [he] owned the phone and knew the passcode for it.”

Based on that, the court finds Mitchell's Fifth Amendment rights were violated by this in-custody request to provide a passcode. Unfortunately, the court considers this the end of its judicial inquiry.

In light of this holding, we need not reach the question of whether the Government directly violated Appellee’s Fifth Amendment privilege against compelled self-incrimination. We thus do not address whether Appellee’s delivery of his passcode was “testimonial” or “compelled,” as each represents a distinct inquiry.

Even though the ruling doesn't extend far enough to make passcodes worthy of Fifth Amendment protections, the judicial analysis at least shows that providing passwords can create evidence to be used against the accused. This decision doesn't quite stretch that far, thanks to the investigators' ignoring Mitchell's invocation of his right to an attorney, but it does show that the act of entering a password can be considered self-incriminating.
https://www.techdirt.com/articles/20...mendment.shtml





Free Walkie-Talkie App Tops App Store Charts Ahead of Hurricane Irma

It’s already being used by rescue workers in Houston
Nick Statt

With the Category 5 Hurricane Irma, now one of the strongest hurricanes ever recorded in the Atlantic, on its way toward the Caribbean and possibly the southeastern tip of the US, a little-known walkie-talkie app has shot to the top of Apple’s App Store. The free app, called Zello Walkie Talkie, lets your phone communicate as a two-way radio so long as you have a network or Wi-Fi connection. What makes it useful is that it allows immediate voice communication to others in a shared channel, as opposed to having to place a phone call and hope someone on the other end picks up. The ad-free service can also be used to send texts and photos.

Zello first began rising in the top free chart as Tropical Storm Harvey made landfall in Texas as a Category 4 hurricane two weeks ago. According to USA Today, the app is the go-to service for rescue workers in the Houston area. Zello CEO Bill Moore told the paper that its service saw 20 times as many new users in Houston last week as rescue efforts ramped up.

The app’s usage is only going to increase as preparations for Irma continue and residents in the Caribbean and Florida prepare for the worst. The company’s official Facebook page says Zello Walkie Talkie is seeing as many as 7,000 new registrations per minute, and the team is working tirelessly to maintain uptime as usage skyrockets. The National Hurricane Center predicts Irma may hit southern Florida as early as this weekend.
https://www.theverge.com/2017/9/6/16...hurricane-irma





What Happens Inside a 100-hop IPv6 Wireless Mesh Network?
Wireless Networking in the Extreme

A wireless mesh network is a network where the nodes in the network help other nodes achieve coverage and connectivity by forwarding messages on behalf of others.

Street lighting systems are an example of where a wireless mesh network is needed. A single-hop network would not provide enough coverage, so the lights help each other to reach out.

The picture above shows an installation of a Thingsquare IPv6 mesh in the wild. (Although our system is known to be able to run on really tiny devices operated by a single coin-cell battery, this particular installation does not use those low-power mechanisms, as street lights have access to power.)

The big challenge with such a large wireless network is to understand what is going on – and how to develop the software that makes them tick.

In this article we look into how we develop such large-scale systems at Thingsquare and the tools we use. We push the envelope with a 100-hop network, which is larger than what we typically would see in real-world installations.

To see what happens in a 100-hop network, we have built a testbed in our office. The testbed consists of 100 wireless nodes placed in a bookshelf. The nodes all use the TI CC2538 wireless System-on-a-Chip, running the Thingsquare wireless mesh over an IEEE 802.15.4e low-power radio layer. The nodes are powered by USB, but otherwise have only a wireless connection. Each node also has an LED, which we use to develop and test our wireless lighting system. By default, the nodes form one large wireless network.

Because every node in the testbed is close to each other, they can easily form a single-hop network. That is, every node can reach every other node without meshing.

To set up a 100-hop network, we manually configure their routes. This way, we can force the system to become a 100-hop network.

Setting up 100 Hops

After configuring the system to have a 100-hop structure, the mesh looks like this:

We now have a way to test the system with 100 hops, something that is beyond anything we are likely to see in the wild.

100 Hops in Action

To see the 100 hops in action, we set up one node to act as a sniffer and run Wireshark to capture the packets from the network. We then ask the node that is 100 hops away to make a secure TLS connection with the backend. In the Wireshark logs, we see the TLS traffic as well as the ICMPv6 control traffic that is used by the RPL routing protocol to set up and maintain its routing graph.

(For more in-depth information about the RPL IPv6 routing protocol, see this article from our docs.)

If we look at the traffic inside the network, we can see how the packets move from node to node, in a snake-like manner:

In the Simulator

A wireless mesh system is extremely complex and while a testbed is essential to testing the system, it is not enough for developing it.

To develop our wireless mesh system, we use our wireless network simulator. The simulator lets us set up the same environment as we see in the real world, but on a single computer. There, we can inspect almost every aspect of the system to see what is going on.

To see a similar behavior as we did in our testbed, we set up a simulation with a regular grid of nodes and configure them in a similar fashion as we did in the testbed: they choose parents in the routing graph to make the network as long as possible.

The simulator also lets us see the packets in a timeline window, where we can see exactly what each node does at any given time.

Conclusion

Wireless mesh networking allows us to build extremely large-scale networks. But such networks are complex, and to build the software that makes them tick, we need both hardware testbeds and software simulators.
http://www.thingsquare.com/blog/arti...ops-ipv6-mesh/





UW Professor: The Information War is Real, and We’re Losing it

A University of Washington professor started studying social networks to help people respond to disasters. But she got dragged down a rabbit hole of Twitter-boosted conspiracy theories, and ended up mapping our political moment.
Danny Westneat

It started with the Boston marathon bombing, four years ago. University of Washington professor Kate Starbird was sifting through thousands of tweets sent in the aftermath and noticed something strange.

Too strange for a university professor to take seriously.

“There was a significant volume of social-media traffic that blamed the Navy SEALs for the bombing,” Starbird told me the other day in her office. “It was real tinfoil-hat stuff. So we ignored it.”

Same thing after the mass shooting that killed nine at Umpqua Community College in Oregon: a burst of social-media activity calling the massacre a fake, a stage play by “crisis actors” for political purposes.

“After every mass shooting, dozens of them, there would be these strange clusters of activity,” Starbird says. “It was so fringe we kind of laughed at it.

“That was a terrible mistake. We should have been studying it.”

Starbird is in the field of “crisis informatics,” or how information flows after a disaster. She got into it to see how social media might be used for the public good, such as to aid emergency responders.

Instead she’s gone down a dark rabbit hole, one that wends through the back warrens of the web and all the way up to the White House.

Starbird argues in a new paper, set to be presented at a computational social-science conference in May, that these “strange clusters” of wild conspiracy talk, when mapped, point to an emerging alternative media ecosystem on the web of surprising power and reach.

It features sites such as Infowars.com, hosted by informal President Donald Trump adviser Alex Jones, which has pushed a range of conspiracies, including that the Sandy Hook school shooting was a staged fake.

There are dozens of other conspiracy-propagating websites such as beforeitsnews.com, nodisinfo.com and veteranstoday.com. Starbird cataloged 81 of them, linked through a huge community of interest connected by shared followers on Twitter, with many of the tweets replicated by automated bots.

Infowars.com alone is roughly equivalent in visitors and page views to the Chicago Tribune, according to Alexa.com, the web-traffic analysis firm.

“More people are dipping into this stuff than I ever imagined,” Starbird says.

Starbird is in the UW’s Department of Human Centered Design & Engineering — the study of the ways people and technology interact. Her team analyzed 58 million tweets sent after mass shootings during a 10-month period. They searched for terms such as “false flag” and “crisis actor,” web slang meaning a shooting is not what the government or the traditional media is reporting it to be.

It happens after every mass shooting or attack. If you search for “false flag” and “Westminster,” you’ll find thousands of results theorizing that last week’s attack outside British Parliament was staged (presumably to bring down Brexit, which makes no sense, but making sense is not a prerequisite).

Starbird’s insight was to map the digital connections between all this buzzing on Twitter with a conglomeration of websites. Then she analyzed the content of each site to try to answer the question: Just what is this alternative media ecosystem saying?

It isn’t a traditional left-right political axis, she found. There are right-wing sites like Danger & Play and left-wing sensationalizers such as The Free Thought Project. Some appear to be just trying to make money, while others are aggressively pushing political agendas.

The true common denominator, she found, is anti-globalism — deep suspicion of free trade, multinational business and global institutions.

“To be antiglobalist often included being anti-mainstream media, anti-immigration, anti-science, anti-U.S. government, and anti-European Union,” Starbird says.

So it was like the mind of Stephen Bannon, chief adviser to Trump, spilled across the back channels of the web.

Much of it was strangely pro-Russian, too — perhaps due to Russian Twitter bots that bombarded social channels during the presidential campaign (a phenomenon that’s now part of the FBI investigation into the election, McClatchy reported last week).

The mainstream press periodically waded into this swamp, but it only backfired. Its occasional fact checks got circulated as further evidence: If the media is trying to debunk it, then the conspiracy must be true.

Starbird is publishing her paper as a sort of warning. The information networks we’ve built are almost perfectly designed to exploit psychological vulnerabilities to rumor.

“Your brain tells you ‘Hey, I got this from three different sources,’ ” she says. “But you don’t realize it all traces back to the same place, and might have even reached you via bots posing as real people. If we think of this as a virus, I wouldn’t know how to vaccinate for it.”

Starbird says she’s concluded, provocatively, that we may be headed toward “the menace of unreality — which is that nobody believes anything anymore.” Alex Jones, she says, is “a kind of prophet. There really is an information war for your mind. And we’re losing it.”

I sat dumbfounded for a time as she spooled through tweets in her database: an archive of endless, baseless speculation that nevertheless is evidence of a political revolution. It should be unnecessary to say, but real humans died in these shootings. How disgustingly cruel it is to the survivors to have the stories of those deaths altered and twisted for commercial or ideological ends.

Starbird sighed. “I used to be a techno-utopian. Now I can’t believe that I’m sitting here talking to you about all this.”
http://www.seattletimes.com/seattle-...ere-losing-it/





Judge Dismisses Shiva “I Invented EMAIL” Ayyadurai’s Libel Lawsuit Against Techdirt

Judge: Techdirt articles were opinionated and hyperbolic, but not libel.
Cyrus Farivar

A federal judge in Massachusetts has dismissed a libel lawsuit filed earlier this year against tech news website Techdirt.

The claim was brought by Shiva Ayyadurai, who has controversially claimed that he invented e-mail in the late 1970s. Techdirt (and its founder and CEO, Mike Masnick) has been a longtime critic of Ayyadurai and institutions that have bought into his claims. "How The Guy Who Didn't Invent Email Got Memorialized In The Press & The Smithsonian As The Inventor Of Email," reads one Techdirt headline from 2012.

One of Techdirt's commenters dubbed Ayyadurai a "liar" and a "charlatan," which partially fueled Ayyadurai's January 2017 libel lawsuit.

In the Wednesday ruling, US District Judge F. Dennis Saylor found that because it is impossible to define precisely and specifically what e-mail is, Ayyadurai's "claim is incapable of being proved true or false."

The judge continued: "One person may consider a claim to be 'fake' if any element of it is not true or if it involves a slight twisting of the facts, while another person may only consider a claim to be 'fake' only if no element of it is true."

While the lawsuit against Masnick has been thrown out, the judge ruled against him on his request to hear the case according to California law. Masnick's attorneys were hoping to win the case under the California anti-SLAPP law, which would have allowed for Masnick to have his legal fees paid.

We reached out to Masnick and Ayyadurai for comment, and we will update the post with any responses we get.

Ayyadurai could appeal the judge's order, but was denied permission to amend the complaint and re-file it.

UPDATE 6:15pm ET: Charles Harder, Ayyadurai's attorney, e-mailed Ars a statement on behalf of his client, saying that Ayyadurai would be appealing the ruling.

"False speech is not protected by the Constitution, and TechDirt’s false and malicious speech about Dr. Ayyadurai should receive no legal protection," Ayyadurai said in the statement. "False speech does harm to readers, who are misled by it; it does harm to journalism, which is weakened by it; and it does harm to the subjects of the speech, whose reputations and careers are damaged by it."

UPDATE Thursday 12:18am ET: Early on Wednesday, Masnick authored a post on Techdirt about the ruling.
https://arstechnica.com/tech-policy/...mail-inventor/





Case Dismissed: Judge Throws Out Shiva Ayyadurai's Defamation Lawsuit Against Techdirt
Mike Masnick

As you likely know, for most of the past nine months, we've been dealing with a defamation lawsuit from Shiva Ayyadurai, who claims to have invented email. This is a claim that we have disputed at great length and in great detail, showing how email existed long before Ayyadurai wrote his program. We pointed to the well documented public history of email, and how basically all of the components that Ayyadurai now claims credit for preceded his own work. We discussed how his arguments were, at best, misleading, such as arguing that the copyright on his program proved that he was the "inventor of email" -- since patents and copyrights are very different, and just because Microsoft has a copyright on "Windows" it does not mean it "invented" the concept of a windowed graphical user interface (because it did not). As I have said, a case like this is extremely draining -- especially on an emotional level -- and can create massive chilling effects on free speech.

A few hours ago, the judge ruled and we prevailed. The case has been dismissed and the judge rejected Ayyadurai's request to file an amended complaint. We are certainly pleased with the decision and his analysis, which notes over and over again that everything that we stated was clearly protected speech, and the defamation (and other claims) had no merit. This is, clearly, a big win for the First Amendment and free speech -- especially the right to call out and criticize a public figure such as Shiva Ayyadurai, who is now running for the US Senate in Massachusetts. We're further happy to see the judge affirm that CDA Section 230 protects us from being sued over comments made on the blog, which cannot be attributed to us under the law. We talk a lot about the importance of CDA 230, in part because it protects sites like our own from these kinds of lawsuits. This is just one more reason we're so concerned about the latest attempt in Congress to undermine CDA 230. While those supporting the bill may claim that it only targets sites like Backpage, such changes to CDA 230 could have a much bigger impact on smaller sites like our own.

We are disappointed, however, that the judge denied our separate motion to strike under California's anti-SLAPP law. For years, we've discussed the importance of strong anti-SLAPP laws that protect individuals and sites from going through costly legal battles. Good anti-SLAPP laws do two things: they stop lawsuits early and they make those who bring SLAPP suits -- that is, lawsuits clearly designed to silence protected speech -- pay the legal fees. The question in this case was whether or not California's anti-SLAPP law should apply to a case brought in Massachusetts. While other courts have said that the state of the speaker should determine which anti-SLAPP laws are applied (even in other states' courts), it was an issue that had not yet been ruled upon in the First Circuit where this case was heard. While we're happy with the overall dismissal and the strong language used to support our free speech rights, we're nevertheless disappointed that the judge chose not to apply California's anti-SLAPP law here.

However, that just reinforces the argument we've been making for years: we need stronger anti-SLAPP laws in many states (including Massachusetts) and, even more importantly, we need a strong federal anti-SLAPP law to protect against frivolous lawsuits designed to silence protected speech. The results of this case have only strengthened our resolve to do everything possible to continue to fight hard for protecting freedom of expression and to push for stronger anti-SLAPP laws that make free speech possible, and not burdensome and expensive.

You have not heard the last from us on the issue of the First Amendment, free speech and anti-SLAPP laws -- or how some try to use the court system to silence and bully critics. Step one of this is our new Free Speech edition, which we announced just a few weeks ago, where we are focusing more of our reporting efforts on issues related to free speech and anti-SLAPP. We intend to do a lot more as well. For years, we've talked about these issues from the position of an observer, and now we can talk about them from the perspective of someone who has gone through this process as well.

Of course, if you have to face something like this, it helps to have great lawyers -- and we're immensely grateful for the incredible hard work of Rob Bertsche, Jeff Pyle and Thomas Sutcliffe along with the rest of the team at their firm, Prince Lobel Tye LLP.

Finally, I can't even begin to thank everyone who has supported us over the past nine months -- whether by kind words (you don't know how much that helped!) or through our survival fund at ISupportJournalism.com or by becoming a Techdirt Insider. We just passed Techdirt's 20th anniversary and while it's one thing to think that people like and support you, it's another thing altogether to see how people come out to support you when it matters most. And we were overwhelmed by the support we received over the past nine months, and the kind words and help that many, many people offered. It was beyond heartening, and, once again, it reinforces our resolve to continue to speak up for free speech and to do what we can to protect others' ability to speak out as well.
https://www.techdirt.com/articles/20...techdirt.shtml





Mozilla is Desperately Needed to Save the Web, But Does it Stand a Chance?

Mozilla used to be our bulwark against the closure of the web. Can it muster a defense again?
Matt Asay

I can't remember the last time I cared about Mozilla. I also can't remember a time when we needed it more.

Back in 2008 I could say, with some semblance of sanity, that "The Web's platform is Firefox." Nearly 10 years later, Mozilla's Firefox is almost a rounding error in desktop market share, and nonexistent in mobile browser market share. It offers a few other services, like Pocket, but largely gets ignored.

This is a mistake. Our world is increasingly mediated by the internet, and that internet has just a few gatekeepers, collecting tolls as we browse. As Python guru Matt Harrison put it, "Vendors control the default browser which 99.9% of people use." Those vendors are happy to sell us access to information. Nothing about it is free.

You are most definitely the product

On mobile, where the majority of the world's content is now consumed, Google and Facebook own eight of the top 10 apps, with apps devouring 87% of our time spent on smartphones and tablets, according to new comScore data (Figure A).

For that remaining 13% of time spent on the mobile web, Google and Apple offer the two dominant browsers. Though Apple has introduced ad blocking in Safari, according to Augustine Fou, head of Marketing Science, an ad consultancy, roughly 0% of mobile users block ads. Much of this comes down to how hard it is to deliver good ad blocking on mobile devices, as Cloud Technology Partners engineer Adam Barrett has posited, but part of it also comes down to how clunky it is to get ad blocking operational on your browser of choice.

And, for most people, their browser of choice (Google Chrome) has yet to implement ad blocking.

Oh, sure, it's coming. Google has talked up how it's going to block "the most intrusive ads." But let's be clear: Google's business depends upon advertising. It might be willing to scrap the worst ads—the kind that may push users onto other platforms—but there is zero chance that Google will stop selling user privacy to build its ad revenues. No one at Google has "bankruptcy" as a goal.

In sum, the majority of our time online is now mediated by just a few megacorporations, and for the most part their top incentive is to borrow our privacy just long enough to target an ad at us.

Mozilla to the rescue?

Then there's Mozilla, an organization whose mantra is "Internet for people, not profit." That feels like a necessary voice to add to today's internet oligopoly, but it's not one we're hearing. Mozilla once had a commanding share of the desktop web browser market; today that share has dwindled, and on mobile devices it's virtually non-existent.

This isn't good, but I'm not sure what to do about it. We clearly need an organization standing up for web freedom, as expecting Google to do that is like asking the fox to guard the henhouse. Google does many great things, but its clear incentive is to sell ads. We are Google's product, as the saying goes.

It's unclear what Mozilla should do. While it took its eye off the mobile ball for too long, its Firefox and Firefox Focus browsers are great. I've been running them at Mozilla director Asa Dotzler's suggestion, and I'm impressed by how zippy fast they both are. In Firefox (though not Firefox Focus, which strips all the crap away), I still get the "sponsored content" silliness telling me that "Stunning Asian Women Seek Older Men from Ottawa." Yes, I'm typing this from Ottawa, but I'm only here overnight. And am I really that old? (OK, don't answer that....)

As former MySQL executive and Duo Security COO Zack Urlocker has stated, "What is Mozilla's 21st-century mission? I am not sure browser wars matter anymore."

Nor do other areas where Mozilla seems to be investing (like Pocket, an Instapaper clone that lets you save content for later reading). Rust, a cool programming language it's developing, has promise, but not to save the web from the all-consuming embrace of Facebook and Google, especially as they wall off the experience in apps.

If I sound like I don't know what to propose Mozilla should do, it's because I don't. I simply feel strongly that the role Mozilla played in the early browser wars needs to be resurrected to save the web today. I'd love your thoughts: Is it too late, or is there something that Mozilla (or Apple or...?) can do to reverse this shift toward centralization and content closure?
http://www.techrepublic.com/article/...tand-a-chance/





Android Oreo Could Eat Through Your Data Allowance Even if You Have Wi-Fi Enabled
Mark Wycislik-Wilson

An apparent bug with Android Oreo has been discovered which means Google's mobile operating system could be munching its way through your data allowance, even if you're connected to a wireless network.

A thread on Reddit highlighted the issue, with many people pointing out that it could prove expensive for anyone not using an unlimited data plan. Google is apparently aware of the problem and is working on a patch, but in the meantime Oreo users are being warned to consider disabling mobile data when they are at home or using a wireless connection elsewhere.

Reddit user Unusual_Sauce explains: "After updating to Oreo last night, I received a huge spike in data usage, all the while being connected to Wi-Fi. I contacted support and was told that they are aware of the issue and are working on a fix. In the meantime I have turned off mobile data while at home, so only Wi-Fi is being used."

It seems that Unusual_Sauce is not alone, and some have suggested that the Mobile Data Always Active option is to blame. The setting lives under Developer Options (which must first be enabled); as a workaround, flick its toggle to the disabled position. In previous versions of Android the option was disabled by default, but Oreo enables it.
https://betanews.com/2017/09/06/andr...eo-data-usage/





Bugs in Arris Modems Distributed by AT&T Vulnerable to Trivial Attacks
Michael Mimoso

Trivially exploitable vulnerabilities have been discovered in several Arris home modems, routers and gateways distributed to consumers and small businesses through AT&T’s U-verse service.

It’s unknown yet whether the firmware vulnerabilities were introduced by the OEM or the ISP since AT&T seems to have access to Arris firmware and can customize code on the devices before they’re sent to customers, researchers at security consultancy Nomotion told Threatpost. The researchers uncovered support interfaces easily accessible over SSH, and hidden services exposing the devices to remote and local attacks.

Nomotion security analyst Joseph Hutchins said his firm elected to publicly disclose the vulnerabilities because of their severity and because of Arris’ history with security issues of this sort. A request for comment from Arris was not returned in time for publication.

An Arris representative told Threatpost the company is verifying the specifics of the Nomotion report.

“Until this is complete, we cannot comment on its details. We can confirm Arris is conducting a full investigation in parallel and will quickly take any required actions to protect the subscribers who use our devices,” Arris said in a statement provided to Threatpost.

“Even as early as February, there was another incident where they had similar security issues and their blatant carelessness has gotten out of hand,” said Nomotion CEO Orlando Padilla. “I think with a little bit of pressure, hopefully they’ll fix things up.”

Nomotion also said in a report published today that ISPs are responsible for ensuring the security of their network and equipment leased or sold to consumers.

The most serious of the five flaws affects the NVG589 and NVG599 modems, firmware update 9.2.2h0d83, which enables SSH by default and also contains hardcoded credentials that afford anyone access to the cshell service on the modem.

Hutchins said cshell is capable of viewing or changing the Wi-Fi SSID or password, modifying network configurations, reflashing firmware from a file served from the internet, or controlling a kernel module that injects ads into unencrypted traffic.

The cshell binary runs as root, meaning that any exploitable command injection or buffer overflow vulnerability in it gives an attacker root on the device. Based on a Censys search, however, Nomotion estimates that only about 15,000 hosts expose this service, a much smaller population than some of the other vulnerabilities affect.

Victimized gateways, meanwhile, can be corralled into a botnet, similar to that used by the Mirai malware to DDoS Dyn and other web-based services last fall. An attacker can also use these bugs to run code on the device to inject ads into traffic, or exploit other vulnerabilities on client devices running on the local network. Hutchins also said that since there’s no certificate pinning, an attacker could force the victim’s browser to accept a certificate from the gateway.

“You have full control of the traffic at that point,” he said.

Nomotion also found default credentials on the NVG599’s caserver HTTPS server running on port 49955, as well as a command injection vulnerability in the same webserver. Hutchins said the server accepts commands that would allow an attacker to upload their own firmware image, and either access or change an internal SDB database configuration. Nomotion estimates from Shodan and Censys searches that around 220,000 devices are vulnerable to this bug alone.

A separate information disclosure vulnerability in a service running on port 61001 would be useful to attackers, but would require them knowing the device serial number in advance in order to make a request.

The final bug affects possibly every AT&T device, all of which have port 49152 open, likely for remote access and support. Nomotion calls it a firewall bypass, and said a predictable three-byte value followed by the MAC address affords an attacker remote access.

“It is believed that the original purpose of this service was to allow AT&T to connect to the AT&T issued DVR devices which reside on the internal LAN. However, it should be painfully obvious by now that there is something terribly wrong with this implementation,” Nomotion wrote in its report. “Added to the severity is the fact that every single AT&T device observed has had this port (49152) open and has responded to probes in the same way.”

Hutchins said most of the bugs are trivial to exploit.

“There’s no way people are not exploiting this in the wild,” Hutchins said. “It’s so trivial, we just didn’t see any point in going through the process of disclosure to the vendor and the waiting period because we just can’t see anyone not using this in the wild.”
https://threatpost.com/bugs-in-arris...ttacks/127753/





More than Four Million Time Warner Cable Records Exposed in Leak

A woman walks in front of the Time Warner Cable logo at its office in San Diego, California, U.S., November 2, 2016. REUTERS/Mike Blake

(Reuters) - More than four million records of users of Time Warner Cable’s MyTWC app were found unsecured on an Amazon server last month, digital security research center Kromtech Security Center said in a blog post on Friday.

The files, more than 600 gigabytes in size and containing sensitive information such as transaction IDs, user names, MAC addresses, serial numbers and account numbers, were discovered on Aug. 24 by Kromtech researchers, with no password protecting them.

“A vendor has notified us that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources,” Charter Communications Inc (CHTR.O), Time Warner Cable’s parent, said in an email.

The information was removed immediately after the discovery and the incident is being investigated, Charter said.

The breach was eventually linked to BroadSoft Inc (BSFT.O), a communications company, whose unit developed the MyTWC app.

Broadsoft did not immediately respond to a request for comment.

Reporting by Laharee Chatterjee and Arjun Panchadar in Bengaluru; Editing by Shounak Dasgupta and Sriraj Kalluvila
https://uk.reuters.com/article/us-ti...-idUKKCN1BC5LM





A Simple Design Flaw Makes It Astoundingly Easy To Hack Siri And Alexa

Hackers can take control of the world’s most popular voice assistants by whispering to them in frequencies humans can’t hear.
Mark Wilson

Chinese researchers have discovered a terrifying vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon’s Alexa assistant.

Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

The researchers didn’t just activate basic commands like “Hey Siri” or “Okay Google,” though. They could also tell an iPhone to “call 1234567890” or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to “open the backdoor.” Even an Audi Q3 could have its navigation system redirected to a new location. “Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user,” the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.

In other words, Silicon Valley has designed human-friendly UI with a huge security oversight. While we might not hear the bad guys talking, our computers clearly can. “From a UX point of view, it feels like a betrayal,” says Ame Elliott, design director at the nonprofit SimplySecure. “The premise of how you interact with the device is ‘tell it what to do,’ so the silent, surreptitious command is shocking.”

To hack each voice assistant, the researchers used a smartphone with about $3 of additional hardware, including a tiny speaker and amp. In theory, their methods, which are now public, are duplicatable by anyone with a bit of technical know-how and just a few bucks in their pocket.

In some cases, these attacks could only be made from inches away, though gadgets like the Apple Watch were vulnerable from within several feet. In that sense, it’s hard to imagine an Amazon Echo being hacked with DolphinAttack. An intruder who wanted to “open the backdoor” would already need to be inside your home, close to your Echo. But hacking an iPhone seems like no problem at all. A hacker would merely need to walk by you in a crowd. They’d have their phone out, playing a command in frequencies you wouldn’t hear, and you’d have your own phone dangling in your hand. So maybe you wouldn’t see as Safari or Chrome loaded a site, the site ran code to install malware, and the contents and communications of your phone were open season for them to explore.

The exploit is enabled by a combination of hardware and software problems, the researchers explain in their paper. The microphones and software that power voice assistants like Siri, Alexa, and Google Home can pick up inaudible frequencies–specifically, frequencies above the 20 kHz limit of human ears. (How high is 20 kHz? It’s just above the mosquito ringtone that went viral a few years ago, which allowed young students who hadn’t damaged their hearing yet to text message friends without their teachers hearing.)

According to Gadi Amit, founder of NewDealDesign and industrial designer of products like the Fitbit, the design of such microphones makes them difficult to secure from this type of attack. “Microphones’ components themselves vary in type, but most use air pressures that probably cannot be blocked from ultrasounds,” Amit explains. Basically, the most popular mics of today transform turbulent air–or sound waves–into electrical waves. Blocking those super-hearing capabilities might be impossible.

That means it’s up to software to tell human speech from machine-generated commands. In theory, Apple or Google could apply a digital audio filter so their assistants never obey orders carried at frequencies above 20 kHz: “Wait, this human is telling me what to do in a vocal range they can’t possibly speak! I’m not going to listen to them!” But according to what the Zhejiang researchers found, every major voice assistant company exhibited vulnerability with commands stated above 20 kHz.
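What such a software filter would look like, as an added example that is not code from the DolphinAttack paper or from any assistant vendor: it takes one frame of captured audio, measures how much of the frame's spectral energy lies above 20 kHz, and rejects the frame when that share crosses a threshold. The 96 kHz sample rate, the 4096-sample frame, the 10% threshold and the two synthetic signals are all assumptions made for this example. The check refuses to run when the sample rate cannot represent anything above 20 kHz, because a "pass" from a capture path that has already discarded the ultrasonic band would be meaningless.

```python
import cmath
import math
from typing import List, Sequence

# All constants here are assumptions for this example, not values from the paper.
SAMPLE_RATE = 96_000     # Hz. The capture path must keep content above 20 kHz or the check is blind.
FRAME = 4096             # samples per analysis frame (power of two for the radix-2 FFT)
CUTOFF_HZ = 20_000.0     # upper edge of human hearing, as cited in the article
THRESHOLD = 0.10         # fraction of non-DC energy above CUTOFF_HZ that trips the check


def _fft(x: List[complex]) -> List[complex]:
    """Minimal recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return x
    even, odd = _fft(x[0::2]), _fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def ultrasonic_energy_fraction(samples: Sequence[float], sample_rate: int,
                               cutoff_hz: float = CUTOFF_HZ) -> float:
    """Share of the frame's (non-DC) spectral energy at or above cutoff_hz."""
    n = len(samples)
    if n == 0 or n & (n - 1):
        raise ValueError("frame length must be a power of two")
    cutoff_bin = math.ceil(cutoff_hz * n / sample_rate)
    if cutoff_bin >= n // 2:
        # Nyquist is at or below the cutoff: the ADC already discarded the band this
        # filter is supposed to inspect, so a "pass" would prove nothing. Fail loudly.
        raise ValueError("sample rate too low to observe the ultrasonic band")
    spectrum = _fft([complex(s) for s in samples])
    power = [abs(c) ** 2 for c in spectrum[: n // 2 + 1]]   # one-sided spectrum
    total = sum(power[1:])                                   # ignore the DC bin
    if total == 0.0:
        return 0.0
    return sum(power[cutoff_bin:]) / total


def is_inaudible_command(samples: Sequence[float], sample_rate: int,
                         threshold: float = THRESHOLD) -> bool:
    """True when the frame looks like a command carried above human hearing."""
    return ultrasonic_energy_fraction(samples, sample_rate) > threshold


def _tone_mix(freqs: Sequence[float], n: int = FRAME, fs: int = SAMPLE_RATE) -> List[float]:
    return [sum(math.sin(2 * math.pi * f * i / fs) for f in freqs) for i in range(n)]


# Constructed test signals (not recordings). SPEECH_FRAME puts all energy in the
# voice band; ULTRASONIC_FRAME mimics the attack's shape: a 1 kHz "voice" envelope
# amplitude-modulated onto a 25 kHz carrier, so its energy sits at 24-26 kHz.
SPEECH_FRAME = _tone_mix((200.0, 1000.0, 3000.0))
ULTRASONIC_FRAME = [
    (1.0 + 0.5 * math.sin(2 * math.pi * 1000.0 * i / SAMPLE_RATE))
    * math.sin(2 * math.pi * 25_000.0 * i / SAMPLE_RATE)
    for i in range(FRAME)
]

if __name__ == "__main__":
    for name, frame in (("speech", SPEECH_FRAME), ("ultrasonic", ULTRASONIC_FRAME)):
        frac = ultrasonic_energy_fraction(frame, SAMPLE_RATE)
        print(f"{name}: {frac:.4f} of energy above 20 kHz, reject={is_inaudible_command(frame, SAMPLE_RATE)}")
```

Two caveats a practitioner would add. First, the attack works because the microphone's own nonlinearity demodulates the ultrasonic carrier back into the audible band before sampling, so a filter like this only catches whatever residual ultrasonic content survives into the digital signal; it is a useful signal, not a complete defense. Second, as the next paragraph notes, the recogniser may be using those high frequencies as cues, so the threshold has to be tuned against real recordings rather than set by decree.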

Why would the Amazons and Apples of the world leave such a gaping hole that could, potentially, be so easily plugged by software? We don’t know yet, though we’ve reached out to Apple, Google, Amazon, Microsoft, Samsung, and Huawei for comment. But at least two theories are perfectly plausible, and both come down to making voice assistants more user-friendly.

The first is that voice assistants actually need ultrasonics just to hear people well, compared to analyzing a voice without those high frequencies. “Keep in mind that the voice analyzing software might need every bit of ‘hint’ in your voice to create its understanding,” says Amit of filtering out the highest frequencies in our voice systems. “So there might be a negative effect that lowers the comprehension score of the whole system.” Even though people don’t need ultrasonics to hear other people, maybe our computers rely upon them as a crutch.

The second is that some companies are already exploiting ultrasonics for their own UX, including phone-to-gadget communication. Most notably, Amazon’s Dash Button pairs with the phone at frequencies reported to be around 18kHz, and Google’s Chromecast uses ultrasonic pairing, too. To the end user, that imperceptible pairing creates a magical experience that consumers have come to expect in the modern age of electronics (“How’s it work? Who cares, it’s magic!”). But because we can’t hear these mechanisms at work, we also can’t tell when they’ve gone wrong, or when they’ve been hijacked. They’re designed to be invisible. It’s the equivalent to driving a car with a silent engine. If the timing belt breaks, you might only realize it when the car inevitably stops and the engine is ruined.

User-friendliness is increasingly at odds with security. Our web browsers easily and invisibly collect cookies, allowing marketers to follow us across the web. Our phones back up our photos and contacts to the cloud, tempting any focused hacker with a complete repository of our private lives. It’s as if every tacit deal we’ve made with easy-to-use technology has come with a hidden cost: our own personal vulnerability. This new voice command exploit is just the latest in a growing list of security holes caused by design, but it is, perhaps, the best example of Silicon Valley’s widespread disregard for security in the face of the new and shiny.

“I think Silicon Valley has blind spots in not thinking about how a product may be misused. It’s not as robust a part of the product planning as it should be,” says Elliott. “Voice systems are clearly hard to secure. And that should raise questions . . . It’s difficult to understand how the systems work, and sometimes by deliberate design. I think hard work is needed to undo the seamlessness of voice and think about adding more visibility into how the system works.”

For now, there’s a relatively easy fix to most DolphinAttack vulnerabilities. All you have to do is turn off the always-on settings of Siri or the Google Assistant on your phones and tablets, and a hacker won’t be able to talk to your phone (except during those moments you’re trying to talk to it, too). Meanwhile, the Amazon Alexa and Google Home (the Home was not tested by researchers but is theoretically just as vulnerable) both have hard mute buttons that should do the trick for a majority of the time.

But of course, these solutions are self-defeating. If the only way we can safely use voice assistants is to ensure they’re not listening, then what point do they even serve? Maybe these eavesdropping computers don’t belong in our lives in the first place–or at least, not anywhere in public.

We’ve reached out to Apple, Google, Amazon, Microsoft, Samsung, and Huawei and will update this story if we hear back.
https://www.fastcodesign.com/9013901...siri-and-alexa





Vulnerabilities Discovered in Mobile Bootloaders of Major Vendors
Catalin Cimpanu

Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the boot-up sequence, opening devices to attacks.

The vulnerabilities came to light during research carried out by a team of nine computer scientists from the University of California, Santa Barbara.

Researchers developed BootStomp to analyze bootloaders

The research team looked into the shadowy world of Android bootloaders, components that are hard to analyze because they are closed-source and tend to lack typical metadata (such as program headers or debugging symbols) that are usually found in normal programs and help reverse engineering and security audits.

Most of the team's work focused on developing a new tool named BootStomp specialized in helping test and analyze bootloaders.

The goal of BootStomp is to automatically identify security vulnerabilities that are related to the (mis)use of attacker-controlled non-volatile memory, trusted by the bootloader’s code. In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitutes a security threat.

Experts found six new flaws

By using BootStomp to find problematic areas of the previously obscure bootloader code, and then having the research team look over the findings, experts said they identified seven security flaws, six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged and confirmed five.

"Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the research team said. "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT."

For their work, researchers considered five different bootloaders from four different vendors.

- Huawei / HiSilicon chipset [Huawei P8 ALE-L23]
- NVIDIA Tegra chipset [Nexus 9]
- MediaTek chipset [Sony Xperia XA]
- Qualcomm's new LK bootloader
- Qualcomm's old LK bootloader

Researchers knew that the old Qualcomm LK bootloader was affected by CVE-2014-9798, and when BootStomp re-identified the old security bug, the team knew their tool was working properly. They also found a vulnerability in the NVIDIA chipset, and five in HiSilicon bootloaders. The full results are in the researchers' paper.
https://www.bleepingcomputer.com/new...major-vendors/





TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities
Catalin Cimpanu

An attacker can downgrade components of the Android TrustZone technology to older versions that feature known vulnerabilities and use older exploits against smartphones running an up-to-date operating system.

According to a team of four computer scientists from the Florida State University and Baidu X-Lab, the problem lies in the design of the ARM TrustZone technology, widely deployed with the vast majority of today's Android devices.

Attack exploits TrustZone design flaw

ARM TrustZone is a hardware security extension of ARM processors that divides the System on Chip (SoC) into two worlds: a "normal world", where Android and its kernel run, and an isolated "secure world".

The secure world is not part of the Android kernel. It runs its own small operating system, the TrustZone OS, separately from the main Android OS.

TrustZone is tasked with creating a secure zone where the Android OS can run the most crucial and sensitive operations, like the ones that handle encrypted data. These operations run as special apps — named trustlets — inside the TrustZone OS.

When TrustZone OS loads a trustlet, it first checks its cryptographic digital signature to see if it is signed by the right party. This integrity check aims at removing the risk of loading tampered trustlets.

TrustZone does not feature version rollback protection

In a paper released this summer, researchers discovered that an attacker could downgrade trustlets to older versions, ones that are vulnerable to various exploits.

"The threat is caused by the fact that the trustlets (trusted applications) lack version rollback prevention, and use the same key pair for different firmware versions," Yue Chen, one of the researchers, told Bleeping Computer via email.

This means attackers can replace new trustlets with older versions of the same trustlet without the TrustZone OS ever noticing the switch, because the cryptographic keys are the same.
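The BootStomp findings above and this downgrade come down to the same question: what does a loader trust before it has checked it? BootStomp's bug class is bootloader code acting on length fields and flags read from attacker-writable non-volatile memory; the TrustZone downgrade works because a signature check alone cannot distinguish an old, validly signed trustlet from the current one when every version is signed with the same key. The following Python is an added example written for this page, not code from either paper or from any vendor. The image format, the 4 KiB staging buffer, the HMAC-SHA256 tag standing in for the vendor's public-key signature, and the in-memory rollback floor (a real device would keep it in tamper-evident storage such as RPMB) are all hypothetical. Passing `floor=None` models a loader that verifies signatures but has no rollback prevention, which is exactly what lets the downgrade through.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAGIC = b"TRST"                    # hypothetical image magic
HEADER = struct.Struct("<4sII")    # magic, version, payload_len (12 bytes, little-endian)
TAG_LEN = 32                       # HMAC-SHA256 tag length
STAGING_SIZE = 4096                # hypothetical size of the loader's fixed staging buffer

# Stand-in for the vendor's signing key. As the article notes, one key pair signs every
# release, so the signature check by itself cannot tell an old trustlet from a new one.
VENDOR_KEY = b"hypothetical-vendor-key-shared-by-all-versions"


def sign_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Build header || payload || tag, the tag covering header and payload."""
    header = HEADER.pack(MAGIC, version, len(payload))
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


class RollbackFloor:
    """Monotonic minimum version. A real device keeps this in tamper-evident
    storage (e.g. an RPMB partition); here it is an in-memory value."""

    def __init__(self, version: int = 0) -> None:
        self.version = version

    def raise_to(self, version: int) -> None:
        if version > self.version:
            self.version = version


def load_image(flash: bytes, floor: Optional[RollbackFloor],
               key: bytes = VENDOR_KEY) -> Tuple[str, bytes]:
    """Return (status, payload); status is "ok" only when every check passed.
    floor=None models a loader with signature checks but no rollback prevention."""
    # 1. Fields read from NV memory are attacker-controlled: bound them BEFORE
    #    they drive any copy or read (the bug class BootStomp is built to flag).
    if len(flash) < HEADER.size + TAG_LEN:
        return "bad-length", b""
    magic, version, payload_len = HEADER.unpack_from(flash, 0)
    if magic != MAGIC:
        return "bad-magic", b""
    if payload_len > STAGING_SIZE:
        return "payload-too-large", b""       # would overflow the staging buffer
    if HEADER.size + payload_len + TAG_LEN != len(flash):
        return "length-mismatch", b""         # would read past the partition
    # 2. Authenticity: tag over header and payload, compared in constant time.
    body, tag = flash[:HEADER.size + payload_len], flash[HEADER.size + payload_len:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return "bad-signature", b""
    # 3. Freshness: a validly signed but OLDER image is rejected, and the floor
    #    only ever moves up.
    if floor is not None:
        if version < floor.version:
            return "rollback", b""
        floor.raise_to(version)
    return "ok", body[HEADER.size:]


# Constructed images: v1 stands for a release with a (hypothetical) exploitable bug,
# v2 for the patched release. Both carry valid tags under the same key.
V1_IMAGE = sign_image(1, b"trustlet-v1-vulnerable")
V2_IMAGE = sign_image(2, b"trustlet-v2-fixed")


def downgrade_demo(with_rollback_protection: bool) -> Tuple[str, str]:
    """Load v2, then present v1 (the downgrade). Returns the two load statuses."""
    floor = RollbackFloor() if with_rollback_protection else None
    status_v2, _ = load_image(V2_IMAGE, floor)
    status_v1, _ = load_image(V1_IMAGE, floor)
    return status_v2, status_v1


def crafted_header_demo() -> str:
    """A header that claims a payload far larger than the partition holds."""
    bogus = HEADER.pack(MAGIC, 2, 0xFFFFFFF0) + b"\x00" * 16 + b"\x00" * TAG_LEN
    return load_image(bogus, RollbackFloor())[0]


if __name__ == "__main__":
    print("no rollback floor  :", downgrade_demo(False))   # old image accepted
    print("with rollback floor:", downgrade_demo(True))    # old image rejected
    print("crafted header     :", crafted_header_demo())
```

The order of the checks is the point: lengths from flash are bounded before any data is copied, the tag is verified before the version is believed, and only then is the floor consulted and raised. Swapping per-version keys for the shared key would not fix the downgrade either, since the old key would still verify the old image; the floor (or an equivalent anti-rollback counter) is what closes it.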

Attack successful against most of today's smartphones

The research team proved their attack in tests on devices running the ARM TrustZone technology, such as Samsung Galaxy S7, Huawei Mate 9, Google Nexus 5, and Google Nexus 6.

They replaced updated versions of the Widevine trustlet with an older version that was vulnerable to CVE-2015-6639, a vulnerability in the Qualcomm Secure Execution Environment (QSEE), Qualcomm's TrustZone-based trusted execution environment on its chips. This vulnerability gives attackers root-level access to the TrustZone OS, which indirectly grants the attacker control over the entire phone.

"As tested, this threat exists in almost all the Android devices on the current market, including Samsung Galaxy S7, Google Pixel, Google Nexus, Huawei Mate 9 (Pro), and their older versions and series," Yue says. "Affected devices also include other smaller phone vendors."

Vulnerability reported and patched

"We have already reported this vulnerability to the affected mobile vendors, and they have integrated patches in their latest updates, as well as fixes for newer device versions," Yue told Bleeping via email.

"To prevent being exploited, it is important for end users to timely update their devices to the latest versions, and apply any available security patches," Yue added.

The researcher also told Bleeping that he is not aware of any large-scale malware-spreading operation using the flaw he described in his team's research.

Attack not easy to exploit

The good news is that exploiting the attack described by Yue et al. is not as easy as it sounds.

"A successful exploit first needs to have the root privilege of the device (e.g., exploit another vulnerability), and then use this issue combined with other vulnerabilities to exploit the device," said the researcher.

For technically inclined users, this article is based on research released in July 2017 under the name of "Downgrade Attack on TrustZone." Copies of this paper are available online here and here.

This is not the first major attack on ARM TrustZone. Last year, at the USENIX security conference, researchers detailed the ARMageddon vulnerability, also targeting TrustZone.

Google is well aware of the danger of having TrustZone compromised and the company is currently willing to pay up to $200,000 for a remote exploit chain or exploit leading to a TrustZone or Verified Boot hack.
https://www.bleepingcomputer.com/new...lnerabilities/





Bug in Windows Kernel Could Prevent Security Software From Identifying Malware
Catalin Cimpanu

Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime.

The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space.

The problem is that an attacker can trigger this bug so that the callback registered through PsSetLoadImageNotifyRoutine is handed an invalid module name, letting the attacker disguise a malicious module as a legitimate one.

Bug affects all Windows versions released in the past 17 years

The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000.

Misgav’s tests showed that the programming error has survived up to the most recent Windows 10 releases.

Microsoft introduced the PsSetLoadImageNotifyRoutine notification mechanism as a way for drivers to be told when an executable image, such as a driver or a user-mode module, is loaded or mapped into memory. Because the notification fires whenever a PE image is mapped into virtual memory, antivirus software also adopted it as a way to detect some types of malicious operations.

Microsoft did not see this as a security issue

Right now, the biggest problem is that security software relies on this method to detect some types of malicious operations.

“We did not test any specific security software,” Misgav told Bleeping Computer via email. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”

“We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year,” Misgav told Bleeping. “They did not deem it as a security issue.”

“Some references online indicate that the bug was somewhat known, but as far as we can tell its root cause and full implications weren't described in detail up until now,” the researcher also said.

For technical details, an enSilo blog post details the fine intricacies of how PsSetLoadImageNotifyRoutine works and how the bug alters its normal, supposed behavior.
https://www.bleepingcomputer.com/new...fying-malware/





Credit Reporting Firm Equifax Says Data Breach Could Potentially Affect 143 Million US Consumers

• Equifax said data on 143 million U.S. customers was obtained in a breach.
• The breach was discovered July 29.
• Personal data including birth dates, credit card numbers and more were obtained in the breach.
• Three Equifax executives sold shares in the company days after the breach was discovered.

Todd Haselton

Equifax, which supplies credit information and other information services, said Thursday that a data breach could have potentially affected 143 million consumers in the United States.

The population of the U.S. was about 324 million in 2017, according to Census Bureau estimates, which means the Equifax incident affects a huge portion of the country.

Equifax said it discovered the breach on July 29. "Criminals exploited a U.S. website application vulnerability to gain access to certain files," the company said.

SEC filings show that three Equifax executives – Chief Financial Officer John Gamble Jr., workforce solutions president Rodolfo Ploder and U.S. information solutions president Joseph Loughran – sold nearly $2 million in shares in the company days after the cyberattack was discovered. It was unclear whether their share sales had anything to do with the breach.

Equifax said in a statement that the three executives sold a "small percentage" of their shares on Tuesday, August 1, and Wednesday, August 2, adding they "had no knowledge that an intrusion had occurred at the time they sold their shares."

The SEC declined to comment on the share sales.

Bloomberg News first reported the share sales.

Shares of Equifax fell more than 12 percent in after-hours trading.

The company said the exposed data include names, birth dates, Social Security numbers, addresses and some driver's license numbers, all of which Equifax aims to protect for its customers.

Equifax added that 209,000 U.S. credit card numbers were obtained, in addition to "certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."

"This is a security risk for any and every website that anyone uses," Christopher O'Rourke, founder and CEO of cybersecurity firm Soteria, told CNBC.

"Most often, security questions to access those websites use that data, like a previous address, so this becomes an open-source intelligence nightmare, worse in many ways than the Office of Personnel Management government breach. It's nasty. If I can get my hands on that information I can call a bank. They're going to ask me for your Social, address, the information that was leaked here, to get access."

Equifax Chairman and CEO Richard Smith apologized to consumers and customers and noted that he's aware the breach affects what the company is supposed to protect.

Equifax said it is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities. Its private investigation into the breach is complete. NBC News, citing law enforcement sources, reported that the FBI was actively investigating the incident and that the company has been cooperating with the bureau.
https://www.cnbc.com/2017/09/07/cred...consumers.html





By Signing Up On Equifax's Help Site, You Risk Giving Up Your Legal Rights

Credit firm Equifax disclosed that a data breach, discovered in July 2017, may have impacted as many as 143 million consumers in the United States.
Brian Fung

Worried you may be affected by Equifax's massive data breach? The credit bureau has set up a site, equifaxsecurity2017.com, that allows you to check whether your personal information was exposed. But regulators are becoming concerned that the site could pose risks to consumers. As a result, you may want to think twice about using it. Here's why.

The website's terms of service potentially restricts your legal rights.

Sharp-eyed social media users have combed through the data breach site's fine print - and have found what they argue is a red flag. Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident. Here's the relevant passage of the terms of service:

AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.

This language is commonly known in the industry as an "arbitration clause." In theory, arbitration clauses are meant to reduce the caseload dumped onto the court system. But the Consumer Financial Protection Bureau concluded in the summer that arbitration clauses do more harm to consumers than good - and the agency put in place a rule to ban them.

"In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal right," Richard Cordray, the CFPB's director, told reporters in July, according to my colleague Jonnelle Marte.

For consumers affected by Equifax's breach, this is a live issue; there is already at least one class-action suit brewing against Equifax. Critics say that arbitration is problematic because it limits consumers' ability to find facts to support their case, a process otherwise known as discovery, to appeal decisions or to present their case before a jury.

Equifax didn't immediately respond to questions about the arbitration clause.

If the government is moving to bar arbitration clauses, then why is one in there?

Despite the CFPB's move to ban arbitration clauses, the rule has not yet gone into effect, according to the agency. That won't happen until Sept. 18, the CFPB said. What's more, the rule doesn't work retroactively, meaning that the Equifax legalese would not be covered anyway. The ban only affects contracts made after March 19, 2018, six months after the rule takes effect.

The CFPB said Friday that Equifax's arbitration clause was "troubling" and that the agency is investigating the data breach and Equifax's response.

"Equifax could remove this clause so that consumers can receive this service without condition," the CFPB said in a statement.

The future of the ban is itself in doubt; just after the CFPB approved the rule, House lawmakers voted to repeal it. The motion to repeal must still be voted on by the Senate and signed by President Donald Trump to become official, but if it does, then the CFPB's regulation could be nixed.

On Friday, New York Attorney General Eric Schneiderman took aim at Equifax's arbitration clause, tweeting that his staff has contacted the company urging it to remove that part of the fine print.

"This language is unacceptable and unenforceable," the state's top lawyer said in his tweet. Minutes later, Schneiderman's office announced a formal probe into the Equifax breach. In a release, the state attorney general's office said Schneiderman had sent a letter to Equifax asking for more information. Among the questions were whether any consumer information has found its way to the "black market," according to a person familiar with the investigation.

A spokesperson for Schneiderman declined to comment on whether officials were investigating the sale of company stock by Equifax executives prior to the discovery of the hack.

So should I register with the Equifax site, or not?

It's up to you, but you should know going into the process what you're signing up for. There appears to be an escape hatch from the arbitration clause in Equifax's main terms of use, but it's unclear if that applies to the credit monitoring program known as TrustedID Premier, whose more specific terms of use may be found here. Both documents contain an arbitration clause.

Here's what we think we know. According to Joel Winston, a former deputy attorney general for the state of New Jersey and a privacy and data protection lawyer, you are not bound by any of Equifax's terms of use if you do not engage the company at all.

"If you do nothing, these rules don't apply to you," he said. But, he added, going to equifaxsecurity2017.com and entering your name and partial Social Security number does likely expose you to at least one of the two documents.

"Something applies to you," said Winston. "Whether that's the terms of service of TrustedID Premier, or Equifax's main terms of service, is unclear. But there's a very strong argument that some terms apply to you."

If you move forward and actually sign up for TrustedID Premier, he said, then you're definitely bound by the specific terms of use of that service - which contains the arbitration clause but not the opt-out provision contained in the main Equifax terms of use.

If you fall into this category, said Winston, then you have almost certainly waived your right to participate in any class-action suit related to the breach.

What about TrustedID Premier's FAQ?

Some readers have pointed out that Equifax maintains an FAQ about TrustedID Premier, and that the FAQ appears to limit the scope of TrustedID Premier's terms of use to "the free credit file monitoring and identity theft protection products, and not the cybersecurity incident" that was disclosed this week.

This language may appear to limit Equifax's ability to block class-action lawsuits, said Winston, but don't be fooled.

"Just because someone in the marketing department wrote that the terms of service don't apply to the cybersecurity incident means nothing compared to the contractual obligations of the terms of use," he said.

"You could say, 'What you're saying here is deceitful,' but it's a real gray area," he said. "If you look back at the TrustedID terms of use, the last paragraph says 'entire agreement between us,' which basically reiterates that the terms of service is the entire agreement and anything else you read on the website have no applicability."

Meanwhile, there's something else that you should know if you do decide to use Equifax's website to check if you were affected.

The site demands even more information from you to prove your identity.

To make sure that the person checking the database is really you, Equifax's data breach site asks for your last name and the final six digits of your Social Security number. This is extremely unusual. While the site is legitimate, the fact that you must volunteer more of what would otherwise be private information may not inspire much confidence.

Is there anything else I can do?

You can still monitor your own credit by obtaining a copy of your credit report. Every year, you can request a free copy of your report from each of the three major credit reporting agencies. This means that you can effectively check your credit for free every four months or so. You can also put a proactive freeze on your credit, which will prevent unauthorized use.
http://www.courant.com/nation-world/...908-story.html





Equifax’s Instructions Are Confusing. Here’s What to Do Now.
Ron Lieber

It’s time for all of us to play defense, because Equifax clearly did not.

In the wake of the epic breach of as many as 143 million of our Social Security numbers, names and addresses from the company’s credit files, the company put up a website that attempted to make sense of things for consumers.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

So my default assumption quickly switched to this: Equifax has no earthly idea who is affected. I tried calling a phone representative for clarification, too, but she gave me incorrect information about the nature of the company’s offer to consumers and then told me to just use the website when I went about correcting her. On Friday evening, the company issued a statement claiming to have fixed the problems and tripled the number of people in its call center.

Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so.

That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete.

And why just a year? Who knows? Isn’t this an invitation to the thieves to sit on the data for a while and then use it when all of us have moved on?

Meanwhile, people can’t easily change their Social Security numbers to thwart the thieves. So if any bad actors have your personal data, those numbers will be useful for years, maybe decades, depending on how the credit system changes over time.

Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file at the little-known company Innovis, too. Hey, why not?

Once you do (and it may take a little time to complete the process), the bureaus are not supposed to release your credit report to any company except the ones that already have you as a customer. Why is this important? When a thief shows up with your Social Security number and address to apply for credit in your name, the lender will go to fetch your credit report before anything else happens. If it can’t retrieve the report because of the freeze, then no new account for the thief.

You can thaw your freeze every time you want to apply for new credit by using a personal identification number that the companies give you, which you absolutely should not lose. This costs a few more dollars. (Would it kill Equifax to waive these fees for a while, given the circumstances? Or how about forever?) The process is annoying, but it takes only about 15 minutes to do this at all three of the big agencies. Those precious minutes, by the way, are also why the credit bureaus hate freezes. They gum up the works and make it harder for them to peddle your files to credit card companies and such, thus making ever more money off your data.

A credit freeze is different from a fraud alert, though you should also request one of those in the wake of the Equifax breach, for the longest possible time on offer, from Equifax, Experian and TransUnion as well. Once that free alert is in place, potential creditors should contact you for confirmation any time you (or a thief) try to open a new account.

Some people also use credit monitoring services that ping you every time there’s a change in your credit report, but I’ve always found them to be anxiety-producing. Instead, I check one of my credit reports for free every four months at annualcreditreport.com. That plus the permanent security freezes are enough to keep me sleeping well at night.

Or at least it used to be. I have always worried that a giant breach would someday come to one of the big credit reporting agencies, and now here we are. The data is out there, and thieves may use it in ways that freezes cannot thwart. They may try to gain access to other people’s health insurance, file tax reports in their names on Jan. 2 to claim a big refund and do other things that we haven’t even thought of yet.

And then there’s this: A security freeze doesn’t protect you if the thieves break into the vault of the company that maintains the freeze. That’s what happened here, and we will now spend years seeing what happens next.
https://www.nytimes.com/2017/09/08/y...to-do-now.html





Best Buy Stops Selling Security Software Made by Russian Firm

Reports of Kremlin ties led retailer to pull the product.
Kavita Kumar

Best Buy is pulling internet security software from a Russian company off its shelves and from its website amid outside concerns that Kaspersky Lab could have links to the Russian government.

The decision was prompted by media reports, congressional testimony and industry discussion raising questions about Moscow-based Kaspersky, a respected cybersecurity firm. The Richfield-based retailer, which has not conducted its own investigation, felt there were too many unanswered questions and so has decided to discontinue selling the products, according to a person familiar with the decision.

Kaspersky Lab, which boasts it has more than 400 million users, said in a statement that it does not have any unethical ties or inappropriate affiliations with any governments, including Russia.

“The only conclusion seems to be that Kaspersky Lab ... is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts,” the company said.

Kaspersky added that it has had a good relationship with Best Buy and that the current suspension of its products could be re-evaluated in the future. In the meantime, its software continues to be sold through its own website and through other retailers such as Target, Walmart.com, Amazon.com and Staples.com.

At the same time, some federal lawmakers are pressing for legislation that would ban the U.S. government from using Kaspersky’s software. They are on heightened alert about Russian hackers in the wake of their interference in the U.S. presidential election.

Company e-mails from Kaspersky that have surfaced in the media also have raised suspicions of a link between Kaspersky and the Kremlin.

In an op-ed that ran in the New York Times this week, U.S. Sen. Jeanne Shaheen, D-N.H., noted that six top intelligence officials, including the heads of the Federal Bureau of Investigation and Central Intelligence Agency, recently testified that they would not be comfortable with Kaspersky Lab software on their agencies’ computers.

“Beyond the evidence of direct links between [Eugene] Kaspersky and the Russian government, we cannot ignore the indirect links inherent in doing business in the Russia of President Vladimir Putin, where oligarchs and tycoons have no choice but to cooperate with the Kremlin,” she wrote.

A Best Buy spokesman confirmed that the products will no longer be sold at Best Buy but offered no further information because the company doesn’t comment on its relationships with vendors.

“In light of what we know about Kaspersky Lab and Russia’s cyberattacks on our private and public networks, this is a very sound decision,” said U.S. Sen. Amy Klobuchar, D-Minn.

Best Buy had carried three internet security software brands, including Kaspersky’s. The Kaspersky software, which it sold for more than a decade, does not come preloaded on computers that are sold at Best Buy. Rather, it is an extra product available for purchase that customers can load themselves.

Best Buy will allow customers who have bought Kaspersky software from it, and who still have active subscriptions, to exchange it for free for another product in the next 45 days. Customers also can uninstall it themselves or have a Geek Squad agent do it for free within that time window.

The Kaspersky Internet Security software has received generally positive reviews from Best Buy users with a 4.3 star rating among more than 1,800 reviews. The software is aimed at protecting computers from malware, hackers, banner ads and spam.
http://www.startribune.com/best-buy-...irm/443279653/





A.I. Can Detect the Sexual Orientation of a Person Based on One Photo, Research Shows

• The Stanford University study found that machines had a far superior "gaydar" when compared to humans.
• The machine intelligence tested in the research could correctly distinguish gay from straight men 81 percent of the time, and 74 percent of the time for women.

Sam Meredith

Artificial Intelligence (AI) can now accurately identify a person's sexual orientation by analyzing photos of their face, according to new research.

The Stanford University study, which is set to be published in the Journal of Personality and Social Psychology and was first reported in The Economist, found that machines had a far superior "gaydar" when compared to humans.

The machine intelligence tested in the research could correctly distinguish gay from straight men 81 percent of the time, and 74 percent of the time for women. In contrast, human judges performed much worse than the software, identifying the orientation of men correctly 61 percent of the time and of women 54 percent of the time.

The research has prompted critics to question the possible use of this type of machine intelligence, both in terms of the ethics of facial-detection technology and whether it could be used to violate a person's privacy.

Michal Kosinski and Yilun Wang, the lead researchers of the study, suggested the software was able to find subtle differences in facial structure between gay and straight people and therefore could accurately conclude their sexual orientation.

'Threat to safety and privacy'

The Stanford University researchers found that gay men and women typically had "gender-atypical" features and expressions. A person's "grooming style" also factored into the computer algorithm, essentially suggesting that gay women appeared more masculine and vice versa.

When the AI reviewed five images of a person's face, rather than one, the results were even more convincing – 91 percent of the time with men and 83 percent of the time with women.

The paper indicated its findings showed "strong support" for the theory that a person's sexual orientation stems from the exposure to various hormones before birth. The AI's success rate in comparison to human judges also appeared to back the concept that female sexual orientation is more fluid.

The researchers behind the study argued that with the appropriate data sets, similar AI tests could spot other personal traits such as an individual's IQ or even their political views. However, Kosinski and Wang also warned of the potentially dangerous ramifications such AI machines could have on the LGBT community.

"Given that companies and governments are increasingly using computer vision algorithms to detect people's intimate traits, our findings expose a threat to the privacy and safety of gay men and women," Kosinski and Wang said in the report.
https://www.cnbc.com/2017/09/08/a-i-...rch-shows.html





Read Rickie Lee Jones' Poignant Tribute to Steely Dan's Walter Becker

Singer Rickie Lee Jones is a longtime Steely Dan fan who collaborated with the late Walter Becker on her 1989 album Flying Cowboys. In recent years, Jones was asked to serve as opener during Steely Dan's Carnegie Hall residencies in New York, where she joined the band onstage during their set. Following Becker's death September 3rd, Jones penned a tribute to her friend and producer, which you can read below:

I first heard Steely Dan back in Kansas City, Missouri, where I ended up living with my dad after running away from home a second summer in a row. It was 1970 and I was just 15 years old. "Do It Again" was playing on the radio that summer night. I had just dropped some acid and I was on my way to see Led Zeppelin for their KC concert on their first USA tour. My date was a fat guy I had just met – he drove by and said, "Hey you wanna go to a concert?" He had high hopes I guess, and I just wanted to get out of the house. What I remember more than Led Zeppelin though is "Do It Again" drumming through the twilight heat, and the joy of all that Victor Feldman percussion.

Sexy. Contained. Because what "the Dan" accomplished was this: They introduced a new idea into the musical conversation of the time. It was the idea that intelligent music was cool. In a year where drum solos lasted minutes, quarter hours even, and singers screamed – a lot. Steely Dan made it cool to be educated. It is safe to say that they are the beginning of college rock.

There, right there, that's where that idea begins. Two homely guys who write with a fortitude that no one else possessed. None of this emotional crap. They were all business. Which led to sophistication. Which is how they are categorized by punk rockers today. Which is kind of funny, because they loved the simplicity of the blues and 12 bar rock & roll. Yes, they were, more or less, responsible for the drum machine (built by their engineer Roger Nichols). But I like to think that was some kind of punishment for being so exacting from every player they worked with.

By the time I started college, 1973, "Reelin' in the Years" had become a college anthem. And now with the release of Countdown to Ecstasy, kids were bringing the record just to stare at the cover. It was holy ground; it was biblical. It was also cynical and kind of... well... women-hating. They seemed to really be obsessed with women they did not really like. I would come to understand some of how that came about, personal information I am not prepared to share, even though Walter has died. Those heartaches go with him to his grave.

Steely Dan became a part of my life on a much more personal basis in the next few years. That boyfriend from "Living It Up" practiced Steely Dan solos nonstop. I can sing most of the solo from "Kid Charlemagne." But... I think they were part of my life long before they formed their dildo-named duo. (In case you don't know by now, Steely Dan is a dildo in the book Naked Lunch, by the famous drug addict William Burroughs.) I read that book, too, but I don't really remember the dildo passage.

The duo's first success was as songwriters. Sixties rock "band" Jay and the Americans hired Fagen and Becker as their back-up band. I believe the rest of the group became an early incarnation of Steely Dan. In case you don't remember Jay, he was a handsome all-American guy along the lines of Paul Revere and the Raiders. At least to my 13-year-old brain they were about the same. He sang songs like "Only in America" and "Come a Little Bit Closer," one of those rather dubious lyrics about the morality of certain women.

I moved back to Santa Monica College. We were four of us, hanging on the lawn during breaks, going to clubs on Main Street some nights – Pink Elephant, a newly discovered gay bar, we'd go dance to "I Will Survive" on the jukebox. Turned out one of us had not yet come out of the closet, but that's another story. The best musician of our group loved his Steely Dan, and that was how I came to hear "Bodhisattva," "My Old School," "Pearl of the Quarter." Lines about Annandale and oleanders with pesky stomping bass and drums. I mean these guys knew how to make music. They had a hit on every record – I mean a thing that was played on the radio over and over – that became part of how we saw our collective selves.

I was brought up, you might say, on writing thick with imagery and subtle implication and I loved it. I loved the innuendo, the humor, the sting. The genius was as much in the part we filled in, the lines they didn't write. That was where the sticky stuff of memory made their music a part of our own personal history. I knew about hiding behind the oleanders, heck I grew up in Arizona. (In case the Orb forgot to tell you) It wasn't the specific line, it was the sorrow and fury of the melody, "Bring back the Boston rag. Tell all your buddies that it ain't no drag."

I was only 19, and I wanted it to come back and I didn't even know what it was. I felt the melody, you get me? "Johnny swept the playroom and he swallowed up all he found. It was 48 hours till Lonnie came around." I have often said that so much of what we write seems to be prophetic. Walter lost too many people to drugs. He found too many people laying on the floor. The bed. Too many heartbreaks.

Walter and Donald. Walter Becker, the quiet half, the straight man to Donald Fagen's main man. Donald the Voice, and... Walter. Walter wrote much more of the music than the public realizes. As much as Donald. A true partnership. "Done up in blue print blue... It sure looks good on you… Peg."

"What's blue print blue? Like, blue-print paper an architect uses?" – Rickie Lee
"I don't know. I just felt like writing it that way." – Walter B

I met Donald Fagen when I was working on my second record, I think. He did some synth stuff on one of the tracks. It was so cool to meet him, late one night in New York City at a studio where his producer kept their stuff. But Walter wasn't there. I was kind of glad because Walter scared me. His pictures scared me. I often said he looks like the ugliest guy I ever saw. He looks so mean. Really mean.

So, fate arranged that I should learn a lesson about my presumptions, and the terrible things I might say to nobody in particular. My career in 1989 was… how shall I say… unsure of itself. In search of a lost chord. Waiting in a room with a number. Walter was on a list of potential producers. I came back from living in France, pregnant, moved to the L.A. area. I met Walter there one afternoon; he drove all the way up to Ojai (60 miles) after flying all the way from Maui, just for the meeting with me. And as it turned out, he was not so ugly after all. He was rather delicate looking. And he had a soft energy, nothing like what I thought I saw in the pictures. A softy. A recovering addict. Hey, me, too. He knew more about music right off the bat than anyone I had met in a long time. He didn't patronize, he didn't condescend, not even a tiny bit, not for one moment.

He respected what I had written, he had listened carefully to everything. He had ideas. He didn't say, "Let's do a Marvin Gaye kind of thing on this." Like the previous ridiculous producer candidate had said. If you don't know what's wrong with saying that, then maybe you should never produce a record. Although nowadays that would be a moot point I guess.

I hired him, and we agreed to start working in September. My previous two records had also begun in September. Hmm. I had to quit nursing my daughter. I spent August readjusting my life, an apartment in town, getting ready to leave my infant and make a different kind of child.

When the record was released, he did all manner of promotion for it. I was sorry for that. This red-headed DJ in Austin, he just wanted to touch the purple of the royal Steely Dan. Walter called him personally. But that DJ had no intention of playing the record for that or any favor. And making artists prostitute themselves to get heard, at that point in his "important" career, it felt so dirty to me. I was sorry he was trying so hard to help me.

Our fight was about producer credit. I wanted credit. I guess I felt like I was contributing in a way that I did not get credit for. Walter came to my room at the Chateau Marmont and said this:

"Rickie, what is a producer? Because whatever it is, you have hired me to be that. That is my title. If you put your name there, what is it that I did? You see, you are the artist. As creative as you are. You do a lot; you do nothing; I am still the producer of that effort. That is my job. Please, don't do this. Don't dilute my title."

I was ashamed. Suddenly I understood how much he had at stake, trying to build a career of his own after Steely Dan. He had crashed and burned from on high. Like me. Me, I wanted some credit from a larger audience, who would never ever give me that credit no matter what I did. What sleazy DJ made a great man dial his number. Well, it had nothing to do with Walter really.

We finished the record [Flying Cowboys] with Walter's favorite engineer, the exasperating Roger [Nichols], a genius who was always making bad jokes. It was a great record. Perhaps still ahead of its time. Too many great songs. Too much pop from a wild outlaw. The theme, a kind of western supernatural... Maybe it went over a few heads. It spawned two hits – "The Horses" and "Satellites" – but not real hits. Just kind of hits. Geffen was disappointed and pulled the plug suddenly in the middle of promoting the record. It was almost gold within six months, but they expected so much more. They didn't even get me a Grammy nod. I mean, really. Mystically it stopped selling about 30,000 short of a retroactive bump. And did not sell another 30,000 for a couple years.

I didn't see Walter again until Steely Dan went on tour for the first time. There he was at the Hollywood Bowl with all the big name cats from the record. I was so proud of them. It was a house full of agents who were there to be seen. No one seemed to give a shit about "The Boston Rag" or "The Royal Scam."

Suddenly, last year, I get a request to open for Steely Dan during their run in New York City. They play at the Beacon Theater every year, a week long. Hit after hit after hit. Played perfectly. I played for 30 minutes. I was fine, not bad, good enough. My friend and virtuoso Mike Dillon played his wild vibraphone with me. And we came off feeling OK.

Mostly, we were walk-in music. That's hard. But backstage Walter and Donald were sweet. Donald was actually friendly. I felt comfortable. I was glad I came.

Next night they invited me to sing some of their songs with them. I sang "Showbiz Kids" with Steely Dan. And they wanted to do "The Horses," but I said no, I can't quite hit those notes in the key change anymore. Walter said no problem. Another time.

As I left Walter hugged me. "We will be playing down your way in the fall, maybe you can come and open for us some more."

"I'd love that."

It is September now. That fall will never come. I cannot tell you why his death has hit me so hard. I have seen a few friends go, but they are not close. People I go to see often. Something about this passing hurts.

They brought an education and precision to a conversation taking place in the late Sixties of mostly long drum solos and jams. They brought jazz solos to rock, they made being funny in lyrics cool, and they made being cool more important than being handsome. They were the first college band. That's for sure. And I am nostalgic today for that feeling of all the life being before us, and not behind. All things possible, and not relinquishing to inevitability.

I am Rickie Lee Jones. And I was one of the women Walter Becker took such good care of in his short life. I would want you to know that. He was so funny. And no, I didn't like the soprano sax on "Satellites," but that sound ended up... well, listen to Dave Matthews, for one. Walter knew what he was doing. He planted music. It grows all around us now.
https://www.rollingstone.com/music/n...becker-w501078





Totally Wireless Earbuds Bring the Loud to Stereo Headphone Sales
Ben Arnold

So far, 2017 has been a great year for headphones. Through July, U.S. dollar sales and average prices increased 22 percent, and 18 percent, respectively, over the same period a year ago. A number of new and interesting devices have also debuted this year. Recent products from industry headliners like Bose, Sony, and Beats represent just a few of the innovative headphone devices to come to market in the past year. Sure, much of today’s growth is due to the continued shift to Bluetooth, but the wireless revolution occurring in headphones has given rise to a wave of fresh audio offerings.

Totally wireless earbuds represent a new segment that has come out of the emergence of Bluetooth. Bragi and Doppler Labs were among the first companies making totally wireless earbuds, but the entrance of tech titans like Apple and Samsung (but mostly Apple) has led to a spike in unit sales in the segment. More than 900,000 totally wireless headphone units were sold in the U.S. since the start of the year, according to The NPD Group’s Retail Tracking Service. As fast as this segment has emerged, so have products that go beyond music streaming. Samsung’s headphones-slash-fitness tracker, IconX, features an optical heart rate tracker and 4GB of memory for music storage (eliminating the need for a music player) for those interested in a fitness product. There are also augmented hearing buds like Doppler’s Here Plus and Nuheara’s IQbuds, which are fitted with external microphones to change the sound around the wearer, making it easier to have a conversation in a loud restaurant or to tune out a crying baby on an airplane.

Some products have a loftier goal – making the wireless earbud a computing device for the ear. Since launching in December, Apple’s AirPods have accounted for 85 percent of totally wireless headphone dollar sales in the U.S., according to NPD’s Retail Tracking Service. With a use case centering on frictionless access to Siri and other tasks initiated by voice, AirPods really act as an extension of the iPhone. Apple’s path to leadership in the category is helped by disruptive pricing, brand resonance, and excitement over the W1 chip, which significantly eases Bluetooth connections to iOS and Mac devices. The Dash from Bragi features an ARM Cortex M4 CPU, as well as 27 sensors designed to detect movement and voice input. It is also the first noteworthy headphone brand to partner with IBM Watson. For these products, audio quality remains important, but takes a backseat to new capabilities added on top of the sound experience. With this in mind, it’s not hard to imagine a collection of mobile apps optimized for a voice interface similar to the growing ecosystem of Alexa skills.

Apple’s early domination of the category will continue to challenge competing brands entering the totally wireless market. New entrants will have to provide some differentiation in features, sound quality, or associated services and applications in order to stand out. Consumer reception of wireless earbuds is still forming, even as their use case continues to evolve. As Alexa skills and other voice-first content diversifies, headphones, including totally wireless earbuds, are the leading candidate to be the next piece of hardware to drive digital assistant adoption.
https://www.npd.com/wps/portal/npd/u...adphone-sales/





Junk Call Nightmare Flooded Woman with Hundreds of Bizarre Phone Calls a Day

Kim France gets a lot of calls—but nothing prepared her for receiving 700 a day.
Jon Brodkin

As a real estate agent, Kim France's business depends upon answering calls from unfamiliar numbers. But during a five-day stretch in June, her cell phone was flooded with so many junk calls that it was almost impossible to answer legitimate ones.

"I am in the middle of a cell phone nightmare," France, who lives in Hilton Head Island, South Carolina, told Ars in an e-mail after three days' worth of the calls. "My phone started ringing three days ago and has continued to ring every few minutes since then. Each time it is from a different number... I can’t conduct a client call, can’t text because calls coming in interrupt the process, can’t even take photos for the same reason."

On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.

France installed robocall blocking tools on her phone, but they didn't stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don't block calls when the Caller ID has been spoofed to hide the caller's true number.

US consumers receive 2.4 billion robocalls a month, and the ones from spoofed numbers are among the hardest to stop, according to the Federal Communications Commission. Recognizing that today's robocall blocking systems are often useless against spoofed robocalls, the FCC recently called upon carriers to increase their efforts to block them.

France's case posed even greater challenges than usual because she may have been victimized by a targeted attack rather than a run-of-the-mill robocaller. There's also a question about whether the calls received by France were technically "robocalls." But what we know for certain is that the problem of unwanted phone calls remains unsolved, and France's ordeal shows what can happen in an extreme case.

France's efforts fall short

Trying to stop the flood, France put her iPhone in Do Not Disturb mode in order to block initial calls while allowing repeated calls from the same number to come through. But then calls began coming in twice from the same number in order to ring through to her phone, so France had to turn off the setting that allows repeated calls.

Oddly, there were no people or recorded voices on the other end of the line when France answered the calls. Instead of scam attempts, France said the calls consisted of sounds similar to, but not quite like, a fax machine. The robocalls were leaving long voicemails, filling up her voicemail storage and preventing clients from leaving legitimate messages.

"My initial thought was this is definitely just a computer glitch somewhere," France said. Later, she began suspecting that someone might be targeting her in a calculated attempt to disrupt her business. And then, just as suddenly as they started, the calls stopped "out of the blue." Everything went back to normal.

During the five-day deluge, France was worried enough that she contacted the police, a consumer rights attorney, and Verizon Wireless, but the calls continued. Despite her suspicions, the possibility that France was being targeted by a malicious person seemed remote to her—until weeks later, when Ars discussed France's case with the maker of RoboKiller, a new robocall blocking service.

Evidence points to targeted attack

We described France's nightmare to RoboKiller co-creator Ethan Garr and provided him with screenshots from France's phone showing the Caller ID of a few dozen numbers that called her. RoboKiller's tech team then checked its system to find out if it ever blocked any of those numbers.

Instead of merely relying on a blocklist, RoboKiller's technology analyzes the audio fingerprints of calls and can thus block many robocalls from spoofed numbers. RoboKiller took first place in a contest the Federal Trade Commission held in 2015 to find the most promising new anti-robocall technologies, and the company has been busy improving its technology ever since. Despite that, RoboKiller had never flagged any of those 36 numbers as suspicious, so it wouldn't have helped France during her five-day robocall deluge.

The Caller IDs were spoofed. In some cases, the Caller IDs mimicked real numbers that may be owned by real people. In most cases, the numbers calling France were totally fake, coming from area codes (like 411) or exchanges that don't exist. In other words, the spoofing attack used many random phone numbers instead of ones that might appear to be legitimate.

Scammers seeking money often spoof local phone numbers so that the victims think it's a valid call. The one targeting Kim France didn't bother—the only apparent goal was disruption.

There's still a possibility that it wasn't a targeted attack and that France's problem was caused by a bug in auto-dialing software used by telemarketers or scammers. It's also possible it was a "fax scam that went awry," Garr said.

But based on the evidence, it was most likely a targeted attack, the RoboKiller team concluded. There's no financial value from calling someone hundreds of times with fax-like noises—most scams try to extract money from the victim. The noises themselves were likely used to confuse France as to whether the calls were legitimate or not.

"Our theory, and I feel pretty confident, is that this... was someone trying to attack Kim France," Garr said.

No challenge for determined attacker

We don't know if someone had a vendetta against France, or if a dedicated prankster just happened to target a widely available phone number. But in either case, Garr says pulling off such an attack wouldn't have been too difficult.

"My developer said, just to give you an idea, if he wanted to do this to you right now he could set this up in 30 minutes," Garr said.

Searching the Web for "fake fax sounds" quickly turns up websites that provide fax noise files. Using those sound files, a little programming knowledge, and easily available tools, a malicious person could have launched a similar attack.

“I’ve never heard of this”

There are some online services that let you make calls from spoofed phone numbers. While there are legitimate reasons to make such calls, auto-dialing and spoofing can also be used for malicious purposes.

"I know a developer who got so angry at someone one time that he simply wrote some code to call a number a gazillion times and just drive that person crazy," Garr said. (Garr added that he does not condone such behavior.)

RoboKiller owner TelTech runs a spoof calling service, called SpoofCard, but it doesn't allow automated calls and thus almost certainly could not have been used by France's attacker, Garr said. Businesses have long used spoofed Caller IDs so that employees can call customers from a single number, Garr noted. Garr's stepfather, a veterinarian, uses SpoofCard to call patients' owners from home at night without revealing his home phone number. The point is, Caller ID spoofing technology is widespread and easy to use for both legitimate and malicious purposes.

But as easy as it is, the specifics of the France case were new to Garr. That helps explain why RoboKiller doesn’t block the kinds of calls that disrupted France’s real estate business.

"I’ve never heard of this being an issue,” Garr told Ars. “As soon as you sent this, I wondered if we need to block fax noises."

The definition of a robocall

In this article, we're using the word "robocall" to describe the calls received by France, although it's possible they weren't robocalls in a technical sense. A robocall is defined by the Federal Trade Commission as a call in which you "hear a recorded message instead of a live person."

"It is possible that whoever did this to Kim France did play a recorded file of the fax-like sound, but I think it's also possible that they just generated the sound programmatically with each call," Garr said.

Even if they weren't exactly robocalls, there may not be a better word to describe them. "It's more of a DDoS attack over the telephone lines rather than a spam or scam call," he said.

Regardless of the nomenclature, the annoyance level for Kim France was the same. And the perpetrator's use of an autodialer and spoofed numbers is the same problem that robocalling experts and the government are trying to solve.

Attacker is unknown: “This is disturbing”

France was shaken after hearing Garr's conclusion that she was likely the victim of a targeted attack.

"I'm not going to lie, that is a bit disturbing," she said.

But who would have targeted France? A rival real estate agent, or someone else with a grudge? France said she has no idea. "I can’t imagine who would have a grudge against me," she said. "Although I am very successful in this market, I can't think of a single person who has been involved in a transaction with me who might have a bone to pick with me."

The fact that France has no obvious enemies suggests that she might just have been the owner of the wrong phone number at the wrong time. It is possible that someone launching such an attack could choose a victim at random.

Although the robocall nightmare ended after five days, France had no way of knowing that the problem would go away while the calls were happening in full force.

France said she called Verizon about six times, but the carrier merely suggested changing her number. Because of her real estate business, France's phone number is disseminated across hundreds of third-party websites and she said that changing it wasn't a viable option. Starting over with a new number would have seriously disrupted her business, so she tried finding other solutions.

Verizon declined to comment about France's case when contacted by Ars. Verizon launched a new robocall blocking service in late June, but the company charges $3 a month for the service while carriers such as AT&T and T-Mobile offer similar services for no extra charge. The Verizon service likely wouldn't have helped block France's calls anyway.

"I contacted a consumer rights attorney... who specializes in phone call harassment," France told Ars. "He said there's nothing you can do to figure out where these calls are coming from."

Similarly, the police told France they would be unable to help her stop the calls, she said. France said she complained to the FCC, and in return received a form letter explaining what spoofed Caller ID is. Of course, she was already painfully familiar with the topic at that point.

"It crippled my business for five days," France said. "My business was completely brought to its knees because nobody could help me locate the true caller."

Spoofing presents a difficult problem

Adam Doupé, a security researcher and professor at Arizona State University, is fascinated by robocalls because of how difficult they are to stop.

"E-mail spam is more or less solved," Doupé told Ars. "I use Gmail, I get almost zero spam per month. It's insanely low. But people are getting millions of robocalls and the question is why? Why haven't we actually stopped that?"

Like Garr, he also had never heard of a flood of spoofed calls as severe as the one that hit Kim France.

"I haven’t heard of a robocall problem of that magnitude, that sounds pretty intense," Doupé said. "The problem of spoofed calls is incredibly interesting, and it is driving all of our research interests in this area."

Spoofing is easy

The core problem, he noted, is that it's so easy to spoof Caller ID. With e-mail, spam bots have to "make a TCP connection to a mail server, and that means that server was at a specific IP address," he said. To block spam mail, "you can use things like blacklisting or whitelisting or greylisting, all these techniques that rely on knowing where a sender is coming from."

With phone calls, it's not that easy to verify who is on the other end, Doupé said:

Because it's an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don't need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.

Although many phone calls are now placed with VoIP using the Internet Protocol, VoIP phones are interconnected with the traditional Public Switched Telephone Network [PSTN] so that different types of phones can call each other. The autodialers used by robocallers usually rely on VoIP connections to the PSTN.

"There are VoIP providers you buy service from, and you can access them over Tor to completely hide where you're coming from, and then some of them will allow you to change your caller ID on outgoing calls," Doupé said. "The idea is they are translating your calls from VoIP to SS7 [the signaling protocols used by traditional phones], and when it's making that call, it's basically just accepting whatever it puts in that caller ID number."

Seeking a way to verify Caller ID

Doupé, his PhD student Huahong Tu, and two fellow professors at Arizona State described the challenges of stopping robocalls in a recent paper. They are also developing a potential solution to the problem, with a method to verify ownership of a Caller ID number. The system is described here.

Doupé hopes the caller verification system will eventually be integrated into the core backbone of the SS7 signaling protocol. With Doupé's prototype, an authentication token is added to each message so the call recipient can verify that the caller owns the phone number, similar to the green security lock displayed by Web browsers in the URL bar of HTTPS-enabled websites.

"The idea is you call somebody and simultaneously when you make that call you send them an SMS message with this authentication token," he said. "That way when they receive the call, they can do all the crypto to verify that you actually own this number that you're calling from."

Because of its reliance on SMS, the prototype only works with mobile phones for now.

“Carriers have an obligation to deliver every phone call”

Doupé isn't the only university researcher trying to come up with a system to fight robocalls. For example, researchers at the University of Florida developed a system called AuthentiCall to verify that "received call audio originated from the legitimate source and has not been tampered with by an adversary."

FCC Chairman Ajit Pai has proposed rules that would let carriers block calls in cases when the spoofed Caller ID can't possibly be valid. This includes numbers that aren't valid under the North American Numbering Plan, valid numbers that haven't been allocated to any phone company, and valid numbers that have been allocated to a phone company but haven't been assigned to a subscriber.
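The three categories in the FCC proposal above, as an added example (not code from the article, RoboKiller, or the FCC): a Caller ID classifier that applies a subset of the North American Numbering Plan's structural rules, then looks up the NPA-NXX block and the full number in constructed allocation and assignment tables that stand in for the industry databases a carrier would query.

```python
"""
Caller ID plausibility checks in the spirit of the FCC proposal: flag numbers
that cannot be valid under the North American Numbering Plan (NANP), numbers
whose NPA-NXX block is not allocated to any carrier, and allocated blocks with
no subscriber assignment. The two tables below are CONSTRUCTED sample data for
this example, not real industry records.
"""
import re
from collections import Counter
from typing import List, Optional

# Constructed stand-in for the block-allocation database: NPA-NXX -> carrier.
ALLOCATED_BLOCKS = {"843555": "carrier-A", "212555": "carrier-B"}
# Constructed stand-in for subscriber assignments (555-01XX numbers are
# reserved for fictional use, so none of these can belong to a real person).
ASSIGNED_NUMBERS = {"8435550142", "2125550199"}

# N11 service codes (411, 911, ...) can never be an area code or exchange.
SERVICE_CODE = re.compile(r"^[2-9]11$")


def normalize(raw: str) -> Optional[str]:
    """Strip formatting and a leading country code 1; return 10 digits or None."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def nanp_structurally_valid(number: str) -> bool:
    """Subset of NANP rules: area code and exchange are N-X-X with N in 2-9,
    and neither may be an N11 service code."""
    npa, nxx = number[:3], number[3:6]
    for part in (npa, nxx):
        if part[0] in "01" or SERVICE_CODE.match(part):
            return False
    return True


def classify_caller_id(raw: str) -> str:
    """Return 'invalid', 'unallocated', 'unassigned' or 'plausible'.

    The first three map to the FCC's proposed blockable categories; 'plausible'
    only means the number passed these checks, not that it was not spoofed.
    """
    number = normalize(raw)
    if number is None or not nanp_structurally_valid(number):
        return "invalid"
    if number[:6] not in ALLOCATED_BLOCKS:
        return "unallocated"
    if number not in ASSIGNED_NUMBERS:
        return "unassigned"
    return "plausible"


def summarize(call_log: List[str]) -> Counter:
    """Count each category over a list of Caller ID strings."""
    return Counter(classify_caller_id(c) for c in call_log)


# Constructed sample resembling the mix the article describes: some structurally
# impossible numbers, some real-looking ones.
SAMPLE_LOG = [
    "(411) 555-0100",   # service code as area code: impossible under NANP
    "+1 843-555-0142",  # allocated block, assigned subscriber
    "843-555-0177",     # allocated block, no subscriber on record
    "212-055-0199",     # exchange starting with 0: impossible
    "305-555-0100",     # block not allocated in the sample table
    "12345",            # malformed
]

if __name__ == "__main__":
    for caller in SAMPLE_LOG:
        print(f"{caller:>16} -> {classify_caller_id(caller)}")
    print(summarize(SAMPLE_LOG))
```

A real deployment would replace the two constructed tables with queries against the numbering administrator's allocation data and the carrier's own assignment records; the structural check alone already catches the "area codes like 411" pattern the article mentions.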

The FCC also proposed a fine of $120 million against an alleged scammer who "apparently made 96 million spoofed robocalls during a three-month period" in order to trick people into buying vacation packages. The alleged spoofing allowed robocalls to appear as if they came from local numbers.

Another FCC effort seeks public comment on a plan to create a database of reassigned numbers. This proposal isn't specifically about spoofed numbers, but it illustrates the difficulties of preventing Caller ID spoofing. In its call for public comments, the FCC asked, "Is there a risk that a repository of disconnected or aging numbers effectively could become a list of available numbers to be spoofed by fraudulent robocallers if such bad actors gain access to this information? How could that risk be mitigated?"

Carriers attempting to block robocalls must consider both technical and regulatory implications.

"Carriers have an obligation to deliver every phone call," Doupé said. This means that rules allowing carriers to block robocalls must have some limitations to guarantee that legitimate calls go through.

"If you're being a little bit more cynical, you may see that even though these are spam and robocalls, [the carriers are] still getting paid for accepting those calls," Doupé said. "Somebody is paying to make those calls. If you think about e-mail, Google is not getting paid to receive all your spam e-mails and they don't have an obligation to deliver every e-mail you receive."

RoboKiller tries to disrupt scammers

The current incarnation of RoboKiller is about six months old and is for iPhones only (it costs $1.99 a month). When an iPhone user has RoboKiller installed and declines a call, the call is forwarded to RoboKiller's systems. RoboKiller operates "answer bots" that talk to the robocallers to determine whether a call is legitimate.

"We have answer bots that talk back to robots, which drives the telemarketers crazy," Garr said. "At first, the answer bots were really only effective and fun with live telemarketers. With robocalls, it's not that much fun to hear a robot talk to a robot. Now we've figured out when to play the DTMF tones, like 'press 1 to get to an operator,' and we're getting to humans."

If, for example, there is a robocall operation impersonating the IRS, the RoboKiller system will flag the number and prevent it from calling anyone else who uses RoboKiller, Garr said.

But since robocallers call from many spoofed numbers, RoboKiller uses an audio fingerprinting system that can identify a specific scam even when it's coming from multiple numbers.

"The first person in our entire network who gets a call from this [spoofed] number, unfortunately that call will get through to them," Garr said. But once RoboKiller matches the scam with the new number, no one else will get the spam call from that number.

"Basically, in real time we update the lists for everybody," he said.

What could France have done?

But as noted previously, even RoboKiller wouldn't have helped France in June. Garr did, however, offer a few suggestions for people who experience this type of harassment in the future.

His first advice is to "weather the storm."

"As soon as you realize what is happening, stop answering the phone, and tell your friends and family to contact you through a different medium for the next few days," Garr said.

Such a decision was difficult for France because she needs to accept phone calls from unknown numbers in order to perform her real estate duties. But even in extreme cases, the incessant calls aren't likely to last more than a few days.

"It is unlikely that anybody is going to make harassing calls to your number indefinitely," Garr said. "Scammers and spammers change their numbers very often—most numbers are active for just two hours. Kim's attack lasted a long time, but even someone trying to do such an attack is likely fearful that if they do it forever they will get caught, and it is probably costing them a little bit to do this consistently."

Using Do Not Disturb mode and not allowing repeated calls from the same number can help weather the storm. "This isn't great if you have clients who call you from outside of your address book, but it will temporarily allow you to use your phone with the people you know while the assault is happening," Garr said.

This is a good strategy in multiple scenarios. Garr knows someone whose own phone number was recently spoofed as part of a robocall spam campaign. The people who received those robocalls got mad and started calling her back.

"It literally was ringing every time she hung up and it was people who were angry at her," Garr said. "A telemarketer had spoofed her number, so it wasn't that she was getting robocalls, it was that somebody else had spoofed her number to make the calls, and people were calling her number back."

Phone subscribers are allowed to have their own numbers blocked by phone companies in such situations, to prevent the reputational damages that come from robocallers spoofing one's number. But that's a fairly extreme step, so it may not be one's preferred option. With Garr's friend, waiting it out did the trick—the problem had nearly disappeared by the next day.

As France discovered, contacting authorities isn't likely to stop a robocall deluge. But it's still an important step to take, according to Garr: "Calling your carrier and local law enforcement may not help much in the short term, but it's worthwhile to have a paper trail in case the attack is part of a larger effort to harass you."

For France, at least, the five-day nightmare was a one-time event only.

"With all my fingers and toes crossed, I am happy to say that the crippling of my cell phone, and therefore my business, has not returned," she said. "I fear that I am suffering from PTSD though. Every time a number flashes up on my display that I do not recognize, the hair on the back of my neck stands up."

Now two months later, France is still surprised that there was no viable solution to her robocall problem, other than waiting for it to go away.

"I just feel like there has got to be something that could be done to protect consumers from this type of crime," she said. "Being told that no one can do anything for me was the most shocking part to my story."
https://arstechnica.com/information-...e-calls-a-day/





Huawei Unveils Faster Phone Chip it Says Can Beat Apple, Samsung
Eric Auchard

Huawei [HWT.UL] aims to use artificial intelligence-powered features such as instant image recognition to take on rivals Samsung and Apple when it launches its new flagship phone next month, a top executive said on Saturday.

Richard Yu, chief executive of Huawei’s consumer business, on Saturday revealed a powerful new mobile phone chip Huawei is betting on for its upcoming flagship Mate 10 and other high-end phones to deliver faster processing and lower power consumption.

Huawei will launch the Mate 10 and its sister phone, the Mate 10 Pro, in Munich on Oct. 16, Yu confirmed. He declined to detail new features, but the phones are expected to boast large, 6-inch-plus full-screen displays, tech blogs predict.

Artificial intelligence (AI) built into its new chips can help make phones more personalised, or anticipate the actions and interests of their users, Yu said.

As examples, he said AI can enable real-time language translation, heed voice commands, or take advantage of augmented reality, which overlays text, sounds, graphics and video on real-world images phone users see in front of them.

Yu believes the new Kirin 970 chip’s speed and low power can translate into features that will give its phones an edge over the Apple iPhone 8 series, set to be unveiled on Sept. 12, and Samsung’s range of top-line phones announced this year. Huawei is the world’s No. 3 smartphone maker behind Samsung and Apple.

“Compared with Samsung and Apple, we have advantages,” Yu said in an interview during the annual IFA consumer electronics fair in Berlin. “Users are in for much faster (feature) performance, longer battery life and more compact design.”

The company asserts its newly announced Kirin 970 chip will preserve battery life on phones by up to 50 percent.

Huawei describes the new chip as the first Neural Processing Unit (NPU) for smartphones. It brings together classic computing, graphics, image and digital signal processing power that have typically required separate chips, taking up more space and slowing interaction between features within phones.

Most importantly, Huawei aims to use the Kirin chips to differentiate its phones from a vast sea of competitors, including Samsung, which overwhelmingly rely on rival Snapdragon chips from Qualcomm, the market leader in mobile chip design. Among major phone makers, only Apple and Huawei now rely on their own core processors.

The 970 is designed by Huawei’s HiSilicon chip design business and built using the most advanced 10 nanometre production lines of contract manufacturer TSMC.

Reporting By Eric Auchard; Editing by Ros Russell
https://uk.reuters.com/article/uk-hu...-idUKKCN1BD0SB





A Key White House Science Council is Still Vacant — but the Trump Administration Doesn’t Plan to Kill it

Months later, there’s still no one sitting on the President’s Council of Advisors on Science and Technology.
Tony Romm

A White House council that’s supposed to study everything from nanotechnology to biological warfare has sat dormant for more than seven months under President Donald Trump — but the administration says it’ll staff up and resume its work soon.

Chartered in its modern form in 2000, the President’s Council of Advisors on Science and Technology long has operated as the White House’s main interface with academics, industry experts and others who can help shape the government’s approach on a wide array of complex, cutting-edge issues.

Under Trump, though, there’s no one on the council, known as PCAST. It’s one of many science-and-tech advisory arms at the White House that’s still severely depleted in staff, a series of vacancies made all the more striking by the president’s previous push to cut federal research spending.

In the meantime, PCAST’s charter, technically, is set to run out: Obama’s executive order authorizing the council expires at the end of September.

At the moment, a spokesman for Trump’s tech team told Recode the president is on track to sign his own executive order re-establishing PCAST this month. The process of staffing it will then fall to the leader of the White House’s other research team, the Office of Science and Technology Policy. But that office, known as OSTP, still has no director, and the president has offered no timeline for when he’ll nominate someone for the job.

Even then, filling the ranks of PCAST might prove especially difficult in the coming months.

For one thing, Trump’s approach to science issues, including his move to withdraw the United States from a major international carbon emissions reduction pact, has drawn opposition from the academic and business communities. And Trump’s other recent, controversial actions and comments — from his moves on immigration to remarks about Charlottesville, Va., in August — already had prompted many tech executives to cease advising the White House.

Amid the turmoil, veterans of the last administration’s science-and-tech team stress the group is essential.

“The PCAST under Obama wrote more than 20 or 25 reports that dealt with recommendations to the president on matters of pressing concerns related to science and technology,” said Cristin Dorgelo, a former chief of staff at OSTP, in an interview this week.

Under Obama, PCAST included the likes of Eric Schmidt, the executive chairman of Google’s parent company, Alphabet; Eric Lander, a top academic at MIT; Maxine Savitz, a former leading executive at Honeywell; Christine Cassel, the planning dean of Kaiser Permanente School of Medicine; and Craig Mundie, a former Microsoft executive. It tackled a range of issues, like advanced manufacturing, big data, health IT and more.

For Dorgelo and others, though, there initially was reason to believe that the Trump administration considered nixing PCAST altogether. The uncertainty arose from a report published quietly by the Congressional Research Service, lawmakers’ personal think tank of sorts, earlier this month.

Much of PCAST’s budget currently comes from another part of the government, the Department of Energy’s Office of Science. Its involvement is a long story — blame it on Congress — but the DOE office is actually one that Trump has targeted for cuts, largely because of its work on climate change. That’s reflected in the DOE’s budget request in 2018, which also included this note: “The PCAST advisory committee has dissolved and [the DOE Office of Science] is not aware of any plans to reform this committee in FY 2018.”

The White House, however, says PCAST isn’t going anywhere, though there’s fear it might just have fewer dollars and staff than in the past. If that ultimately pans out, Dorgelo said it would be severely limiting for the science and tech advisory council, which relied on those funds to bring together academics and industry experts outside of Washington, D.C. “OSTP would find it near impossible to operate the committee ... without the support of DOE funding,” she said.
https://www.recode.net/2017/9/2/1623...ce-tech-vacant





Trump Quietly Nominates Mass Surveillance Advocate To “Protect” Your Privacy Rights
Carey Wedler

Though outrage over mass surveillance swept the United States after Edward Snowden’s revelations in 2013, there is little discussion of these invasive practices just four years later.

This apathy comes despite former President Barack Obama’s move to expand information sharing between agencies just days before Trump took office, and despite the Trump administration signaling its desire to continue widespread surveillance.

Amid this lack of attention toward the NSA, the president recently nominated a staunch advocate of mass surveillance to chair one of the few barriers standing between intrusive government spying and the American people’s privacy. The Privacy and Civil Liberties Oversight Board (PCLOB) was created in 2004 at the recommendation of the 9/11 Commission and was intended “to help the executive branch balance national security priorities with individual rights,” the Intercept reported earlier this year.

“PCLOB is supposed to have five members, no more than three of whom come from the same political party; to employ a full-time chairperson; to have regular access to the 17 intelligence agencies; and to publish unclassified versions of its evaluations of U.S. espionage powers.”

However, as of March of this year, the board was down to just one part-time member, and this lack of personnel rendered it largely impotent.

“But with just one part-time board member left, after another member’s term ended last week, the agency has very few formal powers to police the so-called ‘deep state’ until President Trump nominates a new board,” the Intercept reported, citing emails it obtained regarding the remaining single member.

Though the board had been deteriorating before Trump became president, it may now be further undermined as a result of his recent appointment.

On August 25, the president announced his nomination of Adam I. Klein to chair the PCLOB. According to the White House release discussing this nomination:

“Mr. Klein is the Robert M. Gates Senior Fellow at the Center for a New American Security, where his research centers on the intersection of national security policy and law. He previously served as a law clerk to Justice Antonin Scalia of the U.S. Supreme Court and Judge Brett M. Kavanaugh of the U.S. Court of Appeals for the D.C. Circuit.”

Though the often loathed late Antonin Scalia was considered somewhat of a defender of the Fourth Amendment, Klein fails to offer a strong buffer between intrusive policies and the American people.

Though Klein co-authored an advisory report for the incoming Trump administration advocating a balance between privacy and security, the paper criticized Edward Snowden and lamented the disintegration of trust in government his leaks helped to foster:

“The post-Snowden backlash has impeded law enforcement and intelligence gathering, harmed the U.S. technology industry’s competitiveness in international markets, and created diplomatic friction with important allies. Most importantly, many Americans remain skeptical that their government respects their digital privacy.”

Though the authors go on to highlight the importance of the leaks in bringing the issue of surveillance to the forefront — and continuously pay lip service to “privacy” — the authors’ emerging goal appears to focus on getting Americans to trust surveillance. Though they do advocate some reforms, they stress the importance of spying staples like the controversial Foreign Intelligence Surveillance Act (FISA) courts and affiliated Section 702 surveillance program, which will expire at the end of this year unless Congress reauthorizes it. Section 702 authorizes the broad collection of data, and though it allegedly applies to foreigners, it also sweeps up the data of Americans.

They also highlight reform efforts like the USA Freedom Act, which ultimately did little to scale back the foundational framework of mass surveillance and simply added an extra step to the government’s process of obtaining data. Digital rights group Electronic Frontier Foundation (EFF) ultimately pulled its support for the bill because it believed the reforms offered were insufficient. Another example of reforms they cite is Obama’s Presidential Policy Directive 28, which, according to EFF, offered “no significant change to the actual surveillance the U.S. has been conducting.” Where Klein and his associates claimed PPD-28 marked “a commitment still unequaled by any other country,” EFF argues “the U.S. is ten years behind Europe in requiring their government agencies to protect the privacy of noncitizens when government actions affect them.”

Further, in a defense of Section 702 Klein published in the Wall Street Journal this July, he contended that 9/11 occurred because the government did not have a powerful enough surveillance apparatus. He praised the FBI for foiling terror attacks (conveniently omitting the reality that the FBI has made a habit of entrapping unstable individuals, encouraging them to commit terror attacks, and then claiming credit for foiling said plots).

Klein also uses court decisions to justify his support of warrantless searches:

“Courts have found that this practice comports with the Constitution. In November 2015, the Foreign Intelligence Surveillance Court held that the Fourth Amendment does not require the FBI to get a warrant before conducting routine database checks, which include some 702 data.”

However, both the FISA court and Section 702 have been thoroughly lambasted by privacy experts and advocates. Though some advocates stop short of calling FISA rulings “rubber stamps” despite their near universal approval of warrant requests, some less disputed problems are the court’s total secrecy and the lack of any type of defensive presence during proceedings; they are conducted by a judge and the prosecution.

As for Section 702 of FISA, the ACLU shared its pitfalls in a letter to the House Judiciary Committee in February expressing the organization’s opposition to the policy absent meaningful reforms. The letter read:

“In its current form, Section 702 fails to comply with the government’s obligations under the Constitution and international law — and its sweeping nature results in the collection of information from individuals who pose no threat to national security. Indeed, although the government has not provided comprehensive statistics on the use of Section 702, a Washington Post analysis of over 160,000 intercepted emails likely collected under Section 702 was striking: 90% of individuals swept up in the surveillance were not the intended target, and nearly half of the files examined contained information or details related to a U.S. citizen or resident.”

Klein showed no such concerns. Though he said in his op-ed that Congress was “right to examine the privacy implications of Section 702; powerful tools require powerful constraints,” he refused to disavow the demonstrably invasive policy. He wrote:

“But members concerned about 702 should focus on bolstering the program’s oversight and transparency—by strengthening judicial review and requiring more transparency about how prosecutors use 702 information—rather than creating barriers to information-sharing within the intelligence community.”

Make no mistake; though Klein advocates a balance between national security and privacy — and is likely genuine in his rhetoric — he routinely comes down on the side of government surveillance. Considering Trump’s previous actions and rhetoric, Klein’s appointment is nothing short of predictable. After all, while campaigning for the presidency, Trump made it clear he sided with the unconstitutional widespread practices.
http://theantimedia.org/trump-mass-s...e-privacy/amp/





Here’s the Complete List of Tech CEOs Supporting the Repeal of DACA
Matt Burns

1)
2)
3)

(There are none.)

Meanwhile, here’s how the leaders of tech’s biggest companies have responded to the repeal.

Drop us a comment below if you see any tech leader who supports the repeal of Deferred Action for Childhood Arrivals and we’ll update our list.
https://techcrunch.com/2017/09/05/he...epeal-of-daca/





Lenovo Settles Charges it Sold Laptops with Compromised User Security

Lenovo Inc, a major laptop maker, has agreed to pay $3.5 million and make changes in how it sells laptops in order to settle allegations it sold devices with pre-loaded software that compromised users’ security protections.

The agreement with Connecticut, the Federal Trade Commission and 31 other states was announced on Tuesday.

The software, called VisualDiscovery, was installed on hundreds of thousands of laptops beginning in August 2014 in order to deliver pop-up advertisements. The software also blocked browsers from warning users when they tried to access malicious websites.

The software was also able to access consumers’ sensitive information, like Social Security numbers, the FTC said. That information was not sent to Superfish, which sold VisualDiscovery, the FTC said.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” Acting FTC Chairman Maureen Ohlhausen said in a statement. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

Lenovo said in a statement that it stopped selling the pre-loaded software in early 2015.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” the company said.

“To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications,” the company said in an email statement.

As part of the settlement, Lenovo agreed to get consumers’ consent before installing this type of software, the FTC said.

Reporting by Diane Bartz; Editing by Paul Simao
https://www.reuters.com/article/us-l...-idUSKCN1BG21U





In Emergency Meeting, Virginia Elections Board Votes to Scrap All Touch-Screen Voting Machines
Graham Moomaw

The Virginia State Board of Elections voted Friday to discontinue use of all touch-screen voting machines throughout the state because of potential security vulnerabilities, forcing 22 cities and counties to scramble to find new equipment just weeks before voting begins for the November gubernatorial election.

Behind closed doors at an emergency meeting in Richmond on Friday afternoon, the board heard about specific vulnerabilities identified after a cybersecurity conference this summer in Las Vegas, where hackers showed they could break into voting machines with relative ease.

After the July Defcon conference, Virginia’s Department of Elections asked the state’s IT agency to review the security of touch screens still in use in the state. Details of that review were kept confidential, but they caused the elections board to speed up the end of touch screens, which were already scheduled to be phased out of Virginia elections by 2020.

Most Virginia localities — including the city of Richmond and Henrico, Chesterfield and Hanover counties — have already transitioned to optical-scan systems, in which voters fill out bubbles on a paper ballot that is fed into a scanner.

In a memo on touch-screen machines prepared for the board, the Department of Elections said the Virginia Information Technologies Agency, or VITA, found that “each device analyzed exhibited material risks to the integrity or availability of the election process.”

The password for a touch-screen machine used in Virginia was publicized after the July hacking conference, the memo said, and one report indicated that one vendor with machines in Virginia uses a single password for all machines. The memo also notes that, unlike optical systems, touch screens leave no paper trail that can be used in post-election audits.

Before last year’s presidential election, Virginia officials stressed that all touch-screen machines were secure because they aren’t connected to the Internet. The concerns raised this year, however, do not depend on a network connection: the Defcon demonstrations involved hands-on access to the machines, and the memo cites a publicized machine password and a vendor password shared across all of its units.

Several localities raised misgivings about the move, defending the integrity of their systems and arguing that they’ll now have little time to shop around for the new equipment to fulfill an unfunded mandate.

The cities and counties that still use touch screens are scattered throughout the state. Most are rural localities, including several in far Southwest Virginia, that may not have been able to afford to buy optical-scan machines after state officials made clear that touch screens should be on the way out.

In an interview, Elections Commissioner Edgardo Cortés acknowledged that the short time frame could put localities under the gun. However, 10 of the 22 localities that still use touch screens, either as their primary voting method or for more limited uses, have already begun buying new equipment, Cortés said. That leaves 12 that will have to start from scratch, but Cortés said the rapid swap is “doable” and worth the “hiccups” that may come with new equipment.

“The risk of keeping the old equipment in place is much greater than implementing a new system,” Cortés said.

Officials did not immediately provide a full list of the 12 localities likely to be most strained by the decision. The 13 localities with no plans to buy new equipment as of Thursday night, one of which apparently came up with a plan before Friday’s meeting, contained roughly 190,000 of the state’s 5 million active voters.

Cortés noted that several localities transitioned away from WinVote touch-screen machines after a similar 2015 decertification just 55 days before the June primary election that year. The state is 60 days out from the Nov. 7 election for governor, lieutenant governor and attorney general, as well as all 100 seats in the House of Delegates.

In letters to the board, several local officials acknowledged the heightened sensitivities to possible Russian hacking, but argued an eleventh-hour equipment swap may be an overreaction.

“To decertify this equipment prior to this November’s election would be like screaming ‘fire’ in a crowded movie theatre,” Norfolk election officials wrote in a letter to the state. “We want a smooth and successful gubernatorial election. We do not want to discourage the integrity of our voting process or systems or open the door for litigation.”

The Virginia Association of Counties sent the board a letter saying many localities were concerned about the potential for “unanticipated expenditures” in the middle of their budget years. The organization also passed along a low-tech security solution proposed by Washington County: sealing the machines with “tamper-proof tape” and having sheriff’s deputies escort them to polling places.

Elections board Chairman James Alcorn said he and his colleagues were faced with two options: go through the logistical difficulty of swapping out the machines or plow ahead with equipment that may not be secure.

“Neither one of those are necessarily ideal situations to be in,” Alcorn said.

In an interview before the meeting, board member Clara Belle Wheeler said she was concerned scrapping the machines could “disenfranchise” voters by sowing confusion with little time to educate election workers or voters. But after hearing the security concerns in the closed session, Wheeler announced she would vote to decommission the machines.

“It was enlightening,” Wheeler said.

Though the vote at the hastily arranged board meeting was unanimous, Wheeler said she was concerned with the last-minute nature of the meeting. Board member Singleton McAllister was traveling in California on Friday and had to dial in to the meeting remotely, and Wheeler said she didn’t hear from anyone in state government about the issue until Tuesday.

“This board member can’t function without information,” Wheeler said. “And I didn’t have it on this subject.”

Culpeper County Registrar James Clements, who estimated replacing machines could cost his county up to $250,000, said he has no concerns about his equipment being susceptible to hacking. But Clements said before the meeting that if the board voted to scrap the machines, Culpeper would respond as needed.

“I’ve sworn an oath to do it. So it’s certainly doable,” Clements said. “But is it consistent with the mission of my office? Or even the department’s mission? That’s open to interpretation.”
http://www.richmond.com/news/virgini...12621ec7e.html





Hackers Lie in Wait after Penetrating US and Europe Power Grid Networks

Intrusion into power companies' operational networks is a dramatic escalation.
Dan Goodin

Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday.

The incursions detected by security firm Symantec represent a dramatic escalation by a hacking group dubbed Dragonfly, which has been waging attacks against US and European energy companies since at least 2011. In 2014, Symantec reported that Dragonfly was aggressively establishing beachheads in a limited number of target networks, mainly by stealing the user names and passwords used to restrict access to legitimate personnel. Over the past year, the hacking group has managed to compromise dozens of energy firms and, in a handful of cases, install backdoors in the highly sensitive networks the firms use to supply power to the grid.

"What's most concerning is we now see them intruding on operational networks of energy companies," Eric Chien, technical director of Symantec's security response and technology division, told Ars. "Before, we were talking about them being one step away, and what we see now is that they are potentially in those networks and are zero steps away. There are no more technical hurdles for them to jump over."

The escalation is troubling because operational networks—sometimes called electronic security perimeters in the energy industry—can often wield significant influence over the stability of the electric grid they're responsible for. In the Northeast Blackout of 2003, a contributing cause was the failure of a system in an operational network that tracked the health of the grid in real time. When a separate fault occurred, the grid supplying electricity to 55 million people shut down.

At a minimum, attackers who have control of a company's operational network could use it to become de facto operators of the company's energy assets. That control includes the ability to turn on or off breakers inside the companies' infrastructure and hijack systems that monitor the health of the grid. That's an unsettling scenario, but there's a more troubling one still: the attackers might also be able to use their control of multiple grid-connected operational networks to create the kinds of failures that led to the Northeast Blackout of 2003. Chien said Symantec has recently issued private warnings to more than 100 energy companies and organizations, including the North American Electricity Reliability Corporation and the US Department of Homeland Security. On Wednesday, it was expected to publish a public warning here.

The Symantec report stressed that simply removing malware from infected networks wasn't enough to counter the threat because in many cases the attackers have the credentials and other data needed to regain control. Wednesday's report provides a variety of indicators energy companies can use to tell if their networks have been compromised by Dragonfly. It also lists several best practices for avoiding future compromises, including the use of long, randomly generated passwords that can't be guessed when attackers get ahold of the corresponding cryptographic hash.

Wouldn't be the first time

If Symantec's worst fears were to materialize, it wouldn't be unprecedented. In December 2015, a hack attack on a power distribution center just outside Kiev, the capital of Ukraine, caused about 225,000 people to lose power for as long as six hours. It was the world's first known instance of someone using hacking to generate a real-world power outage. Almost to the day one year later, a hack attack on a Ukrainian power transmission facility caused a smaller number of Kiev residents to lose power for about an hour. Researchers have attributed the attacks to a hacking group dubbed Sandworm.

In the 2015 attack, Sandworm used a revamped version of a tool known as BlackEnergy to break into the corporate network of the targeted power companies and from there to collect passwords and other data that would allow the hackers to penetrate the supervisory control and data acquisition systems the companies used to generate and transmit electricity. Sandworm then used the access to open circuit breakers that cut power. In 2016, Sandworm was back with a new piece of malware dubbed Crash Override by some researchers and Industroyer by others. The custom malware was designed specifically to attack electric grid systems by using the same arcane technical protocols that individual systems rely on to communicate with one another.

Dragonfly, by contrast, uses a completely different set of tools, leading Chien to believe the two groups are completely separate. Both the earlier Dragonfly campaigns in 2013 and 2014 and the group's more recent attacks relied solely on backdoors and remote access trojans. From there, the attackers might use their access to operational networks to manually control the breakers in much the way Sandworm did in the 2015 attack. It's also possible Dragonfly might deploy an as-yet unseen piece of malware that automates malicious functions similarly to how Crash Override did.

Dragonfly uses a combination of tactics to infect targets. One tactic involved using the publicly available Phishery toolkit to send targets a Microsoft Word document that was programmed to download a template from a predetermined server controlled by the attackers. When the document fetched the template, the server would query the downloading computer for the SMB credentials that many corporate networks use to restrict access to verified users. In many cases, the downloading computer would respond, handing the attackers the user name and a hash derived from the user's password for the targeted network, which can then be cracked offline; this is why the report's advice on long, random passwords matters. Researchers with Cisco Systems described the so-called template injection attack in July.
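As an added example (not code from the Symantec or Cisco reports, and not Dragonfly's or Phishery's own tooling), here is a Python check for the carrier described above: a .docx is a ZIP package, and a document that fetches a remote template declares it as an attachedTemplate relationship in word/_rels/settings.xml.rels. The script scans those relationship parts, flags targets that would leave the machine (http/https, UNC paths, file:// with a host), and deliberately leaves the common local Normal.dotm reference alone. The sample documents are constructed in memory and every host name in them is made up.

```python
"""
Added example: detect Word template injection by inspecting a .docx for an
attachedTemplate relationship whose target is remote. Not part of the
original article; sample documents and host names are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote(target):
    """True if fetching `target` would leave the machine (and so could trigger
    an HTTP/SMB authentication exchange with an attacker-controlled server)."""
    if target.startswith("\\\\"):                 # UNC path: \\server\share\x.dotm
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https"):
        return True
    if scheme == "file":                           # file://server/share is remote,
        return parsed.netloc.lower() not in ("", "localhost")  # file:///C:/... is not
    return False


def external_templates(docx_bytes):
    """Return [(rels_part, target), ...] for every attachedTemplate
    relationship in the document that points at a remote location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Relationship parts live under word/_rels/; settings.xml.rels is
            # the usual carrier, but scan all of them.
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and is_remote(target):
                    hits.append((name, target))
    return hits


def build_docx(template_target=None):
    """Build a minimal .docx in memory (constructed sample). With
    template_target=None the document declares no attached template."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % PKG_NS]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")

    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    settings = ('<w:settings xmlns:w="%s" xmlns:r="%s">' % (w_ns, r_ns)
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else '')
                + '</w:settings>')
    document = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Invoice attached.'
                '</w:t></w:r></w:p></w:body></w:document>' % w_ns)
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Default Extension="xml" ContentType="application/xml"/></Types>')

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain document, one attached to the user's local
    # Normal.dotm, and two phishing-style documents with remote templates.
    samples = {
        "benign": build_docx(),
        "local-normal": build_docx("file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        "http-template": build_docx("http://template.example.invalid/t.dotx"),
        "unc-template": build_docx("\\\\fileserver.example.invalid\\share\\t.dotm"),
    }
    for label, blob in samples.items():
        print(label, external_templates(blob) or "clean")
```

The check keys on the relationship's TargetMode and the target's scheme rather than on any particular toolkit, so it also catches hand-built documents. A clean result only means this carrier is absent; the same credential leak can be provoked by other remote references in Office files, and a gateway that strips or rewrites remote template relationships is the more robust control.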

Another Dragonfly infection technique relied on so-called watering hole attacks, in which attackers infected websites known to be frequented by energy company personnel. Dragonfly members would then infect targets when they visited the booby-trapped sites. Yet another tactic was the use of fake Adobe Flash updates that installed backdoors.

Little is known for sure about the people who make up Dragonfly. Text strings embedded in some of their code contain both Russian and French words, an indicator that one or both of those may be false flags intended to deceive investigators. Timestamps found in the malware used in the earlier Dragonfly campaigns suggested the group mostly worked Monday through Friday between what would be the hours of 9 am to 6 pm in Eastern Europe. Timestamps in the malware used in the latest campaign suggested roughly the same hours and region, but the data is far too limited to draw any conclusions. The use of publicly available malware and administrative tools such as PowerShell, PsExec, and Bitsadmin also makes attribution difficult.

"What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems," Symantec researchers wrote in Wednesday's report. "What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so."
https://arstechnica.com/information-...grid-networks/





A Powerful Solar Storm is Headed Toward Us, Bringing Hazards and Rare Light Shows
SM

The Space Weather Prediction Center has upgraded a geomagnetic storm watch for September 6 and 7 to a level only occasionally seen, but scientists say it’s nothing to be too alarmed about.

They do recommend looking for an unusual display of the aurora—the northern lights caused by a disturbance of the magnetosphere—in areas of the U.S. not used to seeing them.

“The big takeaway from this level of storming would be just increased chance of seeing the aurora, really in the upper tier of the United States,” says Robert Rutledge, lead of operations at the center, which is part of the National Oceanic and Atmospheric Administration. (Here’s an animation of the CME from NASA’s Solar Dynamics Observatory.)

The storm could pose an “elevated radiation risk to passengers & crew in high-flying aircraft at far north or south latitudes,” a NOAA warning says, and intermittently impact high-frequency RF communications, which may require some transpolar flight routes to divert to lower geomagnetic latitudes (a shift that would cost the airlines more). But currently, says Rutledge, the storm isn’t expected to interfere with flights or any other human activity here on earth or in space. There’s a slim chance of isolated interference with high-precision GPS readings, but those issues usually only arise with stronger storms, he says.

The so-called G3 level storm is the result of what’s called a coronal mass ejection, where magnetic interactions on the sun launch part of its outer atmosphere of superheated plasma into space. When that burst of radiation gets near earth–barreling toward us at a million miles per hour, it takes about two days to make the journey–its magnetic field interacts with Earth’s, Rutledge says.

“The geomagnetic storm is a result of that process,” he says. “That’s what causes the auroras, where it’s dumping energy into the atmosphere.”
A warning from NOAA’s spaceweather.gov. Image: NOAA

The sun’s magnetic activity operates on a roughly 11-year cycle, and activity of this intensity takes place for about 100 total days of that cycle. But we’re currently experiencing the downside of a not particularly strong solar activity cycle, so storms like this are not frequent. A similar magnitude storm was last seen in May, Rutledge says.

A CME is on its way to Earth. Impact expected tomorrow afternoon (UTC time) – Moderate G2 storming is likely

More: https://t.co/LVNAs1pfhU pic.twitter.com/qngltBU2s5

— SpaceWeatherLive (@_SpaceWeather_) September 5, 2017

Northern U.S. and Canadian residents hoping to catch a glimpse of the aurora will get their best shot on Wednesday night and early Thursday, and the Space Weather Prediction Center posts 30-minute forecasts of the colorful sky phenomenon’s intensity.

“It’s a mid-range event, but if it’s a chance to see the aurora in the northern tier of the lower 48, we’ll certainly take it,” Rutledge says.

Meanwhile, his agency’s National Hurricane Center is preparing for a far more dangerous storm: this week Irma is expected to bring catastrophic winds and potential storm surges to the U.S. Virgin Islands, Puerto Rico, Dominican Republic, the Florida Keys, and the UK territory of Turks and Caicos.
https://www.fastcompany.com/40463031...cations-aurora





Wind Energy Is One of the Cheapest Sources of Electricity, and It's Getting Cheaper

A comprehensive survey of the wind industry shows wind energy is routinely purchased in bulk for just two cents per kilowatt-hour—and turbines are only getting cheaper, bigger, and better
Robert Fares

Earlier this month, the U.S. Department of Energy (DOE) released the latest iteration of its annual Wind Technologies Market Report, which pulls together a wealth of data to track trends in the cost, performance, and growth of wind energy.

The report found that U.S. wind energy will continue to be one of the lowest cost electricity generation technologies available, with the long-term wind electricity price available through a power purchase agreement coming in at about half the expected cost of just running a natural gas power plant.

Furthermore, stiff competition from both natural gas and solar energy is poised to push the wind industry to achieve even lower prices and higher performance through the development of bigger turbines tailored to maximize their output even in regions with less than optimal wind speeds.

This post will review a few of the major U.S. wind energy trends tracked in the DOE report. For a full rundown, I suggest you check out the full report and associated slide deck.

Wind Energy Is One of the Cheapest Sources of Electricity in the United States

While the all-in price of wind energy directly depends on the wind speeds at a particular site, examining national trends in the installed cost of wind energy definitively shows that wind energy has become an extremely inexpensive source of electricity.

The average U.S. consumer pays about 12 cents per kilowatt-hour for electricity. That price includes the cost of generating power, the wires that deliver it from generators to our homes, and the cost of running the utility business. The actual cost of electricity generation alone is something like 2 to 4 cents per kilowatt-hour — that’s the price that wind energy has to compete with to be successful.

Based on data compiled in the Wind Technologies Market Report, wind energy consistently comes in at or below the going market rate for electricity. Wind energy is often purchased in large blocks through a long-term contract called a power purchase agreement (PPA). The figure below shows the historic price of wind energy PPA contracts since 1996. The diameter of each circle is the size of the wind farm built in megawatts, and the height of the circle on the y-axis is the contract price in dollars per megawatt-hour (or dollars per 1000 kilowatt-hours).

In recent years, an enormous amount of wind energy has been procured at or below a price of 20 dollars per megawatt-hour — or just 2 cents per kilowatt-hour. That is competitive with typical wholesale electricity market prices by any measure.

But it’s important to note that the price of wind energy offered through a PPA is an all-in price that includes the effect of subsidies such as the federal wind production tax credit, which provides a tax subsidy of 18 to 23 dollars per megawatt hour of energy produced. When you exclude the production tax credit and look at the levelized cost of energy (LCOE) from interior wind, it still comes in at an extremely competitive cost of less than 50 dollars per megawatt-hour (5 cents per kilowatt-hour). For comparison, the Energy Information Administration estimates a best-in-class combined cycle natural gas power plant has an LCOE of about 54 dollars per megawatt-hour (5.4 cents per kilowatt-hour). So even when you account for the effect of the federal wind production tax credit, wind energy remains an extremely competitive generating resource.

Competition Is Driving Wind to Be Cheaper, Bigger, and Better

One of the benefits of wind energy becoming fully competitive with conventional fossil-fuel electricity generation is that it places significant pressure on the wind industry to continually improve the cost and performance of their wind turbines to stay one step ahead of the competition.

Industry data show that wind turbines deployed in 2016 had larger diameter rotors, which allow them to capture more wind overall, and higher hub heights, which allow them to capture the steadier winds available at higher altitudes. The average rotor diameter in 2016 was 108 meters, a 13 percent increase over the previous 5-year average, while the average hub height in 2016 was 83 meters, up 1 percent over the previous 5-year average. As a result, the average generating capacity of newly installed wind turbines in the United States in 2016 was 2.15 megawatts, up 11 percent from the average over the previous 5 years.

What About Integration Costs Associated with Wind Variability?

At this point you might be asking, what about all the costs associated with wind variability? Don’t we need storage to manage fluctuations in wind energy output? Unfortunately, there are no short answers to what the costs of integrating a variable source of electricity like wind are. The answer is a definitive “it depends.”

One thing we can do is look at how the amount of wind forcibly turned down, or curtailed, by grid operators has changed as the amount of wind energy on the grid has increased. The figure below shows both wind penetration rates and wind curtailment rates between 2008 and 2016 for seven U.S. independent system operators (ISOs).

When you look at the total change in wind penetration and wind curtailment across all seven ISOs, curtailment has actually decreased even though wind penetration has significantly increased. This doesn’t mean that the costs of integrating wind are not significant. In fact, a big reason curtailment has decreased since its peak in 2009 is that regions have been investing in large-scale transmission lines to pipe wind power from the plains to the cities, and to better balance wind power output with demand. In the Electric Reliability Council of Texas (ERCOT) region, for example, utilities invested $7 billion in transmission lines linking windy West Texas to the eastern and central cities, significantly reducing curtailment. Like all investments in transmission lines, those costs were spread throughout the entire customer base, so they are not reflected in the cost of wind energy shown in the charts above. But when you spread a billion-dollar investment across millions of customers, the cost incurred per customer is relatively modest.

As the exceptionally low price of U.S. wind energy drives further wind farm installations, it will be interesting to see how U.S. grid operators manage the challenge of integrating wind energy with the rest of the grid. So far, at least, they’ve been successful. But policymakers and regulators should be cognizant of the need for new transmission capacity and other grid upgrades to integrate wind as more turbines are installed in more places. Identifying the lowest cost investments to integrate the most renewable energy is not a simple task — but it will become increasingly vital as renewables throw off the "alternative energy" label and become a major contributor to the U.S. electricity supply.
https://blogs.scientificamerican.com...tting-cheaper/
Until next week,

- js.
Current Week In Review
Recent WiRs -

September 2nd, August 26th, August 19th, August 12th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
__________________
Thanks For Sharing
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© www.p2p-zone.com - Napsterites - 2000 - 2024 (Contact grm1@iinet.net.au for all admin enquiries)