13-01-16, 09:12 AM #1
Join Date: May 2001
Location: New England
Peer-To-Peer News - The Week In Review - January 16th, '16
"I answered the phone as 'Free Palestine Movement.' They said, 'Who?' They said they were trying to reach General Clapper. I said, 'I’m sorry, I have no way of connecting you.'" – Paul Larudee
"My father’s a very wonderful man, and he said, 'Thank you for what you’re doing for my son.' I thought: Shut up, Dad. You’re making me look uncool." – Iggy Pop
"I actually think end-to-end encryption is good for America. I know encryption represents a particular challenge for the FBI. But on balance, I actually think it creates greater security for the American nation than the alternative: a backdoor." – General Michael Hayden
January 16th, 2016
Public Rejects 10-Year Jail Sentences for File-Sharing in the UK
The UK public has overwhelmingly rejected government plans to increase the maximum term for online copyright infringement to 10 years.
A consultation by the Intellectual Property Office (IPO) saw 98 percent of respondents argue that the sentence would be too harsh, particularly as it is not seen as “a serious crime.”
While the change would bring online copyright laws in line with those around physical infringement, people responding to this point argue that the level of investment required, and the intent, are not typically comparable.
“Physical requires a sophisticated set up, whereas online can be done quickly, without specialist equipment and sometimes unwittingly,” the IPO document said in summary.
While supporters, including the UK’s leading creative industry bodies, suggest that this would act as “powerful deterrent” to potential infringers, the extent to which people operating at a small scale cause genuine harm has been called into question.
The majority of the 1,032 responses came via a campaign from the UK’s Open Rights Group (ORG).
ORG said of the consultation when it went live:
New proposals to make online copyright infringement punishable by ten years in jail risk punishing users who share links and files online more harshly than ordinary, physical theft.
Overall 1,011 people objected to the new law outlined in the consultation, with just 21 agreeing that the rules should be updated.
In response to this, the government said:
This proposal has clearly struck a chord with many stakeholders, which is reflected in the high number of responses. As a result, the government is now carefully considering the best way forward. However, the government remains committed to tackling those engaged in online criminality.
Jim Killock, Executive Director of ORG, told The Next Web:
Copyright infringement can happen unwittingly, even commercially. Online it is trivial. With this law, there is little definition about what counts as criminal infringement and could therefore trigger threats of criminal charges and jail sentences.
If the government or rights holders want to suggest a harsher punishment, then they should draft something which ensures criminal infringement is limited to deliberate, knowing infringement for substantial commercial gain.
The response to the consultation is not legally binding but the government is clearly mulling over its next move, given the overwhelmingly negative response to the change.
Once Again, Piracy Is Destroying The Movie Industry... To Ever More Records At The Box Office
We seem to end up posting stories like this every year, but it just keeps on happening. Hollywood whines and whines and whines about how piracy is killing the movie business... and then announces yet another record year at the box office.
Recent numbers show that the movie industry just broke the magic $11 billion barrier, generating more revenue than ever before at the North American box office. The revenue for 2015 totals $11.3 billion, roughly a 9% increase over 2014.
The worldwide grosses also reached an all-time record according to research from Rentrak, which estimates the global grosses at a staggering $38 billion based on data from 25,000 theaters across the globe.
Of course, sometimes people argue back that this is only because tickets are more expensive and that fewer people are actually buying tickets to go to the theater. About that...
Another sign that business is going well, at least for some, is the increase in the number of tickets that were sold. In 2015 theaters increased their ticket sales by more than 5% in North America.
I imagine that some will respond that this was really only because of the desire to see the new Star Wars flick, but isn't that simply proof that if you deliver what the public wants, they'll pay to go to the theater?
The other response, then, is that the real problem is that the home video market has declined. Sure, but that's the same home video market that Hollywood tried desperately to kill, so I'm not sure that's a legitimate argument if you're defending Hollywood.
But, even if we accept the question of the home video market, I'll just point out that, last I checked, Netflix had a valuation over $45 billion. So, at least Wall Street doesn't seem to be too up in arms about the state of the "home video" market.
Of course, every time we post this kind of thing, we're left asking if Hollywood will finally recognize that, maybe, just maybe, piracy isn't the issue they should be focused on. And it never happens. However, let's be optimistic this year and hope that maybe Hollywood will finally come around to realize that the thing it's been saying will kill it hasn't done anything of the sort.
Nielsen: Music Streams Doubled In 2015, Digital Sales Continue To Fall
2015 was a good year for streaming services, according to Nielsen’s year-end Music report out now. In 2015, on-demand streaming services grew to 317 billion streams – a doubling from 2014, which saw 164.5 billion songs streamed, the Nielsen report states.
Also interesting is how the shift to streaming is impacting album sales. Though album sales were still down by 6 percent in 2015, the decline was not as bad as the year prior when they had dropped by 11 percent.
In addition, sales of vinyl grew in 2015. Sales were up 30 percent, and accounted for almost 9 percent of physical album sales.
Of course, streaming services supplant a number of traditional album sales, which is why overall sales continue to drop.
In 2015, digital track sales were also down thanks to streaming’s rise, dropping 12.5 percent to 964.8 million units in 2015 – a decline from 2014’s 1.1 billion units.
Digital album sales didn’t fare as badly, though. Last year, they declined only 2.9 percent to 103.3 million, down from 106.5 million in 2014.
The good news is that “stream equivalent” albums grew. According to Billboard, the increase in songs streamed in 2015 can be translated into 211.5 million stream equivalent albums. (Its methodology involves 1,500 song streams equaling one album.)
That’s an increase of 109.7 million from 2014, or nearly 93 percent higher year-over-year.
It’s worth noting that when Nielsen tracked music streaming over the course of the year, it wasn’t focused only on audio services like Spotify. Instead, the measurement firm looked at a variety of both audio and video services, including AOL, Beats (now owned by Apple), Cricket, Google Play, Medianet, Rdio (now acquired by Pandora), Rhapsody, Slacker, Xbox Music, YouTube, and VEVO.
While overall, streaming was up year-over-year to 317.2 billion streams, video streams grew more. In 2015, music video grew 101.9 percent to 172.4 billion streams, while audio streams grew 83.1 percent to 144.9 billion streams.
However, despite the rise of streaming, these services have not yet overtaken radio as the number one way people are discovering new music. Instead, 61 percent report hearing songs first on AM, FM or satellite radio; 45 percent say it’s word-of-mouth that leads to discovery; 31 percent hear songs in movies or in soundtracks; and then streaming clocks in at fourth place, with 27 percent saying they learned of new songs from streaming websites or apps.
In addition to the various streaming metrics, Nielsen’s report also looked at music consumption as whole.
In the U.S., consumers spend 24 hours per week on average listening to music. And of the 91 percent of Americans who listen to music, 75 percent report listening to music online every week, while 44 percent listen on smartphones.
Meanwhile, when it comes to spending on music, live music like concerts (32%) and music festivals (10%) still accounts for the largest share of spend, 42 percent combined. Satellite radio accounts for another 11 percent of spending, while paid streaming registers at only 7 percent – behind physical sales (13%) and digital downloads (11%).
Paid streaming’s share is a bit higher, however, with teens and millennials (age 18-34), where it sits at 8 percent and 9 percent, respectively.
When asked why consumers chose to subscribe to a paid service, or opt not to, it appears that cost was a big reason. 83 percent said price of the service was their top factor in their decision to sign up, though ease-of-use and song library were also hugely important.
And when deciding not to subscribe to a service, again cost was the main issue, with 46 percent saying that they wouldn’t subscribe if a service was too expensive. Another notable factor is that many consumers find they can stream music for free, and don’t see the benefit of paying.
That speaks to streaming services’ need to offer more than just an on-demand catalog. They should also be a place where users can learn about new music and artists, like Spotify offers with its “Discover Weekly” playlist and Apple Music provides through its “Beats 1” radio. Streaming services may also need to focus on allowing fans to better connect with artists, buy concert tickets or merchandise, and offer online communities or other music-related content.
And it seems that many consumers still need convincing – 78 percent said they were unlikely to pay for a streaming service in the next 6 months, versus just 9 percent who said they probably would.
A good bit of Nielsen’s report also focused on Adele’s success in 2015. With over 7.4 million year-to-date album sales in just six weeks’ time, Adele and her album “25” were one of the biggest music stories of the year. But notably, Adele and other major stars like Taylor Swift are defining a new category of artists – those who are large enough to eschew streaming services. Adele didn’t make her album available to on-demand streaming services this year, including Spotify, Apple Music or Deezer.
The move followed that of Swift, who withheld “1989” from streaming services, until later releasing it on Apple Music – but only after she used her clout to get Apple to pay artists during Apple Music’s free trial period.
Nielsen’s full report is available online.
Apple to Start Charging for iTunes Radio
Apple Inc said it will soon start charging for iTunes Radio, its music-streaming service that competes with Pandora Media Inc.
iTunes Radio, which was announced in 2013, will no longer be free from the end of January, Apple said in a statement.
The ad-supported service, available only in the United States and Australia, will be folded into Apple Music, which costs $9.99 a month.
Beats 1, the global 24/7 radio station, will now be the free music option for listeners.
(Reporting by Anya George Tharakan in Bengaluru; Editing by Leslie Adler)
VLC Now Available for Apple TV: Our First Impressions
VLC is now available for the Apple TV. Just like every other version of VLC, the Apple TV version aims to play video files and streams in "their native formats without conversions". Felix Kühne, lead iOS developer for VLC, writes on his blog:
Today, we are proud to announce VLC on the Apple TV. It’s a full port of VLC media player combined with platform specific features.
VLC for Apple TV integrates with a plethora of devices and services on your local network and includes a custom way of casting files directly to the TV from your other computers using a web browser!
I was able to test the VLC Apple TV app for a few hours earlier today, and whilst it is early days yet, I am pretty impressed at what the VLC team has been able to accomplish. Jump the break for all the details and screenshots.
The first tab of VLC for Apple TV is dedicated to discovering services on your local network that might contain media content. So whether it's a Windows Share (SMB), DLNA/UPnP media servers, an FTP server, or a Plex server, you'll be able to access it all. If you're already a user of VLC on iOS, any login credentials will sync to the Apple TV, saving you the hassle of having to enter complex passwords with the Siri Remote.
Perhaps one of the neatest features of VLC for Apple TV is how you can use its Remote Playback feature. Enter the URL displayed by the VLC app into a browser on your PC/Mac/iOS device and you'll be able to drag and drop media files onto the webpage. Once you've selected a media file it will instantly start streaming to your Apple TV. Not only that, but it will keep a copy of those video files cached on your Apple TV (until tvOS runs low on space, at which point they are automatically removed). From the Remote Playback webpage, you can also paste URLs for compatible video streams, send multiple items, and control the playback.
As an aside, if you want to delete a video file, simply tap and hold the Siri Remote touchpad until the thumbnails begin to wiggle, then press the Play/Pause button and confirm that you want to delete the item.
Finally, you can also access content by directly entering the URL for a compatible video stream in the Network Stream tab. URLs entered via the Remote Playback webpage and from the VLC app on your iOS devices will also show up on this page.
I spoke to the VLC team and I was told that so far this feature supports adaptive streaming protocols including HLS, Smooth, RTSP, HTTP and FTP. If you need an example, try Radio Bremen or France 24.
I'll start with the one negative; VLC uses its own navigation controls (likely a consequence of being able to play other video formats that Apple doesn't support). But the problem is that VLC's navigation controls don't support the fantastic video preview that tvOS normally displays when you scrub forwards or backwards. So a little disappointing, but not a huge deal.
What you get instead are some extra features that the standard tvOS navigation/playback controls do not have. That includes the ability to set a custom playback speed, and download subtitles (whilst the video is playing) from OpenSubtitles.org. Those options, plus the ability to navigate by chapter, and pick audio tracks, are available by swiping down from the top of the Siri Remote touchpad. It might just be a small thing, but being able to download subtitles on the fly is a really neat feature.
VLC's press release provides some additional information:
As part of our cross-platform initiative on improving subtitles support and rendering for VLC's forthcoming 3.0 desktop release, VLC on the Apple TV displays any kind of text (srt, SSA, WebVTT, ...) or bitmap subtitles including full support for Right-to-Left languages like Arabic and Hebrew, complex text layout for Malayalam or other Asian languages. For web radio and music playback, we integrated with the community service hatchet.is to show artist imagery and biographies in addition to album artwork.
VLC has a lofty goal for their apps:
Following the VLC goal "VLC plays everything and runs everywhere", you will get every feature and format support you are used to in VLC, and a few Apple TV specific features.
What that means is that you should be able to play most of the file formats listed here. But given it is the first release of the tvOS app, not everything is supported.
Unfortunately I've already converted most of my video library to a format supported by Apple, so I'm not the best person to test the breadth of VLC for Apple TV's support for obscure video files. Nonetheless, I tried a bunch of m4v, mov, avi and mkv files and VLC handled most without issue.
The only issue I ran into was a few mkv files which couldn't play the "A52 Audio (aka AC3)", so whilst the video played fine, there was no sound. For the record, these files played perfectly on the VLC Mac app. The VLC team tells me that AC-3 is not supported in this initial version but it is a high priority for future releases due to the popularity of the codec.
The VLC team has announced that a key feature they're aiming to add to the VLC iOS and tvOS app is support for cloud services. Support for Dropbox, OneDrive and Box is currently in beta testing and is coming soon to the App Store versions of the apps.
Netflix’s Liberal VPN Policies Are Not Entirely Voluntary, Executive Admits
Global streaming behemoth Netflix has earned reputation points with customers in recent years for its non-judgemental approach to customers’ use of Virtual Private Network (VPN) software to circumvent the region-locking of its content in various countries. In fact the company has now admitted that blocking VPNs as policy might be impossible in any case.
Netflix’s chief product officer Neil Hunt has admitted in an interview that although Netflix does use industry standard technologies to limit the use of proxies, there is no magic solution to VPN geography spoofing. “Since the goal of the proxy guys is to hide the source it’s not obvious how to make that work well.” says Hunt. “It’s likely to always be a cat-and-mouse game. [We] continue to rely on blacklists of VPN exit points maintained by companies that make it their job. Once [VPN providers] are on the blacklist, it’s trivial for them to move to a new IP address and evade.”
This has just become a critical issue for the company; on 6th of January Netflix added 130 countries to its consumer portfolio, and it hasn’t given up on establishing a Chinese presence yet either.
At CES 2015 just over a year ago, Hunt delighted his consumer-base by refuting prior rumours that the company would begin to crack down harder on subscribers who use VPNs to fake their geographic location, stating “People who are using a VPN to access our service from outside of the area will find that it still works exactly as it has always done.”
The language was neutral in terms of how Netflix feels about the practice, which is, to be sure, conflicted. If it instituted more rigid geographic protection of licensed shows, it would have more – possibly even cheaper – high-quality content to attract new customers and maintain its current position as the leading streamer and subscription-based content producer, since content licensers would have greater confidence, justified or not, that they are retaining control over distribution.
On the other hand truly effective geo-blocking would cost Netflix a worryingly unknown proportion of the existing user-base which has brought it to its current prominence. Prior to Netflix’s official presence in Australia, over 200,000 Australians were unofficially estimated to be using the service via VPNs.
In any case several months later Netflix users restarted the rumour-mill upon the publication of new terms of service for subscribers, which added stipulations aimed specifically at VPN users:
‘You may view a movie or TV show through the Netflix service primarily within the country in which you have established your account and only in geographic locations where we offer our service and have licensed such movie or TV show. The content that may be available to watch will vary by geographic location. Netflix will use technologies to verify your geographic location.’
But Netflix is pushing a different long term notion of the future of content streaming, one which is not really technological in nature: the end of regional licensing. If content licensers are faint at the thought, they’re also intrigued by statistics which indicate that Torrent-based piracy drops quite radically wherever Netflix lands. Hunt says:
“When we have global rights, there’s a significant reduction in piracy pressure on that content. If a major title goes out in the U.S. but not in Europe, it’s definitely pirated in Europe, much more than it is if it’s released simultaneously.”
Since Netflix subscribers pay for the service by geographically-linked credit or debit cards, the company – unlikely to believe that such a large percentage of its user-base is constantly itinerant or in migration – can presumably make a very accurate guess as to the number of customers who are using VPNs. And even if Hunt claims that VPN providers switch IP addresses so often as to make rigid enforcement impossible, it is notable that some of the most long-standing VPN IPs are never refused by Netflix, even though challenged by many other routing entities throughout the world, such as CloudFlare.
Netflix 'Unblockers' to be Banned, Making Users Unable to Access Content Outside of Their Own Country
The company has said before that it hopes eventually to make all content available all of the time, and has reaffirmed that as its ultimate plan
Netflix is going to stop the use of “unblockers” on its service, stopping the hugely popular practice that allows access to videos outside users’ country.
The company has long banned accessing content from elsewhere in its terms of service. But it has had a relatively relaxed approach to actually enforcing that ban, until now.
In the coming weeks, “those using proxies and unblockers will only be able to access the service in the country where they currently are,” the company wrote in a blog post. “We are confident this change won’t impact members not using proxies.”
Proxies, VPNs and unblockers all allow users’ computers to pretend that they are in another country, meaning that Netflix is unable to differentiate them from people genuinely in that location. Using them can allow people on the UK version of Netflix to pretend to be in the US, for instance, and gain access to all of that country’s videos.
The company has long said that it wants all of its content to be the same everywhere. It reiterated that argument, saying that if “all of our content were globally available, there wouldn’t be a reason for members to use proxies or “unblockers” to fool our systems into thinking they’re in a different country than they’re actually in”.
"We look forward to offering all of our content everywhere and to consumers being able to enjoy all of Netflix without using a proxy," the company wrote. "That’s the goal we will keep pushing towards."
But that plan can’t happen because of local licensing laws, which mean that permission must be given separately in every country and so the videos on offer in different countries can vary hugely.
It isn’t clear how Netflix will be stopping the use of proxies. As such, it’s impossible to tell how successful it will be or whether it will limit the slightly more complicated techniques of using VPNs.
Netflix Vs. the 20th Century
Yesterday Netflix announced that it is going to be more proactive about blocking VPN users – though it prefers the term ‘proxy’ – from gaining access to the content catalogues of other countries. So if you are a Netflix subscriber in any of the 190 countries that Netflix operates in, and you use proxies to watch Netflix content that is not supposed to be available to your region, apparently the game is up.
There are so many possible futures emerging from this momentous week for the company, wherein it added 130 countries to its global coverage and has now threatened a popular practice it knows underpins its entire business model, that it’s worth a look at the various possible forks leading away from the current internet furore about the news.
Can Netflix detect your VPN in order to block it?
Netflix has no magic tool to determine if you’re using a proxy or not, as chief product officer Neil Hunt admitted in an interview last week. What it does have is the geographical association of your credit card. If, based on the IP address used to log into your account, it sees your New York-based behind zipping all over the world weekly in a manner which makes James Bond look like a shut-in, it can make an intelligent guess that you’re using a VPN to traverse content-licensing regions.
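The two signals described in this piece and in Hunt's interview above (a blacklist of known VPN exit addresses, and an account whose login IPs disagree with its billing country or jump between continents faster than its owner could) can be combined into one per-account check. The block below is an added example in Python, not Netflix's code and not a description of how its systems actually work; the addresses are RFC 5737 documentation ranges, and the geolocation table, the exit blacklist and the 1,000 km/h threshold are hypothetical constructed data.

```python
# Added example (not Netflix code): geo-consistency checks over the login
# history of one streaming account. Three signals are combined:
#   1. the login address is on a blacklist of known VPN/proxy exits,
#   2. the address geolocates to a country other than the billing country,
#   3. consecutive logins imply travel faster than an airliner (impossible travel).
# All addresses below are RFC 5737 documentation ranges; the geolocation
# rows, the exit blacklist and the speed threshold are constructed sample data.
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import math

# Hypothetical IP-to-location table: network -> (country, latitude, longitude).
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"):    ("US", 40.71, -74.01),   # New York
    ipaddress.ip_network("198.51.100.0/24"): ("GB", 51.51, -0.13),    # London
    ipaddress.ip_network("203.0.113.0/24"):  ("AU", -33.87, 151.21),  # Sydney
}

# Hypothetical blacklist of VPN exit ranges. A provider that moves to fresh
# addresses drops off it at once, which is the cat-and-mouse Hunt describes.
VPN_EXITS = [ipaddress.ip_network("198.51.100.0/26")]

# Fastest plausible movement of a real subscriber between logins, in km/h.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass
class Login:
    ts: datetime
    ip: str


def geolocate(ip):
    """Return (country, lat, lon) for ip, or (None, None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_DB.items():
        if addr in net:
            return loc
    return (None, None, None)


def is_known_vpn_exit(ip):
    """True if ip falls inside any blacklisted exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXITS)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(billing_country, logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return a list of (reason, ip) flags for one account's login history.

    reasons: 'vpn_exit'          address is on the exit blacklist
             'country_mismatch'  geolocated country differs from billing country
             'impossible_travel' implied speed since the previous login > max_kmh
    """
    flags = []
    prev = None  # (timestamp, lat, lon) of the previous geolocated login
    for login in sorted(logins, key=lambda entry: entry.ts):
        country, lat, lon = geolocate(login.ip)
        if is_known_vpn_exit(login.ip):
            flags.append(("vpn_exit", login.ip))
        if country is None:
            continue  # no location data: the distance-based checks cannot run
        if country != billing_country:
            flags.append(("country_mismatch", login.ip))
        if prev is not None:
            prev_ts, plat, plon = prev
            hours = (login.ts - prev_ts).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            # Same place at any interval is fine; a different place in zero
            # time, or faster than max_kmh, is not something a traveller does.
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                flags.append(("impossible_travel", login.ip))
        prev = (login.ts, lat, lon)
    return flags


def sample_report():
    """Constructed history for a US-billed account: a New York login, a London
    login two hours later from a blacklisted exit, then Sydney 35 hours after
    that (reachable by air from London, so not flagged as impossible)."""
    history = [
        Login(datetime(2016, 1, 14, 20, 0), "192.0.2.10"),
        Login(datetime(2016, 1, 14, 22, 0), "198.51.100.5"),
        Login(datetime(2016, 1, 16, 9, 0), "203.0.113.7"),
    ]
    return assess("US", history)


if __name__ == "__main__":
    for reason, ip in sample_report():
        print(f"{reason:18} {ip}")
```

The three signals fail in different ways, which is why a service would want all of them. The blacklist is the part that is trivial to evade: a provider on a fresh address is invisible to it until the list catches up. The country mismatch on its own flags every genuine traveller and expat (the "on holiday? read a book" problem the next piece raises). The impossible-travel check is the one a casual VPN user trips by picking a different exit country on different evenings, and it says nothing about a subscriber who always uses the same exit, who looks exactly like someone living abroad.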
Here’s a truth which no-one at Netflix has admitted, but which must be manifest now to anyone who has used a VPN to regularly access Netflix and surf on the web: the company already knew about those hoary old VPN IP addresses so many were using to log in. Hell, everyone else knew – CloudFlare challenged you while you were using it, Google search made you type in Captchas to continue…all because these dusty IPs were known to be in use by VPN providers in their thousands – or hundreds of thousands.
But Netflix never blacklisted those IPs, because letting users circumvent regional licensing was a core plank of its business model, and a central feature of its global crusade towards the abolition of regional licensing – something which Sony knew a long time ago, and which it rightly guessed was common knowledge among other studios.
Now it is indeed beginning to blacklist these ‘old favourites’. Whether or not the blacklisting will prove a ‘token ban’ on the most frequent offenders or a genuinely concerted effort depends on how Netflix decides to move through that rock and that hard place.
We can expect the VPN providers to fight back with new IPs and techniques, and indeed I believe that this is what Netflix is hoping will happen, so it can show its irate regionally-obsessed content providers that it ‘tried’ without undermining its economic model.
How serious is Netflix about shepherding us back to our own countries?
The company’s new statement of policy about VPN use reflects its typical lack of enthusiasm when being bullied by regional-licensing magnates into stricter safeguards against VPN use. The post reiterates Netflix’s long-term commitment to the abolition or at least massive diminution of regional licensing blockades, whilst paying the company’s customary grudging lip-service to its large-scale entertainment clients.
If Netflix were to decide to capitulate completely to the licensers – which is effectively a suicidal leap for the company – it would surely change its ‘multiple users’ feature, whereby for a few dollars more you can donate logins to your friends and family – or anyone you like. Or just create 2-3 extra profiles which accord with different VPN-country use, and use them yourself.
Offering a slightly cheaper account which mimics Amazon Prime’s and allows no additional concurrent viewers and abolishing multi-user accounts would make VPN profiling even easier for the company. But it would require Netflix to change its policy to match what the BBC enforces about iPlayer: if you’re not in the country you’re from, tough. On holiday? Read a book.
Netflix could alternately make specific VPN-IP provision of its own on a per-country basis – ‘approved’ proxies for holiday makers and business travellers.
But I don’t believe Netflix wants to do any of this. The company has been reliant on the lack of technical apprehension of its major entertainment clients to date. But the major studios have enough money to hire third parties who do understand the problem, and who wouldn’t be fobbed off with all this mani puliti nonsense. So if a consortium or other assembly of studios is planning on making in-house sentries a condition of content licensing, Netflix are in an interesting and challenging position.
This is the same battle between content licensers and consumers that hallmarked consumer ire over the five-region DVD zoning system 15 years ago, and Netflix is currently wincing as the studios bang their collective shoe on the table. If the company’s promise to genuinely invigilate users’ IP addresses is more than a sop to the lawyers, and if the studios would rather return to fighting piracy by lobbying governments to play whack-a-mole with torrent sites, there could be a lot of bottle episodes in season three of Jessica Jones. Netflix is meddling with the primal forces of nature this year, ironically by trying to abolish nations. Where’s your money?
Comcast-Funded Think Tank: Broadband Usage Caps Make Netflix Streaming Better. You're Welcome.
As we've noted for some time, the broadband industry (and all the think tanks and politicians that work for it) have spent the last few years trying to vilify Netflix. That's primarily due to the company's support of net neutrality, but also its opposition to anti-innovative and anti-competitive broadband usage caps. These attacks usually start with the criticism that Netflix now dominates around 37% of peak downstream traffic (as if that's a bad thing), followed by some bizarre and unfounded claim that Netflix should be forced to "pay its fair share" (read: give us a cut of revenues despite us having no legitimate claim to it).
While these assaults had quieted down for a while, Daniel Lyons (not the fake Steve Jobs Daniel Lyons) and the American Enterprise Institute last week came out with a bizarre missive on broadband caps, in which Lyons tries to claim that broadband usage caps are a great way to force Netflix "to become a better corporate netizen." As noted above, Lyons starts by highlighting how Netflix consumes a huge amount of peak Internet capacity:
"Netflix has long reigned as one of America’s most significant Internet-traffic generators. Network equipment company Sandvine reports that the video-streaming company is by far the leader in peak period traffic, responsible for more than 33 percent of all fixed Internet traffic during peak hours — more than twice the share of the next-biggest competitor, YouTube. This means that at times when the Internet is most susceptible to congestion, Netflix alone is responsible for one out of every three packets sent through the network."
For clarity it should be noted that Netflix customers are responsible for this consumption. Netflix consumers who, in the United States, already pay more for bandwidth than consumers in most developed countries. Netflix in turn not only pays for bandwidth, it now pays ISPs for direct interconnection to their networks, after ISPs were accused of intentionally degrading peering points to force its hand. Everybody is paying, and paying, and paying some more -- so it doesn't matter one iota how much bandwidth Netflix is consuming -- because consumers are demanding and (probably over)paying for it.
Back in December, Netflix announced it was making some changes to the way it intelligently encodes its titles. This shift involves encoding titles differently depending on type and genre, since cartoons (with static backgrounds) technically eat less bandwidth than live action movies. The move was prompted by one thing: this month's expansion by Netflix into 130 more countries. Netflix's primary concern? Making sure that networks -- especially of the mobile variety in developing nations -- would have a more consistent and trouble-free viewing experience. It was just a smart, albeit admittedly belated shift in improving the way Netflix operates.
Apparently seeing a flimsy logical opportunity for the ages, Lyons tries to claim that Netflix was forced to improve its efficiency -- solely thanks to the wonder and glory of broadband usage caps:
Usage-based pricing forced Netflix to be more mindful of the size of its digital footprint. Because they face potential overage charges, consumers are becoming more aware of the amount of bandwidth their online activities consume. This leads edge providers such as Netflix to develop more efficient methods of delivery, in response to increased consumer sensitivity. The result is a more efficient operation that benefits everyone by freeing up network capacity — which is like broadband providers improving speeds, but without having to install new network lines."
That's an astonishing, incredible load of bullshit.
Netflix has long allowed capped users to adjust streaming quality to manage consumption, but to claim caps are to thank for these improvements is aggressively dishonest. Lyons and his friends at the AEI are funded by Comcast, the same company that's aggressively expanding utterly unnecessary usage caps on millions of consumers. Those caps have one overarching function: to raise rates on uncompetitive markets, give Comcast's own services an unfair advantage, and to protect Comcast TV revenues from Internet video.
There's clearly some worry on the part of Comcast and its think tank friends that the FCC will finally get off its ass and begin pressing Comcast on its anti-competitive abuse of usage caps, but if this is the best argument the AEI can come up with, Comcast may want to reconsider its disinformation budget for 2016.
Bronx Science Bans Cellphones From Wi-Fi as Students Devour It
Elizabeth A. Harris
When the New York City Education Department lifted a long-held ban on cellphones in school buildings last year, it acquiesced to the omnipresent reality of technology in daily life.
But the change also unleashed tens of thousands of smartphones in the hands of teenagers, eager to gobble away at the nearest Wi-Fi connection like so many hungry termites, eating up their schools’ bandwidth with YouTube streams, Snapchat exchanges and the like. That can leave little capacity for teachers to use the Internet for actual instruction.
Now, at least one school is striking back. At the Bronx High School of Science, the administration has told students not to use the network from their cellphones and has started booting interlopers off, one by one, and blocking their devices from the network.
“We don’t want to exacerbate the problem we already have any more,” Jean Donahue, the principal at Bronx Science, said.
Ms. Donahue noted that the school’s network had been struggling for several years under an increasingly technology-heavy curriculum, and that the Education Department was working with the school to increase its broadband capacity.
“We know,” she added of students’ cellphones, “it doesn’t help.”
Anthony Barbetta, the principal of Townsend Harris, a top high school in Queens, said his school’s network had also seen a cellphone slowdown this year. But so far, he has no plans to address it.
“I definitely think there’s been an impact,” Mr. Barbetta said. “But we haven’t told students they cannot be on the Wi-Fi. I don’t know if that’s enforceable realistically.
“We’re hoping for an upgrade, just like I think everybody else is hoping to get an upgrade.”
Enforcement of the citywide cellphone ban was extremely uneven. At most schools, teachers and administrations looked the other way as long as phones were not flashed directly in front of them. Bags were not searched for contraband phones. But at the many city school buildings with metal detectors, phones were not allowed inside.
When Mayor Bill de Blasio’s administration announced last year that schools would be allowed to decide their own cellphone policies going forward, Bronx Science — one of the city’s top high schools, where applicants must pass a test to gain entry — said students could use their phones at lunch and during free periods.
Several Bronx Science students on their way home from school last week said they most frequently used the wireless network to send pictures to their friends on Snapchat, an app they said the school did not block; Facebook, by contrast, was not accessible. This being Bronx Science, some students said they found the wireless most useful for statistics classes, or to use Google Slides to put together school projects.
“A friend once told me he was watching Netflix” at school, said Eugene Park, a senior and Snapchat enthusiast. “Netflix is not blocked, conveniently.”
Miguel Mercado, 16, a junior, said he used the school's Wi-Fi for YouTube, mostly to listen to music.
“Adele’s good,” he offered by way of example.
A classmate named Phillip, who was standing beside him, gave a snicker.
“What? I like Adele,” Miguel said. “Is there a problem?”
Despite the new rule barring students’ cellphones on the wireless network, Miguel said he was still able to use it on his phone last week. Many of his schoolmates who were unscientifically surveyed said the same.
In 2013, Scott M. Stringer, the Manhattan borough president at the time, criticized the Education Department in a report that said 75 percent of school buildings had excruciatingly slow Internet speeds.
Since then, amid a national push to increase the speed and connectivity of schools, the department has upgraded the wiring at more than 250 school buildings, Devora Kaye, a department spokeswoman, said. Ms. Kaye added that the city plans to spend $650 million over the next three years to further upgrade school technology.
At Bronx Science, Ms. Donahue said she was working with the department to improve the school’s broadband capacity. She added that the department had been quite responsive, helping with short-term upgrades while it works toward a more systemic upgrade.
In the meantime, the school was identifying personal mobile devices one by one and blocking them from the network. (Students are still free to use their own data plans, though many complained of spotty service in the building.)
Just changing the password is not an option, said Phoebe Cooper, an assistant principal at the school, “because the kids will figure it out within days.”
“We tried that,” she explained. “A kid found it, wrote it on his hand and put a picture on Facebook.”
And students seemed fairly certain they could stay ahead of administrators, anyway.
“Give it a month and everyone will be back on,” Kevin Zhang, a senior, said. “It’s mostly for a lack of trying that people aren’t on it now.”
AT&T Brings Back Unlimited Data Plans for its DirecTV and U-Verse Subscribers
$100 for a single line, $40 extra for additional smartphones or tablets
AT&T is bringing back unlimited data. The number-two wireless carrier discontinued its original unlimited plans years ago, but it's resuscitating the all-you-can-eat option as a cross-promotion with its DirecTV and U-verse television services.
Unlimited data will cost $100 per month for a single smartphone, and you'll be able to add additional smartphones for $40 per month each. If you bundle four smartphones on a single plan, you'll get a credit that makes the fourth line free. That means you'll be paying a total of $180 per month (excluding taxes and fees) for unlimited data, talk, and text on four lines. Frustratingly, you'll have to pay the full $220 for the first two months before the credit kicks in.
"Cord-cutters need not apply"
Before you get too excited about the new plans, note that you'll have to be a DirecTV or U-verse subscriber to sign up for unlimited data. If you're a cord cutter, don't live in a U-verse market, or can't install a DirecTV satellite dish, you'll have to settle for a standard Mobile Share plan. However, if you do sync up your television service with your AT&T plan, you'll also get another $10 off your bill monthly, per the company's existing promotions.
It's clear where the company is going here: it's leveraging its new DirecTV acquisition and existing U-verse TV services to promote video streaming on the go. While the plan itself doesn't bundle in specific home TV packages, it's designed to work hand-in-hand with DirecTV and U-verse's out-of-home streaming apps. It just so happens that watching lots of video quickly burns up your data allowance — and AT&T's more than happy to offer an unlimited plan to fix that problem. Of course, if you'd rather just watch Netflix and use your AT&T phone separately, you'll have to keep an eye on your data usage. Such is the power of mergers.
Assuming you're a DirecTV or U-verse subscriber, you'll need to take a close look at your usage to see if this unlimited plan makes sense for you. If you have four smartphones, the pricing just about lines up with the 20GB Mobile Share Value data bucket, which costs $200 per month.
"$40-per-month tablet access fee is steep"
That's not too bad, but the pricing gets trickier when you factor in other internet-connected devices. Adding a tablet to the unlimited plan costs a steep $40 per month extra, compared to just $10 on a Mobile Share Value plan. AT&T notes that you can add a tablet for just $10, but it'll only have 1GB of data to work with if you do, compared to full access to the entire data pool on a traditional shared plan. And if you still have someone using a basic cellphone on your plan, it's probably best to avoid unlimited: adding a feature phone to the account costs $25 extra per month, compared to just $15 on the standard plans. Considering feature phones essentially don't use data, the price hike is hard to swallow.
In addition, keep in mind that if you only have one or two heavy users on your account, there's really no need to pay the extra to give unlimited data to every line. However, if you're still holding onto a grandfathered unlimited plan — which requires separate charges for minutes and texts — it might make a lot of sense to upgrade to the modern unlimited plan. Unfortunately, it doesn't appear there's a way to upgrade a single line on a Mobile Share Value plan to unlimited.
"'Unlimited' means unfettered access up to 22GB per line"
It's fair to ask just how "unlimited" these unlimited plans are — in the past, AT&T essentially treated its grandfathered unlimited plans as soft-capped 5GB plans. After a complaint from the FCC, AT&T now gives unlimited plans unfettered access to 22GB per line. Over that limit, you'll be subject to slowdowns if network congestion demands it.
As for the competition, most other wireless carriers no longer offer true unlimited data plans, though T-Mobile's similar unlimited plan costs $95 per month for a single smartphone. T-Mobile also offers a separate feature designed to promote mobile video streaming, called Binge On, which doesn't count certain, standard-definition video streams against your data cap. While it's far more limited, T-Mobile's approach doesn't cost any more money to use on an existing plan. However, the service has also drawn the ire of net neutrality advocates.
The new AT&T plans will be available starting tomorrow, and if this one doesn't strike your fancy, AT&T promises that this is just "the first of many integrated video and mobility offers" planned for 2016. Make no mistake: AT&T wants to be your one-stop shop for wireless service and home TV.
AT&T Angry FCC Report Shows Broadband Gaps AT&T Helped Make
Late last week the FCC released a report highlighting how the United States is still lagging when it comes to broadband, especially when it comes to rural markets. AT&T has played a not-so-small role in that; it has been hanging up on millions of unwanted DSL customers in markets it deems unprofitable.
And while that's a for-profit company's prerogative, it has also lobbied for state level protectionist laws that prohibit towns and cities from wiring themselves with broadband, even in cases where AT&T or other ISPs refuse to.
Many of these state laws hinder community broadband operations from expanding, or in some states even from partnering with private companies to improve their broadband fortunes. In short, AT&T lobbyists have taken away a local community's right to vote for itself what its best path forward is when it comes to broadband.
That's why it's a little disingenuous to see AT&T top lobbyist Jim Cicconi whining about the FCC's latest report in a blog post.
"It’s bad enough the FCC keeps moving the goal posts on their definition of broadband, apparently so they can continue to justify intervening in obviously competitive markets," complains AT&T's top policy man. "But now they are even ignoring their own definition in order to pad their list of accomplishments."
AT&T's of course sore because the FCC bumped the minimum definition of broadband to 25 Mbps just about a year ago. As a result, AT&T provides millions of DSL customers heavily capped, expensive Internet service that can no longer even technically be considered broadband.
AT&T's actually fortunate the FCC has historically been lax when it comes to accurate data. At industry behest, the FCC fails to publish broadband pricing data, which would highlight the severe lack of competition in many markets. The FCC's data also relies heavily on ISP claims about coverage that are not independently verified. Given that mega-ISPs like AT&T have a vested interest in convincing everyone there's no broadband industry market failure, you can be fairly certain that the real statistics are probably notably worse than what the FCC's report found.
Were regulators to actually highlight pricing and fact-check carrier coverage claims, the FCC's report would probably look notably worse.
T-Mobile CEO Apologizes to EFF, Still Says Binge On is Pro Net Neutrality
The controversy over T-Mobile’s free-to-binge Binge On data program is not over, and CEO John Legere felt on Monday that he had more explaining to do, especially after blasting the EFF last week while talking to consumers on Twitter. Legere apologized for attacking the EFF, but he did not apologize for Binge On, or his language – in fact, he continued to explain in his lengthy post on T-Mobile’s blog how Binge On is pro net neutrality.
Rather than start with an apology right away, the CEO buried it towards the end of the post, immediately after detailing how Binge On works. Last week, Legere blatantly asked “Who the fuck is the EFF?” in a short video, with EFF supporters being quick to explain it to him. The EFF recently proved that T-Mobile is throttling all video, regardless of whether content providers are enrolled in Binge On or not.
“Look, by now you know that I am a vocal, animated and sometimes foul-mouthed CEO,” Legere began his apology. “I don’t filter myself, and you know that no one at T-Mobile filters me either (no, they don’t even try). That means I will sometimes incite a bit of a ‘social media riot’, but I’m not going to apologize for that.”
“I will, however, apologize for offending EFF and its supporters,” he said. “Just because we don’t completely agree on all aspects of Binge On doesn’t mean I don’t see how they fight for consumers. We both agree that it is important to protect consumers’ rights and to give consumers value. We have that in common, so more power to them. As I mentioned last week, we look forward to sitting down and talking with the EFF, and that is a step we will definitely take. Unfortunately, my color commentary from last week is now drowning out the real value of Binge On – so hopefully this letter will help make that clear again.”
He did not use the word “throttling” once in his post, but he did say that Binge On is “optimizing all of your video for your mobile devices.”
At the same time, he made sure he mentioned how T-Mobile supports net neutrality, and that Binge On works in the same spirit.
“But here’s the thing, and this is one of the reasons that Binge On is a VERY “pro” net neutrality capability – you can turn it on and off in your MyTMobile account – whenever you want,” he said. “Turn it on and off at will. Customers are in control. Not T-Mobile. Not content providers. Customers. At all times.”
Earlier in the post, he noted that “T-Mobile is a company that absolutely supports Net Neutrality, and we believe in an open and free Internet. We want to continue to innovate and bring creative new benefits to market for all of our customers. That is who we are. It’s what we do. It will never change.”
For the consumers who watch a lot of videos, Binge On is definitely a great initiative. But, unfortunately, T-Mobile thinks it can simply force poorer quality videos on you, even if you don’t want that. And that’s something Legere has yet to explain properly.
“Most video streams come in at incredibly high-resolution rates that are barely detectable by the human eye on small device screens, and this is where the data in plans is wasted,” he explains in the post, and that’s a reasonable argument. But, then, why is T-Mobile selling smartphones that have Full HD and 2K displays if it doesn’t want customers to enjoy those displays?
ISPs Will be Able to Charge Anything They Want if Republican Bill Passes
Ban on "rate regulation" could even help ISPs avoid complaints about data caps.
Republicans in Congress are advancing a bill that could strip the Federal Communications Commission of authority to protect consumers from unreasonable broadband prices. Democrats and consumer advocates warn that the bill could help Internet service providers overcharge customers and impose unfair data caps.
When the FCC reclassified broadband as a common carrier service in order to impose net neutrality rules, the commission declined to impose traditional rate regulation in which telecommunications providers would have to seek permission before raising prices. But the reclassification allows customers to complain about prices, with the FCC judging on a case-by-case basis whether a price or pricing practice is "unjust" or "unreasonable."
Republicans led a hearing today on a few bills, including the "No Rate Regulation of Broadband Internet Access Act," which would do exactly what its title says by forbidding the FCC from regulating rates charged for Internet service. Republicans have said they're simply trying to put into law a promise made by President Obama and FCC Chairman Wheeler that the commission won't require ISPs to face the rate-of-return regulation traditionally applied to telephone service. Passing a law would prevent future FCC chairpersons from using a different strategy.
But in today's hearing, US Rep. Greg Walden (R-Ore.) made it clear that he wants to go further than that by forbidding the FCC from acting on customer complaints that broadband bills are too high.
"Rate regulation by after-the-fact second-guessing is rate regulation nonetheless," Walden said. "We should assure that the specter of rate regulation of broadband is off the table permanently." Walden is chairman of the House Energy & Commerce Committee's subcommittee on communications and technology.
A background memo from committee majority staff also confirms that Republicans want to stop what they call "after-the-fact ratemaking."
Currently, "the FCC can engage in after-the-fact ratemaking by using enforcement decisions to define the contours of what the FCC deems a 'reasonable' rate," the memo said. The bill "would prohibit the FCC from regulating the rates charged for broadband Internet access service, whether directly through tariffing or indirectly through enforcement actions."
Bill's broad language is trouble, opponents say
Democrats and consumer advocates are trying to prevent the bill from passing. US Rep. Anna Eshoo (D-Calif.), the ranking Democrat on the subcommittee, said she's not in favor of "regulating the monthly recurring rate consumers pay for broadband Internet access."
But Eshoo said that "the commission has an important role to play in consumer protection, which includes the billing practices of the nation's broadband providers." Congress should make sure the legislation has no unintended consequences, she said. Stripping the FCC of authority could help ISPs implement data caps in a discriminatory fashion or adopt future harmful practices that can't be foreseen today, she said.
While the FCC's net neutrality order doesn't ban data caps, the commission reserves the right to decide case-by-case whether a cap prevents consumers from using Internet services or prevents content providers from reaching consumers.
The phrase "rate regulation" is generally used to describe traditional rate-of-return regulation, which the FCC is not imposing on broadband providers, said Harold Feld, an attorney and senior VP of advocacy group Public Knowledge. But the broad language of the No Rate Regulation bill "would permit broadband providers to raise arguments against uncontroversial enforcement of traditional consumer protections, such as fraudulent billing practices," Feld said.
Feld also worries that the bill could prevent investigations into data caps.
Many customers "have complained that Comcast has consistently provided them with inaccurate information about their data consumption, billing them for broadband data they did not use," Feld said. "Would FCC investigation into these complaints count as 'rate regulation' prohibited by the statute?"
Comcast CEO Brian Roberts recently said consumers should be charged for Internet data the same way they're charged for electricity—"the more bits you use, the more bits you pay," he said. But Comcast doesn't want its prices regulated by government the way electric prices are.
The bill's broad language—which "gives no limit to what is meant by 'regulate the rates'"—could also prevent the FCC from taking complaints about interconnection prices ISPs charge video providers and other companies, according to Feld. The threat of complaints has forced ISPs to settle disputes with other network operators, improving Internet quality for customers.
"Such sweeping language may interfere with the FCC’s efforts to reform the Universal Service Fund to bring broadband to rural America and to those who cannot afford broadband," Feld added.
The subcommittee also heard from the Wireless Internet Service Providers Association (WISPA), a group of small ISPs that supports the Republican-sponsored bill.
"Under Title II [of the Communications Act], our charges must be 'just and reasonable,' and any party can take us to court if they think that we are violating this standard. This is a very scary proposition for small businesses, who simply will not be able to afford to go through the process of defending frivolous complaints or participating in a lengthy judicial process to adjudicate what is 'reasonable,'" WISPA Legislative Committee Chair Elizabeth Bowles said.
Exemption for small ISPs
The subcommittee also discussed whether Congress should permanently exempt small Internet providers from new transparency requirements in the FCC's net neutrality order. The rules require ISPs to notify customers if a network management practice is likely to degrade service and to disclose information about "promotional rates, all fees and/or surcharges, and all data caps or data allowances."
The FCC hasn't yet decided whether all the disclosure requirements should apply to small businesses, and it has granted a temporary exemption that lasts until at least December 15, 2016. The proposed legislation would permanently exempt small providers and expand the exemption to larger providers than the FCC envisioned. While the FCC defined small providers as those with 100,000 or fewer subscribers, the Republican-sponsored bill would expand the definition to include any provider with fewer than 1,500 employees or 500,000 subscribers.
Republican leadership said the bill is necessary to "provid[e] certainty and regulatory relief to small providers who lack the resources to comply with the enhanced disclosure requirements."
Feld argued that this could harm customers who live in areas where there are only small providers. "Rural broadband subscribers and rural enterprise customers are no less in need of protection from fraud or fly-by-night providers than urban subscribers or urban enterprise customers," he said.
While broadband providers' friends in Congress fight the FCC on their behalf, the broadband companies themselves are suing the FCC to overturn the net neutrality order.
From the Internet's Founders, a Warning
David Clark’s office on the MIT campus is at the top of a tower that looks like a twisted aluminum column. The name plate next to his office door reads “Albus Dumbledore.” And, like the leader of Harry Potter’s wizarding world, Clark knows the Internet’s secrets from the beginning.
“We clearly couldn’t anticipate how big it was going to be,” Clark says. “Whenever I go back and read things that I wrote or others in the group wrote about planning for the future we consistently underestimated what was going to happen.”
Clark and Harvard professor Yochai Benkler, one of the legal experts that shaped the Internet’s development, have issued a warning in joint papers published in the American Academy of Arts and Sciences’ magazine, Daedalus. More than three decades after the worldwide communications network was born, Clark and Benkler say they’re deeply concerned that the Internet is headed in a dangerous direction that its founders never intended.
Looking back, Clark wonders if he and other founders should have left behind guidance on how the Internet should grow up.
“Not constraints, not rules, but guidance, advice — like, ‘don’t be stupid,’” he says.
As it is, Clark thinks the Internet has fallen in with a bad crowd, to some extent. Most people now access the Internet through one of its corporate friends — like Google, Facebook, and Apple. As gatekeepers, those companies hold the power — information about our daily lives that helps them sell us things.
Clark says people need to remember he and others built the Internet so no one would need a gatekeeper. It was supposed to be an idealistic society of equals, where every user had the same amount of power.
“One of the most exhilarating observations of the first decade or two of the public Internet was that things that were impossible, became possible,” says Benkler, who started studying the Internet in the early 1990s.
Back then, Benkler was thrilled by the way it overturned old power structures, like broadcast media. On the Internet, anyone could send an email or post a video without asking permission. At the time, Benkler was across town from Clark, studying property law as a student at Harvard.
“I was working on the Homestead Act of 1862,” he says. “Seriously!”
Benkler realized the Internet was like a new Louisiana Purchase — a huge amount of new property suddenly open for adventurous homesteaders to stake a claim.
So he switched tracks. Using the Homestead Act as a guide, Benkler helped create a legal framework that protected the Internet from being gobbled up and claimed by corporations.
And then, smart phones came along. And Steve Jobs created the iPhone.
“I think there’s very little doubt that Steve Jobs in particular was someone who had a vision of a more controlled experience that viewed consumers as people who needed a well-controlled, well-structured environment to thrive in,” Benkler says. “That was part of his genius, and that was part of his threat.”
Benkler was surprised by the extent to which people were willing to give up their privacy. That’s what they were doing, he says, by using cell phones with apps as gatekeepers to the Internet. Gatekeepers that collect information and use it to nudge people to do things.
“I might not choose to buy this set of things, go to this set of events, look in on this set of news media, but nonetheless that’s the direction I ended up being nudged in from these day by day interactions that I never even noticed,” Benkler says. “Look six months from now, and this is the new me. And the new me is partly me, but it’s also the me that these companies wanted for me. That I see as a real threat.”
Benkler wants people to guard against that threat by being vigilant and critical. He says they need to log in as multiple users, browse the web privately, and use free, open source software, like Firefox.
Clark suggests the public needs to fund a new group of web designers, like the group who built the Internet — but this time they’d be developing things like apps for smart phones that don’t collect data.
“The question I think is whether we want to leave the Internet to whatever the private sector chooses to make it or whether we want to take some control over it,” he says. “I think it’s important enough we need to take some control of it.”
Clark says people like him, who helped create and shape the Internet — and who remember what it had the potential to be — will only be around for so long.
“There’s a cohort of people who have sort of grown up with the Internet,” he says. “And as we retire or move away or go into other activities, and we know that we’re getting older, we have to sort of wonder what the values are of the young people who are taking over the Internet.”
Regardless of all his fears, Clark’s hopeful for the future those young people will create. The Internet is growing up, he says, and in the end, he has to let it.
Two Months After FBI Debacle, Tor Project Still Can’t Get an Answer from CMU
Ars Q&A: We sit down with Tor Project's new executive director, Shari Steele.
It's been quite a few months for the Tor Project. Last November, project co-founder and director Roger Dingledine accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.
The FBI dismissed things, but the investigation in question is a very high-profile matter focused on members of the Silk Road online-drug marketplace. One of the IP addresses revealed belonged to Brian Farrell, an alleged Silk Road 2 lieutenant. An early filing in Farrell's case, first reported by Vice Motherboard, said that a "university-based research institute" aided government efforts to unmask Farrell.
That document fit with Ars reporting from January 2015, when a Homeland Security search warrant affidavit stated that from January to July 2014, a “source of information” provided law enforcement “with particular IP addresses” that accessed the vendor-side of Silk Road 2. By July 2015, the Tor Project managed to discover and shut down this sustained attack. But the Tor Project further concluded that the attack resembled a technique described by a team of Carnegie Mellon University (CMU) researchers who a few weeks earlier had canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.
As this high-stakes situation continued to play out, the Tor Project was also looking for help. Faced with an increased demand and more government scrutiny in the wake of the Snowden leaks, 2015 saw Tor engage in a five-month search for a new executive director, someone who could "be the face and voice of the organization, to educate the public about privacy and encourage wider adoption of its tools, and could court donors to help sustain the organization and fund development of its tools," as Wired put it. And in December, Tor ended its year by hiring Shari Steele, previously the EFF executive director for 15 years.
As Steele prepares for her first year leading the Tor Project, she was kind enough to sit down last month in San Francisco with Ars for an extended chat on everything from the CMU situation and funding to the Tor community at large. What follows is the transcript of our conversation that has been lightly edited for clarity (or heavily edited, in the case of any of our clumsy questions).
Ars: You are a longtime person in the world of privacy and surveillance. How is Tor going to change now that you're at the helm?
Steele: One of the big things that Tor is looking to do is change its public perception and also to be able to be responsive to the things that the Tor Project itself thinks are the most important things to be working on rather than what its funders think are important.
The two biggest things I want to work on: First is to build up an infrastructure and second is to build up the reputation of the organization and bring in money from alternative sources. A significant amount of the money right now is coming from various US government grants. That's great that there's money coming in, but most of that is restricted money, and you have to work on the specific things that are talked about in the proposal and the grant issuance. So we're looking to find some additional funding sources. There's a big crowdfunding going on right now to get individual donations.
Ars: I noticed Laura Poitras at the top of my Tor Browser the other day.
Steele: Yes, Laura was the first champion that we had out there, but you should be paying attention. There's all sorts of really interesting people that have been released and are going to be released as champions, all wearing our “This is what a Tor champion looks like” shirts.
You mentioned changing the public perception of Tor. I feel like in journalist, academic, activist circles that we roll in, it's great. It's a tool for privacy, for anonymity, for making sure the government isn't tracking what you're doing and making sure miscreants writ large are not tracking you. But I feel like that's—I don't want to say divorced from—but maybe separate from the perception the public at large has. Many have only heard of Tor because that's how you access Silk Road or the deep, dark, scary Web. Is that the perception you mean?
That's exactly what I mean. And it's kind of crazy. I'm going to take off my Tor hat for a second. As someone who has observed Tor for years and years from the outside, it's actually kind of mind-blowing, the difference between what the project is actually about, the service, and how essential it is to the infrastructure of freedom versus the public's reaction to it is and how it has been received in papers. That really is one of the things that I'm hoping to change.
These are brilliant technologists who are doing the work of the angels, and they are doing important stuff. If you talk to any of them, I don't recall a single solitary person I've met who is in this for the Dark Net. Everyone here wants to make the world a better place and sees this as an essential freedom tool; [Tor technologists] think of themselves as freedom fighters. It's really weird that the public perception is so completely out of touch with what this project is really about.
So how do you change that?
One of the ways is to teach the members of the organization themselves that they have nothing to be defensive about. I think when these kinds of attacks happen, the community gets extremely defensive and tends to blow up negative stories in ways. They should just let that stuff slide and put some positive stories out there and be able to talk about how it's helping journalists do their jobs and it's helping activists in parts of the world where their governments would kill them if they knew who they were. So, it really starts by talking to reporters like you who are going to get the story out there.
Is it just a marketing issue? Does there just need to be more Tor stickers on buses? What does that look like?
In a way it's a reputational kind of thing. The reality is that to the people who are working on Tor, it is great. It is a freedom-enhancing project. The people who are working on it, they understand that is their mission. That is what they're about. So it really is a perception thing; we have to change the perception.
I don't think stickers on buses is the way to do it, but I think coupling ourselves to stories that are positive stories—about revolution and about personal privacy and about people using Tor for medical research and for all sorts of ways that Tor is being used for positive ways. Let's talk about that more instead of talking about the Dark Net.
So you are the new head of the Tor Project, how much do you use Tor in your regular non-work life?
Personally, I use it maybe 10, 20 percent of the time. I know that there are people out there that are using it a lot of the time. But for me as much as I might hate Flash, there are times that I need to watch something on YouTube. I can't do 100 percent of the things that I need to do on Tor. Even Craigslist blocks a lot of Tor access, so I have to shuffle circuits to hit one that will work. How much do you use it for yourself in day to day life?
There's a sort of fantasy—how will Tor grow, what would that look like if we had unlimited resources, and how would we make that more accessible—and the fantasy is that maybe someday it's built-in to a privacy option on regular apps that you use. You wouldn't normally have it turned on, and instead when you do your Google search, you would click a switch and say “I would like to browse privately now”—that would be Tor. That's kind of the way we're thinking about it.
Before I came to Tor, I wasn't a big Tor user, but I was a big Tor supporter. I don't know if you know, but there was a time early in Tor's career that EFF actually sponsored Tor, so I always recognized the importance of it. But like you, most of my communications aren't deeply private. Most of my communications, I don't think of it that way. There are lots of people in the Tor community that do private things all of the time. But this very week, they've been giving me all kinds of new tools that I've never used before.
Signal and Mumble. So I'm getting set up with all these new tools because the way that the community talks to itself is through private channels. I think it's a good thing for me to get up to speed, though I'm not so sure that in my non-Tor life I will use private communications. But I'm learning, I'm a newbie, and I'm learning and I think it's good for me to come in from this perspective.
There were two big Tor incidents that happened in this past year that I'd love to hear your thoughts on. There's a whole situation involving setting up a Tor node in New Hampshire, in a library, and both the police and DHS freaking out.
Basically there are these librarian activist types who wanted to set up a Tor relay in libraries. But when this library tried to do it, the local police freaked out a little bit. Then Homeland Security Investigations read it on Ars and freaked out a little bit. The library board ended up voting to restore it, but there was a little chaos beforehand.
It sounds like—and this is the first time I'm reading it, I haven't read it deeply—this was one of those cases where the local law enforcement didn't understand what Tor was and how it was being used. They had that immediate knee-jerk reaction of: “Oh my God, it's private, it must be evil.”
Let's talk more about the other situation—the CMU thing. Researchers possibly in cahoots with the government in some way actively tried to break Tor for law enforcement purposes. That sent a lot of shock waves amongst our readership and amongst the Tor usership I would imagine. Now that some time has passed, are you able to say more about what has happened, and what, if anything, Tor can do about it?
With the recent story, the frustrating part about it is that CMU isn't talking to Tor. Tor isn't getting the actual facts of what happened. The FBI clearly got information from CMU that helped with the arrest. That part of it, we know. Whether that happened through legal process or not, we don't know. CMU came out after the story hit and said there was a subpoena, and they were responding to a subpoena. So that may or may not be true.
Clearly CMU takes federal money in order to do research that is attacking Tor, and Tor knows about that. So how deeply was CMU involved? Whether CMU actually did the searches for the FBI, or provided the FBI with the vulnerability, we don't know the details.
Can you talk about what you just said a moment ago, that CMU and Tor don't talk to each other?
They always used to talk to each other. With this particular event, CMU is not talking to Tor. Tor has tried on multiple occasions, particularly when the abstract for the paper first got published, to find out, 'what's the vulnerability, let's get it plugged!' But CMU, they are not talking. Obviously there are individuals at CMU who are friends of ours that we still talk to, but the researchers who are involved in this have not been returning our phone calls.
Still now. And this is a little bit of a concern that this is going to affect CERT, because that comes out of CMU. So again, I'm still getting up to speed, but the normal way that I would want to respond to this: When we first get wind that CMU is an active participant, I would immediately want to have that conversation with CMU and find out what they're doing and how they're doing it. Then I'd want to plug that vulnerability as soon as possible and not let the FBI be able to use it first before we figure out what's going on.
It's very frustrating because CMU is a friend, they should be a friend, we're all working in the same space and we should be all working together. It's very frustrating that our friends are actually attacking the network. The fact that they found people who are engaging in criminal activity, it feels slightly better, but not really because everybody was exposed. The vulnerability made it such that anyone who was using the network could have been identified. That's just not OK, and [CMU] should have realized that and should be appreciative of that.
I imagine that if I was in your shoes, I would be concerned that something like this would happen not just in the US, but it might happen in other countries as well. Correct me if I'm wrong, but I think it's a well-known vulnerability that if you control enough nodes, you control the network. X number of the network wouldn't be that hard for a state actor, I assume.
Yes, that is a known vulnerability on Tor. We've always been watching that. But we now have some serious things in place to pay attention to when a bunch of new nodes are all showing up from the same location or from something similar. It could be disguised if we didn't identify when all the new nodes are coming from the same place, but there are alarms now that go off. In fact, the CMU stuff, they saw the new nodes coming on and it didn't see it as a threat at the time. Now it gets elevated to threat level. So today, hopefully we'll be able to catch at least that vulnerability. It's a cat and mouse game where we're constantly going to have to be vigilant about that.
But is something like that... of all of the things that keep you up at night, that worry you as the head of this important project, it would strike me that this would probably be at the top of the list. Is that an accurate understanding?
So I can certainly tell you that's what keeps Nick [Mathewson, Tor's co-founder] and Roger [Dingledine, Tor's director] up at night. I trust Nick and Roger. I'm not a technologist. So yes, vulnerabilities of the network would make me very, very upset. But that's not the area where I have expertise. So the stuff that's going to keep me up at night is making sure that none of the Tor developers are feeling like they're being beat up.
There's been a whole lot of negative trolling that's been happening, and I really want to make that stop. Making sure that the project has the money to do the work that they want to do. Making sure that there is the infrastructure so that Nick and Roger aren't approving each individual purchase of a roll of tape. That's the stuff I'm focused on.
You mentioned that the largest portion of funding comes from, correct me if I'm wrong, the State Department?
That is correct.
I think it was in The Washington Post that I read, which crystallized it in a way that I hadn't thought about before. They said that the State Department wants Tor for activists and people living in repressive regimes. And then you have another arm of the US government that's actively trying to break it, actively trying to surveil it, actively trying to infiltrate it, and do all kinds of nefarious things. So you have different arms of the government fighting each other.
Not even necessarily different arms, but within the State Department there is offensive and defensive. The same branch of the government can be both trying to defend the network and trying to go out there and attack other people. Yeah, it's pretty psychotic, actually.
So when you said you want to move away from government funding sources…
That's not exactly what I said. The first thing is to get alternative funding sources and to diversify the funding sources. It may be that at some point we say or we want to say, 'let's shed these funding sources.' But right now we've got a good stable network that has been funded in this way. We're not throwing any of the funding sources away. We're looking to get additional funding sources.
But is the idea that you want to expand the pot, or is the idea that you don't want to be so reliant on a single source?
I guess what I was trying to drive at was if it was my job to promote Tor in Iran, in China, or in Russia, having it be attached to the State Department might be bad, might be a black mark on that. Because if I'm an activist living in Iran doing anything at all, in any way associated with the US government, that's viewed with a great deal of skepticism. Is that part of that equation?
It's part of the equation, but we have a funding model right now and you can't just drop it without losing all your funding. So the first step is to get additional funding sources and see how it goes.
You're right, I can't deny that there are lots of people within the Tor community, and lots of people who either are users of Tor or would be users of Tor, who are concerned about the fact that so much of the money—or any of the money—is coming from US government sources. But the reality is that is where the money is coming from. And the organization needs money in order to survive. So we're going to take this step-by-step and try to expand the funding sources and then there might be conversation about how we do things. But we're very, very grateful for our current funding sources.
I don't mean to imply that you're not grateful. I just could see that as a longer term strategy from the outside. My family is from Iran, and I know a little bit about the Iranian activism community. I know that yeah, if you're an Iranian activist, doing anything that touches the US government is really really really sketchy.
I get it. And I understand. I think we're on the same page. This isn't a brand new thing that's starting up from scratch. We're talking about what's the evolution and that's as best as I can predict.
You talked about marketing and expanding the use of Tor, the story of Tor. Are there other things from a technology perspective? Are there other things that you would anticipate coming in 2016?
That's the stuff that I'm really not up to speed on. Ask someone who really has a handle on all the tech stuff. That's the stuff that I'm still getting briefed on.
Where would you like Tor to go in the next three to five years?
I would like to see Tor funded to the point where they're not funded in the way they grow the network based on funding priorities. I would like to see Tor respected as a freedom-enhancing technology, and I'd like to see the world not throwing negative stuff in there along with it. I want them to get that this is really important.
I would like to see everybody who is working on the Tor Project feel united and unified in the way that they feel they are being taken care of by the project. There is a mix of employees and contractors and volunteers, and I'm still getting a sense of if those people who are in those categories want to be in those categories.
How many paid staff does Tor have?
I think I'm number 10.
Really? That's crazy. I knew it was small, but I didn't know it was that small.
Tor has done a great job of maximizing the community. The project is probably twice as big as the finances show that it is. That is something that I want to look at. I want everyone who is working on Tor, and I want everyone to feel like they're being appreciated.
The Silk Road’s Dark-Web Dream Is Dead
Not so long ago, the Silk Road was not only a bustling black market for drugs but a living representation of every cryptoanarchist’s dream: a trusted trading ground on the Internet where neither the government’s laws nor the Drug War they’ve spawned could reach. Today, that illicit narco-utopia is long gone, its once-secret server in an evidence storage room and its creator Ross Ulbricht fighting a last ditch appeal to escape life in prison.
But more than two years since the FBI’s Silk Road takedown, the dark web markets Ulbricht inspired are suffering a less tangible but more fundamental kind of failure: the Silk Road’s dream has died, too.
Over the last year, buyers and sellers in the dark web’s underground economy have been shaken again and again when the cryptographically hidden marketplaces they use to trade contraband goods ranging from drugs to stolen credit cards to forgeries have suddenly disappeared. More often than not, those disappearances involve the sites’ administrators running off with a significant chunk of their customers’ money. The Silk Road’s purported ideology of enabling only victimless crime has vanished. Fears of law enforcement surveillance, and suspected vulnerabilities in tools like Tor meant to protect the anonymity of site administrators, have eroded the incentive to create a long-term trusted business.
The result has been that the libertarian free-trade zone that the Silk Road once stood for has devolved into a more fragmented, less ethical, and far less trusted collection of scam-ridden black market bazaars. Instead of the Silk Road’s principled—if still very illegal—alternative to the violence and unpredictable products of street dealers, the dark web’s economy has become nearly as shady as the Internet back alley politicians and moralizing TV pundits have long compared it to.
Dark web market admins are learning that “if you’re trustworthy, you stay up for a while, the heat increases, and eventually you get nailed by the feds,” says Nick Weaver, a Berkeley computer science researcher who has studied the Silk Road and other dark web markets. Instead, more and more markets are opting to “exit scam,” stealing the bitcoins users have stored in escrow and in their on-site accounts and going offline without warning. “The most viable exit strategy,” Weaver says, “is to rip and run.”
The latest series of black market disruptions began with the vanishing of the most popular Silk Road descendant, Evolution, in March of last year with as much as $12 million worth of its users’ bitcoins. No sooner had its competitor Agora adopted the site’s refugee merchants than it announced it would return users’ funds and go offline too, citing a need to revamp its security; it had likely been spooked by new details about an attack on Tor hidden services, as well as the FBI’s mass takedown of dark web markets in late 2014. In the chaos of those two sites going offline, buyers and sellers scrambled to lesser-known markets like Abraxas, Amazon Dark, Blackbank and Middle Earth. All of them subsequently disappeared, too, likely having pulled their own exit scams.
Now it looks as if Alphabay, the latest reigning top market with over 50,000 listings of “drugs and chemicals” for sale and 12,000 “fraud” products like stolen online accounts and credit cards, may be cashing in on users’ misplaced trust, too. An endless stream of complaints on Reddit’s “darknetmarkets” page and Alphabay’s own Tor-protected user forum accuse the site of intermittently stealing users’ bitcoins and deflecting the blame to weak passwords or phishing schemes. (Alphabay’s moderators didn’t respond to WIRED’s request for comment on the string of thefts.)
“There are numerous reports of AlphaBay funds going missing and shady behavior from AlphaBay administration,” writes one popular online drug vendor known by the name GrandWizardsLair, explaining his decision to no longer sell on the site. “Should have listened when people said AlphaBay is a scam site,” wrote another user whose bitcoins disappeared. “An expensive lesson learned.”
All of that online turmoil hasn’t necessarily sent the dark web’s buyers back to street dealers, says Nicolas Christin, a computer science researcher at Carnegie Mellon who’s published some of the most thorough measurements of the dark net markets. He says that the overall revenue of the anonymous online drug trade has hovered around $100 million a year regardless of repeated scams or law enforcement takedowns. But that sales figure has plateaued after years of fast growth, he says, perhaps in part because dark web drug buyers aren’t as happy or confident as they once were. “We’re starting to find the limits of these anonymous marketplaces,” Christin says. “Economically, it’s stable: it seems like whenever a marketplace goes down, another one picks up the pieces. Ideologically, it’s very different now. There’s no longer much of a sense of camaraderie.”
Christin argues that the dark web markets have been in a state of ethical decline since the moment Ross Ulbricht was arrested in late 2013. Ulbricht had, at least in theory, restricted the Silk Road’s sales to only “victimless” contraband, positioning the site as the seed of a non-violent anarcho-capitalist revolution. (Never mind the six murder-for-hires of enemies he’s been accused of commissioning in secret.) He treated his users as a community, and wrote them love letters and ideological manifestos. All of that made him a trusted administrator whose political ideals assured his followers that he wouldn’t rip them off for a quick bitcoin. “What we’re doing isn’t about scoring drugs or ‘sticking it to the man.’ It’s about standing up for our rights as human beings and refusing to submit when we’ve done no wrong,” Ulbricht wrote to me using his pseudonym, the Dread Pirate Roberts, before his arrest in 2013. “Silk Road is a vehicle for that message … All else is secondary.”
But as so often happens with revolutions, reality caught up with utopia. After Ulbricht’s arrest in late 2013 and the takedown of the Silk Road 2 (founded by several of Ulbricht’s staff members) a year later, the ideological bent of the dark web crumbled. Evolution, a new drug market created by former administrators of a credit card fraud site, took over, with none of the Silk Road’s prohibitions on fraud or stolen goods. Today Alphabay offers its buyers a similar array of hacked credit cards and accounts. Given that these sites cater to actual thieves, it should have been expected that they’d eventually resort to defrauding their customers, too, Christin points out. “They’re not ideologically motivated,” says Christin. “They’re in it to make money. When the temptation gets high, it shouldn’t come as a surprise that they take what’s on the table.”
For careful dark web customers, cryptographic tools do exist to avoid exactly the sorts of bitcoin-stealing scams that have plagued the Silk Road’s descendants. A bitcoin feature known as multi-signature transactions allows buyers to put money in an escrow account that requires sign-off from two out of three parties—the buyer, the seller, and the site itself—to retrieve the funds. Unlike the traditional, centralized escrow used by the Silk Road, no single party of those three can spontaneously choose to run off with the money. A new, fully decentralized marketplace known as OpenBazaar would go much further, allowing people to buy and sell products with bitcoin through a peer-to-peer system, with no central server that could be raided by the site’s admins or seized by law enforcement.
But dark-net market observers remain skeptical of those solutions to the underground economy’s trust issues. OpenBazaar remains in a beta prototype state for now, with only a few hundred users running test transactions on its network. And multi-signature transactions require just enough effort and technical know-how—it involves copying multiple bitcoin addresses into certain bitcoin wallet programs to generate that multi-signature escrow address—that the vast majority of dark web consumers still haven’t bothered to figure them out, says Berkeley’s Weaver. And if they do, he warns that there may be so few multisignature transactions in the larger bitcoin economy that those next-gen drug deals would be highly visible on the blockchain, bitcoin’s public ledger of all the cryptocurrency’s movements. Savvy law enforcement agents might use that data to filter out and track the dark web’s drug deals to individual computers, just as they tracked $13.4 million in bitcoins from the Silk Road to Ross Ulbricht’s laptop. “The usability of [multisignature transactions] is awful,” he says. “And even if people did use them, they have this problem of glowing on the blockchain.”
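As an added illustration of the 2-of-3 escrow the article describes, here is a small model of the rule "any two of buyer, seller and market can move the coins; no single party can." This is example code written for this digest, not from the article, from Bitcoin, or from any market or wallet; real Bitcoin multisig is enforced by script over ECDSA signatures, and here HMAC-SHA256 with a per-party secret stands in for signing so the model runs with the standard library alone. The escrow ids, addresses and amounts are constructed.

```python
"""
Model of a 2-of-3 multisignature escrow: buyer, seller and market each
hold a key, and releasing the escrowed coins needs valid authorizations
from any two of the three. Constructed example; HMAC-SHA256 with
per-party secrets stands in for the ECDSA signatures Bitcoin would check.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PARTIES = ("buyer", "seller", "market")
THRESHOLD = 2  # signatures required out of len(PARTIES)


def keygen() -> Dict[str, bytes]:
    """One secret per party (stand-in for a private key)."""
    return {party: secrets.token_bytes(32) for party in PARTIES}


def spend_message(escrow_id: str, destination: str, amount_sat: int) -> bytes:
    """What each party authorizes: which escrow, to whom, and how much."""
    return f"{escrow_id}|{destination}|{amount_sat}".encode()


def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


class Escrow:
    """Coins locked until THRESHOLD distinct parties sign the same spend."""

    def __init__(self, escrow_id: str, amount_sat: int, keys: Dict[str, bytes]):
        self.escrow_id = escrow_id
        self.amount_sat = amount_sat
        self.keys = keys  # verification material for the three parties
        self.spent_to: Optional[str] = None

    def release(self, destination: str, amount_sat: int,
                signatures: Dict[str, bytes]) -> bool:
        if self.spent_to is not None or amount_sat != self.amount_sat:
            return False  # already spent, or amount does not match the escrow
        msg = spend_message(self.escrow_id, destination, amount_sat)
        valid = {party for party, sig in signatures.items()
                 if party in self.keys and verify(self.keys[party], msg, sig)}
        if len(valid) < THRESHOLD:
            return False  # one party, or forged extra signatures, is not enough
        self.spent_to = destination
        return True


def run_scenarios() -> Dict[str, bool]:
    """Exercise the escrow in the situations the article describes."""
    keys = keygen()
    results: Dict[str, bool] = {}

    # Happy path: goods delivered, buyer and seller both sign the payout.
    e = Escrow("order-1", 50_000, keys)
    msg = spend_message("order-1", "seller-addr", 50_000)
    results["buyer_and_seller_release"] = e.release(
        "seller-addr", 50_000,
        {"buyer": sign(keys["buyer"], msg), "seller": sign(keys["seller"], msg)})

    # Exit-scam attempt: the market alone tries to sweep the coins.
    e = Escrow("order-2", 50_000, keys)
    msg = spend_message("order-2", "market-addr", 50_000)
    results["market_alone_fails"] = e.release(
        "market-addr", 50_000, {"market": sign(keys["market"], msg)})

    # Market also submits a 'buyer' signature made with its own key: rejected.
    results["market_forged_second_sig_fails"] = e.release(
        "market-addr", 50_000,
        {"market": sign(keys["market"], msg), "buyer": sign(keys["market"], msg)})

    # Dispute: buyer never received the goods; market sides with buyer on a refund.
    e = Escrow("order-3", 50_000, keys)
    msg = spend_message("order-3", "buyer-addr", 50_000)
    results["dispute_refund_release"] = e.release(
        "buyer-addr", 50_000,
        {"buyer": sign(keys["buyer"], msg), "market": sign(keys["market"], msg)})

    # A second release of already-spent coins is refused.
    results["double_spend_fails"] = e.release(
        "buyer-addr", 50_000,
        {"buyer": sign(keys["buyer"], msg), "market": sign(keys["market"], msg)})
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The point of the model is the threshold check: the market's own key counts once, so an operator cannot reach two valid signatures without a second party's cooperation, which is exactly what removes the centralized-escrow "rip and run" option. Weaver's usability and blockchain-visibility caveats are about adoption and tracing, not about this rule, and the model says nothing about them.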
All of that has contributed to a kind of stagnation in dark web market innovation, says a figure named Gwern, who served as one of the pseudonymous moderators of Reddit’s darknetmarkets forum until he stepped down from the position last summer. Gwern noted in a goodbye post to Reddit’s dark web market community that the scene simply wasn’t evolving fast enough to keep up with its constant cycles of broken trust, security failures and petty theft. “I was originally lured in by the fascination of watching a small cryptopunk revolution, and I was hopeful that it would go beyond the [original Silk Road] model into multisig and beyond,” he wrote in the lengthy message, using “multisig” as shorthand for multisignature transactions. “Instead, [that] business model has proven remarkably durable despite the constant wearying turmoil of exit-scams and hacks and…there seems to be little chance that things will change substantially soon.”
That lack of evolution has made what was once a kind of sci-fi, online drug-buying wonderland into a collection of sketchy criminal sites that more than ever mirror the offline black markets they were meant to replace. The dark web markets are “still there, just…boring,” Gwern sums up in an email. “The resplendent dream has been replaced by a dirtier reality.”
Algorithms Claim to Hunt Terrorists While Protecting the Privacy of Others
Computer scientists at the University of Pennsylvania have developed an algorithmic framework for conducting targeted surveillance of individuals within social networks while protecting the privacy of “untargeted” digital bystanders. As they explain in this week’s Proceedings of the National Academy of Sciences (PNAS), the tools could facilitate counterterrorism efforts and infectious disease tracking while being “provably privacy-preserving”—having your anonymous cake and eating it too.
“The tension between the useful or essential gathering and analysis of data about citizens and the privacy rights of those citizens is at an historical peak,” the researchers begin. “Perhaps the most striking and controversial recent example is the revelation that US intelligence agencies systemically engage in ‘bulk collection’ of civilian ‘metadata’ detailing telephonic and other types of communication and activities, with the alleged purpose of monitoring and thwarting terrorist activity.”
Other conflicts mentioned by the Penn group include issues around medical data and targeted advertising. In every case, the friction is between individual privacy and some larger purpose, whether it’s corporate profits, public health, or domestic security. Can we really have both?
Probably not, but we might not have to live with an “all or nothing” approach to privacy either. This is what we have now, according to the researchers: either every person has a right to privacy or no person does. What they propose instead is a population divided and classified. This is already sounding pretty ominous, but let’s hear them out.
“There is a protected subpopulation that enjoys (either by law, policy, or choice) certain privacy guarantees,” the researchers write. “For instance, in the examples above, these protected individuals might be nonterrorists, or uninfected citizens (and perhaps informants and health care professionals). They are to be contrasted with the ‘unprotected’ or targeted subpopulation, which does not share those privacy assurances.” Still ominous.
There is an interesting and useful question at the root of this: Given a network, probably a social network, modeled as a graph (the graph theory sort of graph), how can we search for the things we want (terrorists, people spreading infections around) without revealing information about the population we don’t want to know anything about?
“At the highest level,” the group writes, “one can think of our algorithms as outputting a list of confirmed targeted individuals discovered in the network, for whom any subsequent action (e.g., publication in a most-wanted list, further surveillance, or arrest in the case of terrorism; medical treatment or quarantine in the case of epidemics) will not compromise the privacy of the protected.”
The algorithms are based on a few basic ideas. The first is that every member of a network (a graph) comes with a sequence of bits indicating their membership in a targeted group. If, say, the number two bit was set in your personal privacy register, then you might be part of the “terrorist” target population. An algorithm searching a network for targets doesn't simply get to reveal every network member's bits. It has a budget of sorts, where it can only reveal so many bits and no more. The algorithms work to optimize this scenario such that as many bits-of-interest are revealed as possible.
It does this optimization via a notion known as a statistic of proximity (SOP), which is a quantification of how close a given graph node is to a targeted group of nodes. This is what guides the search algorithms.
Using real social networks with stochastically (randomly) generated, artificial target groups, the Penn team found that they could indeed search a network for targeted members while not revealing information about individuals in privacy-protected populations.
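To make the budgeted, proximity-guided search concrete, here is a toy version of it on a small constructed graph. This is example code written for this digest, not the Penn group's algorithm or code: the page only says that the statistic of proximity measures how close a node is to the targeted group, so this example takes it to be the number of already-confirmed targets adjacent to a node, and it assumes the search starts from one known target; the graph, the node names and the target set are all constructed.

```python
"""
Toy budgeted target search guided by a statistic of proximity (SOP).
Constructed example, not the Penn group's code. Assumed SOP: number of
confirmed targets among a node's neighbours. Assumed start: one known target.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed social graph: three linked targets T1-T3 sitting on the edge
# of a chain of protected (non-target) members P1-P6.
EDGES = [("T1", "T2"), ("T2", "T3"), ("T1", "P1"), ("T3", "P2"),
         ("P1", "P3"), ("P3", "P4"), ("P4", "P5"), ("P5", "P6"), ("P2", "P6")]
TARGETS = {"T1", "T2", "T3"}  # the hidden "target bit" of each member


def build_graph(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


class Investigator:
    """Holds the hidden target bits; every reveal is a costly investigation."""

    def __init__(self, targets: Set[str]):
        self._targets = set(targets)
        self.revealed: Dict[str, bool] = {}  # everything the search has learned

    def investigate(self, node: str) -> bool:
        if node not in self.revealed:
            self.revealed[node] = node in self._targets
        return self.revealed[node]


def statistic_of_proximity(node: str, graph: Dict[str, Set[str]],
                           confirmed: Set[str]) -> int:
    """Assumed SOP: how many confirmed targets this node is adjacent to."""
    return len(graph[node] & confirmed)


def search(graph: Dict[str, Set[str]], seed: str, budget: int,
           oracle: Investigator) -> Set[str]:
    """Spend at most `budget` investigations. Only neighbours of confirmed
    targets are ever examined, so protected nodes further away stay untouched."""
    confirmed: Set[str] = set()
    frontier: Set[str] = set()
    spent = 1
    if oracle.investigate(seed):
        confirmed.add(seed)
        frontier |= graph[seed]
    while spent < budget:
        # sorted() makes tie-breaking deterministic; max keeps the first best
        candidates = sorted(n for n in frontier if n not in oracle.revealed)
        if not candidates:
            break
        best = max(candidates,
                   key=lambda n: statistic_of_proximity(n, graph, confirmed))
        spent += 1
        if oracle.investigate(best):
            confirmed.add(best)
            frontier |= graph[best]  # expand the search only through targets
    return confirmed


def run_demo(budget: int = 6) -> Dict[str, Set[str]]:
    graph = build_graph(EDGES)
    oracle = Investigator(TARGETS)
    found = search(graph, "T1", budget, oracle)
    return {
        "found": found,
        "investigated": set(oracle.revealed),
        "never_examined": set(graph) - set(oracle.revealed),
    }


if __name__ == "__main__":
    for label, nodes in run_demo().items():
        print(label, sorted(nodes))
```

With the default budget of 6 the search confirms all three targets after five investigations and never touches P3 through P6; the two protected members it does examine (P1 and P2) are the ones directly adjacent to targets, which is the residual exposure the paper's closing question about "rigorous privacy guarantees" is pointing at. Cutting the budget to 2 stops the search after T1 and P1, with only the seed confirmed.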
“Our work is of course not a complete solution to the practical problem, which can differ from our simple model in many ways,” the group concludes. “Here we highlight just one interesting modeling question for future work: Is it possible to give rigorous privacy guarantees to members of the protected population when membership in the targeted population is defined as a function of the individuals’ private data? In our model, we avoid this question by endowing the algorithm with a costly ‘investigation’ operation, which we assume can infallibly determine an individual’s targeted status—but it would be interesting to extend our style of analysis to situations in which this kind of investigation is not available.”
Cops Say They Can Access Encrypted Emails on So-Called PGP BlackBerrys
Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones—custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.
“We are capable of obtaining encrypted data from BlackBerry PGP devices,” Tuscha Essed, a press officer from the Netherlands Forensic Institute (NFI), told Motherboard in an email. The NFI is a body that assists law enforcement in forensic evidence retrieval, and which, according to its website, deals with most of the forensic investigations in criminal cases in the Netherlands.
The news first emerged when Dutch blog “misdaadnieuws.com,” or Crime News, published apparent documents sourced from the NFI in December last year. According to that report, deleted messages can be recovered and encrypted emails read on these devices. The process is carried out with a piece of forensics software made by private company Cellebrite.
PGP-encrypted BlackBerrys are sold by a number of online vendors, and are advertised as being more suited for sensitive communications than the standard models on offer. “We use PGP encoding as protocol for sending and receiving messages,” the site of one vendor, TopPGP, reads. Another seller, called GhostPGP, says that the company “offers the only proven, time-tested means of communicating securely in total anonymity with PGP-encrypted email.”
It appears that organized criminal groups may make use of these sorts of devices. In March 2014, Australian outlet ABC reported that encrypted BlackBerrys were linked to a series of killings, one of which was a murder of a Hells Angels biker. The Sydney Morning Herald added that police officers have traveled to BlackBerry’s headquarters seeking advice on how to access encrypted data on the phones.
The vendor of that device was Canada-based Phantom Secure, the brochure of which claims “no information is required with purchase” of one of the phones, and that “Your data connection and device are not registered to you.”
Very little information is available regarding the specific technique that the NFI use to access encrypted communications on custom BlackBerrys.
The Crime News report says that out of 325 encrypted emails recovered from a device, only 279 were deciphered, and that the workaround is only applicable when law enforcement have physical access to the device. Documents published by Crime News mention a BlackBerry 9720, a model of BlackBerry that was released in August 2013.
Essed from NFI would not elaborate on the capability against PGP BlackBerrys, nor when the body acquired it. When presented with a list of questions, Essed said, “by answering these we would provide criminals with exactly the information they would need in order to eventually get around our research method. We would like to prevent that and therefore have been very reserved with our explanation towards the press.”
When contacted by Motherboard, Jay Phillips, from encrypted BlackBerry seller SecureMobile.ME, pointed to a blog post on the SecureMobile site dated August 2014, which details two methods of obtaining data from a mobile device.
One of them, known as chip-off, involves removing a memory chip from the circuit board and making a dump of the data it contains. If “content protection” is turned on—BlackBerry's feature for encrypting data—the analyst will extract the hash of the device's password, and then attempt to brute force it, according to the blog post. The post claims that SecureMobile products are unaffected by chip-off because they have been paired with BlackBerry Enterprise Server (BES).
“We wrote about this years ago. This affects ALL mobile devices including Android offerings! Weak passwords will ALWAYS be the weak link," Phillips said.
“Content protection is on by default for all our units,” Phillips continued. “This has been the case since day one. Without it, the devices are easily cracked. [BlackBerry] devices can still be brute forced via chip-off.”
“It could possibly be that Cellebrite has found a way to brute force without a chip-off: this I have not verified,” Phillips continued, recommending a strong password to secure data on the device. (Crime News writes that the length of the password used for sending and opening PGP messages is not relevant to the decryption process.)
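The chip-off path described above comes down to an offline guessing attack against a salted, iterated hash of the device password, which is why Phillips calls weak passwords the weak link. The following is an added example, not code from the page, from Cellebrite or from any BlackBerry vendor: the KDF (PBKDF2-HMAC-SHA256), iteration count, salt and sample passwords are all constructed here, because the page does not say what BlackBerry content protection actually uses. It shows the attacker's cost model: every guess costs one KDF evaluation, so the only thing the victim controls is how many guesses are needed.

```python
import hashlib
import hmac
import itertools
import string

# Constructed parameters for this example. The page does not say which KDF or
# iteration count BlackBerry content protection uses; PBKDF2-HMAC-SHA256 stands
# in for "a salted, iterated hash of the device password" recovered by chip-off.
ITERATIONS = 200
DKLEN = 32


def make_verifier(password: str, salt: bytes) -> bytes:
    """Model of what a chip-off dump yields: the password verifier, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, DKLEN)


def crack(verifier: bytes, salt: bytes, alphabet: str, max_len: int, budget: int):
    """Offline exhaustive search, shortest candidates first.

    Returns (password, guesses) on success, or (None, guesses) once the guess
    budget is spent. Each guess is one KDF evaluation, so wall-clock time is
    guesses / (KDF evaluations per second on the attacker's hardware).
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if guesses >= budget:
                return None, guesses
            guesses += 1
            candidate = "".join(chars)
            if hmac.compare_digest(make_verifier(candidate, salt), verifier):
                return candidate, guesses
    return None, guesses


def worst_case_seconds(alphabet_size: int, length: int, kdf_per_second: float) -> float:
    """Time to exhaust every password of exactly this length at a given KDF rate."""
    return alphabet_size ** length / kdf_per_second


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed; a real dump supplies the real salt
    weak = make_verifier("2580", salt)  # a 4-digit PIN
    print(crack(weak, salt, string.digits, 4, 5_000))
    strong = make_verifier("correct horse battery", salt)
    print(crack(strong, salt, string.ascii_lowercase + " ", 8, 5_000))
    # A 4-digit PIN falls in a second at 10k guesses/s; 20 lowercase characters do not.
    print(worst_case_seconds(10, 4, 1e4), worst_case_seconds(27, 20, 1e4))
```

The iteration count only scales the cost of each guess; it cannot rescue a search space of 10,000 PINs. That is the point Phillips makes: whether the analyst goes through a chip-off or some Cellebrite shortcut, the password's entropy sets the bound.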
A representative from GhostPGP wrote in an email, “We have not been affected. Our services are completely secure and have never been compromised.”
Meanwhile, TopPGP told Motherboard, “We use the latest PGP encryption at this moment that its almost impossible to be decrypted. Our customers are very happy with the level of security provided by TopPGP.com.” Requests for comment to Phantom Secure and Phantom Encrypt, two other PGP BlackBerry vendors, went unanswered.
It's unclear whether other law enforcement bodies have the ability to obtain encrypted communications from custom BlackBerrys. A spokesperson for the UK's National Crime Agency told Motherboard in an email that “To preserve the integrity of our investigations, we don't routinely confirm or deny the use of specific tools or techniques.”
A spokesperson from the Federal Bureau of Investigation wrote in an email “I would not be able to comment on our capabilities in regards to specific companies or communications providers.” He then pointed to BlackBerry’s recent post entitled “The Encryption Debate: a Way Forward,” in which John Chen, the company’s CEO, writes that “privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.”
The Drug Enforcement Administration had much the same stance, and a representative told Motherboard via email, “I'm afraid I can't comment on your question. As I'm sure you can appreciate, confirming or denying this capability provides information on tactics, techniques and procedures that we can't discuss.”
The Royal Canadian Mounted Police did not respond to a request for comment.
French Government Considers Law that Would Outlaw Strong Encryption
Patrick Howell O'Neill
The French Parliament is considering a legislative provision that would ban strong encryption by requiring tech companies to configure their systems so that police and intelligence agencies could always access their data.
The amendment to the vast "Digital Republic" bill was introduced in the French National Assembly, parliament's lower house, by eighteen politicians from the conservative Republican Party.
The Digital Republic bill, which covers everything from net neutrality to the online publication of scientific research, will be examined and debated this week along with 400 amendments to it.
The anti-encryption amendment is largely seen as a response to the two deadly Paris terrorist attacks in 2015, despite the fact that the attackers repeatedly used unencrypted communications in the leadup to the killings.
Authorities still don't fully know how the terrorists planned their operations, but the ISIS-inspired militants signaled the start of the Nov. 13 attacks through unencrypted text messages. They also traded unencrypted phone calls with senior operatives elsewhere in Europe. French authorities say that some blind spots remain due to encrypted messaging services like Telegram.
In the weeks since the November attacks, the French government has come under sustained criticism for sacrificing liberty for security. The country has been in a state of emergency for two months, a legal status that gives President François Hollande vast new law-enforcement powers.
The Digital Republic bill came just as the Netherlands issued a statement in favor of strong encryption, promising not to weaken it for investigative purposes.
It's unclear whether the encryption amendment would have prevented either of the Paris terrorist attacks.
“The attackers were all known to the police and intelligence services!" the security researcher calling himself "the Grugq" told the Daily Dot. "Al Qaeda fretted constantly about finding 'clean skins,' new terrorists who weren’t known to security forces. ISIS publishes a magazine featuring an interview and [a] huge photograph of the cell leader’s face. Then they send him into Europe and he does just what he said he would do in his interview. There is little that can be blamed on encryption here."
Encryption is technology that scrambles data so that only those people who have the keys can unscramble it. It is part of many commonplace Internet activities like commerce and communications.
Many Apple iOS and Google Android devices are now encrypted by default, a move that has reignited a global debate over privacy and encryption because of the technology's use by cybercriminals, terrorists, and sexual predators. Encryption advocates point to its use by human rights activists, journalists, governments, and tech companies seeking to avoid surveillance and hackers.
The new French bill briefly praises encryption’s role in protecting user data but immediately pivots to criticizing the effects of strong encryption on state security forces.
"France must take the initiative and force device manufacturers to take into consideration the imperative of access for law enforcement officers, under the control of a judge and only in the case of an investigation, to those devices," the legislation reads, according to a translation by Khalil Sehnaoui, a Middle-East security specialist and founder of Krypton Security. "The goal is to avoid that individual encryption systems delay the advancement of an investigation."
Technologists and open-Internet advocates disagree, arguing that strong encryption—which even the tech companies themselves cannot break—is a crucial part of online privacy and security.
Tech executives like Apple CEO Tim Cook warn that building weaknesses into cryptography will help hackers and hurt average Internet users.
"Let me be crystal clear: Weakening encryption or taking it away harms good people who are using it for the right reason," he argued last year.
Cook and a bevy of tech executives met with U.S. officials last week to discuss how to fight terrorists on social media; encryption briefly came up at the meeting, according to a senior administration official.
No Backdoors But UK Government Still Wants Encryption Decrypted On Request…
Yesterday the U.K. Home Secretary, Theresa May, spent two hours giving evidence to a joint select committee tasked with scrutinizing proposed new surveillance legislation.
The draft Investigatory Powers Bill, covering the operation of surveillance capabilities deployed by domestic security and law enforcement agencies, is currently before parliament — with the government aiming to legislate by the end of this year.
During the committee session May was asked to clarify the implications of the draft bill’s wording for encryption. Various concerns have been raised about this — not least because it includes a clause that communications providers might be required to “remove electronic protection of data”.
Does this mean the government wants backdoors inserted into services or the handing over of encryption keys, May was asked by the committee. No, she replied: “We are not saying to them that government wants keys to their encryption — no, absolutely not.”
Encryption that can be decrypted on request
However the clarity the committee was seeking on the encryption point failed to materialize, as May reiterated the government’s position that the expectation will be that a lawfully served warrant will result in unencrypted data being handed over by the company served with the warrant.
“Where we are lawfully serving a warrant on a provider so that they are required to provide certain information to the authorities, and that warrant has been gone through the proper authorization process — so it’s entirely lawful — the company should take reasonable steps to ensure that they are able to comply with the warrant that has been served on them. That is the position today and it will be the position tomorrow under the legislation,” said May.
“As a government we believe encryption is important. It is important that data can be kept safe and secure. We are not proposing in this bill to make any changes in relation to the issue of encryption. And the legal position around that. The current legal position in respect of encryption will be repeated in the legislation of the bill. The only difference will be that the current legal position is set out in secondary legislation and it will be, obviously, in the bill,” she added.
May was pressed specifically on the implications of the legislation for end-to-end encryption. Her comments on this point provide little reassurance that the government appreciates the technical nuance involved (i.e. that properly implemented end-to-end encryption means the company itself cannot decrypt the data, and therefore cannot comply with such an expectation), or that it is not intentionally seeking to undermine, or at the very least obfuscate, the legal position around end-to-end encryption.
In the instance where a company that has implemented end-to-end encryption tells the authorities it is unable to provide data, what will the bill’s reference to removing electronic protection mean in practice, May was asked?
“What we are saying to companies… is that when a warrant is lawfully served on them there is an expectation that they will be able to take reasonable steps to ensure that they can comply with that warrant. i.e. that they can provide the information that is being requested under that lawful warrant in a form which is legible for the authorities,” she repeated.
The weight of the bill’s requirement, as it stands, appears to rest on what is meant by the phrase “reasonable steps”. And whether removing end-to-end encryption would be considered a reasonably required step by the law. It’s unclear at this stage what the law will consider reasonable, and the lack of clarity on this point appears intentional — as a way for the government to side-step the issue of end-to-end encryption without explicitly stating whether the technology effectively offers a workaround to the legislation or not.
And indeed, in other answers to the committee, May revealed that other instances of ‘untightened’ language in the bill are intentional — in order for the legislation to provide “flexibility”, as she put it. Such as to allow definitions to be broad enough to accommodate advances in technology, for example.
Clarity vs flexibility
“It’s a balance between trying to ensure that legislation is so drafted that it is clear for people but that it isn’t so drafted that it actually mean that it will only have a very, very limited life — precisely because definitions will move on and there will be developments,” she said.
At another point in the session, the lack of clarity about exactly what bulk datasets are — and the Home Office’s ongoing refusal to provide the committee with a list of these (their public existence was only revealed last March) — is also apparently intentional, with May again using the word flexibility when asked about these.
Here she seemed to mean affording agencies the wiggle-room of operational secrecy necessary not to tip off criminals about the sorts of lists they might be looking at. (Although she gave one example of a bulk dataset being a list of people with firearms licences.)
During the session, she also rejected general criticism that the bill’s language is uncertain, arguing that the definition of the so-called Internet Connection Records (ICRs) — i.e. the requirement that ISPs and other communications service providers (CSPs) log a list of websites visited by every user for a full year — has, for example, been tightened up.
But asked by the committee to give her own definition of what an ICR is — “in terms that might be understandable by a layperson” — she offered only “an equivalence” explanation, describing it as: “When you have somebody who is accessing a particular site… or is using the Internet for a particular communication, you wish to be able to identify that. You’re not trying to find out whether they have looked at certain pages of a website, which is where I think the confusion may arise because of what people felt was in the draft Communications Data Bill.
“It is simply about that access to a particular site or the use of the Internet for a communication,” she added.
May rejected the suggestion put to her by the committee that a sunset clause or regular review might be an appropriate way to ensure expansive investigatory powers do not shift, over time, to become disproportionate — arguing specifically that CSPs need the certainty that a non-bookended bill provides if they are to put in place infrastructure to enable the collection of ICRs.
Internet connection records
May fielded a lot of questions about ICRs, including whether they might not result in producing far too much data of limited utility, as well as on the costs of implementing them, the security challenges of storing so much sensitive data, and the technical feasibility of being able to capture the sort of data the agencies are after via this method.
“The confidence we have [on technical feasibility] comes from the discussions that we’ve been having with [communications service providers],” she said. “We have had numerous discussions with them about how access to ICRs may be achieved.
“The discussions we’ve had with them have been about some of these technical issues — about access. And obviously there are different ways in which different providers approach the way they operate but we are confident from those discussions that it will be technically feasible for us to be able to ensure that there is access to the information that’s necessary.”
On the costs point, May said the previously mentioned £247 million figure to reimburse ISPs/CSPs’ costs for retaining and storing ICR data is “indicative” — adding: “We are obviously still in discussion with individual CSPs about the ways in which these capabilities would be provided.”
The committee noted it had previously heard from multiple CSPs expressing doubts that the £247 million figure would cover the costs of implementing ICRs across multiple providers. And the Home Secretary was challenged on whether there would be “sufficient resource” to meet the requirements the bill proposes to place on CSPs.
She agreed to provide the committee with “further indications” of technical feasibility and costs. “We do provide reasonable cost recovery,” she added. “That’s been a long-standing policy of the U.K. government where we are requiring these companies to do things in order to have this sort of access.”
She also agreed to provide the committee with additional operational examples of why ICRs are necessary as an investigatory power.
On the point about the usefulness of ICR data itself, May was asked to respond to other evidence heard by the committee that, for example, smartphones being constantly connected to the Internet will mean that collecting a list of connected services would offer only a very muddy intelligence signal.
Do you see a danger that you’ll just collect a vast amount of data of limited utility in the end, she was asked? May said the government’s aim is to have “a more targeted approach” to handle “this issue of volume of data”, going on to argue that recording individual connections/sessions will not generate an unmanageable volume of data.
“I don’t think there’s going to be that volume of data in the much more targeted approach we will take,” said May, contrasting the IP bill ICR proposals with a prior attempt, in Denmark, to mandate telcos store data on users.
“We will have a more targeted approach. Which I think we believe will reduce that overall volume of data recorded and reduce the risk that connections are missed,” she said, adding: “I’m reliably informed that the Danish implementation was based around sampling every 500th packet, rather than recording individual Internet connections or sessions. Which is what we propose to do.”
On the issue of how the government would enforce requirements set out in the IP bill on overseas communications providers May said it is an issue the Home Office is looking at.
“There are certain aspects of this legislation where we are looking at extraterritoriality. But there are requirements that we will be issuing — obviously there will be data retention notices that will be issued to communications service providers in relation to requirement for them to hold data in a way that enables that to be accessible.”
“We do repeat the position that we put into DRIPA that has always been asserted by all governments in relation to the ability to exercise a warrant against a company that is offering services in the U.K. and abiding by the law of the U.K.,” she added later.
Judicial oversight as privacy safeguard
On the overarching point about the risks to individuals’ privacy from sledgehammer measures that propose to monitor U.K. citizens in bulk, May said the safeguard against this is the double-lock mechanism that involves both judicial and ministerial review of warrants.
“The double lock authorization is there where there are processes which are intrusive into an individual,” she argued.
On the judicial component of the double-lock May was asked by the committee whether these judicial powers will be just narrow “process checks” or also allow judges to assess the necessity and proportionality of warrants. She said there will be scope for judges to scrutinize the merits of a warrant — not just do a process check — but said it will be open to judges to choose which type of approach they take on a case-by-case basis.
“One of the advantages that one has with judicial review principles is that it gives the judicial commissioners a degree of flexibility as to how they approach particular cases, depending on the impact on the individual of what it is is that they’re looking at. And so they will be able to make an assessment and a judgement as to how they wish to approach the evidence that is before them,” she said.
“The Secretary of State looks at necessity and proportionality of the warrantry. So it will be open to the senior high court judge to look at necessity and proportionality but they will be able, under the judicial review provisions, to have the flexibility to determine the way in which they look at that decision.”
“It will be up to the judge… to determine how they approach any particular issue,” she added. “There may well be circumstances in which they might apply a lighter touch approach to reviewing a Secretary of State’s decision. And others in which they will in fact look more at necessity and proportionality.
“The whole point of the double-lock authorization is that both parties have to agree to the warrant being applied. And if the judicial commissioner decides that the warrant should not be applied — having looked at it, and applied the tests that they need to apply — then obviously it can’t be operated.”
May was also probed on the bulk powers provisions in the bill, and challenged to respond to criticism that security analysts are in fact ‘drowning in too much data’ because of such mass harvesting processes — and that bulk collection is therefore counterproductive when it comes to helping national security.
She stridently rebutted the view that measures in the bill constitute mass surveillance — asserting: “We do not collect all the data, all of the time” — before going on to argue that “bulk collection” is necessary to ensure there is a “haystack” of data available to be filtered for intelligence in the first place.
“There are a variety of ways in which of course the agencies are careful and do look to target how they deal with data. But if the suggestion is that you cannot collect any bulk data whatsoever, or have access to any bulk datasets whatsoever, then you’re going to miss the opportunity,” she said.
“It would be wrong to give the impression that we are collecting all of the data all of the time… But bulk capabilities are important because you do need — if you’re going to be able to investigate a target — you need to be able to acquire the communications in the first place and when the target is overseas bulk interception obviously is one of the key means, and indeed it may be the only means, by which it’s possible to obtain communications.”
“It isn’t the case that it is always used in an untargeted way,” she added. “Of course when we look, when particular incidents have taken place, we look at the systems that are in place to ensure that we can make the way we operate as effective as possible. Because there’s a very fundamental reason to be able to have access to this information, to be able to deal with this information; it is about keeping people safe and secure.”
May was also pressed on when operational cases will be published for the various bulk powers set out in the bill — such as bulk equipment interference powers (aka mass hacking capabilities) — with the committee noting prior warnings by QC David Anderson, who conducted the government’s independent review of terrorism legislation last summer, that there’s a risk of the legislation being unpicked at the European level without robust justification being made for such capabilities.
On this point the Home Secretary agreed to write to the committee with further explanation of why the bulk powers are necessary.
She was also probed on whether the bill afforded agencies the ability to apply for so-called thematic warrants — potentially covering “a very large number of people and therefore cannot be classed as targeted”. “The answer is no,” she said. “It will not be possible to use a thematic warrant against a very large group of people.”
“The purpose of the thematic warrant is for example circumstances in which perhaps there’s a kidnap, there’s perhaps a threat to life, and there’s only certain information available and it’s necessary because of the pace at which something is developing to be able to identify the group of people who are involved with that particular criminal activity as being within the thematic warrant,” she added.
May was also asked about concerns that security agencies might work around the legal framework set out in the IP bill by obtaining information from other countries, or vice versa, with one committee member noting “there isn’t very much in the bill about these issues” — and suggesting it could prove a sizable loophole for what is supposed to be a transparent legal framework for the operation of secretive state surveillance powers.
“We do look at the handling arrangements that are in place when we are sharing material with overseas partners. It’s clause 41 of the draft bill that sets out that before intercept material is shared with an overseas authority the issuing authority sharing the material must be satisfied that they’ve got appropriate handling arrangements in place to protect the material. Equivalent to those that apply under clause 40,” said May.
“There will be codes of practice [in the case of U.K. agencies receiving data shared by overseas countries],” she added. “We’ve been very clear that in terms of ensuring that where information is obtained it is done so against an appropriate legal framework. And that there are provisions in place that ensure that the agencies operate and only obtain information where it is lawful for them to do so.”
The questioner followed up by asking where do we find that legal framework — wondering whether it is down to a series of international treaties, some of which may not be in the public domain? May did not give a clear answer on this, saying only: “There are various aspects to the legal framework against which the agencies operate,” before suggesting she could again write to the committee to provide more information on this point.
The evidence session was the last one the committee will hear. It will now begin compiling its recommendations — with a report due to be published by mid February.
Snooper's Charter: Cafes and Libraries Face Having to Store Wi-Fi Users' Data
Theresa May gives first hint costs may far exceed £240m estimate as it emerges even small-scale providers could be targeted
Alan Travis Home
Coffee shops running Wi-Fi networks may have to store internet data under new snooping laws, Theresa May has said.
Small-scale networks such as those in cafes, libraries and universities could find themselves targeted under the legislation and forced to hand over customers’ confidential personal data tracking their web use.
The home secretary has also given her first hint that the costs of her snooper’s charter are likely to go far beyond the official £240m estimate. May told peers and MPs that talks were under way with internet and phone companies over costs and their technical capacity to deliver the measures, after being told that Vodafone, O2 and EE had testified that each company could spend that amount alone in implementing the proposed surveillance law.
During nearly two hours of questioning by the joint parliamentary scrutiny committee on her bill, the home secretary revealed that small-scale internet providers would not be excluded from the requirement to store their customers’ internet records for up to 12 months.
“I do not think it would be right for us to exclude any networks,” she told MPs and peers. “If you look at how people do their business these days, it is on the move.”
May rejected demands from the information commissioner and from the defence and security industries that there should be a “sunset clause” on the legislation ensuring it would be revisited within five to seven years to cope with the rapid pace of technological change. She insisted the bill was “technology neutral” and fit for a rapidly changing technological world.
The home secretary had no answer when questioned by MPs and peers as to how she would enforce legal notices requiring overseas internet and technology companies, such as Apple, Facebook, Twitter and Google, to store their customers’ communications data records for 12 months and to hand them over to British police and security agencies on request. May said they were still examining issues of “extra-territoriality”.
She did, however, attempt to reassure the scrutiny committee that judicial commissioners, to be appointed to operate a “double-lock” authorisation process on intercept and bulk interception warrants, would have sufficient flexibility to examine decisions taken by cabinet ministers to order intrusive snooping operations.
The scrutiny committee has had only two and a half months to examine the 300-page bill which is being introduced in the wake of disclosures by the whistleblower Edward Snowden, uncovering mass surveillance and bulk collection programmes operated by Britain’s GCHQ and the National Security Agency in the US. The committee is to produce its pre-legislative scrutiny report by 9 February before the bill is given a Commons second reading.
The issue of the costs faced by the internet and phone companies in complying with the bill’s requirements to collect, store and retain for 12 months all their customers’ communications data tracking their individual use of the web, email and mobile phones could prove a serious difficulty for the Home Office.
The Labour MP David Hanson raised the issue with May, saying that Vodafone, EE, O2 and Three had testified in evidence that they could each spend £240m alone and were troubled about their current capacity to deliver compliance with the legislation on budget and on time. O2 had said the costs involved will be “huge”, while EE said that if there was any cap or limit on the government reimbursing their costs for storing the data involved, it could make things very difficult.
May made clear that the government had agreed to underwrite the costs involved in the companies’ complying with the bill on a “cost recovery basis”. She said the Home Office was in talks with the companies but insisted that the initial estimate had not been “plucked out of the air”.
She said: “We have provided some indicative figures. We are still in discussion with individual communication service providers about ways in which these capabilities are to be provided. We will have reasonable cost recovery when we require these companies to provide these capabilities.”
May said that she had spoken to the companies about the sums of money involved and the technical feasibility and that they had been responsive.
Ex-NSA Chief Defends End-to-End Encryption, Says ‘Backdoors’ Will Make Us Less Secure
No one will ever accuse the National Security Agency of being champions of privacy. But General Michael Hayden, a former Director of the NSA, does see some value in preserving secure end-to-end encryption on the web without giving government agencies their own “backdoors” they can use to break it in the name of intelligence gathering. Per CNN, Hayden told a cybersecurity conference in Florida this week that breaking encryption would not make Americans safer even if encrypted communications do pose new challenges for intelligence and law enforcement agencies.
“I actually think end-to-end encryption is good for America,” Hayden said. “I know encryption represents a particular challenge for the FBI. But on balance, I actually think it creates greater security for the American nation than the alternative: a backdoor.”
Hayden went on to explain that even if there were some merits to banning the use of end-to-end encryption, he was skeptical of the government’s ability to actually enforce such a law.
“When was the last time you saw the success of legislation designed to prevent technological progress?” Hayden asked rhetorically. “It’s just not gonna happen.”
Major tech companies including Apple, Google, Microsoft and Facebook have all come out in favor of maintaining secure end-to-end encryption that does not have any backdoor for government access. Their argument is that encryption is so vital to making secure transactions on the web that anything that undermines it will be a net harm to consumers.
The FBI has been on the other side of the debate. Late last year FBI Director James Comey explained that his agency could not read communications between a suspected terrorist and his partners overseas because the suspect had used encrypted messaging.
“In May, when two terrorists attempted to kill a whole bunch of people in Garland, Texas, and were stopped by great local law enforcement … that morning before one of those terrorists went to attempt mass murder, he exchanged 109 messages with an overseas terrorist,” Comey explained. “We have no idea what he said because those messages were encrypted. And to this day, I can’t tell you what those messages said with that terrorist 109 times the morning of that attack. That’s a big problem, and we have to grapple with it.”
However, it seems that while Hayden is sympathetic to this argument, he also sees that breaking encryption could do more harm than good, even if it does give law enforcement agencies a temporary boost in intelligence gathering.
Questions Linger as Juniper Removes Backdoored Dual_EC RNG
Juniper Networks announced late Friday it was removing the suspicious Dual_EC_DRBG random number generator from its ScreenOS operating system.
And while that’s heralded as a positive move considering Dual_EC’s dubious origins, there remain important and unanswered questions about Juniper’s decision to include what is considered to be a backdoored random number generator in its NetScreen VPNs, and why a number of strange coding and engineering decisions were made that could have facilitated the decryption of secure traffic.
The networking giant said it was not only removing Dual_EC, but also the ANSI X9.31 algorithm from ScreenOS starting with an upcoming release sometime in the first half of this year. The announcement comes just shy of a month after Juniper said it had found unauthorized code in ScreenOS that allowed for the decryption of NetScreen firewall traffic and a second issue that allowed for remote unauthorized access to NetScreen appliances via SSH or telnet.
Juniper said it brought in third-party help to investigate its code and determined that no other “unauthorized code” lives in either ScreenOS or Junos OS.
“The process examined Junos OS source code in ‘hot spots’ where one may expect to find code similar to the code found in ScreenOS,” Juniper said in its advisory on Friday. “The hot spots include VPN code, encryption code, and authentication code. We also inspected our build environments for any evidence of tampering or unauthorized access.”
In the meantime, at last week’s Real World Crypto conference at Stanford University, a team of crypto experts presented a number of revelations, including the news that Juniper’s use of Dual_EC dates to 2009, perhaps 2008, at least a year after Dan Shumow and Niels Ferguson’s landmark CRYPTO 2007 rump-session presentation that first cast suspicion on Dual_EC being backdoored by the NSA. Shumow and Ferguson showed that Dual_EC was not only slow compared to other pseudorandom number generators but also had a detectable bias in its output. More seriously, its two public constants, the curve points P and Q, could have been chosen so that one is a secret multiple of the other; whoever knows that secret number can recover the generator’s internal state from a small amount of output (about 32 bytes) and predict every output that follows.
Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, told Threatpost that he and his colleagues on this investigation looked at dozens of versions of ScreenOS and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2, when Juniper added Dual_EC. At the same time, the amount of raw Dual_EC output used to seed the ANSI X9.31 generator (the nonce) grew from 20 bytes to 32 bytes, exactly the amount an attacker needs to recover Dual_EC’s state and predict its output.
“And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.”
Checkoway said that Juniper’s introduction of the bug, which was discovered by researcher Willem Pinckaers, broke the way that the code had worked in ScreenOS 6.1 and earlier.
“It’s very bizarre. I’ve never seen anything like that before, where [they’ve] gone from something that was working and written in a standard manner to something as strange as this,” he said. It’s that bug that enabled another attacker to replace the Dual_EC constant—thought to belong to the NSA—with their own constant.
“The very presence of Dual_EC enabled a third party to simply change a constant and make it so they were able to decrypt VPN traffic,” Checkoway said, adding that Juniper’s patch reverted the constant back from the attacker-supplied one, to a Juniper-supplied constant. “I take it that Juniper thought the previous code there was intended functionality.”
While Juniper’s decision to use Dual_EC enabled this second attack, Checkoway said there’s no justifiable security or engineering reason to have done so in the first place.
“Basically, whoever changed the code needed to change just a small portion of Juniper code, a tiny fraction of their code. Whereas had Juniper not used Dual_EC, they would have had to do something much bigger,” Checkoway said. “Juniper’s use of this bad random number generator really enabled the subsequent attack.”
Juniper, in the meantime, quickly patched the two vulnerabilities by removing the so-called “unauthorized code”; Juniper representative Danielle Hamel declined to comment further and pointed Threatpost to the company’s various blog posts explaining the situation.
The scenario harks back to the documents leaked by NSA whistleblower Edward Snowden, in particular those describing the NSA’s Project BULLRUN and its subversion of Dual_EC, and to the later report that RSA Security was allegedly paid $10 million by the NSA to use the algorithm as the default in its products.
“One of the interesting things about using Dual_EC as a backdoor mechanism versus the unauthorized access SSH backdoor, is that with Dual_EC, it’s just a series of what looks like mistakes or bad engineering choices that coincidentally leads to their software being vulnerable,” Checkoway said. “There are so many coincidences: the introduction of Dual_EC, the bug, the change in the nonce from 20 bytes to 32, which is really the ideal size for running this attack.”
Et tu, Fortinet? Hard-Coded Password Raises New Backdoor Eavesdropping Fears
Discovery comes a month after competitor Juniper disclosed unauthorized code.
Less than a month after Juniper Networks officials disclosed an unauthorized backdoor in the company's NetScreen line of firewalls, researchers have uncovered highly suspicious code in older software from Juniper competitor Fortinet.
The suspicious code contains a challenge-and-response authentication routine for logging into a device over the secure shell (SSH) protocol. Researchers were able to unearth a hard-coded password of "FGTAbc11*xy+Qqz27" (not including the quotation marks) after reviewing exploit code posted online on Saturday. On Tuesday, a researcher posted a screenshot purporting to show someone using the exploit to gain remote access to a device running Fortinet's FortiOS software.
Ralf-Philipp Weinmann, a security researcher who helped uncover the inner workings of the Juniper backdoor, took to Twitter on Tuesday and repeatedly referred to the custom SSH authentication as a "backdoor." In one specific post, he confirmed he was able to make it work as reported on older versions of Fortinet's FortiOS.
In a statement, Fortinet officials rejected the backdoor characterization. They wrote:
This issue was resolved and a patch was made available in July 2014 as part of Fortinet's commitment to ensuring the quality and integrity of our codebase. This was not a "backdoor" vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external. All versions of FortiOS from 5.0.8 and later as well as FortiOS 4.3.17 and later are not impacted by this issue.
According to the exploit code, the undisclosed authentication method works on versions 4.3 up to 5.0.7. If correct, the surreptitious access method was active in FortiOS versions current in the 2013 and 2014 time frame and possibly earlier, based on the product's rough release history. The weakness was eventually patched, but so far researchers have been unable to locate a security advisory that disclosed the alternative authentication method or the hard-coded password. While one researcher told Ars the exploit no longer works in version 5.2.3, that release is still suspicious because it contains the same hard-coded string.
"So a lot of parts of this auth mechanism are still in the later firmware," said the researcher, who asked not to be named. The most recent version of FortiOS is 5.4.0, which was released this month.
At this point, it's too early to definitively identify the suspect routine as a backdoor that was planted for the purpose of providing unauthorized access. Still, there's little doubt the code had precisely that effect. Given the revelations that unauthorized eavesdropping code resided in Juniper software for some three years, it's feasible the now-patched routine was unauthorized as well. Fortinet officials should give a thorough and transparent accounting soon to clear up the uncertainty.
Teen Hacks U.S. Intelligence Chief’s Online Accounts
The U.S. Director of National Intelligence, James Clapper, has now joined the CIA’s John Brennan in having his personal online accounts hacked.
The government official’s office confirmed the attack but did not disclose further details. “We are aware of the matter and we reported it to the appropriate authorities,” said DNI spokesman Brian Hale.
A teenage hacker known as ‘Cracka’ has claimed responsibility for the hack, reporting that he had infiltrated Clapper’s home telephone, online accounts and his personal email, as well as his wife’s Yahoo account.
According to reports, Cracka had managed to change the settings on Clapper’s Verizon Fios account so that any calls to his home number were redirected to the Free Palestine Movement group in California. The computer programmer pointed to his support for the Palestinian movement as the inspiration behind his hacking campaigns.
“I just wanted the gov to know people aren’t f*****g around, people know what they’re doing and people don’t agree #FreePalestine,” Cracka told Motherboard.
At least five callers from various U.S. locations, including New York, Minnesota, Virginia and Maryland, expecting to speak with Clapper were rerouted and heard the voice of Paul Larudee, the activist group’s co-founder, instead.
“I answered the phone as Free Palestine Movement […] They said, ‘Who?’ They said they were trying to reach General Clapper,” reported Larudee. “I said, ‘I’m sorry, I have no way of connecting you.’”
One caller was Vonna Heaton, a Ball Aerospace and Technologies executive and former NSA worker, who rang at 2:52pm on Monday afternoon. The phone line was restored back to Clapper by 5pm.
‘Crackas with Attitude’, with which Cracka associates himself, was the hacking group which broke into Brennan’s email account last October by tricking a Verizon employee into revealing his personal information. The group reset Brennan’s AOL email password and was able to track down a list of social security numbers for top government officials.
The ‘Crackas’ claim to be teenage high school students.
U.S. Military Will Soon Begin Testing NSA's New, Post-Snowden Security Measures
Patrick Howell O'Neill
The U.S. military will closely review the NSA's security measures as concerns mount that foreign adversaries and independent hackers are targeting the American government in cyberspace.
The audit, scheduled to begin sometime this month, was revealed in a letter from the Defense Department assistant inspector general to the 17-member U.S. intelligence community.
"We will determine whether National Security Agency processes and technical controls are effective to limit privileged access to National Security Agency systems and data and to monitor privileged user actions for unauthorized or inappropriate activity," Carol Gorman, the Pentagon's assistant inspector general, wrote in the letter.
Unlike the CIA and the other civilian intelligence agencies, the NSA is formally housed within the Defense Department, which is why the Pentagon's inspector general has the authority to audit it.
The military's decision to launch the audit could be the result of the Edward Snowden leaks that began in 2013 and exposed the lax security procedures at the agency responsible for many of the country's most sensitive secrets. Snowden used his position as a systems administrator to access classified documents beyond his clearance level.
The new audit, the first in a series of tests of the NSA's upgraded security measures, will occur at agency offices around the country. Congress mandated the audit with a provision in the "classified annex" to the intelligence community's 2016 budget, an unpublished provision of the bill detailing classified operations.
NSA Says New Phone Spying Program Meets Privacy Safeguards
A new system for collecting domestic telephone records meets several privacy and civil liberties benchmarks, the U.S. National Security Agency said on Friday.
The program, which some Republican presidential hopefuls have criticized on the grounds that it puts Americans at greater risk of attack by Islamic State and other violent groups, has satisfactorily complied with eight privacy safeguards since its implementation in November, according to a report released by the NSA’s Civil Liberties and Privacy Office. The safeguards include transparency, oversight, data minimization and use limitation.
The NSA ended its daily vacuuming of millions of Americans’ phone metadata, meaning the numbers and time stamps of calls but not their content, late last year after Congress passed a law reforming some of the government’s surveillance practices.
A presidential review committee found that the bulk data collection, exposed in 2013 by former NSA contractor Edward Snowden, was an ineffective tool in fighting terrorism. The data collection was also criticized by privacy advocates and tech companies wary of broad government surveillance.
Under the replacement program, which took effect on Nov. 29, the NSA and law enforcement agencies must obtain a court order directing communications companies such as Verizon Communications to produce the call records of specific people or groups, for up to six months at a time.
While some Republicans vying for the White House have criticized the shutdown of the bulk program, other Republican contenders have defended it.
Senator Ted Cruz of Texas has defended his vote in favor of NSA reforms by saying that the new program actually is capable of collecting a greater percentage of calls than the old one, due to technical upgrades.
Some privacy advocates expressed skepticism at Friday’s report, given the level of secrecy shrouding the U.S. intelligence community.
“The USA FREEDOM Act ended bulk collection, but this report leaves us guessing just how good a job it did,” said Robyn Greene, policy counsel with Open Technology Institute at the New America, a Washington think tank.
The other four privacy principles that have been complied with are individual participation, purpose specification, data quality and data security.
(Reporting by Dustin Volz; Editing by Jonathan Weber and Leslie Adler)
Trend Micro Flaw Could Have Allowed Attacker to Steal All Passwords
Trend has patched that problem and another remote execution flaw
A discovery by a well-known Google security researcher provides further proof of how antivirus programs designed to shield computers from attack can themselves provide a doorway for hackers.
Tavis Ormandy, an information security engineer with Google, wrote that he found bugs in Trend Micro's antivirus product that could allow any website to execute code on the machine and steal all of a user's passwords.
The security firm has confirmed it has released an automatic update that fixes the problems.
"As part of our standard vulnerability response process we worked with him to identify and address the vulnerability," wrote Christopher Budd, global threat communications manager at Trend Micro, in an email on Monday. "Customers are now getting protections through automatic updates."
Ormandy posted emails he exchanged with Trend officials, occasionally expressing his frustration that the company wasn't moving fast enough.
"So this means anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction," Ormandy wrote. "I really hope the gravity of this is clear to you, because I'm astonished about this."
Ormandy wrote that within about 30 seconds of looking he found one API that would execute attacker-supplied code, and another that returned the passwords stored in the product's password manager. The password manager exposes its APIs over an HTTP server bound to the local machine, which is exactly what any web page open in the user's browser can reach.
Overall, Ormandy wrote that he found over 70 APIs exposed to the Internet, not all of which he had investigated for security issues. He suggested Trend should hire an external consultancy to audit the code.
Antivirus applications run with high-level privileges on operating systems, which means that exploiting a vulnerability can give an attacker deep access to a computer.
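The underlying mistake is that a service bound to 127.0.0.1 is not shielded from the web: the user's browser runs on that same machine and will carry a request from any page to the loopback port. The Python below is an added illustration, not Trend Micro's code; the API names (openUrl, exportPasswords), the allowed origin and the token are hypothetical stand-ins, and the "requests" are constructed dictionaries rather than live HTTP. It contrasts a dispatcher that trusts every caller with one that checks the browser Origin, demands a per-session token that only the product's own UI is given, and refuses to hand a caller-supplied string to anything but the browser.

```python
# Localhost RPC: the pattern behind "any website can run code", and the fix.
# Constructed traffic; API names, origin and token are hypothetical.
import hmac
from urllib.parse import urlsplit, parse_qs

ALLOWED_ORIGINS = {"https://ui.example-vendor.invalid"}   # the product's own UI (hypothetical)
VAULT = ["hunter2", "correct horse battery staple"]       # constructed stand-in for stored passwords


def _parse(request):
    """Split '/api/<name>?k=v' into the API name and a flat argument dict."""
    parts = urlsplit(request["path"])
    api = parts.path.rsplit("/", 1)[-1]
    args = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return api, args


def vulnerable_dispatch(request):
    """Listens on 127.0.0.1 and trusts every caller. A browser on the same
    machine reaches 127.0.0.1 too, so any web page can drive these APIs."""
    api, args = _parse(request)
    if api == "openUrl":
        return ("shell_execute", args.get("url", ""))     # caller string reaches the OS
    if api == "exportPasswords":
        return ("passwords", list(VAULT))                 # vault handed to anyone who asks
    return ("error", "unknown api")


def hardened_dispatch(request, session_token):
    """Same endpoints with the checks that were missing: a browser Origin
    allow-list, a per-session bearer token that only the product's own UI
    receives, and strict validation of anything that reaches the OS."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return ("denied", "origin not allowed")
    presented = headers.get("authorization", "")
    if not hmac.compare_digest(presented, "Bearer " + session_token):
        return ("denied", "bad or missing token")
    api, args = _parse(request)
    if api == "openUrl":
        url = args.get("url", "")
        if urlsplit(url).scheme not in ("http", "https"):
            return ("denied", "only http(s) URLs may be opened")
        return ("open_in_browser", url)                   # a browser launch, never a shell
    if api == "exportPasswords":
        return ("denied", "vault export is not exposed over RPC")
    return ("error", "unknown api")


# Constructed traffic. A page on evil.example issues a cross-origin request
# (an <img> or fetch()) to the loopback port; the browser attaches
# Origin: https://evil.example and nothing else the page did not already have.
ATTACKER_REQUEST = {
    "path": "/api/openUrl?url=C%3A%5CWindows%5CSystem32%5Ccalc.exe",
    "headers": {"Origin": "https://evil.example"},
}
ATTACKER_EXFIL = {"path": "/api/exportPasswords", "headers": {"Origin": "https://evil.example"}}
TOKEN = "0f3c9a7e1b2d4c6f8a9b0c1d2e3f4a5b"   # constructed; a real one comes from secrets.token_hex()
LEGIT_REQUEST = {
    "path": "/api/openUrl?url=https%3A%2F%2Fexample.com%2Fhelp",
    "headers": {"Origin": "https://ui.example-vendor.invalid",
                "Authorization": "Bearer " + TOKEN},
}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_dispatch(ATTACKER_REQUEST), vulnerable_dispatch(ATTACKER_EXFIL))
    print("hardened:  ", hardened_dispatch(ATTACKER_REQUEST, TOKEN), hardened_dispatch(LEGIT_REQUEST, TOKEN))
```

The Origin check alone is not enough, because non-browser clients can set any Origin they like; the token is what binds a request to a process that was actually handed it. Conversely the token alone is not enough if the UI that holds it can be tricked into relaying requests, which is why the hardened dispatcher also refuses to expose the vault at all and validates the URL scheme before the browser ever sees it.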
Dozens of serious vulnerabilities have been found in the last seven months in antivirus products from vendors including Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes.
Smartwatches Can Be Used to Spy on Your Card's PIN Code
Wearable devices can be used as motion-based keyloggers
Tony Beltramelli, a French student and software engineer, has published his master's thesis, Deep-Spying: Spying using Smartwatch and Deep Learning, in which he presents an attack that extracts sensitive information such as credit card PINs or phone unlock codes from the motion sensors in wearable devices.
Mr. Beltramelli's research, while at the University of Copenhagen, Denmark, expanded on previous work done by Romit Roy Choudhury, Associate Professor at ECE Illinois, who showed how wearable devices (a Samsung Gear Live smartwatch) can be used to log keystrokes on a keyboard.
Focusing only on 12-key keypads helps attackers achieve more accurate results
Mr. Beltramelli narrowed the attack surface to 12-key keypads, the layout found on ATMs and on a smartphone's touch display when a PIN lock is used.
Using an RNN-LSTM (Recurrent Neural Network with Long Short-Term Memory) architecture, he trained a neural network that interprets the motion-sensor data from a smartwatch and maps each tap to a key on the keypad.
To prove his theories in practice, Mr. Beltramelli created a smartwatch application for a Sony SmartWatch 3, which he used to record accelerometer and gyroscope sensor data.
Because of the watch's technical limitations, he wasn't able to send the data directly to a server, but to a nearby Android device (LG Nexus 4) (via Bluetooth), which then relayed it to a server for further analysis.
Using a pipeline that combined Java, Python and Lua code, he was able to sift through the data, discard movements that were not keystrokes, and detect patterns for specific events, such as the user tapping a finger on a phone's touchscreen to unlock a PIN-protected phone or entering a PIN on an ATM's keypad.
The algorithm is capable of both keylogging and touchlogging
"This architecture can achieve touchlogging and keylogging with a maximum accuracy of 73% and 59%, respectively," Mr. Beltramelli explained.
"Moreover, the system is still able to infer keystrokes with an accuracy of 19% when trained and evaluated with datasets recorded from different keypads," he also added. "This result suggests that an attacker could log keys from a wide range of devices even if its classifier is trained with measurements from a different compromised device."
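The first stage of such a pipeline, turning a raw accelerometer stream into isolated tap events that a classifier can be trained on, looks roughly like the following. The Python below is an added example, not Beltramelli's code: the sensor stream is synthetic (a resting wrist with gravity on the z axis, a short decaying jolt at each constructed tap time, and Gaussian noise), the 100 Hz rate and the detection thresholds are assumptions, and tap_window() produces the kind of fixed-length sample an LSTM or any other classifier would consume. It is written for any keypad rather than for the ATM-versus-phone cases in the thesis.

```python
# Tap segmentation for a wrist-worn accelerometer stream. The stream is
# synthetic (constructed here); sample rate and thresholds are assumptions.
import math
import random

SAMPLE_HZ = 100          # assumed wearable accelerometer rate
GRAVITY = 9.81


def synthetic_stream(tap_times, seconds=3.0, seed=1):
    """Constructed data: wrist at rest (gravity on z), Gaussian sensor noise,
    and an 80 ms decaying jolt starting at each tap time."""
    rng = random.Random(seed)
    samples = []
    for i in range(int(seconds * SAMPLE_HZ)):
        t = i / SAMPLE_HZ
        ax = rng.gauss(0, 0.05)
        ay = rng.gauss(0, 0.05)
        az = GRAVITY + rng.gauss(0, 0.05)
        for tt in tap_times:
            dt = t - tt
            if 0 <= dt < 0.08:
                az += 4.0 * math.exp(-dt / 0.03)
                ax += 1.5 * math.exp(-dt / 0.03)
        samples.append((t, ax, ay, az))
    return samples


def tap_events(samples, threshold=0.5, refractory=0.15, win=5):
    """Timestamps of detected taps.
    1. strip gravity by working with | |a| - g |
    2. smooth with a short moving average to suppress sensor noise
    3. a tap is a crossing above `threshold`, with a dead time after each one
       so a single jolt is not counted twice."""
    mags = [abs(math.sqrt(ax * ax + ay * ay + az * az) - GRAVITY) for _, ax, ay, az in samples]
    smooth = [sum(mags[max(0, i - win + 1):i + 1]) / min(win, i + 1) for i in range(len(mags))]
    taps, last = [], -1e9
    for (t, *_), m in zip(samples, smooth):
        if m > threshold and t - last > refractory:
            taps.append(t)
            last = t
    return taps


def tap_window(samples, t0, length=20):
    """Fixed-length (ax, ay, az) window starting at a tap: the per-keystroke
    sample that a sequence model is trained on, one window per label."""
    i = next(i for i, s in enumerate(samples) if s[0] >= t0)
    return [s[1:] for s in samples[i:i + length]]


if __name__ == "__main__":
    stream = synthetic_stream([0.5, 1.1, 1.75, 2.3])
    taps = tap_events(stream)
    print("taps at", taps, "first window has", len(tap_window(stream, taps[0])), "samples")
```

On real recordings the threshold and refractory period have to be tuned per wearer and per keypad, which is part of why the thesis reports lower accuracy when the classifier is trained on one device and evaluated on another. The classifier itself then only sees the windows, never the raw stream.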
For now, everything is theoretical, but to advance his work, he also made the app and server-side code available on GitHub.
While PIN-logging via smartwatches may be a theoretical attack at this point, it may be time to start wearing your smartwatch on the wrist of the hand you don't use to enter PINs. Or you could simply be more careful about what apps you install on your smartwatch, and avoid giving attackers a foothold on the device in the first place.
Iggy Pop on David Bowie: ‘He Resurrected Me’
Iggy Pop, whose solo recording career began with two albums produced by David Bowie, said in an interview this week that he had still not fully processed Mr. Bowie’s death, at 69, on Sunday.
“The friendship was basically that this guy salvaged me from certain professional and maybe personal annihilation — simple as that,” said Mr. Pop, who is 68. “A lot of people were curious about me, but only he was the one who had enough truly in common with me, and who actually really liked what I did and could get on board with it, and who also had decent enough intentions to help me out. He did a good thing.”
He added, “He resurrected me.” Mr. Pop reflected: “He was more of a benefactor than a friend in a way most people think of friendship. He went a bit out of his way to bestow some good karma on me.”
They had lost touch after 2002, when Mr. Bowie hoped to sign Mr. Pop to his new record label — he was under contract elsewhere — and schedule conflicts prevented Mr. Pop from performing at the Meltdown festival in London that Mr. Bowie was curating.
Mr. Pop met Mr. Bowie in 1971, a period of excess when “we were all pretty bad but he was at least viable,” Mr. Pop said. In 1976, Mr. Bowie invited Mr. Pop to travel along with him as a “fly on the wall” on the tour following the release of Mr. Bowie’s album “Station to Station.” Onstage, Mr. Bowie portrayed his Thin White Duke character while flooded in white light.
“He was really disciplined,” Mr. Pop said. “That was at a time when it might be 700 people in Albuquerque, it might be 15,000 at the Garden, it might be 300 people in Zurich, etc. He did a great show every night. I don’t care where it was.”
After the tour, Mr. Bowie produced Mr. Pop’s 1977 solo debut album, “The Idiot,” while traveling in France and Germany and working together on songs — often with Mr. Bowie providing music and perhaps a title and Mr. Pop completing it with melodies and lyrics. “He subsumed my personality, lyrically, on that first album,” Mr. Pop said. He compared Mr. Bowie with the character in George Bernard Shaw’s “Pygmalion” and the musical “My Fair Lady.”
At times, Mr. Pop said, it was like having “Professor Higgins say to you: ‘Young man, please, you are from the Detroit area. I think you should write a song about mass production.’” (He did: “Mass Production.”)
Mr. Pop’s “Nightclubbing,” a song on “The Idiot” that reflected postconcert club excursions across Europe with Mr. Bowie, was recorded with a cheap synthesizer and an early drum machine, the only equipment available after a recording session had been packed up. “He said, ‘I can’t put out a record with that,’” Mr. Pop recalled. “I said, ‘But I can.’ And he smiled, and he realized this was a playground for him. I always tried to encourage his worst impulses in those directions. I was a fan.”
When Mr. Bowie moved to Berlin, Mr. Pop occupied a room in Mr. Bowie’s apartment there “over the auto parts store,” he said. The title song for Mr. Pop’s next album, “Lust for Life,” germinated in that apartment.
Mr. Pop and Mr. Bowie, seated on the floor — they had decided chairs were not natural — were waiting for the Armed Forces Network telecast of “Starsky & Hutch.” The network started shows with a call signal that, Mr. Pop said, went “beep beep beep, beep beep beep beep, beep beep beep,” the rhythm, which is also like a Motown beat, that was the foundation for “Lust for Life.” Mr. Pop recalled, “He wrote the [chord] progression on ukulele, and he said, ‘Call it “Lust for Life,” write something up.’”
Mr. Bowie “saw me sometimes, when he wanted to voice it that way, as a modern Beat or a modern Dostoyevsky character or a modern van Gogh,” Mr. Pop said. “But he also knew I’m a hick from the sticks at heart.”
By contrast, Mr. Bowie was “worldly,” Mr. Pop said. “I learned things that I still use today. I met the Beatles and the Stones, and this one and that one, and this actress and this actor and all these powerful people through him. And I watched. And every once in a while, now at least, I’m a little less rustic when I have to deal with those people.”
Mr. Bowie made a point of visiting Mr. Pop’s parents in Detroit, where they were living in a trailer. “He came to my parents’ trailer, and the neighbors were so frightened of the car and the bodyguard they called the police,” Mr. Pop said. “My father’s a very wonderful man, and he said, ‘Thank you for what you’re doing for my son.’ I thought: Shut up, Dad. You’re making me look uncool.”
Until next week,
Current Week In Review
Recent WiRs -
January 9th, January 2nd, December 26th, December 19th
Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.
"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public." - Hugo Black