Posted 20-05-15, 07:33 AM, #1, by JackSpratts (Join Date: May 2001; Location: New England; Posts: 10,013)

Peer-To-Peer News - The Week In Review - May 23rd, '15

Since 2002
"I walked out of Zero Dark Thirty, candidly… I got into it [for] about 15-20 minutes [and then] I left. I couldn’t handle it, because it’s so false." – Senator Dianne Feinstein, D-CA - Select Committee on Intelligence


"I’m still in the music business. I love it. It’s like the mob: Once you’re in, you can’t get out." – Bruce Lundvall


"We're proud of the fact we took these guys on and while rights holders may claim a win on paper, we certainly achieved a result that will dent, if not break, the 'business model' of aggressive rights holders trying to bully the average consumer based on limited evidence of infringement." – iiNet
May 23rd, 2015




You Can Now Use 'Netflix for Torrents' Popcorn Time in Your Browser
Jamie Condliffe

It’s over a year since Popcorn Time burst on to the scene, allowing you to stream torrents rather than download them. It’s had its ups and downs—but now you can use it in your browser.

The new website, at PopcornInYourBrowser.net, provides much the same service as Popcorn Time always has, just now in your browser. As we’ve explained in the past, Popcorn Time has had a rough ride:

The original, open source PopcornTime project has gone through a lot of ups and downs over the last year. That first project, which allows you to stream torrents from a Netflix-like interface, shut down voluntarily under legal pressure almost immediately after launching. Development of the software was carried on by a number of different groups, most notably the anonymous coders who have a new closed-source version and now call Popcorn-Time.se home. Their original domain at Time4popcorn.eu was seized last fall.

How long this version will work remains to be seen. Better use it while you can, if illegal piracy’s your bag. Or you could just watch legal torrents. Up to you.
http://gizmodo.com/you-can-now-use-n...-yo-1705451118





Google Tone Broadcasts URLs to Any Device Within Earshot
Tim Hornyak

A new Chrome extension can instantly share URLs among nearby devices, using sound to broadcast the information to microphones.

Google Tone is an experimental feature that could be used to easily share browser pages, search results, videos and other pages among devices in an office, classroom or family setting, according to Google Research.

While it can’t pass through walls or travel beyond earshot, the system is designed to make sharing browser URLs as easy as talking to people nearby.

“The initial prototype used an efficient audio transmission scheme that sounded terrible, so we played it beyond the range of human hearing,” researcher Alex Kauffmann and software engineer Boris Smus wrote in a post on the Google Research blog.

While microphones on laptops and video conferencing devices are optimized for the human voice, the extension incorporates a codec based on dual-tone multi-frequency signaling (DTMF), a system that has long been used in conventional telephony.

Tone works at low volumes and can be used over Hangouts, but it can be affected by speaker volume and microphone sensitivity.

When the extension is installed, an icon of a megaphone appears at the top right in Chrome. With the device’s volume on, sharing a URL is done by clicking the icon.

Users have to be logged into their Google account, and their profile names and photos are displayed alongside the URL in incoming Tone notifications.
http://www.itworld.com/article/29245...n-earshot.html





Coup d'eTorrent: Scammers Hijack a Major File-Sharing Site
Kate Knibbs

RIP, EZTV: One of the largest TV pirating rings is dead. Torrent sites like Kickass and Pirate Bay have also added a warning to EZTV’s files reading: THIS DOMAIN HAS BEEN TAKEN OVER BY SCAMMERS. STAY AWAY.

After EZTV had its IP address suspended, it was purchased by scammers. NovaKing was told he needed a court order to get control of his domain, which may be tricky to do considering the less-than-legal nature of EZTV’s file-sharing.

These still-unknown scammers were able to lock EZTV ringleader “NovaKing” out of his accounts and are continuing to run the non-profit pirating ring as though no fishy coup d’etorrent had gone down.

Since EZTV had such a sterling reputation in the torrenting community, there’s plenty of suspicion that this hostile takeover is a way to distribute malware, or a precursor to a good ol’ fashioned MPAA honeydick situation. Even if it’s neither of those things, it’s smartest to avoid downloading from a group that has been publicly hijacked for unknown purposes.
http://gizmodo.com/coup-detorrent-sc...-si-1705474925





Swedish Government Wins Legal Case to Seize Pirate Bay Domains

It gets knocked down, but it gets up again
Iain Thomson

The Swedish government has won its case to seize piratebay.se and thepiratebay.se, but the site is already back up under another domain with a new logo to show it isn't beaten.

The new round of whack-a-mole flared up on Tuesday when The Stockholm District Court ruled in a case brought by government prosecutors against Swedish domain registrar Punkt SE. The Court determined that the domains were the property of Pirate Bay founder Fredrik Neij and could be seized as he is a convicted felon.

"The District Court's conclusion is that the domain names are property that can be forfeited," the ruling reads, Torrentfreak reports.

"Fredrik Neij has participated in the [copyright infringement] crimes that have been identified and he is the actual holder of the domain names. It is therefore no obstacle to confiscate domain names from him. The prosecutor's primary claim with respect to Fredrik Neij should be upheld and domain names should be confiscated from him in accordance with the Copyright Act."

The court also ruled that Punkt SE was not responsible for the activities of the Pirate Bay and couldn't be held liable. It awarded the registrar US$42,877 (SEK 332,000) for costs incurred through the litigation.

"We have received the verdict and are of course glad that the court chose to decide according to our view," said .SE public relations manager Elisabeth Nilsson. “We think it is good that this issue has been examined. Now we need some time to read through the verdict and do a thorough analysis before we can make any further comments.”

While the Swedish government is claiming a victory, it's a Pyrrhic one at best, considering the payout to the defense and the result. The Pirate Bay was down for dozens of minutes before springing up again on new domains.

The new site also has a new logo with a not so subtle gesture of rebuke to its opponents. The familiar ship is there, but it's now wreathed with a Lernaean hydra, the mythical beast that grows two extra heads when one is cut off, signifying that it'll take more than court orders to shut the website down.
http://www.theregister.co.uk/2015/05...bay_domains/





Canadian Piracy Rates Plummet as Industry Points to Effectiveness of Copyright Notice-and-Notice System
Michael Geist

Canada’s copyright notice-and-notice system took effect earlier this year, leading to thousands of notifications being forwarded by Internet providers to their subscribers. Groups such as the Canadian Recording Industry Association argued during the legislative process that notice-and-notice would “pose a long-term problem”, yet the evidence suggested that the system could be effective in decreasing online infringement. Since its launch, there have been serious concerns about the use of notices to demand settlements and to shift the costs of enforcement to consumers and Internet providers. With Industry Canada officials emphasizing that “there is no obligation for Canadians to pay settlement demands,” it is clear that there is still a need for the missing regulations, including a prohibition on the inclusion of settlement demands within the notices.

While the problems with notice-and-notice must be addressed, the leading notice sender says that they are proving to be extremely effective in reducing piracy rates. In fact, the system has proven so successful that a consortium of movie companies now want the U.S. to emulate the Canadian approach. According to CEG TEK, there have been “massive changes in the Canadian market” under notice-and-notice. They claim that piracy rates have dropped by the following rates in Canada:

• Bell Canada – 69.6% decrease
• Telus Communications – 54.0% decrease
• Shaw Communications – 52.1% decrease
• TekSavvy Solutions – 38.3% decrease
• Rogers Cable – 14.9% decrease

Some of the decrease may be attributable to the inclusion of settlement demands, but the evidence has long suggested that the notices alone have an education effect that leads to a significant reduction in infringement. Within a matter of months, that has apparently been the case in Canada. Given the plummeting Canadian piracy rates, U.S. film companies that once derided the Canadian system now argue that U.S. ISPs should adopt it.
http://www.michaelgeist.ca/2015/05/c...notice-system/





Dallas Buyers Club to Sue Other ISP Customers, Takes Action in Singapore
Alex Zaharov-Reutt

ISPs want the owners of the Dallas Buyers Club movie to pay $108,000 but Justice Nye claims it’s a bit much, while DBC’s owners target other ISPs.

The Dallas Buyers Club saga continues, with several websites reporting the news that ISPs are asking for $108,000 from DBC’s owners to gather the data on the 4700+ IP addresses and the account holders these relate to.

Justice Nye Perram, the Federal Court judge presiding over the case expressed his thoughts that the task could be automated and that the amount requested seemed excessive.

And while iiNet suggested in its blog post that downloaders could be hit with a $10 fee, the question remains of what uploaders of the movie - which is virtually everyone who used BitTorrent to download the movie, as uploading is part of the BitTorrent equation - could be asked to pay in as-yet undetermined higher fees.

Mashable also pointed out that DBC intends asking other Australian ISPs for the details of alleged downloaders and uploaders as identified by IP addresses, with some of the ISPs contacted stating they would abide by the law and court orders.

CNET and SMH have additional details, while iTWire wrote earlier this week on iiNet’s plan to potentially offer free legal advice to those who receive DBC letters.

Meanwhile, Singapore’s Straits Times newspaper reports that Voltage Pictures is asking Singaporean ISPs for the details of IP address owners who it claims have downloaded the DBC movie.

Finally, Voltage Pictures, the company behind DBC, is itself the subject of copyright infringement claims via Toho, the license holder for Godzilla.

The Hollywood Reporter says the claims concern Voltage’s new movie Colossal, which sees a character played by Anne Hathaway somehow mentally connected to a giant lizard creature invading Tokyo. Who knew the world needed yet another giant lizard movie. Perhaps Anne Hathaway is secretly one of the lizard people?

In any case, you'd be forgiven for asking: who watches the pirate watchers who themselves may well be doing a bit of alleged intellectual property theft of their own?
http://www.itwire.com/your-it-news/e...n-in-singapore





iiNet Offers Pro-Bono Legal Advice to Dallas Buyers Club Pirates

After fighting Dallas Buyers Club in court over the alleged piracy of its customers, iiNet says it will offer free legal services to those individually targeted through legal action.
Claire Reilly

iiNet will offer free legal advice to customers targeted by Dallas Buyers Club over piracy claims, with the internet service provider saying it "couldn't sit by and have our customers potentially bullied by the process of speculative invoicing."

In a blog post published on the company's website, iiNet Financial Controller Ben Jenkins said a recent Federal Court decision would require the telco to hand over the names and physical addresses of customers alleged to have torrented and infringed copyright on the Oscar-winning film "Dallas Buyers Club."

While conceding this "isn't the best case scenario," iiNet reminded customers that a letter from the film's rights holders, Dallas Buyers Club and Voltage Pictures, wasn't necessarily the end of the road.

"It is important to remember that the Court's findings in this case do not mean that DBC and Voltage's allegations of copyright infringement have been proven," Jenkins wrote. "Any such letter is still only an allegation until an infringement is proven or admitted."

The ISP says it will inform customers if their details are passed on to Dallas Buyers Club and Voltage and this will occur at the same time that those details are handed over. As for what happens next, iiNet is getting on the front foot to assist its customers.

"If you do receive a letter you may want to get legal advice," the blog post read. "iiNet is working with a law firm that has offered to provide pro-bono services for any of our customers. More details will be provided when agreement is reached on that front."

iiNet said damages could come down to as little as AU$10 or "less than a parking ticket" for single instances of infringement -- essentially equivalent "to the fee that would have been paid had the film been lawfully downloaded."

With Dallas Buyers Club going after pirates who torrented the film between April 2 and May 27, 2014, it may be too late for some internet users (iiNet even goes as far as saying that changing ISPs "will not make a difference" in terms of the legal wheels that are in motion). However, the ISP insists that the Dallas Buyers Club court case has seen some positive outcomes.

"Although there are any number of rights holders who can take action like this, given the process and outcome in this case we're hopeful that the strict conditions will reduce the likelihood of similar applications being made in the future," the company said.

"We're proud of the fact we took these guys on and while rights holders may claim a win on paper, we certainly achieved a result that will dent, if not break, the 'business model' of aggressive rights holders trying to bully the average consumer based on limited evidence of infringement."
http://www.cnet.com/au/news/iinet-of...-club-pirates/





U.S. Appeals Court Reverses Part of Apple's $930 Million Verdict vs Samsung
Andrew Chung

A U.S. appeals court on Monday reversed part of a $930 million verdict that Apple Inc (AAPL.O) won in 2012 against Samsung Electronics Co Ltd (005930.KS), saying the iPhone maker's trademark-related appearance could not be protected.

In a highly anticipated ruling stemming from the global smartphone wars, the U.S. Court of Appeals for the Federal Circuit in Washington, D.C., upheld the patent infringement violations found by a federal jury in a court in San Jose, California, as well as the damages awarded for those violations.

Out of the $930 million judgment against Samsung, the appeals court ordered the court in San Jose to reconsider the $382 million portion awarded for trade dress dilution.

Trade dress is a legal term for a trademark on the way a product is packaged or presented. As part of its case, Apple had accused Samsung of diluting its brand and connection with customers by copying the look of its phones.

The appeals court said the features Apple sought to trademark were not eligible for this kind of legal protection because they relate to the functioning of the phone. To grant such protection would give Apple a monopoly on these features forever, the court said.

The 2012 trial was widely watched between the two smartphone titans. The jury found Samsung violated several Apple patents, including those related to iPhone's design and appearance.

Apple was eventually awarded $930 million in damages, but failed in 2013 to convince U.S. District Judge Lucy Koh to ban the sale of the infringing Samsung phones, which are now no longer on the market.

Some observers viewed the litigation as Apple's attempt to curtail the rapid rise of phones using Google Inc's rival Android operating software. Samsung and Apple have since dropped their legal battles, except for another case pending in the same appeals court involving a $120 million verdict in 2014 for Apple on separate smartphone patents.

Samsung said in its appeal that the damages award was excessive and unprecedented. The company argued it should not be forced to pay such a high price for making a "rectangular, round-cornered, flat-screened, touch-screened phone," calling those features "basic."

Apple countered that Samsung was trying to downplay its "shameless copying" of the iPhone design to increase its market share.

Neither company could immediately be reached for comment on Monday's decision.

The case is Apple Inc v Samsung Electronics Co, Ltd, in the U.S. Court of Appeals for the Federal Circuit, No. 14-1335.

(Editing by Jeffrey Benkoe, W Simon and Christian Plumb)
http://www.reuters.com/article/2015/...0O31E020150518





This was Sony Music's Contract with Spotify

The details the major labels don’t want you to see
Micah Singleton

Over the last year the music industry has been in flux as artists, labels, and streaming services jockey over the best way to build the future of their business. Taylor Swift pulled her catalog from Spotify; Tidal launched a new platform owned by artists, not record companies; and Apple is preparing to muscle in on the market with its own offering. The one thing missing from much of this discussion has been the details on how deals get done between these groups, but that is no longer the case.

The Verge has obtained a contract between Sony Music Entertainment and Spotify giving the streaming service a license to utilize Sony Music’s catalog. The 42-page contract was signed in January 2011, a few months before Spotify launched in the US. Written by Sony Music, the two-year deal — with an optional third year that Sony Music could pick up — reveals how much Spotify must pay in yearly advances to Sony, the subscriber goals that Spotify must hit, and how streaming rates are calculated.

More interestingly, the contract details how Sony Music uses a Most Favored Nation clause to keep its yearly advances from falling behind those of other music labels, how Spotify can keep up to 15 percent of revenues "off the top" from ad sales made by third parties, and the complex formula that determines how much labels get paid per stream.

This contract — like every other contract involving a music label and a streaming service — has been secret until now. Given the myriad ways Sony Music came out as the winner, it’s worth asking who really should shoulder the blame for the lackluster streaming payments that artists like Swift have been complaining about — the labels or the streaming service?

Spotify paid Sony Music up to $42.5 million in advances

In section 4(a), Spotify agrees to pay a $25 million advance for the two years of the contract: $9 million the first year and $16 million the second, with a $17.5 million advance for the optional third year to Sony Music. The contract stipulates that the advance must be paid in installments every three months, but Spotify can recoup this money if it earns over that amount in the corresponding contract year.

But what the contract doesn’t stipulate is what Sony Music can and will do with the advance money. Does it go into a pot to be divided between Sony Music’s artists, or does the label keep it to itself? According to a music industry source, labels routinely keep advances for themselves.

"I’ve worked at the major labels, and I’ve worked at the indies, so I’ve seen both sides of the business," says Rich Bengloff, president of the American Association of Independent Music. "A lot of the time, money that is paid outside of the direct usage doesn’t end up getting shared."

Sony’s Most Favored Nation clause keeps those advances rising

Sony Music’s Most Favored Nation clause is the most intriguing piece of its contract with Spotify. Section 13 essentially makes every major aspect of the contract amendable if any other label has a better deal or interpretation of that aspect than Sony Music. Section 13(2) lists the provisions which can be amended in Sony Music’s contract if a better deal is obtained by another music label, including what constitutes an "active user," the definition of gross revenue, and any improved security provisions. Sony Music can call on an independent auditor once a year to determine whether Spotify has struck a more agreeable deal with any other labels.

Having an MFN clause in a contract is standard for music licensing contracts, according to multiple sources. MFNs have garnered scrutiny in the past, and as part of its merger with EMI in 2012, Universal Music Group had to stop using the clauses in Europe for 10 years. But they remain legal in the US.

Where the MFN clause truly comes in handy for Sony Music is when it’s used in conjunction with section 5, the "annual true-up of advances" clause. This clause makes sure Sony Music’s yearly advances from Spotify are on par with the best deal negotiated by any other label based on the percentage of market share. That means if another music label is getting paid $1 million by Spotify for each percentage of market share it has, and Sony Music is getting $600,000 per market share percentage, Spotify must pay Sony Music the $400,000 difference — known as the adjusted contract period advance — at the end of each contract year.

Spotify can keep up to 15 percent "off the top" from select ad sales revenue

One of the murkiest clauses in the contract is hidden under the contractual definition of gross revenues in section 1(vi)(bb). The clause states that gross revenue includes "actual out-of-pocket costs paid to unaffiliated third parties for ad sales commissions (subject to a maximum overall deduction of 15 percent "off the top" of such advertising revenues)." In English, that means that Spotify can keep up to 15 percent of all advertising revenues generated by the ad sales that are handled by third parties hired by the streaming service.

How much money that amounts to depends on a number of factors, including what percentage of Spotify’s ads are sold by third parties, and if it chooses to keep the full 15 percent to itself. Spotify may also use these funds to recoup the commissions it has to pay to the third-party companies it uses to sell its ads.

But regardless of the amount, it’s money that is not accounted for in Spotify’s gross revenue total, which is split 70/30, with 70 percent going to the labels and publishers and 30 percent to Spotify. Spotify pulled in €98.8 million ($110M) in advertising revenue in 2014. The company has gone to great pains to map out for the public exactly what it pays, in part as a public relations move to try and counter criticisms about what it pays artists. But in that detailed explanation, it never mentions this 15 percent.

Sony Music was given up to $9 million in ad spots on Spotify which it could sell for profit

In addition to the advance Spotify must pay Sony Music, it is also required to give the music label free ad space on its service. The "credit for advertising inventory" clause mentioned in section 14(a) grants Sony Music a total of $9 million in ad space ($2.5 million in the first year, and $3 million and $3.5 million in the subsequent years). And the free ads don’t come at market rates either — they must be given to Sony Music at a heavily discounted rate.

While it's possible Sony Music could use that ad space to promote its own artists, section 14(e) gives the label "the right to resell the credited inventory at prices determined by the label in [the] label’s sole discretion." Section 14(a) also requires Spotify to make an additional $15 million of ads at a discounted rate available for purchase by Sony Music. Sony Music could in effect sell the free ads it has been given for millions, and turn around to buy more ads at a reduced price. But that’s not all — in section 14(p), the contract states Spotify must offer a portion of its available unsold ad inventory to Sony Music for free to allow the label to promote its own artists.

How does Sony Music make money from Spotify?

Of course, the biggest question is how much Sony Music gets paid per stream, and well, it’s complicated. Section 10 shows how Sony Music separated its label fees into three distinct tiers — the ad-supported free tier, online day passes (which no longer exist), and Spotify’s premium service. In each of those segments, Sony Music can pull in a revenue share fee that is equal to 60 percent of Spotify’s monthly gross revenue multiplied by Sony Music’s percentage of overall streams. (So if Spotify earned $100 million in gross revenue, the labels would get $60 million. If Sony Music made up 20 percent of the streams, it would take home $12 million.)

But there is another far more complex formula that can earn Sony Music even more money from Spotify. The contract has what’s known as the usage-based minimum and per subscriber minimum, covering the free and paid tiers, respectively. If the royalties from usage in any particular month are greater than what is paid out by the revenue share, Sony Music gets that amount instead.

Under the usage-based minimum for the free tier, section 10(a)(1)(ii) stipulates Spotify must pay $0.00225 per stream, thanks to a discount that lasts for the length of the contract. If Spotify somehow missed its growth targets in the preceding month, that number could jump to $0.0025 per stream. These rates only come into play if the usage-based minimum exceeds the revenue sharing model.

The premium tier’s per subscriber minimum takes Sony Music’s label usage percentage and multiplies it by the number of premium subscribers on Spotify, multiplied by $6.00. Once again, this model is used only if the total payout exceeds the revenue share.

While the amount Spotify doles out is often discussed in terms of payment per stream, the contract shows just how complex and variable that payment can be. It’s likely that some months the usage or per subscriber minimum could generate a bigger payout for Sony Music than the revenue share does, especially with a popular new release.

Spotify has argued that while "it is possible to reverse engineer an effective ‘per stream’ average by dividing one’s royalties by the number of plays that generated them... this is not how we measure our payouts internally nor is it a reliable yardstick for Spotify’s value to artists." This contract shows why.

How much do artists get paid?

Even with this contract, it’s still difficult to tell how much artists are getting paid by Spotify.

Sony Music is likely getting considerable payouts from Spotify each year, but what it does when it gets that money — and how much of those payments actually make it down to the artists — is still unknown. Some artists have clauses in their contracts to get a larger share of the streaming revenue, and some artists are still operating under CD-era contracts that only give them 15–20 percent of their streaming revenues.

Spotify has been renegotiating its licensing contract with some music labels, according to sources, and how those deals will shake out is still undetermined. But given the economics of Spotify’s first deal with Sony Music, it’s likely that Sony Music and other labels will ask for an even larger advance from the streaming service.

In the wake of Swift’s departure from Spotify, many musicians rallied to her cause, vilifying streaming services that paid a fraction of a penny per play. But this contract makes it clear — the pay per stream rates aren’t the only issue. According to its financial disclosures, the majority of Spotify’s revenue, around 80 percent, has been flowing out the door to the rights holders. "You can’t squeeze blood from a stone," said David Pakman, the former CEO of eMusic and partner at Venrock. "Your beef can’t be with Spotify anymore." At least not with Spotify alone.

Sony Music and Spotify declined to comment.

Additional reporting by Ben Popper
https://www.theverge.com/2015/5/19/8...otify-contract





Bruce Lundvall, Who Revived Blue Note, Dies at 79
Nate Chinen

Bruce Lundvall, a record executive whose 25-year run at the helm of Blue Note, preceded by top positions at CBS and Elektra, made him one of the most influential figures behind the scenes in recent jazz history, died on Tuesday in Ridgewood, N.J. He was 79.

The cause was complications of Parkinson’s disease, according to a statement released by Blue Note.

Mr. Lundvall’s career in the recording industry encompassed more than half a century, with success across multiple genres. Blue Note had been an important jazz label for decades but had been dormant for years when he revived it under the umbrella of EMI Records in 1984, intent on celebrating its legacy while moving forward.

In “Bruce Lundvall: Playing by Ear,” a biography by Dan Ouellette published by ArtistShare last year, Mr. Lundvall recalled his three-pronged strategy for the label’s revitalization: “We had an important catalog, I could re-sign original Blue Note artists who were still alive and vital, and I had the opportunity to bring in new talent.”

Under his watch, Blue Note became home to pace-setting jazz artists like the singers Dianne Reeves, Cassandra Wilson and Kurt Elling; the saxophonists Joe Lovano and Greg Osby; the guitarists Stanley Jordan, Pat Martino and John Scofield; and the pianists Jacky Terrasson, Jason Moran and Robert Glasper.

He also expanded the label’s stylistic purview, especially after the enormous success of Norah Jones, whose folk-pop-inflected debut album, “Come Away with Me” (2002), sold millions of copies and won eight Grammy Awards. “I don’t know where I would be in the world of music without Bruce as my friend and champion,” Ms. Jones said last year at the Kennedy Center, during a concert celebrating Blue Note’s 75th anniversary.

A jazz idealist but also a business-minded pragmatist, Mr. Lundvall shrugged off criticism of Blue Note’s subsequent forays into adult-oriented pop, as seen in albums by the eminent soul singer Al Green and the singer-songwriters Amos Lee and Keren Ann. His business model embraced the idea that success in one area of a label’s roster helped support other areas that were artistically worthy but less commercially viable.

“The hallmark of his tenure is that he proved that you can do the right thing for the music and the musicians and still run a profitable company,” Don Was, who succeeded Mr. Lundvall as Blue Note’s president, said last year.

Bruce Gilbert Lundvall, a grandson of Swedish immigrants, was born on Sept. 13, 1935, in Cliffside Park, N.J. His father, Howard, was a mechanical engineer. His mother, the former Florence McNeille, came from a family of amateur musicians and encouraged his childhood love of jazz.

He is survived by his wife, Kay; three sons, Tor, Kurt and Eric; a brother, Stephen; a sister, Susan Brodie; and two granddaughters.

In his early teenage years Mr. Lundvall cultivated a young aficionado’s tastes, collecting records and circulating the many jazz clubs on 52nd Street in Manhattan. His attempts to become a jazz musician himself (he played saxophone, trumpet and piano) did not go far, but that was no hindrance to his enthusiasm; he held a jazz salon in his family’s attic in Glen Rock, N.J., calling it Duke’s Club. Later, as a student at Bucknell University, he put on concerts, wrote about jazz in the school newspaper and hosted a weekly radio show.

After serving in the Army in the early years of the Cold War — he did counterintelligence work in Stuttgart, Germany — Mr. Lundvall talked his way into an entry-level job at Columbia Records. He remained there for more than 20 years, moving up the ranks to president of Columbia and then of Columbia’s parent company, CBS Records.

While at CBS, he re-signed Miles Davis and many others. Among his additions to the roster were the tenor saxophonist Dexter Gordon, whose signing in 1976 was the beginning of a twilight renaissance; Herbie Hancock, who was just branching into jazz-funk; and Willie Nelson, whose 1975 Columbia debut, “Red Headed Stranger,” became a No. 1 country album and is now considered a modern classic.

Mr. Lundvall left CBS in 1982 to start Elektra Musician, an imprint of Elektra Records, on which he released the first two albums by the singer Bobby McFerrin, along with albums by the Latin star Rubén Blades and an array of jazz acts, including the group Steps Ahead and the trumpeter Woody Shaw.

His move to EMI was contingent not only on the revival of Blue Note but also on the founding of Manhattan Records, an adult-contemporary label. Among his breakout signings to Manhattan was the pop singer-songwriter Richard Marx.

In an industry rife with egos and sharp elbows, Mr. Lundvall generated an unusual amount of good will. He served as chairman of the Recording Industry Association of America, as chairman of the Country Music Association and as governor of the New York chapter of the National Academy of Recording Arts and Sciences. He received a Grammy Trustees Award in 2011.

Last year he received a lifetime achievement award from the Jazz Foundation of America. He accepted the honor from the trumpeter Wynton Marsalis, whom he had signed twice: to Columbia in the early 1980s and to Blue Note in the early 2000s.

Shortly after Mr. Lundvall was found to have Parkinson’s disease, he stepped down as president of Blue Note in 2010 and was named chairman emeritus. Last year, after several falls at his home in northern New Jersey, he moved to an assisted-living facility. True to form, he organized a jazz festival on the grounds, with proceeds going to the Michael J. Fox Foundation for Parkinson’s Research, and a lineup featuring artists he supported over the years.

“I’m still in the music business,” he said in a phone interview shortly before the festival. “I love it. It’s like the mob: Once you’re in, you can’t get out.”
http://www.nytimes.com/2015/05/21/ar...ies-at-79.html





Wave Broadband Raises $130M to Expand Gigabit Fiber Internet Network Across West Coast
Taylor Soper

The fresh cash comes through a corporate bond led by Deutsche Bank, with participation from Wells Fargo, Sun Trust, and RBC Daniels.

Wave CEO Steve Weed told GeekWire that the money will be used to accelerate the company’s fiber buildout up and down the West Coast, from San Francisco to Canada. An additional 1,500 miles of fiber will be built by the end of 2015, nearly double what was installed in 2014, adding to 5,000 miles of existing fiber.

With the new funding, Wave will also offer residential gigabit service to an additional 10,000 folks in Seattle, where it faces competition from CenturyLink and Comcast, among others.

“We are building a next-generation fiber network,” Weed said, noting that Wave’s entire network is now worth more than $2.5 billion.

This is the second time in Wave’s 13-year history that it has raised outside money, having reeled in $1.1 billion in 2012.

Wave also named longtime exec Steve Friedman as the new executive vice president of fiber design and construction. The company now has 100 employees dedicated to the construction of fiber rollouts. In addition, Wave named former Classmates.com president Harold Zeitz as the company’s new president and COO.

Wave, which employs 1,000 and serves more than 420,000 customers in Washington, Oregon, and California, has made 17 acquisitions since its birth in 2003.

Editor’s note: Wave Broadband is a GeekWire annual sponsor.
http://www.geekwire.com/2015/wave-br...ss-west-coast/





North Carolina Sues FCC for Right to Block Municipal Broadband

Residents stuck with slow Internet while state fights on behalf of private ISPs.
Jon Brodkin

North Carolina has sued the Federal Communications Commission so it can continue enforcing a state law that prevents municipal broadband networks from expanding.

Three months ago, the FCC preempted such laws in both North Carolina and Tennessee. Tennessee filed a lawsuit to save its municipal broadband restrictions in March, and North Carolina has now done the same in a petition filed last week to the US Court of Appeals for the Fourth Circuit.

"Despite recognition that the State of North Carolina creates and retains control over municipal governments, the FCC unlawfully inserted itself between the State and the State’s political subdivisions," North Carolina Attorney General Roy Cooper wrote to the court. Cooper claimed the FCC's action violates the US Constitution; exceeds the commission's authority; "is arbitrary, capricious, and an abuse of discretion within the meaning of the Administrative Procedure Act; and is otherwise contrary to law."

The FCC's North Carolina decision came in response to a petition filed by the City of Wilson, which provides electric service in six counties in eastern North Carolina and broadband service in Wilson County, but is unable to expand its broadband network due to the state law. Wilson's network is "an island of competition surrounded by a sea of little to no options for world-class competitive broadband services," an FCC official said when the commission decided to preempt the state law.

Will Aycock, operations manager of the Wilson municipal broadband system, told WRAL TechWire that "[w]e are aware of the suit," and that "we knew that this would be an ongoing process."

The FCC claims authority to preempt state laws that restrict municipal broadband from Section 706 of the Telecommunications Act of 1996, which requires the FCC to encourage the deployment of broadband to all Americans by using "measures that promote competition in the local telecommunications market, or other regulating methods that remove barriers to infrastructure investment."

About 20 states have laws that protect private Internet service providers from local competition, so court decisions in favor of the FCC could have consequences beyond North Carolina and Tennessee.

“We are confident that our decision to pre-empt laws in two states that prevented community broadband providers from meeting the needs and demands of local consumers will withstand judicial scrutiny," an FCC official told Ars after the Tennessee lawsuit.

Wilson created its broadband network in 2008, three years before North Carolina issued its restrictions.

"North Carolina imposes numerous requirements that collectively have the practical effect of prohibiting public communications initiatives," wrote attorney James Baller, who has been fighting attempts to restrict municipal broadband for years. "For example, public entities must comply with unspecified legal requirements, impute phantom costs into their rates, conduct a referendum before providing service, forego popular financing mechanisms, refrain from using typical industry pricing mechanisms, and make their commercially sensitive information available to their incumbent competitors. Some, but not all, existing public providers are partially grandfathered."
http://arstechnica.com/tech-policy/2...pal-broadband/





Netflix, Dish Urge Court to Uphold FCC’s Net Neutrality Action
Ted Johnson

Netflix and Dish Network are among the almost two dozen companies and public interest groups urging a federal appellate court to deny an effort to halt a central component of the FCC’s net neutrality rules before they go into effect on June 12.

Cogent Communications, COMPTEL, Level 3 Communications, Tumblr, Vimeo, Union Square Ventures, Etsy and Kickstarter also are among the entities that filed a motion with the D.C. Circuit in support of the new rules and the FCC’s move to reclassify the Internet as a Title II telecommunications service.

Major trade associations representing the cable and telecom industry are seeking a stay to prevent the FCC from reclassifying the Internet, which they say will bring outdated and onerous regulation on a thriving and growing industry.

The reclassification is a regulatory maneuver that supporters say is needed to give the FCC a firm legal footing to impose robust net neutrality rules, including ones that prevent Internet service providers from blocking or throttling content or from selling speedier access to their subscribers. The FCC, led by chairman Tom Wheeler, voted 3-2 in February in favor of reclassification and the net neutrality rules.

In their brief to the D.C. Circuit, supporters of the FCC action contend that ISPs have created an “artificial emergency” over the enforcement of the rules, even though companies like Comcast have said in earnings calls that the reclassification won’t affect the way they do business.

The supporters also challenge ISPs’ claims that the Title II reclassification creates a “general conduct” standard that is too vague.

Without the general conduct standard, “ISPs would have virtual carte blanche to circumvent the bright-line prohibitions through techniques such as degrading their connections to the Internet to impede the flow of Internet content, and using discriminatory data caps to favor an ISP’s affiliated services over those of rivals.”

Also signing on to the supporters’ brief were public interest groups like Color of Change, Public Knowledge, Free Press, Demand Progress and the Center for Democracy and Technology.

“A stay would allow ISPs with this gatekeeper power to continue harming consumers and edge providers through service degradation,” the supporters wrote in their brief.
https://variety.com/2015/biz/news/ne...on-1201503796/





Verizon Swallows Net-Neutrality Champion Huffington Post
Leslie Savan

Most of the coverage of Verizon’s planned $4.4 billion acquisition of AOL—and thus of the Huffington Post and other news sites—has been almost giddy about all the moneymaking and technological possibilities. By merging with AOL, Verizon will expand by leaps and bounds into mobile video services and “programmatic ad buying,” bringing America’s largest mobile company “a new kind of energy and talent,” as one venture capitalist enthused. On its end of the pre-nup, AOL will get some much-needed cash and, still crumpled by its disastrous merger with Time-Warner in 2000, some fresh cachet.

And, whether Verizon sells HuffPost (most observers believe it will) or keeps it (AOL CEO Tim Armstrong insists, “AOL’s always going to be an owner of HuffPost”), the deal’s been deemed a win-win for Arianna Huffington. As Lloyd Grove writes, she “sold her digital media company to AOL for an eye-popping $315 million only four years ago, [and] has once again fallen into a giant tub of butter.”

But there hasn’t been nearly as much talk about what this means for the content—you know, the journalism. When a telecom giant at the center of every poli-techno controversy, from net neutrality to NSA spying, owns and is expected to invest millions in one of the world’s most-read news sites, what happens to editorial independence?

Verizon, after all, has its own dedicated page at HuffPost, much of which covers the telecom’s ongoing effort to strangle net neutrality. (Both HuffPost and AOL have been outspoken champions for keeping the web’s playing field level.) And even though the FCC has ruled in favor of the regulations for now, corporate lobbying continues. “Verizon and other major telecom companies have plans to challenge the regs,” Clark Mindock writes at Open Secrets, “But whether or not AOL changes its stance on net neutrality, the fact is that the biggest opponent of net neutrality rules is about to acquire one of the biggest proponents.… And AOL’s D.C. money presence is a drop in the bucket compared to Verizon’s.”

And how free would HuffPost be in the future to report on Verizon’s and other telecom’s involvement in government surveillance of Americans’ phone records? Or on Verizon’s support of the rightwing, Koch-backed policy-maker, the American Legislative Exchange Council (ALEC)? Just days before the Verizon/AOL deal was announced, HuffPost ran a post headlined: “Telecom Sleaze: ALEC and Its Communication’s Funders—AT&T, Verizon, CenturyLink, Comcast and Time Warner Cable.” I’m just guessing, but that could be the last time we see HuffPost casually refer to Verizon as “sleaze.”

Let’s say Verizon does eventually spin off HuffPost (the most likely buyer now is German conglomerate Axel Springer, according to Re/code’s Kara Swisher); the initial Verizon/AOL merger is pending regulatory approval and is many months away. In the interim, will HuffPost tread any more lightly on Verizon-volatile issues?

For its part, Verizon says it won’t pressure AOL or its properties. A company spokesman told Open Secrets that editorial independence has been discussed and that AOL’s Armstrong is expected to “continue to manage the media properties the way he does today.”

But based on Verizon’s one foray into news, its record on censorship looks dismal. Last fall, when Verizon Wireless started the short-lived tech-news site SugarString, the new editor e-mailed potential writers that “two verboten topics” are “spying and net neutrality.”

Verizon objected to this characterization, saying, “SugarString is open to all topics that fit its mission and elevate the conversation around technology.” But, as the Daily Dot points out, “The company did not clarify the details of ‘its mission.’”

You can feel the fear of Verizon mission creep at the tech news site Engadget. It and TechCrunch are two of the more prominent AOL properties that could soon be Verizon’s. When the acquisition was announced Tuesday, Engadget editor Terrence O’Brien tweeted:

Nothing like waking up to find out you have new corporate overlords.

— Terrence O’Brien (@TerrenceOBrien) May 12, 2015

Later:

To be clear: This changes nothing editorially at @Engadget. We’ll continue to cover Verizon, net neutrality, etc… the way we always have.

— Terrence O’Brien (@TerrenceOBrien) May 12, 2015

Executive editor Christopher Trout was impassioned:

A lot of shit talking going on today. @Engadget is run by humans. Humans with integrity and ethics. Nothing’s changing as long as we’re here

— Christopher Trout (@Mr_Trout) May 12, 2015

By contrast, the response on the editorial side of HuffPost seems, at least on the surface, positively sanguine. “Way too soon to tell, but I’m not worried at all, don’t think this is a story,” one reporter there e-mailed me.

A staff writer (who, like most I contacted, asked to be quoted off the record), e-mailed that he doesn’t know enough to say “What It All Means. But I rather think that the fact that we published this story (http://www.huffingtonpost.com/2015/0...n_7267022.html) soon after news of the deal broke speaks for itself, as does the fact that we very doggedly pursued the story of Tim Armstrong’s decision to alter AOL employee 401(K) plans.”

Why the calm? As another staffer explained to me, whether Verizon keeps or spins off HuffPost, “Either way we’re going to get a lot of money to do what we want, which is analogous to what happened when AOL bought us, only amplified: more editors, big-name hires…and the opportunity to rev the engines a little bit. If Verizon holds on to us, that can be done exponentially. I’m not talking like a corporate cheerleader, I’m just talking objectively.”

Indeed, Lloyd Grove estimates that if Verizon retains HuffPost, there could be “an infusion of a couple of hundred million dollars, which would be good because AOL couldn’t invest anything because they were basically out of cash.”

AOL CEO Armstrong is certainly bullish on HuffPost. He says his goal is to make the site “the largest single media brand in the world,” and he’s already talking about how “the deal may mean better wages and benefits for AOL employees.”

Employees is a key word. When AOL bought the Huffington Post for $315 million, Arianna Huffington didn’t pass a cent onto the thousands of freelance writers who blog for the site for free—as in unpaid, gratis, pro bono. Getting “exposure” was its own paycheck. And regardless of how any Verizon windfall is spent, it’s as unlikely that she’ll start paying bloggers as it is that the politically committed telecom will start giving its journalists 100 percent, total, no-holds-barred editorial freedom. That’s a word for nothing left to lose.
http://www.thenation.com/blog/207449...uffington-post





Internet.org Is Not Neutral, Not Secure, and Not the Internet
Jeremy Gillula, Jeremy Malcolm

Facebook's Internet.org project, which offers people from developing countries free mobile access to selected websites, has been pitched as a philanthropic initiative to connect two thirds of the world who don’t yet have Internet access. We completely agree that the global digital divide should be closed. However, we question whether this is the right way to do it. As we and others have noted, there's a real risk that the few websites that Facebook and its partners select for Internet.org (including, of course, Facebook itself) could end up becoming a ghetto for poor users instead of a stepping stone to the larger Internet.

Mark Zuckerberg's announcement of the expansion of the Internet.org platform earlier this month was aimed to address some of these criticisms. In a nutshell, the changes would allow any website operator to submit their site for inclusion in Internet.org, provided that it meets the program's guidelines. Those guidelines are neutral as to the subject matter of the site, but do impose certain technical limitations intended to ensure that sites do not overly burden the carrier's network, and that they will work on both inexpensive feature phones and modern smartphones.

Compliance with the guidelines will be reviewed by the Internet.org team, which may then make the site available for Internet.org users to access for free, by routing the communication through the Internet.org proxy server. That proxy server allows the sites to be “zero rated” by participating mobile phone operators; allows the automatic stripping out of content that violates the guidelines—such as images greater than 1 MB in size, videos, VoIP calls, Flash and Java applets and even JavaScript; and inserts an interstitial warning if a user attempts to leave Internet.org's zero-rated portion of the Internet, so as to prevent users from accidentally being billed for data charges they may not be able to afford and didn't mean to incur.

We agree that some Internet access is better than none, and if that is what Internet.org actually provided—for example, through a uniformly rate-limited or data-capped free service—then it would have our full support. But it doesn't. Instead, it continues to impose conditions and restraints that not only make it something less than a true Internet service, but also endanger people's privacy and security.

That's because the technical structure of Internet.org prevents some users from accessing services over encrypted HTTPS connections. As we mentioned above, a critical component of Internet.org is its proxy server, which traffic must pass through for the zero-rating and the interstitial warning to work correctly. Some devices, like Android phones running Internet.org's app, have the technical ability to make encrypted HTTPS connections through the proxy server without becoming vulnerable to man-in-the-middle attacks or exposing any data (beyond the domain being requested) to Facebook. Internet.org's Android app can also automatically bring up the interstitial warning directly on the phone by using the app to analyze links (as opposed to Facebook serving the warning via its proxy server).

But most inexpensive feature phones that can't run an Android app don't support phone-based warnings or this sort of proxying of HTTPS connections. For these phones, traffic must pass through Internet.org's proxy unencrypted, which means that any information users send or receive from Internet.org's services could be read by local police or national intelligence agencies and expose its users to harm. While Facebook is working to solve this problem, it's extremely difficult from a technical perspective, with no obvious solution.
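The two proxy modes described above can be made concrete with a small model. The following is an added example, not Internet.org's or Facebook's code; the allowlist, hostnames and request bytes are constructed for illustration. It parses the first request a proxy sees on a connection and reports what the proxy can observe and rewrite: for a CONNECT tunnel (the HTTPS case the Android app can use) only the destination host and port are visible, while for a plain absolute-URI request (the feature-phone case) the full URL, headers and body are exposed. The zero-rating decision only needs the host, which is why both modes can be billed the same way even though their privacy properties differ.

```python
"""Constructed model of what a zero-rating HTTP proxy observes per mode.

Added example, not Internet.org code. ZERO_RATED and the sample requests
are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical zero-rated allowlist (constructed; not Internet.org's real list).
ZERO_RATED = {"free.example.org", "news.example.net"}


def parse_proxy_request(raw: bytes) -> dict:
    """Parse the first request on a proxy connection and report what the
    proxy learns about it.

    CONNECT (HTTPS tunnelled through the proxy): only host:port is visible;
    TLS runs end to end inside the tunnel, so the proxy can neither read nor
    modify the request. Absolute-URI request (plaintext proxying): the full
    URL, headers and body are visible and can be rewritten.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method.upper() == "CONNECT":
        host, _, port = target.partition(":")
        return {
            "mode": "tunnel",
            "host": host,
            "port": int(port or 443),
            "visible_to_proxy": ["host", "port"],  # nothing else is readable
            "can_rewrite": False,
        }

    parts = urlsplit(target)
    host = parts.hostname or headers.get("host", "").split(":")[0]
    return {
        "mode": "plaintext",
        "host": host,
        "port": parts.port or 80,
        "visible_to_proxy": ["host", "port", "path", "query", "headers", "body"],
        "can_rewrite": True,  # proxy can strip images/JS or insert an interstitial
        "path": parts.path,
        "query": parts.query,
        "headers": headers,
        "body": body,
    }


def billing_decision(info: dict) -> str:
    """Zero-rate by destination host; anything off the allowlist gets the
    interstitial warning before the user is billed."""
    return "zero-rated" if info["host"] in ZERO_RATED else "warn-then-bill"


# Constructed sample requests (not captured traffic).
CONNECT_REQ = b"CONNECT free.example.org:443 HTTP/1.1\r\nHost: free.example.org:443\r\n\r\n"
PLAIN_REQ = (
    b"GET http://news.example.net/login?user=alice HTTP/1.1\r\n"
    b"Host: news.example.net\r\nCookie: session=abc123\r\n\r\n"
)
OFFNET_REQ = b"GET http://other.example.com/ HTTP/1.1\r\nHost: other.example.com\r\n\r\n"

if __name__ == "__main__":
    for req in (CONNECT_REQ, PLAIN_REQ, OFFNET_REQ):
        info = parse_proxy_request(req)
        print(info["mode"], info["host"], info["visible_to_proxy"], billing_decision(info))
```

Note that in the plaintext mode the cookie and the query string reach the proxy (and any network observer between the phone and the proxy) in the clear, which is exactly the feature-phone exposure the paragraph above describes.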

Even if Facebook were able to figure out a way to support HTTPS proxying on feature phones, its position as Internet gatekeepers remains more broadly troublesome. By setting themselves up as gatekeepers for free access to (portions of) the global Internet, Facebook and its partners have issued an open invitation for governments and special interest groups to lobby, cajole or threaten them to withhold particular content from their service. In other words, Internet.org would be much easier to censor than a true global Internet.

While we applaud Facebook's efforts to encourage more websites to provide support for low-end feature phones by stripping out “heavy” content, we would like to see Internet.org try harder to achieve its very worthy objective of connecting the remaining two thirds of the world to the Internet. We have confidence that it would be possible to provide a limited free Internet access service that is secure, and that doesn't rely on Facebook and its partners to maintain a central list of approved sites. Until then, Internet.org will not be living up to its promise, or its name.
https://www.eff.org/deeplinks/2015/0...d-not-internet





Net Neutrality Rules Are Already Forcing Companies To Play Fair, And The Giant ISPs Absolutely Hate It
Karl Bode

The FCC's net neutrality rules don't even go into effect until June 12, but they're already benefiting consumers. You'll recall that the last year or so has been filled with ugly squabbling over interconnection issues, with Level 3 accusing ISPs like Verizon of letting peering points congest to kill settlement-free peering and drive Netflix toward paying for direct interconnection. But with Level 3 and Cogent hinting they'd be using the FCC's new complaint process to file grievances about anti-competitive behavior, magically Verizon has now quickly struck deals with Level 3 and Cogent that everybody on board appears to be happy with.

And it's not just Verizon; Level 3 also quickly managed to strike a new interconnection deal with AT&T, and Cogent CEO Dave Schaeffer recently proclaimed Comcast has also become suddenly more amicable of late, turning on ports for capacity quickly and when needed. Comcast, like AT&T and Verizon, has also suddenly announced a new interconnection deal with Level 3, one Comcast says it was "delighted" to sign.

That players in the transit and ISP space are suddenly getting along so wonderfully when ISPs insisted net neutrality rules would result in the destruction of the Internet is nothing short of miraculous. It's almost as if the FCC's new net neutrality rules are already benefiting consumers, companies and a healthy internet alike!

Obviously the threat of having a regulator that actually polices anti-competitive behavior instead of playing deaf, dumb, and blind is going to require an adjustment period for everyone involved. Still, despite evidence the FCC's neutrality rules are working as a deterrent to anti-competitive behavior, carriers are still busy claiming the agency is causing "irreparable harm" on the interconnection front. From a joint filing (pdf) from all the major ISP trade groups, including USTelecom, the NCTA and the CTIA:

"Until now, a variety of voluntarily negotiated, individualized arrangements have been used to exchange traffic between networks. But, under the Order, these arrangements are now part of the “telecommunications service” that broadband Internet access providers offer their retail customers, and thus broadband providers—but not their interconnecting counter-parties—are subject to the requirements of Title II. Yet again, however, the FCC did not explain what that means or how broadband providers must act."

While the FCC's rules on interconnection are a bit vague, the agency has made it clear they'll be looking at complaints on a "case by case basis" to ensure deals are "just and reasonable." Since this is new territory, the FCC thought this would be wiser than penning draconian rules that either overreach or contain too many loopholes. This ambiguity obviously has ISPs erring on the side of caution when it comes to bad behavior, which is likely precisely what the FCC intended. Still, companies with a generation of history at being bullies complain this ambiguity lets others...bully them:

"Providers are thus left to negotiate contracts subject to sweeping statutory mandates without knowing what decisions could lead to enforcement action. Already, providers face demands for significant changes to interconnection agreements. The parties making those demands are threatening to file enforcement actions if their demands are not met. This distortion in what had been a well-functioning private negotiation process is irreparable harm."

And by "well functioning private negotiation process," the ISPs clearly mean one in which they were able to hold their massive customer bases hostage in order to strong arm companies like Netflix into paying direct interconnection fees. One in which regulators were seen but not heard, while giant monopolies and duopolies abused the lack of last mile competition. Yes, the FCC's actions have been so brutish and aggressive, they've resulted in a cease fire across the interconnection front to the benefit of video customers and internet users everywhere. Will the nightmare ever end?
https://www.techdirt.com/blog/netneu...-hate-it.shtml





The FCC Warns Internet Providers They’re on the Hook Now for User Privacy
Brian Fung

Don't misuse your customers' personal information.

That's the warning federal regulators are sending to Internet providers such as Comcast and Verizon, in a reminder that they and other broadband companies are now bound by some of the strictest privacy regulations on the books.

The notice stems from the Federal Communications Commission's new net neutrality policy. Because that order reclassifies broadband under Title II, the same law that regulates legacy phone service, Internet providers may not share your subscriber records with third parties unless you give your carrier explicit permission.

At a time when customer data has become the way many Internet businesses make a living, these rules represent a significant check on Internet providers — many of which also dream of selling content online.

"The Commission has found that absent privacy protections, a broadband provider’s use of personal and proprietary information could be at odds with its customers’ interests," said the FCC in its advisory Wednesday.

Although the FCC hasn't revealed many specifics on how the privacy rule will be enforced on Internet providers, it's encouraging them to come forward with any questions they might have — a move that will be viewed as a sign of good faith, according to the agency.

One question that immediately jumps to mind is this: How will the FCC view a program such as AT&T's GigaPower Internet Preferences? The service offers you a discount on the company's fastest Internet plans so that AT&T can monitor your browsing activity and, in turn, serve you targeted advertising.

If you're signing up for Internet Preferences, you're opting-in to this tracking. Perhaps in doing so, you've given AT&T your permission to share your customer data. But many consumers may unknowingly sign up for Internet Preferences simply because it reflects, as AT&T puts it, the "best pricing." In which case, can you really say permission was granted?

It's enforcement questions like these that will ultimately determine how strong the government's net neutrality rules really are.
http://www.washingtonpost.com/blogs/...-user-privacy/





Millions of Android Phones Don't Completely Wipe Data

Flawed factory reset leaves data accessible.
Allie Coyne

Weaknesses in the factory reset function within Google's Android mobile operating system mean data from more than 500 million phones can be discovered despite being wiped, researchers have found.

Cambridge University researchers Laurent Simon and professor Ross Anderson studied the security feature - which is baked into the Android OS and allows users to wipe devices - and found data could be recovered from phones that had been factory-reset.

Recovering data was even possible with full-disk encryption switched on, the researchers discovered.

Simon and Anderson found the file storing the decryption keys on devices was not erased during the factory reset. With access to that file, an attacker could recover the "crypto footer" and brute-force the user’s PIN offline, then decrypt the device.
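Why a leftover crypto footer is enough to attack offline can be seen in a small model. This is an added example, not the researchers' code and not Android's real on-disk format; it mirrors the shape of Android's pre-4.4 scheme (the PIN is stretched with PBKDF2 into a key-encryption key that unwraps the disk master key), but the footer layout, the XOR wrapping and the hash verifier are simplified assumptions made here so the example runs with the standard library alone. The point it shows is that once the footer is off the device, nothing rate-limits guesses: a 4-digit PIN is at most 10,000 PBKDF2 runs, which the attacker can do on any machine.

```python
"""Constructed model of the offline PIN brute force against a leftover footer.

Added example, not the researchers' code and not Android's real format.
ITERATIONS and the footer layout are assumptions for this model.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 2000   # PBKDF2 count assumed for the model
KEY_LEN = 16        # AES-128-sized master key


def _kek(pin: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the PIN (the only secret the user knows)."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, ITERATIONS, KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_footer(pin: str, master_key: Optional[bytes] = None) -> dict:
    """Build a simplified 'crypto footer': salt, the master key wrapped under the
    PIN-derived key, and a verifier (hash of the master key) so a correct guess
    is recognisable offline, without the device."""
    master_key = master_key or os.urandom(KEY_LEN)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "wrapped_key": _xor(master_key, _kek(pin, salt)),
        "verifier": hashlib.sha256(master_key).digest()[:8],
    }


def unwrap(footer: dict, pin: str) -> Optional[bytes]:
    """Return the master key if `pin` is right, else None."""
    candidate = _xor(footer["wrapped_key"], _kek(pin, footer["salt"]))
    if hmac.compare_digest(hashlib.sha256(candidate).digest()[:8], footer["verifier"]):
        return candidate
    return None


def brute_force_pin(footer: dict, digits: int = 4) -> Optional[Tuple[str, int]]:
    """Offline search of every `digits`-digit PIN against the footer.
    Returns (pin, guesses_tried). Each guess costs one PBKDF2 run, so a
    4-digit PIN needs at most 10**4 * ITERATIONS HMAC-SHA1 iterations."""
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        if unwrap(footer, pin) is not None:
            return pin, n + 1
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates the same attack must try for a secret of this shape."""
    return alphabet_size ** length


if __name__ == "__main__":
    footer = make_footer("0731")  # constructed PIN for the demo
    print("recovered:", brute_force_pin(footer))
    print("4-digit PIN candidates:", keyspace(10, 4))
    # the researchers' advice: 11 mixed characters (~70-symbol alphabet assumed)
    print("11-char mixed password candidates:", keyspace(70, 11))
```

The contrast between `keyspace(10, 4)` and `keyspace(70, 11)` is the whole argument for the researchers' password advice quoted later in this piece: PBKDF2 only multiplies the attacker's cost by a constant, so the exponent has to come from the secret itself.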

The researchers estimated that 500 million Android devices may not fully wipe device disk partitions. As many as 630 million phones may not wipe internal SD cards.

Five "critical failures" were outlined in the researchers' Security Analysis of Android Factory Resets paper:

• no Android support for proper deletion of data partition in devices running 2.3.x;
• incomplete upgrades pushed by vendors to flawed devices;
• no driver support for proper deletion shipped by vendors in newer devices;
• no Android support for proper deletion of the internal and external SD card in all OS versions; and
• fragile full-disk encryption up to Android v4.4 (KitKat).

Twenty-six second-hand Android phones running versions 2.3 to 4.3 of the operating system, sold by five handset makers, were tested.

The researchers found that all retained at least partial amounts of data from contacts information, images and video, SMS, email, and data from third-party apps like Facebook.

They were able to recover Google authentication tokens in all devices with flawed factory reset, and were able to access master tokens in 80 percent of cases.

To test their findings, they restored the credential file on a reset phone using one of the recovered master tokens.

"After the reboot, the phone successfully re-synchronised contacts, emails, and so on," they wrote.

"We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80 percent of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone's account."

For Android users wanting to ensure their data is completely wiped from their device, the researchers suggested turning on full-disk encryption where it is offered, and protecting the phone with a strong password of at least 11 characters mixing symbols and upper- and lower-case letters.

They also suggested users reset their phone and then fill the partition of interest with random-byte files, so that all unallocated space is overwritten, using a third-party non-privileged app.

The researchers warned however that there were still risks in that approach: the app that fills the partition would have to be installed manually (side-loaded rather than through Google Play, which requires signing in to a Google account), otherwise the Google token written to the file system at sign-in would be left behind rather than erased.

More technical users with privileged access could overwrite the entire partition bit by bit to provide logical sanitisation, the researchers said.

"This method does not provide thorough digital sanitisation, since the flash is overprovisioned to handle physical wear and tear of the medium – but an attacker cannot recover data using public APIs exposed by the Linux kernel," they wrote.

"Furthermore, the over-provisioning could differ even for instances of the same device, for example if different grades of flash were used."

"Since we are concerned only with massively scalable attacks, we did not consider this issue further, but firms with high assurance requirements might have to unless they can use encryption."
http://www.itnews.com.au/News/404310...wipe-data.aspx
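The "fill the partition with random-byte files" mitigation described above, as an added example rather than the researchers' app or code: a Python routine for a mounted filesystem that writes random data until the volume reports it is full, forces the data onto the medium with fsync, and then deletes the files so the space is handed back. The directory path, chunk size and per-file cap are assumptions. As the researchers caution, this only reaches space the writing process can allocate: filesystem-reserved blocks and over-provisioned flash are not overwritten, and on Android the same logic would have to run inside an app with write access to the partition of interest.

```python
import errno
import os
import sys
import tempfile
from typing import Optional, Tuple

CHUNK = 1 << 20       # 1 MiB of fresh random bytes per write (assumed value)
MAX_FILE = 1 << 30    # start a new file every 1 GiB in case the filesystem caps file size


def _write_random(f, n: int) -> int:
    """Write n random bytes to the unbuffered file f.

    Returns the number of bytes actually written; fewer than n means the
    filesystem reported ENOSPC (or refused more data), i.e. the volume is full.
    """
    buf = memoryview(os.urandom(n))
    done = 0
    while done < n:
        try:
            k = f.write(buf[done:])
        except OSError as e:
            if e.errno == errno.ENOSPC:
                break
            raise
        if not k:
            break
        done += k
    return done


def fill_free_space(directory: str, max_bytes: Optional[int] = None,
                    chunk: int = CHUNK) -> int:
    """Overwrite the unallocated space of the volume holding `directory`.

    Random-byte files are written until the filesystem is full (or until
    `max_bytes` have been written), flushed with fsync, then deleted so the
    space is returned. Only space this process can allocate is reached; the
    flash over-provisioning the researchers mention stays untouched.
    Returns the number of bytes written.
    """
    written = 0
    paths = []
    try:
        while max_bytes is None or written < max_bytes:
            fd, path = tempfile.mkstemp(prefix="wipe-", dir=directory)
            paths.append(path)
            file_size = 0
            with os.fdopen(fd, "wb", buffering=0) as f:
                while file_size < MAX_FILE and (max_bytes is None or written < max_bytes):
                    n = chunk if max_bytes is None else min(chunk, max_bytes - written)
                    got = _write_random(f, n)
                    written += got
                    file_size += got
                    if got < n:          # volume is full
                        break
                os.fsync(f.fileno())     # make sure the random data reaches the medium
            if file_size < MAX_FILE:     # stopped because the volume is full or the cap was hit
                break
    finally:
        for p in paths:                  # free the space again
            try:
                os.unlink(p)
            except FileNotFoundError:
                pass
    return written


def demo_in_tempdir(max_bytes: int = 300_000, chunk: int = 65_536) -> Tuple[int, int]:
    """Exercise the routine on a temporary directory with a small write cap.

    Returns (bytes written, files left behind); the second value should be 0.
    """
    with tempfile.TemporaryDirectory() as d:
        written = fill_free_space(d, max_bytes=max_bytes, chunk=chunk)
        return written, len(os.listdir(d))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(f"{fill_free_space(target):,} bytes of free space overwritten under {target}")
```

Run it as `python wipe_free.py /path/on/the/partition` after the reset; `demo_in_tempdir` writes only a capped amount so the logic can be exercised without filling a disk. The fsync matters: without it the random data may still sit in the page cache when the files are unlinked and never reach the flash.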





Tech Giants Don’t Want Obama to Give Police Access to Encrypted Phone Data
Ellen Nakashima

Tech behemoths including Apple and Google and leading cryptologists are urging President Obama to reject any government proposal that alters the security of smartphones and other communications devices so that law enforcement can view decrypted data.

In a letter to be sent Tuesday and obtained by The Washington Post, a coalition of tech firms, security experts and others appeal to the White House to protect privacy rights as it considers how to address law enforcement’s need to access data that is increasingly encrypted.

“Strong encryption is the cornerstone of the modern information economy’s security,” said the letter, signed by more than 140 tech companies, prominent technologists and civil society groups.

The letter comes as senior law enforcement officials warn about the threat to public safety from a loss of access to data and communications. Apple and Google last year announced they were offering forms of smartphone encryption so secure that even law enforcement agencies could not gain access — even with a warrant.

“There’s no doubt that all of us should care passionately about privacy, but we should also care passionately about protecting innocent people,” FBI Director James B. Comey said at a recent roundtable with reporters.

Last fall, after the announcements by Apple and Google, Comey said he could not understand why companies would “market something expressly to allow people to place themselves beyond the law.”

FBI and Justice Department officials say they support the use of encryption but want a way for officials to get the lawful access they need.

Many technologists say there is no way to do so without building a separate key to unlock the data — often called a “backdoor,” which they say amounts to a vulnerability that can be exploited by hackers and foreign governments.

The letter is signed by three of the five members of a presidential review group appointed by Obama in 2013 to assess technology policies in the wake of leaks by former intelligence contractor Edward Snowden. The signatories urge Obama to follow the group’s unanimous recommendation that the government should “fully support and not undermine efforts to create encryption standards” and not “in any way subvert, undermine, weaken or make vulnerable” commercial software.

Richard A. Clarke, former cybersecurity adviser to President George W. Bush and one of three review group members to sign the letter, noted that a similar effort by the government in the 1990s to require phone companies to build a backdoor for encrypted voice calls was rebuffed. “If they couldn’t pull it off at the end of the Cold War, they sure as hell aren’t going to pull it off now,” he said.

Comey, he said, “is the best FBI director I’ve ever seen,” but “he’s wrong on this [issue].”

Congress, too, is unlikely to pass legislation that would require technology companies to develop keys or other modes of access to their products and services in the post-Snowden era.

Lawmakers on both sides of the aisle have expressed skepticism toward the pleas of law enforcement agencies. Rep. Ted Lieu, a California Democrat with a computer science degree, called backdoors in software “technologically stupid.”

Ronald L. Rivest, an inventor of the RSA encryption algorithm (his name is the “R” in “RSA”), said standards can be weakened to allow law enforcement officials access to encrypted data. “But,” he said, “you’ve done great damage to our security infrastructure if you do that.”

The issue is not simply national, said Rivest, a computer science professor at MIT who signed the letter. “Once you make exceptions for U.S. law enforcement, you’re also making exceptions for the British, the French, the Israelis and the Chinese, and eventually it’ll be the North Koreans.”

The signatories include policy experts who normally side with national-security hawks. Paul Rosenzweig, a former Bush administration senior policy official at the Department of Homeland Security, said: “If I actually thought there was a way to build a U.S.-government-only backdoor, then I might be persuaded. But that’s just not reality.”

Rosenzweig said that “there are other capabilities” that law enforcement can deploy. They will be “less satisfying,” he said, but “they will make do.”

Privacy activist Kevin Bankston organized the letter to maintain pressure on the White House. “Since last fall, the president has been letting his top law enforcement officials criticize companies for making their devices more secure and letting them suggest that Congress should pass pro-backdoor legislation,” said Bankston, policy director of the New America Foundation’s Open Technology Institute.

“It’s time for Obama to put an end to these dangerous suggestions that we should deliberately weaken the cybersecurity of Americans’ products and services,” he said. “It’s time for America to lead the world toward a more secure future rather than a digital ecosystem riddled with vulnerabilities of our own making.”
http://www.washingtonpost.com/world/...2a4_story.html





Senate Blocks Bill on N.S.A. Collection of Phone Records
Jennifer Steinhauer

After vigorous debate and intense last-minute pressure by Republican leaders, the Senate on Saturday rejected legislation that would curb the federal government’s bulk collection of phone records.

With the death of that measure — passed overwhelmingly in the House earlier this month — senators then scrambled to hastily pass a short-term measure to keep the program from going dark when it expires June 1 but failed. The disarray in Congress appeared to significantly increase the chances that the government will lose systematic access to newly created calling records by Americans, at least temporarily, after June 1.

“This is a high-threat period,” said Senator Mitch McConnell of Kentucky, the majority leader, who was felled in his efforts to extend the program even for a few days by the junior senator for his home state, Rand Paul.

The Senate will reconvene on May 31 to try again. But any extension is far from certain to get approval from the House, which is in recess until June 1, with at least one member threatening to block it.

“Any extension is going to be problematic in the House,” said Representative Adam B. Schiff of California, the ranking Democrat on the House Intelligence Committee. Mr. Schiff noted that many of the votes against the measure in the House were by members who didn’t think it went far enough. The matter is likely to come up after the one-week recess.

Under the bipartisan House bill, which passed 338 to 88 last week, the Patriot Act would be changed to prohibit bulk collection by the National Security Agency of metadata charting telephone calls made by Americans.

However, while the House version of the bill would take the government out of the collection business, it would not deny it access to the information.

The measure failed in the Senate 57 to 42, with 12 Republicans voting for it, shortly after midnight because Mr. Paul, a candidate for the White House, dragged the procedure out as he had promised to do in fund-raising messages.

Another bill, which would have extended the program for two months, also failed.

Even if both chambers do agree to an extension of the statute, the program might still lapse. President Obama would have to make the legal and political decision to ask the nation’s intelligence court for a new order authorizing the bulk phone logs program, and a Federal District Court judge on the court would have to agree that he was authorized to issue such an order, even though a federal appeals court recently ruled that the statute cannot be legitimately interpreted to permit bulk collection.

Still, while a short-term lapse in the bulk phone records collection could have large political repercussions, it might have only a limited operational impact on counterterrorism investigations. Throughout the lifetime of the once-secret program, which began in October 2001, it has never been the difference maker in thwarting any terrorist attack, according to testimony and government reports.

Senator Patrick J. Leahy, Democrat of Vermont, slowly and painstakingly brought nearly every member of his caucus to support the House bill, losing only Senator Angus King, an independent representing Maine. But Senator Mike Lee, Republican of Utah, who was the point man for his side of the aisle, was unable to convince a handful of wavering Republicans to support the bill and defy Mr. McConnell, who with many senior Republicans on the Intelligence Committee spoke out against the measure.

Mr. McConnell wanted to extend the program as it exists, but realized this week that he had nowhere near the votes to get that done. On Friday, he held a last-minute session before an extensive vote on a trade package to twist senators’ arms and to convince them that a short-term extension would allow a compromise to be hammered out in June.

The debate over the federal program, which became intense after the government’s extensive surveillance efforts were exposed by Edward J. Snowden, was complicated by a federal appeals court ruling last week that found the N.S.A.’s bulk collection of phone records illegal.

Democrats rose to complain angrily after the vote Friday. “Let’s be clear,” said Senator Barbara Boxer, Democrat of California. “We tried to protect this country and Republicans rejected it.”
http://www.nytimes.com/2015/05/24/us...veillance.html





NSA Planned to Hijack Google App Store to Hack Smartphones
Ryan Gallagher

The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals.

The surveillance project was launched by a joint electronic eavesdropping unit called the Network Tradecraft Advancement Team, which includes spies from each of the countries in the “Five Eyes” alliance — the United States, Canada, the United Kingdom, New Zealand and Australia.

The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012.

The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google. (Google declined to comment for this story. Samsung said it would not be commenting “at this time.”)

As part of a pilot project codenamed IRRITANT HORN, the agencies were developing a method to hack and hijack phone users’ connections to app stores so that they would be able to send malicious “implants” to targeted devices. The implants could then be used to collect data from the phones without their users noticing.

Previous disclosures from the Snowden files have shown agencies in the Five Eyes alliance designed spyware for iPhones and Android smartphones, enabling them to infect targeted phones and grab emails, texts, web history, call records, videos, photos and other files stored on them. But methods used by the agencies to get the spyware onto phones in the first place have remained unclear.

The newly published document shows how the agencies wanted to “exploit” app store servers — using them to launch so-called “man-in-the-middle” attacks to infect phones with the implants. A man-in-the-middle attack is a technique in which hackers place themselves between computers as they are communicating with each other; it is a tactic sometimes used by criminal hackers to defraud people. In this instance, the method would have allowed the surveillance agencies to modify the content of data packets passing between targeted smartphones and the app servers while an app was being downloaded or updated, inserting spyware that would be covertly sent to the phones.

But the agencies wanted to do more than just use app stores as a launching pad to infect phones with spyware. They were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.

The project was motivated in part by concerns about the possibility of “another Arab Spring,” which was sparked in Tunisia in December 2010 and later spread to countries across the Middle East and North Africa. Western governments and intelligence agencies were largely blindsided by those events, and the document detailing IRRITANT HORN suggests the spies wanted to be prepared to launch surveillance operations in the event of more unrest.

The agencies were particularly interested in the African region, focusing on Senegal, Sudan and the Congo. But the app stores targeted were located in a range of countries, including a Google app store server located in France and other companies’ app download servers in Cuba, Morocco, Switzerland, Bahamas, the Netherlands and Russia. (At the time, the Google app store was called the “Android Market”; it is now named Google Play.)

Another major outcome of the secret workshops was the agencies’ discovery of privacy vulnerabilities in UC Browser, a popular app used to browse the Internet across Asia, particularly in China and India. Though UC Browser is not well-known in Western countries, its massive Asian user base, a reported half billion people, means it is one of the most popular mobile Internet browsers in the world.

According to the top-secret document, the agencies discovered that the UC Browser app was leaking a gold mine of identifying information about its users’ phones. Some of the leaking information apparently helped the agencies uncover a communication channel linked to a foreign military unit believed to be plotting “covert activities” in Western countries. The discovery was celebrated by the spies as an “opportunity where potentially none may have existed before.”

Citizen Lab, a human rights and technology research group based at the University of Toronto, analyzed the Android version of the UC Browser app for CBC News and said it identified “major security and privacy issues” in its English and Chinese editions. The Citizen Lab researchers have authored their own detailed technical report outlining the many ways the app has been leaking data, including some users’ search queries, SIM card numbers and unique device IDs that can be used to track people.

Citizen Lab alerted UC Browser to the security gaps in mid-April; the company says it has now fixed them by rolling out an update for the app. A spokesperson for UC Browser’s parent company, Chinese e-commerce giant the Alibaba Group, told CBC News in a statement that it took security “very seriously and we do everything possible to protect our users.” The spokesperson added that the company had found “no evidence that any user information has been taken” — though it is not likely that surveillance of the leaking data would have been detectable.

The case strikes at the heart of a debate about whether spy agencies are putting ordinary people at risk by secretly exploiting security flaws in popular software instead of reporting them so that they can be fixed.

According to Citizen Lab Director Ron Deibert, the UC Browser vulnerability not only exposed millions of the app’s users to surveillance carried out by any number of governments — but it could also have been exploited by criminal hackers to harvest personal data.

“Of course, the security agencies don’t [disclose the information],” Deibert said. “Instead, they harbor the vulnerability. They essentially weaponize it.” Taking advantage of weaknesses in apps like UC Browser “may make sense from a very narrow national security mindset,” Deibert added, “but it’s at the expense of the privacy and security of hundreds of millions of users worldwide.”

The revelations are the latest to highlight tactics adopted by the Five Eyes agencies in their efforts to hack computers and exploit software vulnerabilities for surveillance. Last year, The Intercept reported that the NSA has worked with its partners to dramatically increase the scope of its hacking attacks and use of “implants” to infect computers. In some cases, the agency was shown to have masqueraded as a Facebook server in order to hack into computers.

The Intercept and CBC News contacted each of the Five Eyes agencies for comment on this story, but none would answer questions on record about any of the specific details.

A spokesperson for Canada’s Communications Security Establishment said that the agency was “mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism,” adding that it “does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada.”

British agency Government Communications Headquarters said that its work was “carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate.”

Australia’s Signals Directorate said it was “long-standing practice” not to discuss intelligence matters and would not comment further.

New Zealand’s Government Communications Security Bureau said that it has “a foreign intelligence mandate” and that everything it does is “explicitly authorised and subject to independent oversight.”

The NSA had not responded to repeated requests for comment at time of publication.
https://firstlook.org/theintercept/2...tores-spyware/





Hackers Build a New Tor Client Designed to Beat the NSA
Patrick Howell O'Neill

Anonymity’s toughest adversaries are hackers with the full-force and backing of Beijing, London, and Washington, D.C.

With the threat of powerful intelligence agencies, like the NSA, looming large, researchers have built a new Tor client called Astoria designed specifically to make eavesdropping harder for the world's richest, most aggressive, and most capable spies to track Tor users from start to finish.

Tor, the world’s most popular anonymity network, works like this: A user fires up the client and connects to the network through what's called an entry node. To reach a website anonymously, the user’s Internet traffic is then passed encrypted through a so-called middle relay and then an exit relay (and back again). That user-relay connection is called a circuit. The website on the receiving end doesn’t know who is visiting, only that a faceless Tor user has connected.

An eavesdropper shouldn’t be able to know who the Tor user is either, thanks to the encrypted traffic being routed through 6,000 nodes in the network.

But something called "timing attacks" change the situation. When an adversary takes control of both the entry and exit relays, research shows they can potentially deanonymize Tor users within minutes.

A full 58 percent of Tor circuits are vulnerable to network-level attackers, such as the NSA or Britain’s Government Communications Headquarters (GCHQ), when they access popular websites, according to new research from American and Israeli academics. Chinese users are the most vulnerable of all to these kinds of attacks, with researchers finding 85.7 percent of all Tor circuits from the country to be vulnerable.

Even though Tor is designed to provide complete anonymity to its users, the NSA’s position means they can potentially see and measure both traffic entering the Tor network and the traffic that comes out. When an intelligence agency can see both, simple statistics help an autonomous system at their control match the data up in a timing attack and discover the identity of the sender.

Anonymity over.

This kind of threat has been known to Tor developers for over a decade. They’ve been trying to make eavesdropping difficult for spy agencies for just as long.

To counter the threat, American-Israeli researchers built Astoria, a new Tor client focused on defeating autonomous systems that can break Tor’s anonymity.

Astoria reduces the number of vulnerable circuits from 58 percent to 5.8 percent, the researchers say. The new solution is the first designed to beat even the most recently proposed asymmetric correlation attacks on Tor.

Designed to beat such attacks, Astoria differs most significantly from Tor's default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool, at its foundation, is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries.

Astoria adroitly considers how circuits should, according to the researchers, be made “when there are no safe possibilities,” how to safely balance the growing bandwidth load across the Tor network, and how to keep Tor’s performance “reasonable” and relatively fast even when Astoria is in its most secure configuration.

All this while under the unblinking gaze of the world’s best intel services.

Defeating timing attacks against Tor completely isn’t possible because of how Tor is built, but making the attacks more costly and less likely to succeed is a pastime that Tor developers have dedicated a decade to. Astoria follows in those footsteps.

By choosing relays based on lowering the threat of eavesdropping by autonomous systems and then choosing randomly if no safe passage is possible, Astoria aims to minimize the information gained by an adversary watching an entire circuit.

“In addition to providing high-levels of security against such attacks, Astoria also has performance that is within a reasonable distance from the current Tor client,” the researchers wrote. “Unlike other AS-aware Tor clients, Astoria also considers how circuits should be built in the worst case—i.e., when there are no safe relays that are available. Further, Astoria is a good network citizen and works to ensure that all circuits created by it are load-balanced across the volunteer driven Tor network.”

In an upgrade aimed at making Tor even more usable for the average person, the newest Tor Browser allows a sliding scale of security that balances speed and usability with strong security preferences.

Similarly, Astoria provides multiple security options. However, it's both most effective and most usable when at its highest security level, the researchers say, so "Astoria is a usable substitute for the vanilla Tor client only in scenarios where security is a high priority."

You can read the full research paper here.
http://www.dailydot.com/politics/tor...attack-client/
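A simplified model of the AS-aware circuit selection the article attributes to Astoria, written as an added example and not the Astoria or Tor code. The topology, relay list, AS numbers and bandwidth weights are all constructed; "safe" means that no single autonomous system can observe both the client-to-entry leg and the exit-to-destination leg, in either direction, which is the vantage point the article describes for a timing attack. The selector restricts itself to safe pairs, weights them by bandwidth so load stays balanced, and falls back to a random bandwidth-weighted pick when no safe pair exists.

```python
import random
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Relay:
    name: str
    asn: int        # autonomous system that hosts the relay
    bandwidth: int  # consensus weight, used for load balancing


# Constructed topology (assumed, not real Internet routing data).
# ROUTES maps (source AS, destination AS) to the ASes traffic crosses in that
# direction; pairs not listed are treated as direct. Both directions are kept
# separately because routing can be asymmetric.
ROUTES: Dict[Tuple[int, int], FrozenSet[int]] = {
    (100, 20): frozenset({100, 999, 20}),   # client AS 100 -> AS 20 transits tier-1 AS 999
    (20, 100): frozenset({20, 999, 100}),
    (40, 200): frozenset({40, 999, 200}),   # AS 40 -> destination AS 200 also transits AS 999
    (200, 40): frozenset({200, 999, 40}),
}

# Constructed relays; note that entry-A and exit-A sit in the same AS 10.
ENTRIES: List[Relay] = [Relay("entry-A", 10, 100), Relay("entry-B", 20, 50), Relay("entry-C", 30, 30)]
EXITS: List[Relay] = [Relay("exit-A", 10, 100), Relay("exit-B", 40, 60), Relay("exit-C", 20, 20)]
CLIENT_AS, DEST_AS = 100, 200


def as_path(src: int, dst: int, routes) -> FrozenSet[int]:
    return routes.get((src, dst), frozenset({src, dst}))


def observers(a: int, b: int, routes) -> FrozenSet[int]:
    """ASes that see the traffic between a and b in at least one direction."""
    return as_path(a, b, routes) | as_path(b, a, routes)


def circuit_is_safe(client_as: int, entry: Relay, exit_: Relay, dest_as: int, routes) -> bool:
    """Unsafe if one AS observes both the client<->entry leg and the
    exit<->destination leg: that is what a timing correlation attack needs."""
    return not (observers(client_as, entry.asn, routes) & observers(exit_.asn, dest_as, routes))


def choose_circuit(client_as, dest_as, entries, exits, routes,
                   as_aware: bool = True, rng: Optional[random.Random] = None) -> Tuple[Relay, Relay, bool]:
    """Pick (entry, exit) weighted by bandwidth so load stays balanced.

    With as_aware=True the choice is restricted to safe pairs; when none exist
    (the 'no safe possibilities' case) it falls back to all pairs. The third
    value reports whether the chosen circuit is safe."""
    rng = rng or random
    pairs = [(e, x) for e in entries for x in exits]
    safe = [p for p in pairs if circuit_is_safe(client_as, p[0], p[1], dest_as, routes)]
    candidates = safe if (as_aware and safe) else pairs
    weights = [e.bandwidth * x.bandwidth for e, x in candidates]
    entry, exit_ = rng.choices(candidates, weights=weights, k=1)[0]
    return entry, exit_, circuit_is_safe(client_as, entry, exit_, dest_as, routes)


def vulnerable_fraction(client_as, dest_as, entries, exits, routes,
                        as_aware: bool, trials: int = 1000, seed: int = 0) -> float:
    """Share of built circuits that an AS-level observer could correlate."""
    rng = random.Random(seed)
    unsafe = sum(
        not choose_circuit(client_as, dest_as, entries, exits, routes, as_aware, rng)[2]
        for _ in range(trials))
    return unsafe / trials


if __name__ == "__main__":
    for aware in (False, True):
        frac = vulnerable_fraction(CLIENT_AS, DEST_AS, ENTRIES, EXITS, ROUTES, aware)
        print(f"{'AS-aware' if aware else 'bandwidth-only'} selection: {frac:.1%} of circuits observable")
```

Against this toy topology the bandwidth-only choice lands on an observable circuit roughly 43 percent of the time (the high-bandwidth entry-A/exit-A pair in AS 10 dominates), while the AS-aware choice never does. Restricting the pools to a single entry and exit in the same AS reproduces the worst case: the selector still returns a circuit, but flags it as unsafe.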





HTTPS-Crippling Attack Threatens Tens of Thousands of Web and Mail Servers

Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.
Dan Goodin

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they're communicating over an unsecured, public channel.

The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.

"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, wrote in an e-mail to Ars. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web."

It wasn't supposed to be this way

Ironically, Diffie-Hellman is supposed to provide an additional layer of protection because it allows the two connected parties to constantly refresh the cryptographic key securing Web or e-mail sessions. The so-called perfect forward secrecy that Diffie-Hellman makes possible significantly increases the work of eavesdropping because attackers must obtain the key anew each time it changes, as opposed to only once with other encryption schemes, such as those based on RSA keys. Logjam is significant because it shows that ephemeral Diffie-Hellman—or DHE—can be fatal to TLS when the export-grade ciphers are supported. Logjam is reminiscent of the FREAK attack that also allowed attackers to downgrade HTTPS connections to 512-bit cryptography.

According to this informational site established by the researchers, only Internet Explorer has been updated to protect end users against Logjam attacks. The researchers said they have been working with developers of major browsers and that Chrome, Firefox, and Safari are also expected to implement a fix that rejects encrypted connections unless the key material contains a minimum of 1024 bits. Updates are expected to be available in the next day or two, and possibly much sooner. Information on vulnerable end-user e-mail programs wasn't available at the time this post was being prepared.

According to the researchers, an estimated 8.4 percent of the top 1 million Web domains are vulnerable, and 3.4 percent of HTTPS-supported websites overall are susceptible. E-mail servers that support simple mail transfer protocol with StartTLS, secure POP3, and IMAP are estimated to be vulnerable in 14.8 percent, 8.9 percent, and 8.4 percent of the cases respectively.

To exploit vulnerable connections, attackers must use the number field sieve algorithm to precompute data. Once they have completed that task, they can use it to perform man-in-the-middle attacks against vulnerable connections in real time. Using academic-level hardware, the researchers required just two weeks to generate the data needed to attack the two prime numbers most commonly used by 512-bit Diffie-Hellman to negotiate ephemeral keys. Those two data sets allow the attackers to compromise about 92 percent of sites supporting the export cipher. It wouldn't require much additional work to generate data needed to attack the remaining sites.

Snowden revelations revisited

The work required to precompute data needed to attack 768- and 1024-bit primes is orders of magnitude harder, but the researchers said the load is nonetheless within the means of state-sponsored eavesdroppers. In a research paper titled Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, the researchers speculate the technique may be the means the National Security Agency reportedly uses to routinely break millions of encrypted connections. Documents leaked by former NSA subcontractor Edward Snowden revealed the mass crypto attacks but didn't say how they're carried out. Besides attacking HTTPS-protected Web and e-mail sessions, the researchers said, the same technique may be used to break SSH and VPN connections, too.

"The technical details of our attack have also let us look at some of the leaked NSA documents in a new light, and give an explanation consistent with the documents and our experiments of how the NSA might be breaking certain crypto protocols on a wide scale," Nadia Heninger, a scientist at the University of Pennsylvania and an author of the paper, wrote in an e-mail.

In the short term, the researchers recommend all server administrators disable support for the DHE_EXPORT ciphersuites that allow Diffie-Hellman connections to be downgraded. The researchers have provided a guide with step-by-step instructions for securely deploying Diffie-Hellman in TLS. And of course, they also strongly encourage all end users to install browser and e-mail client patches that enforce minimum restrictions on the primes used to negotiate ephemeral keys. Over the longer term, they say, developers should transition to so-called elliptic curve Diffie-Hellman key exchange, since the scheme is less vulnerable to precomputed attacks.

Logjam continues a trend begun a few years ago of using catchy words or phrases to name vulnerabilities or the attacks that exploit them. Thankfully, this vulnerability disclosure wasn't accompanied by a logo, and the dedicated website offers a wealth of important information without any hype. Halderman told Ars the name is a pun on the "discrete log" mathematical operation used to break the weak keys. "But the name is also an allusion to the fact that these '90s-era export ciphers are part of an immense amount of technical debt that's built up in our crypto protocols," he added in an e-mail. "There's just too much dead wood that's accumulated over the years."
http://arstechnica.com/security/2015...-mail-servers/
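The client-side fix the article describes (refuse a Diffie-Hellman exchange unless the prime has at least 1024 bits), as an added example rather than the browsers' or the researchers' code: a toy ephemeral DH handshake in Python in which a server offers either an export-grade 512-bit group or a 1024-bit group, and a legacy client and a patched client respond. The prime generation, the `ServerKeyExchange` structure, the `MIN_DH_BITS` name and the seed are constructed for the demonstration; generator 2 with a random (not safe) prime is used only to keep the example short, and real deployments should follow the researchers' deployment guide rather than this toy.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_DH_BITS = 1024   # floor the patched browsers enforce, per the article (assumed name)
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin test; `rounds` random bases give an error below 4**-rounds."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int, rng: random.Random) -> int:
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


@dataclass(frozen=True)
class ServerKeyExchange:
    """The DH group and public value a TLS server sends (simplified)."""
    p: int
    g: int
    server_pub: int


def server_offer(p: int, g: int, rng: random.Random) -> Tuple[ServerKeyExchange, int]:
    priv = rng.randrange(2, p - 2)
    return ServerKeyExchange(p, g, pow(g, priv, p)), priv


def client_accepts(ske: ServerKeyExchange, min_bits: int = MIN_DH_BITS) -> bool:
    """The Logjam fix: refuse groups whose prime is shorter than the floor,
    however the cipher suite was negotiated."""
    return ske.p.bit_length() >= min_bits


def client_handshake(ske: ServerKeyExchange, rng: random.Random,
                     min_bits: int = MIN_DH_BITS) -> Optional[Tuple[int, int]]:
    """Returns (client_pub, shared_secret), or None when the client aborts."""
    if not client_accepts(ske, min_bits):
        return None
    priv = rng.randrange(2, ske.p - 2)
    return pow(ske.g, priv, ske.p), pow(ske.server_pub, priv, ske.p)


def server_finish(ske: ServerKeyExchange, server_priv: int, client_pub: int) -> int:
    return pow(client_pub, server_priv, ske.p)


def run_demo(seed: int = 2015) -> Dict[str, object]:
    """Export-grade (512-bit) and 1024-bit groups against legacy and patched clients."""
    rng = random.Random(seed)
    out: Dict[str, object] = {}
    for label, bits in (("export", 512), ("strong", 1024)):
        ske, spriv = server_offer(generate_prime(bits, rng), 2, rng)
        patched = client_handshake(ske, rng)                 # enforces MIN_DH_BITS
        legacy = client_handshake(ske, rng, min_bits=512)    # pre-Logjam behaviour
        out[label + "_bits"] = ske.p.bit_length()
        out[label + "_patched_completed"] = patched is not None
        out[label + "_legacy_completed"] = legacy is not None
        out[label + "_legacy_keys_agree"] = (legacy is not None and
                                             legacy[1] == server_finish(ske, spriv, legacy[0]))
        out[label + "_patched_keys_agree"] = (patched is not None and
                                              patched[1] == server_finish(ske, spriv, patched[0]))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The legacy client happily completes the 512-bit exchange and both sides agree on a secret, which is exactly the state an attacker with the precomputed tables can read; the patched client aborts on the export group and only completes the 1024-bit one. The check is deliberately on the prime's bit length, not on the cipher suite name, because the downgrade leaves the client believing it negotiated a normal DHE suite.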





Full Disclosure : 4096 RSA Key in the Strongset Factored.
Mircea Popescu

As you may or may not know, No Such lAbs (trading on MPEx as S.NSA) has been for a while using BISP hardware to run Phuctor, a RSA key factorization service.

As you can see, it employs bleeding edge Greek technology from 2`500 years ago, in the shape of Euclid's GCD to try and find common factors among keys. Since there's about 4 million keys (a little under) in the bundle of publicly known keys that it is processing, if you're even vaguely mathematically literate and even marginally aware of what exactly theoretical RSA promises, you would on the strength of this introduction expect a key to be factored just a little before Elvis comes back as the Queen of England. So did we. So did everyone else.

Imagine my surprise, and Stan's surprise, and everyone's surprise - including your own once you find that yes, it has broken a pair of keys.

And it didn't even need the whole 4 million set - only a shade shy of 200k. If we were to linearly extrapolate - which we won't - that'd mean we'll see dozens more before all of this is said and done.

And it's not even an ancient 1024 bit key. No, it's a spiffy, relatively recent 4096 bit key, made 2011-09-22 and owned by someone in all likelihood you know, or at any rate have heard of. Yes, that's right - the key's in the GPG strong set.

It is our sad duty to inform Mr. H. Peter Anvin (hpa) that his key with fingerprint 51EA B526 D875 4202 2AA1 BC85 E99E F4B4 5122 1121 is factorizable. And the first factor - get a load of this - is 231. Which... yes, 231 = 3 * 77. Way, way, way too small to be appearing here. How exactly it got past Pollard-rho and why exactly is 231 a factor in RSA keys is beyond the scope of this writing and sadly something we had not the time to investigate.

Which brings us to the most bitter part of this entire discussion : the server hosting phuctor suddenly became inaccessible yesterday. It returned, apparently untouched, after the DC rebooted it. While this may be simple coincidence, we have at the present time no way to ascertain whether it is or it is not. Consequently, the originally intended, civilised process of emailing the victim, keeping things quiet for a while to give them time to update and so on is not practicable : for all we know others unknown are at the current time in possession of the same information we have. On the balance of these considerations, it is my decision that all this must be published immediately, with apologies to everyone on the receiving end.

Nevertheless : emergency testing of all deployed RSA key generators must be undertaken now, to verify why exactly they would produce weak keys. Of special interest is, of course, the mechanism employed by Mr. Anvin himself, but one should not limit himself to that alone.

Let the scramble begin!

Update : Another pair was found. This also has one member in the strong set, but its owner is, apparently, luckier.

Update II : Amusingly enough, it seems Hacker News hand-diddled their story list to remove this discussion. Way to go Ydumbinator crew!

Update III : Because half the interest seems to be for some reason along these lines - here is what being on popurls, twitter etc. looks like :


The server load was never above 0.5 ; Apache (unoptimized) chugging quietly along, really nothing sensational to report. Even with all the software rot, hardware has progressed sufficiently since a decade ago so as to render "slashdotting" a historical relic rather than a fact of life. So it goes.
http://trilema.com/2015/full-disclos...gset-factored/





About the Supposed Factoring of a 4096 Bit RSA Key

The news about a broken 4096 bit RSA key is not true. The key in question is just a faulty copy of a valid key.
Hanno Böck

Earlier today a blog post claiming the factoring of a 4096 bit RSA key was published and quickly made it to the top of Hacker News. The key in question was the PGP key of a well-known Linux kernel developer. I already commented on Hacker News why this is most likely wrong, but I thought I'd write up some more details. To understand what is going on I have to explain some background both on RSA and on PGP keyservers. This by itself is pretty interesting.

RSA public keys consist of two values called N and e. The N value, called the modulus, is the interesting one here. It is the product of two very large prime numbers. The security of RSA relies on the fact that these two numbers are secret. If an attacker were able to gain knowledge of these numbers he could use them to calculate the private key. That's the reason why RSA depends on the hardness of the factoring problem. If someone can factor N he can break RSA. For all we know today factoring is hard enough to make RSA secure (at least as long as there are no large quantum computers).

Now imagine you have two RSA keys, but they have been generated with bad random numbers. They are different, but one of their primes is the same. That means we have N1=p*q1 and N2=p*q2. In this case RSA is no longer secure, because calculating the greatest common divisor (GCD) of two large numbers can be done very fast with the Euclidean algorithm, therefore one can calculate the shared prime value.

It is not only possible to break RSA keys if you have two keys with one shared factor, it is also possible to take a large set of keys and find shared factors between them. In 2012 Arjen Lenstra and his team published a paper using this attack on large scale key sets and shortly after that Nadia Heninger and a team at the University of Michigan also published research on that. This uncovered a lot of vulnerable keys on embedded devices, but these were mostly SSH and TLS keys. Lenstra's team however also found two vulnerable PGP keys. For more background you can watch this 29C3 talk by Nadia Heninger, Dan Bernstein and Tanja Lange.
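The shared-prime weakness described in the two paragraphs above (and the Euclid's GCD scan that Phuctor runs, in the previous article) in working form. This is an added example, not code from either article, from Phuctor or from Heninger's batch-GCD tool. The six toy primes just above one million, the sample modulus set and the function names are constructed for illustration; real moduli are 2048 to 4096 bits but the arithmetic is identical. It also includes the trial-division check that catches a modulus with a tiny factor such as 3, the case the article turns to next.

```python
from functools import reduce
from math import gcd

# Constructed toy primes (the first six primes above one million).
# Real RSA primes are ~1024-2048 bits each; the algorithm does not care.
P, Q1, Q2, R, S, T = 1000003, 1000033, 1000037, 1000039, 1000081, 1000099


def small_factor(n, bound=10_000):
    """Trial division: smallest prime factor of n below `bound`, or None.
    A genuine RSA modulus never has one; a modulus divisible by 3 fails here at once."""
    if n % 2 == 0:
        return 2
    f = 3
    while f < bound and f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return None


def pairwise_shared_factors(moduli):
    """Naive O(n^2) scan: gcd of every pair, returning the non-trivial hits."""
    hits = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g != 1:
                hits[(i, j)] = g
    return hits


def batch_gcd(moduli):
    """For each modulus N_i, gcd(N_i, product of all the other moduli).
    The product is computed once; reducing it mod N_i^2 and dividing by N_i gives
    (product of the others) mod N_i, so the giant product is never divided per key.
    This is the trick that makes the large-scale keyserver studies tractable."""
    prod = reduce(lambda a, b: a * b, moduli, 1)
    result = []
    for n in moduli:
        others_mod_n = (prod % (n * n)) // n
        result.append(gcd(n, others_mod_n))
    return result


def split(n, g):
    """Given a non-trivial divisor g of n, return the two factors in sorted order."""
    assert 1 < g < n and n % g == 0
    return tuple(sorted((g, n // g)))


def analyse(moduli):
    """Run the small-factor and shared-factor checks; one report entry per modulus."""
    report = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        entry = {"modulus": n, "small_factor": small_factor(n), "shared": None}
        if g == n:
            # The identical modulus appears twice; GCD alone cannot split it.
            entry["shared"] = "duplicate"
        elif g != 1:
            entry["shared"] = split(n, g)
        report.append(entry)
    return report


# Constructed sample key set: N0 and N1 share the prime P (bad RNG), N2 is healthy,
# N3 carries the tiny factor 3 (231 = 3*7*11) like the faulty modulus discussed above.
SAMPLE = [P * Q1, P * Q2, R * S, 231 * T]

if __name__ == "__main__":
    for i, entry in enumerate(analyse(SAMPLE)):
        print(i, entry)
```

The pairwise scan is what you would run over a handful of keys you control; `batch_gcd` is the shape of the computation needed for millions of keyserver entries, where an all-pairs scan is out of the question.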

PGP keyservers have been around for quite some time and they have a property that makes them especially interesting for this kind of research: They usually never delete anything. You can add a key to a keyserver, but you cannot remove it, you can only mark it as invalid by revoking it. Therefore using the data from the keyservers gives you a large set of cryptographic keys.

Okay, so back to the news about the supposedly broken 4096 bit key: There is a service called Phuctor where you can upload a key and it'll check it against a set of known vulnerable moduli. This service identified the supposedly vulnerable key.

The key in question has the key id e99ef4b451221121 and belongs to the master key bda06085493bace4. Here is the vulnerable modulus:

c844a98e3372d67f 562bd881da8ea66c a71df16deab1541c e7d68f2243a37665 c3f07d3dd6e651cc d17a822db5794c54 ef31305699a6c77c 043ac87cafc022a3 0a2a717a4aa6b026 b0c1c818cfc16adb aae33c47b0803152 f7e424b784df2861 6d828561a41bdd66 bd220cb46cd288ce 65ccaf9682b20c62 5a84ef28c63e38e9 630daa872270fa15 80cb170bfc492b80 6c017661dab0e0c9 0a12f68a98a98271 82913ff626efddfb f8ae8f1d40da8d13 a90138686884bad1 9db776bb4812f7e3 b288b47114e486fa 2de43011e1d5d7ca 8daf474cb210ce96 2aafee552f192ca0 32ba2b51cfe18322 6eb21ced3b4b3c09 362b61f152d7c7e6 51e12651e915fc9f 67f39338d6d21f55 fb4e79f0b2be4d49 00d442d567bacf7b 6defcd5818b050a4 0db6eab9ad76a7f3 49196dcc5d15cc33 69e1181e03d3b24d a9cf120aa7403f40 0e7e4eca532eac24 49ea7fecc41979d0 35a8e4accea38e1b 9a33d733bea2f430 362bd36f68440ccc 4dc3a7f07b7a7c8f cdd02231f69ce357 4568f303d6eb2916 874d09f2d69e15e6 33c80b8ff4e9baa5 6ed3ace0f65afb43 60c372a6fd0d5629 fdb6e3d832ad3d33 d610b243ea22fe66 f21941071a83b252 201705ebc8e8f2a5 cc01112ac8e43428 50a637bb03e511b2 06599b9d4e8e1ebc eb1e820d569e31c5 0d9fccb16c41315f 652615a02603c69f e9ba03e78c64fecc 034aa783adea213b

In fact this modulus is easily factorable, because it can be divided by 3. However if you look at the master key bda06085493bace4 you'll find another subkey with this modulus:

c844a98e3372d67f 562bd881da8ea66c a71df16deab1541c e7d68f2243a37665 c3f07d3dd6e651cc d17a822db5794c54 ef31305699a6c77c 043ac87cafc022a3 0a2a717a4aa6b026 b0c1c818cfc16adb aae33c47b0803152 f7e424b784df2861 6d828561a41bdd66 bd220cb46cd288ce 65ccaf9682b20c62 5a84ef28c63e38e9 630daa872270fa15 80cb170bfc492b80 6c017661dab0e0c9 0a12f68a98a98271 82c37b8cca2eb4ac 1e889d1027bc1ed6 664f3877cd7052c6 db5567a3365cf7e2 c688b47114e486fa 2de43011e1d5d7ca 8daf474cb210ce96 2aafee552f192ca0 32ba2b51cfe18322 6eb21ced3b4b3c09 362b61f152d7c7e6 51e12651e915fc9f 67f39338d6d21f55 fb4e79f0b2be4d49 00d442d567bacf7b 6defcd5818b050a4 0db6eab9ad76a7f3 49196dcc5d15cc33 69e1181e03d3b24d a9cf120aa7403f40 0e7e4eca532eac24 49ea7fecc41979d0 35a8e4accea38e1b 9a33d733bea2f430 362bd36f68440ccc 4dc3a7f07b7a7c8f cdd02231f69ce357 4568f303d6eb2916 874d09f2d69e15e6 33c80b8ff4e9baa5 6ed3ace0f65afb43 60c372a6fd0d5629 fdb6e3d832ad3d33 d610b243ea22fe66 f21941071a83b252 201705ebc8e8f2a5 cc01112ac8e43428 50a637bb03e511b2 06599b9d4e8e1ebc eb1e820d569e31c5 0d9fccb16c41315f 652615a02603c69f e9ba03e78c64fecc 034aa783adea213b

You may notice that these look pretty similar. But they are not the same. The second one is the real subkey, the first one is just a copy of it with errors.

If you run a batch GCD analysis on the full PGP key server data you will find a number of such keys (Nadia Heninger has published code to do a batch GCD attack). I don't know how they appear on the key servers, I assume they are produced by network errors, hard disk failures or software bugs. It may also be that someone just created them in some experiment.

The important thing is: Everyone can generate a subkey to any PGP key and upload it to a key server. That's just the way the key servers work. They don't check keys in any way. However these keys should pose no threat to anyone. The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key.

However you won't be able to easily import such a key into your local GnuPG installation. If you try to fetch this faulty subkey from a key server GnuPG will just refuse to import it. The reason is that every subkey has a signature that proves that it belongs to a certain master key. For those faulty keys this signature is obviously wrong.

Now here's my personal tie in to this story: Last year I started a project to analyze the data on the PGP key servers. And at some point I thought I had found a large number of vulnerable PGP keys – including the key in question here. In a rush I wrote a mail to all people affected. Only later I found out that something was not right and I wrote to all affected people again apologizing. Most of the keys I thought I had found were just faulty keys on the key servers.

The code I used to parse the PGP key server data is public, I also wrote a background paper and did a talk at the BsidesHN conference.
https://blog.hboeck.de/archives/872-...t-RSA-key.html





CubeiTz Ltd - The World's First One Million Bit Encrypted File-Sharing Software
Press release

Experts now agree that computers and data centres will never be safe from hackers and data theft. The solution is to simplify and strengthen encryption on all devices.

CubeiTz announces the launch of a new data encryption technology for business and domestic users, which delivers an incredible one million-bit security solution - making it over 7,000 times more secure than connecting to your online bank.

Increasingly, hackers are targeting both consumers and enterprises. From celebrity pictures in iCloud to Sony Pictures entertainment, Ebay to Home Depot, the risk of data being compromised is growing. CubeiTz addresses this head on with the most powerful encryption software available - a seismic jump from the industry standards of 128 and 256-bit encryption.

CubeiTz has been developed to address growing concerns around data security, whether on device or in the cloud. CubeiTz encrypts your files at source with 1 million-bit encryption, ensuring files stored with your external cloud providers (Dropbox, iCloud, Box etc) are safe from prying eyes. Even locally encrypted data stored on your machine, USB flash drives and external hard drives are safe from theft or hackers.
With emphasis upon ease of use, set-up and encryption key management, the CubeiTz team have created the perfect solution for current and future encryption.

Existing cryptography is very focused and specific, for example one product may protect web connections, another the files on your USB keys and another your store login details. Our solution solves this problem by building a protected area ensuring anything running within CubeiTz and anything that it's connected to is encrypted.

The 3 main components at risk from vulnerabilities are corporate data, communications and the applications themselves.

CubeiTz is an encryption layer that encapsulates all 3 components to protect them from information theft. Our apps not only protect the information, but also make the applications work seamlessly across all supported platforms.


With a patent pending on the process and the architecture, an API will be released allowing developers to create applications that fit inside the encrypted environment. We aim to make this the industry standard for protected apps, data and communications, as well as safe secure storage for important documents for domestic users such as driving license, birth certificates, passports and account statements.

CubeiTz launches with their first product Data Guard with an impressive roadmap of products to follow.

• Data Guard:
  • Protects data on your computer and external storage devices.
  • Protects data stored in the cloud.
  • Share 1 million bit encrypted files.
  • Encrypted instant messaging.
  • Create your own unique interface.

CubeiTz has been developed by a team that includes David Duke, renowned IT security expert, who has developed many secure systems for government & military worldwide and is an industry spokesman on all levels of security.

"We have been developing the product for three years and now we are ready to go to market. The timing seems all the more apt given the size of data breaches we are seeing everyday across all walks of life. CubeiTz is a solution to a very real and significant problem." commented Mr Duke.

Sean Kearney, Chief Executive of CubeiTz added, "Not only have we developed a product to be proud of. The opportunity is global, with the markets infinite, which is why CubeiTz have partnered with Data Select as one of our chosen Sales and Distribution partners for both Enterprise and Retail customers."

Roy Taylor, Senior Vice President of Distribution for Data Select added, "CubeiTz is one of the most exciting products I've seen. Its applications are limitless in terms of file sharing and security, for businesses and consumers. Imagine if an employee loses a memory stick or a laptop it will no longer be the data disaster it would have been. If your laptop is stolen don't worry about your personal data falling in to the wrong hands. And for professional organisations, share data safely without fear of it being intercepted in the cloud".

CubeiTz is available as a one-month free trial from cubeitz.com, then for purchase via Data Select and Expansys online.
http://www.sys-con.com/node/3334985





How 1990s Encryption Backdoors Put Today's Internet in Jeopardy
Patrick Howell O'Neill

What happens when the government deliberately weakens and attacks encryption?

In the midst of a renewed debate on American encryption laws, research released on Tuesday reveals two new cyberattacks collectively known as Logjam that affect tens of thousands of the most popular websites. It also shows how Bill Clinton-era encryption laws and George W. Bush-era NSA attacks on encryption have made the Web less secure today, and it likely disproves the U.S. government's promise that it makes all crucial Internet vulnerabilities public.

The first part of the Logjam attack, like the Freak bug before it, allows an attacker to downgrade vulnerable connections to relatively weak 512-bit encryption that can be easily eavesdropped on or modified by a third party.

This is a direct consequence of 1990s American laws that limited the strength of exported encryption to 512 bits. The laws were designed so that American spies could more easily eavesdrop on foreign targets. The restrictions were eventually lifted after much resistance, but the consequences are still felt today due to widespread use of the weaker encryption.

"Logjam is once again a very clear reminder of why weakening cryptography is a very bad idea," researcher J. Alex Halderman said in a phone interview. "The vulnerability is a direct result of weakening cryptography legislation in the 1990s. Today, thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software."

The second facet of the Logjam attack shows that higher-grade cryptography of up to 1024 bits is vulnerable and likely currently under attack by state-sponsored hackers, like those at the National Security Agency.
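A defender-side check for the half of Logjam described above: parse a DHE ServerKeyExchange message and report the size of the prime the server offers, since a 512-bit group is the export-grade case and anything up to 1024 bits falls in the tier the researchers consider within nation-state reach. This is an added example, not code from the article or from the Logjam researchers. The sample records are constructed inside the script (the large odd integers are size placeholders, not real DH groups), the function names are my own, and the risk tiers follow the 512- and 1024-bit figures given in the article.

```python
import struct

# Real TLS constants (RFC 5246): record content type, handshake message type, version.
CONTENT_HANDSHAKE = 22
HS_SERVER_KEY_EXCHANGE = 12
TLS12 = 0x0303


def _opaque16(n: int) -> bytes:
    """Encode an integer as a 2-byte-length-prefixed big-endian string (TLS opaque<1..2^16-1>)."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(body)) + body


def build_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Construct a TLS 1.2 record carrying a DHE ServerKeyExchange (constructed test data).
    Only ServerDHParams (p, g, Ys) is included; the signature that follows in a real
    message is omitted because the size check does not need it."""
    params = _opaque16(p) + _opaque16(g) + _opaque16(ys)
    handshake = bytes([HS_SERVER_KEY_EXCHANGE]) + len(params).to_bytes(3, "big") + params
    return struct.pack("!BHH", CONTENT_HANDSHAKE, TLS12, len(handshake)) + handshake


def dh_prime_bits(record: bytes) -> int:
    """Return the bit length of the DH prime p offered in a ServerKeyExchange record.
    Every length field is checked so a truncated capture raises instead of misreporting."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if len(hs) != rlen or len(hs) < 6:
        raise ValueError("truncated handshake message")
    if hs[0] != HS_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange")
    (p_len,) = struct.unpack("!H", hs[4:6])
    p_bytes = hs[6:6 + p_len]
    if len(p_bytes) != p_len:
        raise ValueError("truncated DH prime")
    return int.from_bytes(p_bytes, "big").bit_length()


def classify(bits: int) -> str:
    """Map the prime size onto the tiers the article describes."""
    if bits <= 512:
        return "export-grade"    # breakable with open-source software, per the article
    if bits <= 1024:
        return "nation-state"    # plausible for an agency with nation-state resources
    return "acceptable"          # 2048 bits or more is the usual recommendation


def audit(record: bytes) -> tuple:
    """(prime bits, verdict) for one captured ServerKeyExchange record."""
    bits = dh_prime_bits(record)
    return bits, classify(bits)


# Constructed samples: placeholder integers of the right size, not real DH groups.
EXPORT_RECORD = build_server_key_exchange((1 << 511) | 1, 2, (1 << 510) | 12345)
STRONG_RECORD = build_server_key_exchange((1 << 2047) | 1, 2, (1 << 2046) | 12345)

if __name__ == "__main__":
    for name, rec in (("export", EXPORT_RECORD), ("strong", STRONG_RECORD)):
        print(name, audit(rec))
```

In practice you would feed `dh_prime_bits` the handshake records from a packet capture of your own servers; a verdict other than "acceptable" means the server is offering a group that Logjam-style precomputation can target, and the fix is to disable export cipher suites and generate a fresh 2048-bit or larger DH group.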

As a result of state-sponsored hacking attacks as well as the widespread use of low-quality cryptography across the Internet, tens of thousands of the world's most popular websites, about 8.4 percent, are vulnerable to attack. Also vulnerable are tens of thousands of email servers and 66 percent of virtual private networks (VPNs), which are specifically designed to protect a user's privacy from eavesdroppers.

What this means for the average Web user is that encryption that was meant to keep you safe and your data private—technologies like HTTPS, SSH, and VPNs—is likely being broken by the millions by the NSA, not to mention other countries with the resources to do so.

Earlier this year, Der Spiegel revealed Edward Snowden leaks that showed the NSA could passively decrypt VPN traffic, but they didn't explain how. The Logjam researchers spent months diving into the Snowden papers and are now asserting that, after millions of dollars of investments on the part of American intelligence, Logjam is how the NSA likely attacks encryption across the Web.

The NSA's likely use of the Logjam attack to break millions of encrypted connections runs counter to the U.S. government's promise that it makes public the vast majority of discovered zero-day exploits (i.e. vulnerabilities previously unknown and unpatched by the software vendor).

Why is low-quality cryptography used so widely? Two reasons: It takes time and money to fix with an upgrade to stronger encryption, of course, and many experts didn't think anyone could successfully break it.

"The issue is that, before Snowden went to the press, there were many smart computer experts who were happy to dismiss the idea that the NSA was doing anything like this," says Christopher Soghoian, principal technologist at the American Civil Liberties Union.

"If you had a conversation with engineers building your systems and said that the NSA is probably monitoring everything we do, they'd probably write you off as paranoid," he adds. "A lot of people weren't interested in upgrades and fixes because they thought the threat wasn't realistic."

There's a stark difference in the way security and cryptography were handled before and after Snowden. The consequences of pre-Snowden naivete are still with us today.

All major Web browsers are affected by Logjam. Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack, according to the researchers. Internet Explorer has already been upgraded.

Research team: NSA may be able to decrypt connections to 66% of VPN servers. Totally nuts. https://t.co/m8QkuNdiD2
— Christopher Soghoian (@csoghoian) May 20, 2015

"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," Halderman told Ars Technica. "That's exactly what the U.S. did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web."

Attacking even higher grade encryption, up to 768- or 1024-bit, is within the capabilities of state-supported hackers, including America's National Security Agency, the Logjam researchers say.

If the NSA has and is quietly exploiting a crypto flaw in most VPN traffic, the White House zero day policy is a joke http://t.co/QcUQYGX3AK
— Christopher Soghoian (@csoghoian) May 20, 2015

"In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break," the researchers explained. "We conclude that moving to stronger key exchange methods should be a priority for the Internet community."

The new research provides a strong answer to critical questions raised by Snowden's leaks that showed the NSA breaking millions of encrypted connections. Experts have long wondered how, and the Logjam attack is a powerful explanation.

Logjam came to light just hours after the biggest tech companies on Earth, including Google, Apple, Facebook, Twitter, and more wrote an open letter to President Obama urging him to oppose any legal mandates for backdoors in encryption.

"We decided it was time for the Internet community ... to draw a line in the sand," said Kevin Bankston, policy director at the New America’s Open Technology Institute, which organized the letter. "We're calling on Obama to put an end to these dangerous suggestions that we should deliberately weaken the cybersecurity of American products and services."

Many of the biggest companies involved in the letter were aware of this vulnerability before it was released to the public, so that they could fix it. The timing of the letter immediately followed by the disclosure of this new attack hardly seems like a coincidence.

Instead, it's the next move in an increasingly political battle over the future of encryption. On the other side of the fight are people like FBI Director James Comey who want to legally mandate inserting backdoors into encryption by American companies, like Apple's iOS and Google's Android mobile operating systems, which encrypt users' devices by default.

Experts have long argued that the consequences of such legislation would make the Internet less secure. Logjam is the cybersecurity community's proof that it does.

"The backdoor might have seemed like a good idea at the time," J. Alex Halderman said. "Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy.”

"Any unintentional flaws that are created as a part of this process will not be discovered for months or years after the fact," Soghoian said. "The take home for this story is that encryption is really difficult. It’s really hard for technical experts to get these things right under the best circumstances. Trying to build it with government restrictions is impossible."

You can read the research in full here:
http://www.dailydot.com/politics/log...vulnerability/





Paranoid Defence Controls Could Criminalise Teaching Encryption

The government's Defence Trade Controls Act effectively makes teaching encryption a criminal act and considers even a simple calculator as a potential weapon.
Daniel Mathews

You might not think that an academic computer science course could be classified as an export of military technology. But under the Defence Trade Controls Act – which passed into law in April, and will come into force next year – there is a real possibility that even seemingly innocuous educational and research activities could fall foul of Australian defence export control laws.

Under these laws, such “supplies of technology” come under a censorship regime involving criminal penalties of up to ten years imprisonment. How could this be?

The story begins with the Australian government’s Defence and Strategic Goods List (DSGL). This list specifies goods considered important to national defence and security, and which are therefore tightly controlled.

Regulation of military weapons is not a particularly controversial idea. But the DSGL covers much more than munitions. It also includes many “dual-use” goods, which are goods with both military and civilian uses. This includes substantial sections on chemicals, electronics and telecommunications, among other things.

Disturbingly, the DSGL risks veering wildly in the direction of over-classification, covering activities that are completely unrelated to military or intelligence applications.

To illustrate, I will focus on the university sector and one area of interest to mathematicians like myself: encryption. But similar considerations apply to a wide range of subject material, and commerce, industry and government.

Encryption: an essential tool for privacy

Encryption is the process of encoding a message so that it can be sent privately. Decryption is the process of decoding it, so that it can be read. Encryption and decryption are two aspects of cryptography, the study of secure communication.

As with many technologies subject to dual-use regulation, the first question is whether encryption should be covered at all.

Once the preserve of spies and governments, encryption algorithms have now become an essential part of modern life. We use them almost every time we go online.

Encryption is used routinely by consumers to guard against identity theft, by businesses to ensure the security of transactions, by hospitals to ensure the privacy of medical records, and many other organisations. Given that email has about as much security as a postcard, encryption is the electronic equivalent of an envelope.

Encryption is perhaps dual-use in the narrow sense that it is useful to both military/intelligence agencies as well as civilians. But so are other relatively mundane technologies like cars.

Moreover, since the Edward Snowden revelations – and even much earlier for those who were paying attention – essentially everyone knows they are subject to mass surveillance by the US National Security Agency, along with its Five Eyes partners, including Australia.

While states have no right to privacy, an individual’s right to privacy is considered a fundamental human right. And in today’s world, encryption is essential for individual citizens to safeguard this human right. Strict control of encryption as dual-use technology, then, would not only be a misuse of state power, but would represent the curtailment of a fundamental right.

How the DSGL covers encryption

Nonetheless, let’s assume for the purposes of argument that there is a justification for regarding at least some aspects of cryptography as dual-use, and consider how the DSGL covers encryption.

The DSGL contains detailed technical specifications. Very roughly, it covers encryption above a certain “strength” level, as measured by technical parameters such as “key length” or “field size”.

The practical question is how high the bar is set: how powerful must encryption be in order to be classified as dual-use?

The bar is currently set low. For instance, software engineers debate whether they should use 2,048 or 4,096 bits for the RSA algorithm. But the DSGL classifies anything over 512 bits as dual-use. In reality, the only cryptography not covered by the DSGL is cryptography so weak that it would be imprudent to use.

Moreover, the DSGL doesn’t just cover encryption software: it also covers systems, electronics and equipment used to implement, develop, produce or test it.

In short, the DSGL casts an extremely wide net, potentially catching open source privacy software, information security research and education, and the entire computer security industry in its snare.

Most ridiculous, though, are some badly flawed technicalities. As I have argued before, the specifications are so imprecise that they potentially include a little algorithm you learned at primary school called division. If so, then division has become a potential weapon, and your calculator (or smartphone, computer, or any electronic device) is a potential delivery system for it.

These issues are not unique to Australia; the DSGL encryption provisions are copied almost verbatim from an international arms control agreement. What is unique to Australia is the strict level of regulation.

Criminal offences for research and teaching?

The Australian Defence Trade Controls Act (DTCA) regulates the DSGL and enacts a censorship regime with severe criminal penalties.

The DTCA prohibits the “supply” of DSGL technology to anyone outside Australia without a permit. The “supply” need not involve money, and can consist of merely providing access to technology. It also prohibits “publishing” DSGL technology, but after recent amendments, this offence only applies to half the DSGL: munitions, not dual-use technologies.

What is “supply” then? The law does not define the word precisely, but the Department of Defence suggests that merely explaining an algorithm could constitute “intangible supply”. If so, then surely teaching DSGL material, or collaborating on research about it, would be covered.

University education is a thoroughly international and online affair – not to mention research – so any such “supply”, on any DSGL topic, is likely to end up overseas on a regular basis.

Outside of academia, what about programmers working on international projects such as Tor, providing free software so citizens can enjoy their privacy rights online? Or network security professionals working with overseas counterparts?

Examples of innocuous, or even admirable, activities potentially criminalised by this law are easily multiplied. Such activities must seek government approval or face criminal charges – an outrageous attack on academic freedom, to say the least.

There are exemptions, which have been expanded under recent amendments. But they are patchy, uncertain and dangerously limited.

For instance, public domain material and “basic scientific research” are exempted. However, researchers, by definition, create new material not in the public domain. And according to the Australian Bureau of Statistics, “basic scientific research” is a narrow term, which excludes research with practical objectives. Lecturers, admirably, often include new research in teaching material. In such circumstances none of these exemptions will be of assistance.

Another exemption covers supplies of dual-use technology made “preparatory to publication”, apparently to protect researchers. But this exemption will provide little comfort to researchers aiming for applications or commercialisation, and none at all to educators or industry. A further exemption is made for oral supplies of DSGL technology, so if computer science lecturers can teach without writing (giving a whole new meaning to “off the books”) they might be safe.

There is no explicit exemption for education. None for public interest material. And indeed, the government clearly envisions universities seeking permits to teach students DSGL material – and, by implication, criminal charges if they do not.

On a rather different note, the DTCA specifically enables the Australian and US militaries to share technology.

Thus, an Australian professor emailing an American collaborator or postgraduate student about a new applied cryptography idea, or explaining a new variant on a cryptographic algorithm on a blackboard in a recorded lecture broadcast over the internet — despite having nothing explicitly to do with military or intelligence applications — may expose herself to criminal liability. At the same time, munitions flow freely across the Pacific. Such is Australia’s military export regime.

Brief reprieve

There is nothing wrong in principle with government regulation of military technology. But the net is cast too broadly in the DSGL, especially in the case of encryption. The regulatory approach of the DTCA’s permit regime is effectively one of censorship with criminal penalties for breaches.

The result is vast overreach. Even if the Department of Defence did not exercise its censorship powers, the mere possibility is enough for a chilling effect stifling the free flow of ideas and progress.

The DTCA was passed in 2012, with the criminal offences scheduled to come into effect in May 2015. Thankfully, emergency amendments that passed into law in April this year have provided one year’s reprieve.

Despite those amendments, the laws remain paranoid. The DSGL vastly over-classifies technologies as dual-use, including essentially all sensible uses of encryption. The DTCA potentially criminalises an enormous range of legitimate research and development activity as a supply of dual-use technology, dangerously attacking academic freedom – and freedom in general – in the process.
https://theconversation.com/paranoid...cryption-41238





Asian Submarine Network Operator Hit by Major System Hack
Alice MacGregor

Undersea cable company Pacnet, recently acquired by Australian telecommunications giant Telstra, confirmed today that it has been the victim of a cyberattack targeting its email and administration systems and potentially exposing sensitive data of thousands of business and government customers.

Telstra said that an unauthorised third party had been able to gain access to the Pacnet business management systems through malicious software installed via a vulnerability on an SQL server. The hack had taken place just weeks before Telstra acquired the Asian internet service provider for $550mn (approx. £350mn) on 16th April this year. The telecom company confirmed that it had not been aware of the hack when it signed the deal in December 2014.

According to Telstra it is still unclear whether personal information of Pacnet customers had been exposed to theft, but it did suggest that had it been the intent of those behind the attack the opportunity was certainly there.

“We have no evidence that data was taken from the Pacnet corporate network,” said Mike Burgess, corporate security and investigation CIO at Telstra.

“Whilst we will look into who was behind the breach we may never know as attribution is very difficult. We have not had any contact from the perpetrators nor do we know the reason behind this activity,” he added.

Telstra revealed that the Australian Federal Police had been among the Pacnet client list, but has refused to provide comment on any of the other affected accounts.

Pacnet, a Hong Kong and Singapore-based company, owns approximately 28,000 miles of submarine fibre networks in the Asia Pacific region and provides internet protocol virtual private network (VPN) services in China.

The acquisition has enabled Telstra to break into the rapidly growing Chinese network management industry, spurred by demand for cloud computing services and remote access to corporate email systems and servers.
http://thestack.com/asian-submarine-...or-hack-200515





UK Government Quietly Rewrites Hacking Laws to Give GCHQ Immunity

Changes to the Computer Misuse Act were secretly introduced over a year ago.
Sebastian Anthony

The UK government has quietly passed new legislation that exempts GCHQ, police, and other intelligence officers from prosecution for hacking into computers and mobile phones.

While major or controversial legislative changes usually go through normal parliamentary process (i.e. democratic debate) before being passed into law, in this case an amendment to the Computer Misuse Act was snuck in under the radar as secondary legislation. According to Privacy International, "It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner's Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes... There was no public debate."

Privacy International also suggests that the change to the law was in direct response to a complaint that it filed last year. In May 2014, Privacy International and seven communications providers filed a complaint with the UK Investigatory Powers Tribunal (IPT), asserting that GCHQ's hacking activities were unlawful under the Computer Misuse Act.

On June 6, just a few weeks after the complaint was filed, the UK government introduced the new legislation via the Serious Crime Bill that would allow GCHQ, intelligence officers, and the police to hack without criminal liability. The bill passed into law on March 3 this year, and became effective on May 3. Privacy International says there was no public debate before the law was enacted, with only a rather one-sided set of stakeholders being consulted (Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, police, and National Crime Agency).

Despite filing its complaint way back in 2014, Privacy International wasn't told about the changes to the Computer Misuse Act until last week, after the new legislation had already become effective. The UK government is allowed to do this, of course, but it's a little more underhanded and undemocratic than usual.

According to Privacy International's legal experts, the amended Computer Misuse Act "grants UK law enforcement new leeway to potentially conduct cyber attacks within the UK." Following Snowden's leaks throughout 2013 and 2014, a cynical person might see this new legislation as something of an insurance policy: under the previous Computer Misuse Act, the courts might have found GCHQ's hacking activities within the UK to be illegal—now they're on more solid ground.
http://arstechnica.co.uk/tech-policy...gchq-immunity/





Phone-Hacking Victims Win Damages from Trinity Mirror Group

Eight mostly celebrity victims of phone-hacking won a total of 1.2 million pounds in damages from Britain's Trinity Mirror newspaper group on Thursday in the first civil lawsuit related to the tabloid scandal to conclude in court.

The victims were actress Sadie Frost, retired footballer Paul Gascoigne, BBC executive Alan Yentob, three actors from TV soap operas, a TV producer and a flight attendant who had dated England footballer Rio Ferdinand.

Trinity Mirror, owner of the Daily Mirror and Sunday Mirror tabloids, said it was considering an appeal against the High Court ruling.

"We have said all along that we would pay full, fair and proper compensation to the claimants and that is not in dispute," a spokeswoman said.

"However, damages need to be proportionate to compensation awarded in previous cases of physical and mental suffering ... Our current view is that the basis used for calculating the damages is incorrect."

Trinity Mirror shares were down 1.9 percent at 11.37 a.m.

The eight claimants sought damages after reporters seeking scoops listened to their voicemail messages, leading in some cases to salacious stories and to the victims suspecting those close to them of leaking information to reporters.

Frost was awarded 260,250 pounds, Gascoigne 188,250 pounds and Yentob 85,000 pounds.

The awards were larger than those given to victims in out-of-court settlements, and Frost's was believed to be the single biggest privacy damages payout since the phone-hacking scandal broke, according to the Guardian newspaper.

Trinity Mirror said last July it had set aside 4 million pounds over the first six months of the year to cover the cost of dealing with and settling phone-hacking claims.

Thursday's High Court ruling was the first time that a civil lawsuit related to phone-hacking has been decided by a judge. Previous damages claims against both Trinity Mirror and Rupert Murdoch's News UK group (NWSA.O) were settled out of court.

The phone-hacking scandal erupted in 2011 when it was revealed that some staff at Murdoch's News of the World tabloid had routinely listened to private voicemail messages to generate scoops, prompting Murdoch to shut down the 168-year-old paper.

Police have been conducting a vast investigation into phone-hacking and other suspected illegal practices by tabloid newspapers. At first the focus was mostly on Murdoch's titles, but it later widened to the Trinity Mirror newspapers.

The group has said it was cooperating with the Metropolitan Police Service investigations.

Piers Morgan, a former editor of the Mirror who went on to become a well-known TV presenter in the United States, has been questioned by police twice in connection with their investigations. He has denied any involvement and has not been charged.

An eight-month criminal trial into hacking at the News of the World resulted in a conviction for conspiracy to intercept messages for former editor Andy Coulson, who had gone on to work as Prime Minister David Cameron's communications chief.

Rebekah Brooks, another former News of the World editor who had risen to be the boss of Murdoch's entire British newspaper arm, was acquitted of all charges in the same trial.

(Reporting by Estelle Shirbon; editing by Stephen Addison)
http://uk.reuters.com/article/2015/0...0O617Q20150521





‘CIA Put Positive Spin On Torture for the Movie Zero Dark Thirty’

A PBS documentary shows that CIA backed the film to help rewrite the narrative on torture
Narayan Lakshman

The U.S. Central Intelligence Agency (CIA) leaked propaganda material to the team of Zero Dark Thirty to build a positive spin on how its brutal torture programmes yielded intelligence used to find and kill Osama bin Laden, according to evidence shown in a documentary film this week.

In Secrets, Politics and Torture, which premieres on Tuesday on the PBS Frontline channel, internal memos of the CIA show that the Agency deliberately chose to back the film by Kathryn Bigelow given its likely success at the Oscars, and the opportunity it presented to rewrite the narrative on whether torture yielded any valuable intelligence.

Picking favourites

In one memo apparently authored by ex-CIA Spokesperson Marie Harf, the discussion focusses on “picking favourites.”

Ms. Harf wrote, “I know we don’t ‘pick favourites,’ but it makes sense to get behind the winning horse… Mark and Kathryn’s movie is going to be the first and the biggest. It’s got the most money behind it and two Oscar winners on board.” Sure enough, the 2012 film went on to win critical acclaim, receiving nominations in five categories at the 85th Academy Awards, and winning in one of them. It also scooped up multiple Golden Globe Award nominations and a Best Actress award.

The documentary reveals some senior members of Congress serving on intelligence committees had serious reservations about the film’s narrative on how the intelligence obtained — using torture techniques like water-boarding on Guantanamo Bay inmates — was of actual value in the May 2011 raid in which bin Laden was killed. Democrat and California Senator Dianne Feinstein was one such lawmaker.

As Chair of the Senate’s Select Committee on Intelligence since 2009, she had intimate knowledge of the Agency’s torture programmes and was in fact leading the fight against the CIA’s attempts to recast the efficacy of the programmes.

In the PBS documentary, she said, “I walked out of Zero Dark Thirty, candidly… I got into it [for] about 15-20 minutes [and then] I left. I couldn’t handle it, because it’s so false.”

For years, lawmakers such as Senators Feinstein and Mark Udall have fought to bring to light a parallel narrative to the one pushed by the CIA.

In December 2014, they succeeded, the PBS documentary notes, with the publication of the Committee’s review of the “enhanced interrogation” techniques of the CIA, a report that found these methods to be “brutal and far worse” than the CIA let on, and further, that they were ineffective, detrimental to national security and did not help find bin Laden in Abbottabad, Pakistan.
http://www.thehindu.com/news/interna...cle7224458.ece





Microsoft Study Claims Technology Shortens Our Attention Span
Yoni Heisler

A new study from Microsoft shows that our attention spans may be dwindling. The culprit? Technology.

In a report that may not surprise anyone, a new study from Microsoft reveals that our attention spans are at an all-time low, and the culprit, not surprisingly, is the ubiquity of technology which now touches every corner of our lives 24/7.

Indeed, you can thank the iPhone for ushering in the smartphone era and creating a world where most of us remain tethered to our devices, lest we miss a text message or the latest sports scores.

According to Microsoft's study, which was conducted via EEG scans, the average attention span dropped from 12 seconds in 2000 to 8 seconds in 2013. To put that data into context, the average attention span of a goldfish is about 9 seconds, according to the study.

Medical Xpress adds:

The researchers also found that those volunteers who used their digital devices more than others tended to have more trouble focusing in situations where it was required to function. They also noted that early adopters or users who have used digital devices quite heavily have learned over time to front-load their attention, allowing large amounts of information to flow in and to be processed, before switching their focus to something else, resulting in an increase in bursts of high attention. The researchers suggest this means they are better at determining what information they want to focus on and which to ignore.

So I suppose this is the silver lining of it all; while our attention spans may be somewhat diminished, we are sometimes able to counteract that by devoting an inordinate amount of attention to certain tasks for short periods of time.

The full research report can be downloaded over here.
http://www.networkworld.com/article/...tion-span.html





Teachers Using Pens and Paper in the Classroom “Not Fair” to Students, Microsoft Official Says
Stephen Hui

Pens and paper have no place in the modern classroom. And chalkboards? They should be banished from our schools too.

That’s what Lia De Cicco Remu, director of Partners in Learning at Microsoft Canada, told the Georgia Straight ahead of the Microsoft Summit 2015 in Vancouver, which is set to be attended by around 200 teachers.

“When was the last time you used a piece of chalk to express yourself?” De Cicco Remu, a former teacher, asked by phone from Toronto. “Kids don’t express themselves with chalk or in cursive. Kids text.”

On May 23, the Microsoft Summit will take place at UBC’s Point Grey campus. LEARNstyle CEO DJ Cunningham is slated to be the keynote speaker.

Tickets for the education-focused event, which includes interactive demonstrations and hands-on workshops featuring Microsoft products, cost $25.

“It’s a way for teachers to get the professional development they need to bring relevant teaching practices into the classroom right now, because our kids are getting killed,” De Cicco Remu said. “They’re not getting the teaching style that they need for now and for the future. We’re still teaching them the way we did a hundred years ago.”

According to De Cicco Remu, both teachers and students are already using the latest digital technology to communicate outside of the classroom. She asserted that teachers need to “start rolling with the way these kids communicate”.

“We need to go to them to understand what they’re doing and to teach them how to direct that in a way that’s going to lead to their success in the future. Right now, we’re in the midst of this very difficult shift, because we don’t get it and we’re trying to understand it. That, for a teacher, can be terrifying.”

De Cicco Remu argued that good pedagogy must be “layered” with the appropriate technology to be relevant to students. She highlighted Office 365 and OneNote as Microsoft products well-suited for the classroom.

“Why do you expect a kid to go to school and sit in the same seat everyday with pens and paper?” De Cicco Remu asked. “When they come home, they’ve got all these devices and they’re gaming and they’re doing all this great stuff online, and the expectation at school is to do something radically different. Would you want to do it? I wouldn’t want to do it.”

Asked what today’s classroom should look like, De Cicco Remu cited that of Zoe Branigan-Pipe, a teacher in Hamilton, Ontario. De Cicco Remu noted Branigan-Pipe teaches in a “hub” featuring 3-D printers, computers, couches, and Lego.

“She talks about authentic learning places,” De Cicco Remu said. “So classroom—what classroom? Learning is anytime, anywhere. Kids are learning everywhere. As long as they have that device and they have that connectivity to the cloud, they can do their work anywhere. So that’s why the tools become so important.”

De Cicco Remu pointed out that the role of teachers is changing from “sage on the stage to facilitator to activator”. This kind of teaching and learning requires “open spaces”, she maintained.

“Our schools are like jails—brick walls, colourless, not very engaging or exciting,” De Cicco Remu said.

Throwing out pens, paper, and chalkboards—not to mention print textbooks—doesn’t mean that schools should abandon writing altogether, according to De Cicco Remu. With a stylus and a tablet, kids can still cognitively benefit from the digitized practice of “inking”, she explained.

For teachers skeptical about new technology’s place in the classroom, she has a message.

“Shift or get off the pot,” De Cicco Remu said. “Seriously, it’s not fair to the kids. It’s tough at the outset to understand and learn all these tools, but you’re doing a disservice to our students and these kids’ futures if you don’t. And that’s your job.”
http://www.straight.com/life/452561/...-official-says





A Pencil Shop, for Texting the Old-Fashioned Way
Molly Young

About 500 years after a graphite deposit was discovered in England and sliced into the first pencils, a store devoted to pencils has opened in Lower Manhattan. If the enterprise seems belated, well, it is. Who uses a pencil anymore?

Pencils are like fax machines and margarine: They do a job, sure, but other things do the same job better — pens, email and butter, respectively. You can write a letter in pencil, but it’s more adult to write in pen. You can solve a crossword in pencil, but it’s more courageous in pen.

And yet, here’s the thing: Being in the presence of an obsessive hobbyist is intoxicating. Any kind of hobbyist, no matter what the locus of her attention.

The monomaniac at the helm of C. W. Pencil Enterprise is Caroline Weaver, a 24-year-old Natalie Wood look-alike with a pencil tattooed on her forearm. Her store is the size of a juice box, with a checkered floor and jars of yellow button chrysanthemums sprinkled around. With its spanking newness and luminous blocks of color, the place looks like an Edward Hopper canvas. (Or, as the website Racked put it: “This Fancy Pencil Store Is Begging to Be Instagrammed.”)

And it really does sell mostly pencils. Which is insane, but in an entrancing way, as if Captain Ahab opened a boutique of whale trinkets.

On the first day I visited, Ms. Weaver sat behind the counter, springing up often to highlight the virtues of this or that pencil. “This was John Steinbeck’s favorite pencil,” she said of a Blackwing 602 ($2). Its slogan, printed on the shaft, is “Half the Pressure, Twice the Speed.”

When I asked which pencil she used most, Ms. Weaver indicated a marbled Creamsicle-colored number with “Made in India” stamped on the side (30 cents). “I also like this one at the moment,” she said, offering a pencil from the century-old company Caran d’Ache ($4.50). “It’s made of beechwood.” There was no eraser on the pencil; instead, a shiny nub lacquered with a Swiss cross gleamed at one end. (Possible subtext: The Swiss don’t make mistakes.)

For those who prefer the whiff of lily-of-the-valley to graphite, a package of scented pencils ($8) from Portugal smells like a rich lady’s hand soap. For Sudoku enthusiasts, Ms. Weaver recommends a pencil with an ultrafine-tip eraser ($2).

The store is organized with the space-saving rigor of a ship’s cabin. Pencils are displayed upright in glass jars labeled with their origin: Japan, Germany, France, the Czech Republic, Tennessee. Framed vintage advertisements on the wall depict the likes of Booth Tarkington shilling his favorite pencils. (Tarkington’s advice to young writers: “Use pencils. Write on thick paper. Sharpen two or three dozen rather soft pencils before you work. Use pencils with erasers on them — and use the erasers!”)

An elegant woman lifted a pencil with a crabbed grip. “Samantha, remember when you wrote like this?” she asked a younger woman.

“I still do, Mom,” came Samantha’s withering reply.

On a second visit, the store was overseen by a different woman who knew just as much about pencils. To a young lady seeking a gift, she urged experimentation. Would the young lady like to try a triangular pencil? How about a chubby pink pencil that functioned as a low-tech highlighter? A pencil shaped like a cigarette, to freak out the customer’s mother?

To a man interested in writing sheet music, she recommended an antique IBM pencil, designed to show up dark when scanned by an early computer, and so suited to someone who may be scanning his musical inventions on a 2015-era machine.

I asked the man why he’d chosen that particular pencil. “Because it’s cool,” he said. “And how often can you buy a functional thing from the 1950s in mint condition for $5?”

Good point.

The “functional” part of his reply is especially apt. Because pencils have a credible use, this single-minded store is able to transcend its novelty status. It’s more like a guitar shop than, say, a place devoted solely to popcorn or ice cream sandwiches (both of which are actual stores that exist within a five-block radius of this one).

If you make a purchase (and it’s hard not to, given that you can pay with pocket change), your goods will be wrapped in a box and tied up with string.

Henry David Thoreau could stick his hand into a bin of pencils and grab exactly 12 in one swoop, a “Rain Man”-like skill that impressed his friend Ralph Waldo Emerson. I bought 12 pencils from C. W. Pencil Enterprise in honor of the Transcendental trinomials. The total cost: $12.
http://www.nytimes.com/2015/05/21/fa...ioned-way.html





Until next week,

- js.






Current Week In Review





Recent WiRs -

May 16th, May 9th, May 2nd, April 25th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black