P2P-Zone  

04-03-15, 08:31 AM   #1
JackSpratts
 
JackSpratts's Avatar
 
Join Date: May 2001
Location: New England
Posts: 10,013
Peer-To-Peer News - The Week In Review - March 7th, '15

Since 2002

"It’s elegantly vicious." – Kevin Epstein


"Researchers discovered that they could force web browsers to use a form of encryption that was intentionally weakened to comply with U.S. government regulations. They were then able to break the encryption within a few hours." – Jim Finkle

March 7th, 2015




Republicans’ “Internet Freedom Act” Would Wipe Out Net Neutrality

Internet providers need the freedom to block and throttle Internet traffic.
Jon Brodkin

US Rep. Marsha Blackburn (R-TN) this week filed legislation she calls the "Internet Freedom Act" to overturn the Federal Communications Commission's new network neutrality rules.

The FCC's neutrality rules prohibit Internet service providers from blocking or throttling Internet traffic, prohibit prioritization of traffic in exchange for payment, and require the ISPs to disclose network management practices.

These rules "shall have no force or effect, and the Commission may not reissue such rule in substantially the same form, or issue a new rule that is substantially the same as such rule, unless the reissued or new rule is specifically authorized by a law enacted after the date of the enactment of this Act," the Internet Freedom Act states.

The legislation has 31 Republican cosponsors.

“Once the federal government establishes a foothold into managing how Internet service providers run their networks they will essentially be deciding which content goes first, second, third, or not at all," Blackburn said in an announcement yesterday. "My legislation will put the brakes on this FCC overreach and protect our innovators from these job-killing regulations.”

In the latest election cycle, Blackburn received $25,000 from an AT&T political action committee (PAC), $20,000 from a Comcast PAC, $20,000 from a cable industry association PAC, and $15,000 from a Verizon PAC, according to the Center for Responsive Politics.

Blackburn's legislation would also wipe out the FCC's decision to reclassify broadband as a common carrier service subject to some of the Title II obligations imposed on wireline telephone and mobile voice. But while Internet providers and some Republicans have claimed to support net neutrality rules while opposing Title II reclassification, this bill would not leave any network neutrality rules in place. That's not surprising, given that Blackburn has been trying to get rid of net neutrality rules for years.

Over the past year, Internet providers and Republicans have claimed that they are willing to accept the FCC enforcing net neutrality rules without a Title II classification, even though the FCC did just that in 2010 and still faced a lawsuit from Verizon. (Verizon won that lawsuit a year ago, forcing the FCC to reconsider how its net neutrality rules should be justified legally.) One Republican effort announced in January would enforce a version of net neutrality while gutting the FCC's authority under Title II and Section 706, the latter of which was used by the FCC to preempt state laws that restrict municipal broadband projects. (Blackburn also filed legislation last week to overturn the municipal broadband decision.)

Blackburn's Internet Freedom Act wouldn't even enforce a weaker version of net neutrality, consistent with her past proposals. In 2011, she filed an "Internet Freedom Act" that would have struck down the FCC's original net neutrality rules that were enforced without a Title II reclassification.

In February 2014, long before FCC Chairman Tom Wheeler decided to use Title II, Blackburn introduced another "Internet Freedom Act" that would have prohibited the FCC from issuing any new net neutrality rules.

Blackburn's announcement yesterday notes that she "has been leading the fight against the Obama Administration’s Net Neutrality regulations since they were first proposed in 2010 by Former Federal Communications Commission (FCC) Chairman Julius Genachowski." Blackburn is Vice Chair of the House Energy and Commerce Committee.

Rep. Fred Upton (R-Mich.) and Sen. John Thune (R-S.D.) have discussed legislation to overturn the FCC's vote while keeping some version of net neutrality in place, but they haven't finalized a bill yet.

"We don't really have a Walden bill yet," said Rep. John Shimkus (R-Ill.), who cosponsored Blackburn's legislation, Politico reported today. The Upton/Thune bill is "just theoretical," but the Blackburn bill at least has "some language to address what we think is a problem," Shimkus said.

Upton, the House Energy & Commerce Chairman, told Politico that “there are a lot of people who want a strong expression of opposition to the FCC’s actions, and I expect [the Blackburn bill] will be one of many opportunities to weigh in."

The full text of the FCC's net neutrality rules has not yet been finalized. They will take effect 60 days after publication in the Federal Register. FCC General Counsel Jon Sallet described the process in a blog post Monday.

FCC ready to defend rules in court

Wheeler is expecting lawsuits, but he believes the commission's latest rules rest on strong legal authority. The appeals court decision that overturned previous net neutrality rules faulted the FCC for imposing per se common carrier obligations without classifying Internet providers as common carriers. Classifying them as such "addresses that issue," Wheeler said last week.

Internet providers that today claim they would be happy with net neutrality rules that don't rely on Title II are said to be "furious" with Verizon for challenging a weaker set of rules, allowing them to be replaced with stronger ones. AT&T hinted at that displeasure in a blog post that called the 2010 rules "a bipartisan win."

Back in 2010, AT&T said it preferred to avoid "government intervention" but also praised then FCC Chairman Julius Genachowski "for seeking a fair middle ground." At the time, AT&T said, "Today’s vote, we trust, will put this issue behind us." But thanks to Verizon's intervention, and legislation like Blackburn's latest Internet Freedom Act, the net neutrality debate is far from over.
http://arstechnica.com/business/2015...et-neutrality/





Net Neutrality is Not for Europe
Geoffrey Smith

The European Union is preparing to allow internet providers to run ‘two-speed’ data services, in a sharp contrast to a ruling last week in the U.S. that will enforce ‘net neutrality’.

The Financial Times reported Wednesday that E.U. member states are drawing up proposals that would allow telecoms groups to prioritize certain services to ensure that the network worked properly, in stark contrast to a ruling by the Federal Communications Commission that will effectively ban differentiating the speed of services.

The draft reflects, among other things, the greater lobbying power in the E.U. of the big European telecoms companies that run mobile networks, relative to the (largely U.S.) tech companies that fill those networks with ever more data.

The FT noted that, at this week’s Mobile World Congress in Barcelona, the CEOs of both Vodafone Plc and Deutsche Telekom AG argued for rules that would allow them to give priority to specific ‘essential’ services, like those connected to hospitals or driverless cars.

The proposals, drafted by the Latvian government that currently holds the E.U.’s rotating presidency, still insist on a basic principle of treating all traffic equally, but allow network operators to be “free to enter into agreements” to deliver faster speeds at higher prices.

There’s no guarantee that the proposals will come into force as drafted. E.U. lawmaking is a complicated three-way dance between the presidency, the European Parliament and the European Commission, the union’s secretariat.

European Commissioner Guenter Oettinger said at MWC that he hopes the E.U. will be able to finalize a new law on the subject by the summer. The Commission, as enforcer of the E.U.’s single market, is keen to avoid a situation whereby all 28 states have different rules on regulating Internet speeds.
http://fortune.com/2015/03/04/net-ne...ot-for-europe/





Judge Halts Movie Industry-Backed Probe Against Google
Jeff John Roberts

A federal judge has agreed to put the brakes on an investigation into Google by Mississippi Attorney General Jim Hood after the company complained that Hood’s inquiry was an illegal censorship campaign cooked up by Hollywood.

In a Monday ruling, U.S. District Judge Henry T. Wingate issued an order that will temporarily bar Hood from forcing Google to comply with the terms of a 79-page subpoena.

“Today, a federal court entered a preliminary injunction against a subpoena issued by the Mississippi Attorney General. We’re pleased with the court’s ruling, which recognizes that the MPAA’s long-running campaign to censor the web—which started with SOPA—is contrary to federal law,” Google wrote in an update to an earlier blog post describing the case.

The ruling by Judge Wingate came from the bench, and a written version is expected to follow in the next week or two.

“Google has the better side of the legal arguments,” the judge told the court, according to a spokesperson for the company.

The ruling is a major victory for Google, which filed a lawsuit challenging Hood’s 79-page subpoena in December.

The ostensible goal of the subpoena is to help Hood discover if Google is violating Mississippi laws by exposing internet users to drugs and pornography. Google, however, filed a court challenge on the ground Hood overstepped federal laws that shield internet companies from liability for what others post online.

The case has also taken on an air of intrigue in light of a secret scheme, known as “Project Goliath,” that came to light as a result of the massive hack on Sony in December 2014.

Documents disclosed by the hack suggested that the Attorney General’s campaign against Google was being underwritten by the Motion Picture Association of America, and even involved movie industry lawyers drafting legal papers for the state. The company has characterized the state investigation as a dirty-tricks campaign by the movie industry to promote the goals of a failed anti-piracy law known as SOPA.

Hood has already come under fire for being among Democratic state attorneys general who appear to have been farming out the investigative powers of their offices to private law firms in return for a cut of the profits.

Monday’s ruling does not put an end to Mississippi’s investigation, but rather puts it on hold while the parties file more evidence. Hood has tried to frame his investigation as a populist campaign on behalf of the state’s citizens and argued that Google should pursue its claims of over-stepping in state, not federal court.
https://gigaom.com/2015/03/02/judge-...gainst-google/





White House Proposes Broad Consumer Data Privacy Bill
Natasha Singer

The Obama administration on Friday proposed a wide-ranging bill intended to provide Americans with more control over the personal information that companies collect about them and how that data can be used, fulfilling a promise the president had talked about for years.

But some privacy advocates immediately jumped on the proposed legislation, saying it failed to go far enough, particularly given the broad statements President Obama had made on the issue. They said the bill would give too much leeway to companies and not enough power to consumers.

There are already a number of federal laws, like the Fair Credit Reporting Act and the Video Privacy Protection Act, that limit how companies may use certain specific consumer records. The new proposed bill, the Consumer Privacy Bill of Rights Act, is intended to fill in the gaps between those statutes by issuing some baseline data-processing requirements for all types of companies.

“It applies common-sense protections to personal data collected online or offline, regardless of how data is shared,” the Obama administration said in a statement on Friday, “and promotes responsible practices that can maximize the benefits of data analysis while taking important steps to minimize risks.”

The proposal, at its core, calls on industries to develop their own codes of conduct on the handling of consumer information. It also charges the Federal Trade Commission with making sure those codes of conduct satisfy certain requirements — like providing consumers with clear notices about how their personal details will be collected, used and shared.

Companies that violate those requirements could be subject to enforcement actions by the commission or by state attorneys general.

The administration’s proposal, considered a discussion draft, would need a congressional sponsor before it could be officially introduced. Already, though, industry analysts said that the proposal, along with several other legislative efforts on commercial privacy, was unlikely to be enacted in a Republican Congress.

The White House effort comes during heightened public awareness about both government and commercial data-mining. And the proposal drew sharp reactions.

Some prominent legislators and privacy law scholars said the administration’s effort failed to endow citizens with direct and clear legal rights to control who collects their information and how they use it. And the bill, they say, largely puts companies in charge of defining their own criteria for fair and unfair use of consumers’ personal details.

“Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely upon,” Senator Edward J. Markey, a Massachusetts Democrat who has been investigating consumer-profiling companies called data brokers, said in a statement on Friday.

Companies like Acxiom, a database marketer in Little Rock, Ark., for instance, help marketers target individual consumers by estimated household income, ZIP code, race, ethnicity, social network or interests like “smoking/tobacco” or “gaming-casino.”

Experian Marketing Services, another marketing company, uses data-mining to stratify consumers into socio-economic clusters with names like “small town, shallow pockets” and “diapers and debit cards.”

Armed with that kind of information, advertisers might, say, send smokers ads for the latest air filters. But in a report last year on data brokers, the Federal Trade Commission warned that such profiling could be also used in ways that could “adversely impact consumers.” Third parties, regulators wrote, could potentially use brokers’ information on smokers to decide whether someone was “a poor credit or insurance risk, or an unsuitable candidate for employment or admission to a university.”

The report called on Congress to enact legislation to protect this kind of volatile information by, among other things, requiring companies that serve consumers to obtain consent from individuals before collecting such sensitive details about them.

While the White House’s proposal does not explicitly require companies to obtain affirmative consent to collect health information, it does call on companies to give individuals reasonable means to control the use of their personal data, depending on the context and “in proportion to the privacy risk.”

Microsoft heralded the draft bill as a welcome first step in improving consumer trust in how companies handled their information.

“The White House framework tackles issues that are crucial to build trust and foster innovation,” Brendon Lynch, chief privacy officer of Microsoft, wrote in a blog post on Friday. “Not all will agree with every aspect of the proposal — some will say it goes too far, while others will say it doesn’t go far enough — but it’s a good place to start the conversation.”

But some privacy advocates warned against the bill’s reliance on industry-developed codes of conduct. The process, they contended, would allow companies to define for themselves whether their data-use policies constituted privacy risks to consumers. They also said the bill offered companies loopholes that would help them avoid giving consumers meaningful control over their records and make it difficult for federal regulators to enforce the legislation.

“While it claims to provide rights to consumers, behind its flimsy policy curtain is a system that gives real control to the companies that now gather our information,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a consumer advocacy group in Washington.

A few privacy law scholars said that the draft bill could undermine protections consumers already had. If enacted as currently written, for instance, it could pre-empt stronger laws in a few states that require companies to obtain consumers’ explicit consent before collecting unique biometric information like fingerprints or facial scans.

“It would override state statutes that give people more protection,” said Alvaro M. Bedoya, executive director of the Center on Privacy and Technology at Georgetown University Law Center. “It would be a significant setback for privacy.”
http://www.nytimes.com/2015/02/28/bu...vacy-bill.html





Italy Approves Plan to Boost Broadband Networks

The Italian government approved a plan on Tuesday to bring its high-speed broadband network into line with European Union targets, but it held back from forcing operators to replace their copper-wire networks with fibre-optic cable.

Italy faces growing pressure to strengthen its telecommunications infrastructure and digital sector to help improve the performance of an economy that has been in virtual stagnation for two decades.

"We are creating a plan to give our country the digital infrastructure, the digital highways like any other European country," Industry Minister Federica Guidi told reporters.

The European Commission ranks Italy near the bottom of the 28-member EU in terms of digital economy and online services. A recent report showed that almost a third of the population (31 percent) had never used the Internet.

Although basic fixed broadband is available almost everywhere, only 51 percent of households are subscribers -- the lowest level in the EU -- and only 21 percent of households have access to faster, next-generation networks.

The EU's digital agenda calls for member states to ensure by 2020 that all households have access to internet lines with download speeds above 30 megabits per second and half have access to super-fast 100-megabit connections.

The Italian government has pledged 6 billion euros ($6.71 billion) to build up the networks, which it hopes to boost with private investment from telecoms operators. Guidi said if all worked well, 100-megabit coverage could reach up to 85 percent of households.

While all sides acknowledge the need to upgrade Italy's aging copper-wire internet infrastructure, the cost of installing a new fibre-optic network over a short period has alarmed the telecoms companies.

The government favoured modernising the whole network with fibre optic cable directly into subscribers' homes (so-called fibre-to-the-home, or FTTH).

But operators argue that immediate conversion would be too costly. They prefer boosting the capacity of existing copper-wire connections that run between street cabinets and households (so-called fibre-to-the-cabinet, or FTTC).

Speculation that the government may order the former monopolist Telecom Italia to switch off its copper network entirely over the next few years caused some alarm in the sector, but Guidi said companies would be left to decide the most appropriate technological solution.

"The choice has been to leave the market, the operators to decide on the most efficient technology," Industry Minister Guidi told reporters.

($1 = 0.8949 euros)

(Reporting by James Mackenzie; Editing by Larry King)
http://uk.reuters.com/article/2015/0...0LZ2J620150303





This Guy Is Creating an All-New Cell Network Built by You
Cade Metz

Steve Perlman wants to turn your apartment into an antenna for his new cellular phone network.

Perlman is a serial Silicon Valley inventor and entrepreneur best known for selling his web TV company to Microsoft for half a billion dollars, and over the last few years, he and his team of engineers have built a contraption that aims to significantly boost the speed of our cellular services. He could license this technology to the big-name wireless carriers, such as AT&T and Verizon, as a way of improving their networks. But that’s not the only option. He can ask you to set it up.

If you install this tiny antenna on your roof, Perlman says, it can receive wireless calls and data not just from your own mobile phone but from mobile phones across the neighborhood. Then it can route these calls and data across your home internet connection towards their ultimate destination. And when it does, he’ll give you a cut of the revenue from this crowdsourced phone network—a network that, thanks to the antenna’s unusual design, could increase wireless speeds several times over.

He calls it the “Uberization” of mobile phone networks, a nod to the controversial startup that can turn anyone into a taxi driver. But it also echoes similar efforts to bootstrap massive WiFi networks via the citizens of the world. As markets for so many things are (slowly) moving towards a kind of “sharing economy,” Perlman believes that working together—combined with his company’s unusual one-to-one technology for cell connections—could make wireless better.

The scheme is a long way from fruition—a very long way—but Perlman is pushing things forward. In February, his company, Artemis, announced that it will soon push its tiny high-speed cellular antennas across about 600 rooftops in San Francisco. It’ll do so through a company called WebPass, which already provides internet service inside many apartment buildings and offices across the city. Basically, once the regulatory issues are ironed out, WebPass will install the antennas, route calls and data over its existing internet connections, and share in the revenue—much as Perlman hopes individuals will do at their own homes.

Perlman will begin pitching homeowners in places like Kansas City, where Google is offering super-fast (and super-reliable) home internet connections through a service called Google Fiber. These connections offer the stability Artemis needs to route calls and data from its tiny antennas.

“We can have citizen installers,” says Perlman, who also helped develop Quicktime, the video software for the Apple Macintosh. “You put these little things on a rooftop. You slap it onto Google Fiber. And we can light up a place like Kansas City in no time at all.”

It’s an audacious undertaking—maybe even quixotic. Given the power of the country’s wireless carriers, the regulatory hurdles, and possible contractual limitations in landline internet services like Google Fiber, it may never work. But Perlman is at least trying to shove cellular networks in a new direction—something they certainly need. And, it so happens, Google is working to push things forward too. If Perlman needs a partner, this is the obvious choice.

The Personal Cell

What makes his plan possible, Perlman says, are the rather unusual antennas he and his company have built. He calls the technology pCell—short for “personal cell.”

These aren’t like traditional cellular antennas. They don’t just blanket an area with a single signal, or cell, that all phones share. Instead, multiple antennas transmit signals that combine to create a “personal cell” that follows you and your phone from place to place. Since you don’t share this signal with anyone else, you have access to much more bandwidth than you typically would on an ordinary cell network. And with enough antennas, you’re less likely to lose a strong signal.

It’s unclear just how well the tech will work in the real world. “There are still questions about its effectiveness—especially when used with other wireless technologies,” says Jim McGregor, who closely follows the cellular market as the founder and principal analyst of a research firm called Tirias. But Perlman says these antennas are also built in a way that lets him readily erect a test network—or even complete network—without help from the AT&Ts and Verizons.

The added trick is that these antennas are relatively small and simple (similar to devices consumers can install in their homes simply to boost their own cell service). That means individuals can easily install them on their own. “You don’t need to have any more skill than you would need to install a satellite dish,” Perlman says. And if you have a reliable fiber internet connection—such as Google Fiber—you can help Perlman bootstrap his network.

Google in the Mix

Rob Gatehouse, the vice president of product management at a wireless antenna maker called Airvana, says his company has explored a similar setup with a “tier one” wireless carrier, and he warns that Perlman may need approval from the internet services that his antennas plug in to (e.g. Google Fiber).

But the government’s new net neutrality rules, unloaded last month, may prevent internet providers from barring such a setup. “Does Google really have to bless what you do with your home internet connection?” says Charles Barr, the CEO of WebPass, the internet provider that’s installing Perlman’s antennas in San Francisco. “If the network is neutral, they shouldn’t be involved.”

Google did not immediately respond to a request for comment on whether its terms of service would allow for this sort of arrangement. But it appears that they do not. And Perlman acknowledges he will have to navigate the terms of service for the home and business internet connections his antennas tap into. But as he points out, Google is typically on the side of net neutrality—and like Perlman, it’s interested in improving our wireless networks.

The New SIM

Regardless, Perlman must also ensure that phones can use his antennas. At the moment, phones can’t use his pCells without a new SIM card, the tiny network cards that slip into the back of each device.

In his favor, brand new FCC rules say that if you own a phone outright, you must be allowed to change the SIM. In an apparent effort to comply with this, Apple is now offering a “virtual SIM” on the iPad, the kind of thing that may let you reconfigure your phone for pCell without installing new hardware. In short, much needs to change for Perlman’s plan to work.

But change is already underway. Big wireless carriers, the AT&Ts and Verizons of the world, are losing their market power, and users are gaining. On one end, Apple is giving you a way of seamlessly moving between carriers. And on the other, Perlman is trying to make big, ugly, expensive cell towers obsolete. All he needs is you.
http://www.wired.com/2015/03/perlman/





T-Mobile Will Launch LTE in the Wi-Fi Airwaves in 2016
Kevin Fitchard

T-Mobile came up short compared to Verizon and AT&T in the last 4G spectrum auction, but it looks like it’s found another source of airwaves, and these won’t cost it anything. At Mobile World Congress on Monday, T-Mo revealed that in 2016 it plans to deploy LTE in the unlicensed 5 GHz bands, the traditional home of Wi-Fi, and it’s likely the Wi-Fi industry isn’t going to be very happy about it.

T-Mobile US has never made a secret of its interest in operating in the unlicensed bands, but until now we’ve never had a firm deployment date, and that date is actually pretty darn close.

The country’s fourth largest carrier will use Alcatel-Lucent small cells – which are like big tower-mounted cells, just tinier – embedded with Qualcomm’s radio processing chips and LTE-Unlicensed technology (T-Mobile has tested similar systems from Nokia and Ericsson as well). The carrier plans to start a trial of LTE-Unlicensed this year and then adopt LTE-U’s more technically sophisticated brother LTE-License Assisted Access (LTE-LAA) when it takes that network commercial next year.

I just spouted off a lot of acronyms there, but the key thing you need to know about LTE in the unlicensed bands is it will share the 5 GHz airwaves with Wi-Fi, moving from channel to channel to find a clear path for its 4G transmissions, just as Wi-Fi networks coexist with one another in the same spectrum today. The problem is, according to the Wi-Fi industry, LTE won’t necessarily play nicely with the other Wi-Fi networks in the band, potentially forcing Wi-Fi users off of their own spectrum.

This issue is going to come to a head over the next year – it’s already becoming a major topic at MWC this year – as more carriers announce their unlicensed intentions. Basically the mobile and Wi-Fi industries are engaging in an old-fashioned turf war. It’s easy to see why carriers are interested in the unlicensed bands. They have hundreds of megahertz of airwaves they could potentially tap for their 4G networks, which could translate into faster speeds and more capacity for their customers.

But it’s also clear why the Wi-Fi industry isn’t exactly welcoming the carriers with open arms. The unlicensed band is meant to be open and shared, but carriers traditionally aren’t the open and sharing types. They’re accustomed to owning their airwaves and doing with them whatever they please.
https://gigaom.com/2015/03/01/t-mobi...waves-in-2016/





Planet of the Phones

The smartphone is ubiquitous, addictive and transformative

THE dawn of the planet of the smartphones came in January 2007, when Steve Jobs, Apple’s chief executive, in front of a rapt audience of Apple acolytes, brandished a slab of plastic, metal and silicon not much bigger than a Kit Kat. “This will change everything,” he promised. For once there was no hyperbole. Just eight years later Apple’s iPhone exemplifies the early 21st century’s defining technology.

Smartphones matter partly because of their ubiquity. They have become the fastest-selling gadgets in history, outstripping the growth of the simple mobile phones that preceded them. They outsell personal computers four to one. Today about half the adult population owns a smartphone; by 2020, 80% will. Smartphones have also penetrated every aspect of daily life. The average American is buried in one for over two hours every day. Asked which media they would miss most, British teenagers pick mobile devices over TV sets, PCs and games consoles. Nearly 80% of smartphone-owners check messages, news or other services within 15 minutes of getting up. About 10% admit to having used the gadget during sex.

The bedroom is just the beginning. Smartphones are more than a convenient route online, rather as cars are more than engines on wheels and clocks are not merely a means to count the hours. Much as the car and the clock did in their time, so today the smartphone is poised to enrich lives, reshape entire industries and transform societies—and in ways that Snapchatting teenagers cannot begin to imagine.

Phono sapiens

The transformative power of smartphones comes from their size and connectivity. Size makes them the first truly personal computers. The phone takes the processing power of yesterday’s supercomputers—even the most basic model has access to more number-crunching capacity than NASA had when it put men on the Moon in 1969—and applies it to ordinary human interactions (see article). Because transmitting data is cheap this power is available on the move. Since 2005 the cost of delivering one megabyte wirelessly has dropped from $8 to a few cents. It is still falling. The boring old PC sitting on your desk does not know much about you. But phones travel around with you—they know where you are, what websites you visit, whom you talk to, even how healthy you are.

The combination of size and connectivity means that this knowledge can be shared and aggregated, bridging the realms of bits and atoms in ways that are both professional and personal. Uber connects available drivers to nearby fares at cheaper prices; Tinder puts people in touch with potential dates. In future, your phone might recommend a career change or book a doctor’s appointment to treat your heart murmur before you know anything is amiss.

As with all technologies, this future conjures up a host of worries. Some, such as “text neck” (hunching over a smartphone stresses the spine) are surely transient. Others, such as dependency—smartphone users exhibit “nomophobia” when they happen to find themselves empty-handed—are a measure of utility as much as addiction. After all, people also hate to be without their wheels or their watch.

The greater fear is over privacy. The smartphone turns the person next to you into a potential publisher of your most private or embarrassing moments. Many app vendors, who know a great deal about you, sell data without proper disclosure; mobile-privacy policies routinely rival “Hamlet” for length. And if leaked documents are correct, GCHQ, Britain’s signals-intelligence agency, has managed to hack a big vendor of SIM cards in order to be able to listen in to people’s calls (see article). If spooks in democracies are doing this sort of thing, you can be sure that those in authoritarian regimes will, too. Smartphones will give dictators unprecedented scope to spy on and corral their unwilling subjects.

The naked app

Yet three benefits weigh against these threats to privacy. For a start, the autocrats will not have it all their own way. Smartphones are the vehicle for bringing billions more people online. The cheapest of them now sell for less than $40, and prices are likely to fall even further. The same phones that allow governments to spy on their citizens also record the brutality of officials and spread information and dissenting opinions. They feed the demand for autonomy and help protest movements to coalesce. A device that hands so much power to the individual has the potential to challenge authoritarianism.

The second benefit is all those personal data which companies are so keen on. Conventional social sciences have been hampered by the limited data sets they could collect. Smartphones are digital census-takers, creating a more detailed view of society than has ever existed before and doing so in real time. Governed by suitable regulations, anonymised personal data can be used, among many other things, to optimise traffic flows, prevent crime and fight epidemics.

The third windfall is economic. Some studies find that in developing countries every ten extra mobile phones per 100 people increase the rate of growth of GDP-per-person by more than one percentage point—by, say, drawing people into the banking system. Smartphones will remake entire industries, at unheard-of speed. Uber is a household name, operating in 55 countries, but has yet to celebrate its fifth birthday. WhatsApp was founded in 2009, and already handles 10 billion more messages a day than the SMS global text-messaging system. The phone is a platform, so startups can cheaply create an app to test an idea—and then rapidly go global if people like it. That is why it will unleash creativity on a planetary scale.

By their nature, seminal technologies ask hard questions of society, especially as people adapt to them. Smartphones are no different. If citizens aren’t protected from prying eyes, some will suffer and others turn their backs. Societies will have to develop new norms and companies learn how to balance privacy and profit. Governments will have to define what is acceptable. But in eight short years smartphones have changed the world—and they have hardly begun.
http://www.economist.com/news/leader...-planet-phones





Long Island Man Spends 10 Days in Hospital After iPhone Explodes in His Pocket

Erik Johnson is planning legal action against Apple following incident on Valentine's Day.
Ryan Bonner

A Lindenhurst man recently spent more than a week in the hospital after his iPhone spontaneously exploded in his pocket.

Erik Johnson had reportedly just arrived at his cousin’s wake on Valentine’s Day when his iPhone 5c exploded as he bent down to pick up a set of keys he had dropped.

“I felt the burn instantly and a cloud of smoke instantly,” the 29-year-old told News 12 Long Island. “I couldn’t get the phone out of my pocket, so I had to rip my pants off to get the phone away from me.”

Johnson suffered a third-degree burn the size of a football to his upper left thigh and spent 10 days in a hospital burn unit. He returned home on Tuesday.

The story was first reported by ABC 7. Johnson told the TV station that he heard a pop and then saw smoke coming from his pocket when he reached down to pick up the keys.

Johnson says his leg caught fire and the intensity of the heat melted his pocket shut.

“A couple of people actually said they could smell my body burning,” Johnson told ABC 7.

Apple says it is investigating the incident. Johnson is planning legal action against the electronics giant.

“Even if this only happened this one time, that’s one time too many,” Johnson’s lawyer, Mike Della, said according to the Daily News. “What if this happened to a child?”

There have been other recent reports of exploding iPhones. In October, an Arizona man claimed his iPhone 6 burst into flames in his pocket following a minor rickshaw accident. Last February, a middle school student in Maine suffered minor injuries after her iPhone 5c exploded in her pocket.
http://patch.com/new-york/lindenhurs...s-his-pocket-0





Feds Admit Stingrays Can Disrupt Cell Service of Bystanders

For years the government has kept mum about its use of a powerful phone surveillance technology known as a stingray.

The Justice Department and local law enforcement agencies insist that the only reason for their secrecy is to prevent suspects from learning how the devices work and devising methods to thwart them.

But a court filing recently uncovered by the ACLU suggests another reason for the secrecy: the fact that stingrays can disrupt cellular service for any phone in their vicinity—not just targeted phones—as well as any other mobile devices that use the same cellular network for connectivity as the targeted phone.

Civil liberties groups have long asserted that stingrays are too invasive because they can sweep up data about every phone in their vicinity, not just targeted phones, and can interfere with their calls. Justice Department and local law enforcement agencies, however, have refused to confirm this or answer other questions about the tools.

But in the newly uncovered document—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.

“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity. Any potential service disruption will be brief and minimized by reasonably limiting the scope and duration of the use of the Mobile Equipment.”

The document was previously sealed and only came to light after the defense attorney for a defendant in the case filed a motion last year to dismiss evidence collected by the stingray. It’s the first time the ACLU has seen the FBI acknowledge the stingray’s disruptive capabilities and raises a number of questions about the nature of the disruption and whether the Federal Communications Commission knew about it when it certified the equipment.

“We think the fact that stingrays block or drop calls of cell phone users in the vicinity should be of concern to cell service providers, the FCC, and ordinary people,” says Nate Wessler staff attorney with the ACLU’s Speech, Privacy, and Technology Project. “If an emergency or important/urgent call (to a doctor, a loved one, etc.) is blocked or dropped by this technology, that’s a serious problem.”

Stingrays are mobile surveillance systems the size of a small briefcase that impersonate a legitimate cell phone tower in order to trick mobile phones and other mobile devices in their vicinity into connecting to them and revealing their unique ID and location. Stingrays emit a signal that is stronger than the signal of other cell towers in the vicinity in order to force mobile phones and other devices to establish a connection with them and reveal their unique ID. Stingrays can then determine the direction from which the phone connected with them, data that can then be used to track the movement of the phone as it continuously connects to the fake tower.

Although stingrays are designed to recognize 911 calls and let them pass to legitimate cell towers without connecting to the stingray, the revelation from the FBI agent raises the possibility that other kinds of emergency calls not made to 911 may not get through.

Law enforcement agencies around the country have been using variations of the stingray since the mid-90s to track the movement of suspects in this way. The technology is used by the FBI, the Secret Service, the U.S. Marshals Service, Customs and Border Patrol agents and the Drug Enforcement Agency as well as local law enforcement agencies in more than a dozen states.

But the secrecy around their use has been extreme, due in part to non-disclosure agreements that law enforcement agencies sign with the companies that make stingrays.

Stingrays Cloaked in Secrecy

Authorities in several states have been caught deceiving judges and defense attorneys about how they use the controversial technology or have simply used the devices without obtaining a warrant in order to avoid disclosing their use to a court. In other cases they have withheld information from courts and defense attorneys about how the stingrays work, refraining from disclosing that the devices pick up location data on all systems in their vicinity, not just targeted phones. Law enforcement agencies have even gone so far as to intervene in public records requests to prevent the public from learning about the technology.

The revelation in the court document is therefore significant and also begs the question: Who else knew about this capability and for how long? The Federal Communications Commission is responsible for certifying equipment that operates on radio frequencies to make sure that devices comply with certain technical standards and do not cause radio interference. If the companies that make stingrays failed to disclose the disruption of service to the federal agency, it would mean the devices had potentially been approved under false pretenses.

The Harris Corporation in Florida—the leading maker of stingrays for law enforcement in the U.S. and an aggressive proponent of secrecy around their use—has already been singled out for a questionable statement the company made to the FCC in a 2010 email. In the correspondence, a Harris representative told the FCC that the technology was used by law enforcement only “in emergency situations.” But according to records the ACLU obtained from the police department in Tallahassee, Florida, in nearly 200 cases that the equipment was used since 2007 only 29 percent of these involved an emergency. Stingrays are regularly used in day-to-day criminal investigations to track suspected drug dealers, bank robbers and others.

The FCC certified stingray equipment from Harris in April 2011 and March 2012.

Asked whether the company disclosed the stingray’s disruptive capabilities to the FCC when it sought certification, an FCC official told WIRED, “We can’t comment on how the devices operate because that information is confidential in accordance with the FCC’s application process.” She said Harris had specifically “requested confidentiality in the application process.”

She also said that if “wireless customers experiencing unexplained service disruptions or interference” report it to the FCC, the agency will “investigate the causes.”

How Stingray Disruption Works

The case in which the FBI disclosed the service disruption is ongoing and involves a defendant named Claude Williams who was suspected of participating in a string of armed bank robberies. In July 2012, the FBI’s Scimeca submitted an application for a warrant to use a stingray to track Williams’s phone.

Although Scimeca was seeking authorization to use a stingray, he referred to it alternatively as mobile pen register and trap and trace equipment in his application. The nomenclature is important because the ACLU has long accused the government of misleading judges by using this term. Pen registers record the numbers dialed from a specific phone number, while trap and trace devices record the numbers that dial into a particular number. But stingrays are used primarily to track the location and movement of a device.

Although Scimeca disclosed to the magistrate that the equipment could disrupt phone service, he didn’t elaborate about how the disruption might occur. Experts suspect it has something to do with the “catch-and-release” way stingrays work. For example, once the stingray obtains the unique ID of a device, it releases it so that it can connect to a legitimate cell tower, allowing data and voice calls to go through.

“As each phone tries to connect, [the stingray] will say, ‘I’m really busy right now so go use a different tower. So rather than catching the phone, it will release it,” says Chris Soghoian, chief technologist for the ACLU. “The moment it tries to connect, [the stingray] can reject every single phone” that is not the target phone.

But the stingray may or may not release phones immediately, Soghoian notes, and during this period disruption can occur.

Disruption can also occur from the way stingrays force-downgrade mobile devices from 3G and 4G connectivity to 2G to get them to connect and reveal their unique ID and location.

In order for the kind of stingray used by law enforcement to work, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.

“Depending on how long the jamming is taking place, there’s going to be disruption,” says Soghoian. “When your phone goes down to 2G, your data just goes to hell. So at the very least you will have disruption of internet connectivity. And if and when the phones are using the stingray as their only tower, there will likely be an inability to receive or make calls.”
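The catch-and-release behaviour and the 2G-versus-3G authentication difference described above, modelled as an added example (this is editorial illustration, not code from the Wired article or from any stingray vendor). It assumes a toy challenge-response in which HMAC-SHA256 stands in for the SIM's real algorithms; the IMSIs, keys, cell names and signal strengths are constructed. Run it to see which cell a phone ends up on when the rogue cell is 2G, when the real 3G cell is jammed, when the phone is a bystander rather than the target, and when the phone refuses 2G altogether:

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model, not a protocol implementation: HMAC-SHA256 stands in for the SIM's
# real algorithms (COMP128/Milenage) and UMTS sequence-number handling is omitted.
TARGET = "310410123456789"      # constructed IMSIs, not real subscribers
BYSTANDER = "310410987654321"
RAT_RANK = {"2G": 0, "3G": 1, "4G": 2}


def _tag(k: bytes, label: bytes, rand: bytes) -> bytes:
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:8]


class AuthCentre:
    """Home network AuC: apart from each SIM, the only holder of its key K."""

    def __init__(self, keys: dict):
        self._k = dict(keys)

    def gsm_triplet(self, imsi: str):
        rand = os.urandom(16)                       # one-way challenge only
        return rand, _tag(self._k[imsi], b"SRES", rand)

    def umts_vector(self, imsi: str):
        rand, k = os.urandom(16), self._k[imsi]
        # AUTN proves the network knows K; RES is what the SIM must answer
        return rand, _tag(k, b"AUTN", rand), _tag(k, b"RES", rand)


class Sim:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k = imsi, k

    def gsm_response(self, rand: bytes) -> bytes:
        return _tag(self._k, b"SRES", rand)          # answers any challenger

    def umts_response(self, rand: bytes, autn: bytes) -> bytes:
        if not hmac.compare_digest(autn, _tag(self._k, b"AUTN", rand)):
            raise PermissionError("AUTN check failed: network not authenticated")
        return _tag(self._k, b"RES", rand)


class Cell:
    """A base station. auc=None models a rogue cell that holds no subscriber
    keys; target_imsi makes it reject ('release') every other phone."""

    def __init__(self, name, rat, rssi_dbm, auc=None, target_imsi=None):
        self.name, self.rat, self.rssi = name, rat, rssi_dbm
        self.auc, self.target_imsi = auc, target_imsi
        self.seen_imsis = []

    def attach(self, sim: Sim) -> bool:
        self.seen_imsis.append(sim.imsi)   # identity request precedes auth
        if self.auc is None:               # rogue cell
            if self.target_imsi and sim.imsi != self.target_imsi:
                return False               # catch-and-release of a bystander
            if self.rat == "2G":
                sim.gsm_response(os.urandom(16))   # SIM cannot tell it is fake
                return True
            try:
                sim.umts_response(os.urandom(16), os.urandom(8))  # forged AUTN
            except PermissionError:
                return False
            return True
        if self.rat == "2G":
            rand, sres = self.auc.gsm_triplet(sim.imsi)
            return hmac.compare_digest(sim.gsm_response(rand), sres)
        rand, autn, xres = self.auc.umts_vector(sim.imsi)
        return hmac.compare_digest(sim.umts_response(rand, autn), xres)


class Phone:
    def __init__(self, sim: Sim, allow_2g: bool = True):
        self.sim, self.allow_2g = sim, allow_2g

    def camp(self, cells: list) -> Optional[str]:
        """Prefer the newest radio technology, then the strongest signal."""
        usable = [c for c in cells if self.allow_2g or c.rat != "2G"]
        usable.sort(key=lambda c: (RAT_RANK[c.rat], c.rssi), reverse=True)
        for cell in usable:
            if cell.attach(self.sim):
                return cell.name
        return None                        # no service


def scenario(rogue_rat: str, jam_3g: bool, imsi: str = TARGET,
             allow_2g: bool = True):
    """Returns (cell the phone camps on, IMSIs the rogue cell collected)."""
    keys = {TARGET: bytes(range(16)), BYSTANDER: bytes(range(16, 32))}  # test keys
    phone = Phone(Sim(imsi, keys[imsi]), allow_2g)
    real_3g = Cell("operator-3G", "3G", -85, auc=AuthCentre(keys))
    rogue = Cell("rogue", rogue_rat, -60, target_imsi=TARGET)  # loud, unverifiable
    cells = [rogue] if jam_3g else [real_3g, rogue]  # jamming hides the real cell
    return phone.camp(cells), list(rogue.seen_imsis)


if __name__ == "__main__":
    print(scenario("2G", jam_3g=False))            # real 3G wins, rogue sees nothing
    print(scenario("2G", jam_3g=True))             # target camps on the rogue
    print(scenario("2G", jam_3g=True, imsi=BYSTANDER))   # released, but no service
    print(scenario("2G", jam_3g=True, allow_2g=False))   # 2G disabled: no downgrade
    print(scenario("3G", jam_3g=False))            # IMSI logged, AUTN fails, moves on
```

Two points the model makes visible. First, the bystander case is the disruption the FBI filing admits to: the rogue cell records the phone's identity, rejects it, and while the real cell is jammed the phone has nowhere else to go. Second, in every generation the identity request is answered before authentication, so a rogue 3G cell still logs the IMSI in the last scenario; what mutual authentication buys is that the phone refuses to camp on the rogue cell and trust it for calls and data, which is why the downgrade to 2G matters. Setting allow_2g to False removes the downgrade path at the price of no service where only 2G coverage exists.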

“A Grave Threat to Privacy”

Concerns about the use of stingrays are growing. Last week, Senator Bill Nelson (D—Florida) sent a letter to the FCC calling on the agency to disclose information about its certification process for approving stingrays and any other tools with similar functionality. Nelson asked in particular for information about any oversight put in place to make sure that use of the devices complies with the manufacturer’s representations to the FCC about how the technology works and is used.

Nelson also raised concerns about their use in a remarkable speech on the Senate floor. The Senator said the technology “poses a grave threat to consumers’ cellphone and Internet privacy,” particularly when law enforcement agencies use them without a warrant. He also noted that invasive devices like the stingray will inevitably force lawmakers to come up with new ways to protect privacy.

His combative speech marks the first time a lawmaker has called out the controversial technology in the public chamber. But his speech was also remarkable for another reason: Nelson’s state of Florida is home to the Harris Corporation, and the company is his second biggest campaign donor.
http://www.wired.com/2015/03/feds-ad...ce-bystanders/





Telstra Backflips on Refusing Customer Access to Metadata
Ben Grubb

Telstra has become the first Australian telco to offer its subscribers access to their private phone metadata similar to that which law-enforcement and intelligence agencies have, backflipping on its previous position of refusing them access to it.

Starting April 1, Telstra will give their customers access to a limited set of their "metadata" for a fee — information about who they've called, the time, location and duration. It does not include the content of a communication, such as the detail of what you said or wrote in an email or SMS.

But the scheme won't give customers access to information about another party to a communication with them, such as who called them (this information is collected though, and can be handed over to law-enforcement agencies).

Still, the move will provide customers with much more access than they otherwise would've had through Telstra's MyAccount portal or through their monthly bills, with information including "the actual location of the cell tower an outgoing call was connected to when the call was made" being made available.

The fee to get the data will depend on how far back into Telstra records you request, Telstra said.

"Simple requests are expected to cost around $25, while detailed requests covering multiple services across several years will be charged at an hourly rate. This is the same practice of cost recovery that is applied to requests from law enforcement agencies," a statement on Telstra's website published on Friday said.

"This new approach is all about giving you a clearer picture of the data we provide in response to lawful requests today."

The decision to allow subscribers access to their metadata follows this writer lodging a complaint with Australia's federal Privacy Commissioner, Timothy Pilgrim, following Telstra's refusal to provide access to his metadata under the Privacy Act. The Act gives Australian citizens a right of access to their "personal information" from a company, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.

It was argued that while Telstra regularly provides the Australian Taxation Office, spy agency ASIO and numerous other Australian law-enforcement agencies access without a warrant to any customers' metadata, it should also be obligated to provide it to its own customers under privacy laws.

Since the complaint was lodged over 20 months ago, Telstra has argued that it shouldn't have to provide its customers with access.

Despite this, it has handed over access to some metadata over the time of the complaint, but not all of the information it provides to law-enforcement. For example, it has argued that to provide incoming call record logs (who has called a customer) would be in breach of that person's privacy.

If access to such logs were ever provided, it could help track down pesky telemarketers.

This writer has argued that if the other party is using caller ID, then the number should be provided.

Telstra has also previously failed to provide internet-related metadata it might have on its systems, such as IP address logs. But Friday's announcement made no mention of this data.

The Privacy Commissioner heard this writer's complaint in a hearing late last year and is imminently expected to release his decision.

Meanwhile, the Abbott government recently adopted a recommendation of the Parliamentary Joint Committee on Intelligence and Security — which scrutinised Australia's upcoming "data retention" laws — that will cement current privacy laws, forcing telcos to provide access to customer metadata.

The telcos, through the industry body the Communications Alliance, have said they are unhappy with this requirement.

The upcoming retention laws, which Prime Minister Tony Abbott wants passed by the end of this month, will force all Australian telcos to store for two years customer metadata for access by law-enforcement agencies. It's argued the laws are required because telcos are regularly deleting metadata which the agencies say is crucial in investigating crime.

The retention regime is estimated by PricewaterhouseCoopers to cost anywhere between $188.8 million and $319.1 million to establish. But the government has yet to say exactly how much it is prepared to commit to it, raising the prospect of higher internet fees passed on by telcos to customers.

Following this writer's request for access to this data, Wilson da Silva, a science journalist and a former editor-in-chief of science magazine Cosmos, argued that allowing people access to their metadata might actually improve their lives.

"Being able to track your own everyday movements [with metadata], and match them with your entire digital footprint, might ... bring you countless health and lifestyle benefits, such as predicting the onset of heart disease or depression," he said.

The request for access in Australia followed German politician Malte Spitz successfully suing his telco in 2011 to get his metadata.

He published it to show constituents just how invasive having all of your metadata stored was in the wake of mandatory data retention in his country.
http://www.smh.com.au/digital-life/c...06-13wv1g.html





CIA to Make Sweeping Changes, Focus More on Cyber Ops - Agency Chief
Mark Hosenball

The Central Intelligence Agency will make one of the biggest overhauls in its nearly 70-year history, aimed in part at sharpening its focus on cyber operations and incorporating digital innovations, CIA director John Brennan said.

Brennan said he is creating new units within the CIA, called "mission centres," intended to concentrate the agency's focus on specific challenges or geographic areas, such as weapons proliferation or Africa.

The CIA director said he also is establishing a new "Directorate of Digital Innovation" to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.

Historically, electronic eavesdroppers at the National Security Agency have been at the cutting edge of digital innovation within the U.S. government. But the CIA felt that it had to reorganize to keep up with the technological "pace of change," as one official put it.

Brennan said the new digital directorate will have equal status within the agency with four other directorates which have existed for years.

"Our ability to carry out our responsibilities for human intelligence and national security responsibilities has become more challenging" in today's digital world, Brennan said. "And so what we need to do as an agency is make sure we’re able to understand all of the aspects of that digital environment."

Brennan briefed a small group of reporters on the changes on Wednesday, on the condition they did not publish until he told CIA employees on Friday.

Stepping up the CIA's expertise in cyberspace may help it counter technological innovations and sophisticated use of social media by militant groups such as Islamic State. It could also mitigate what U.S. officials have said is damage to intelligence gathering caused by former NSA and CIA contractor Edward Snowden.

The 10 new "mission centres" will bring together CIA officers with expertise from across the agency's range of disciplines to concentrate on specific intelligence target areas or subject matter, Brennan said.

Competition between spy agencies and between units within agencies has led to "stove piping" of information that should have been widely shared and to critical information falling through bureaucratic cracks, Brennan and other U.S. intelligence officials said.

"I know there are seams right now, but what we’ve tried to do with these mission centres is cover the entire universe, regionally and functionally, and so something that’s going on in the world falls into one of those buckets," Brennan said.

The CIA currently operates at least two such interdisciplinary centres, covering counter-terrorism and counter-intelligence.

Reaction to the CIA reorganization was mostly positive, although some veterans acknowledged it will likely prompt bureaucratic friction within the spy agency.

"I think that this will strengthen the CIA significantly over time," former CIA acting director and deputy director Michael Morell said.

"There are short term costs...A lot of things to work out," Morell added. "And there are going to be...senior people with heartburn."

Sen. Richard Burr, chairman of the Senate Intelligence Committee, praised Brennan's moves.

"This reorganization was driven not by any institutional failure, but by the realization that the world has changed over the course of the last 70 years. In many ways, the Director’s proposal is long overdue," Burr said in a statement.

Created in 1947, the CIA is divided into four major directorates. Two - the Directorate of Science and Technology, which among other activities invents spy gadgets, and the Directorate of Support, which handles administrative and logistical tasks - will retain their names.

The Directorate of Intelligence will be renamed "Directorate of Analysis" to reflect its function as the home of agency experts who collate and analyse information from secret and open sources, Brennan said.

The National Clandestine Service, home of front-line agency undercover "case officers," who recruit spies and conduct covert actions, will be renamed Directorate of Operations, which is what it had been called for most of the agency's history.

(Editing By Warren Strobel and Grant McCool)
http://uk.reuters.com/article/2015/0...0M223520150306





What NSA Director Mike Rogers Doesn’t Get About Encryption
Julian Sanchez

At a New America Foundation conference on cybersecurity Monday, NSA Director Mike Rogers gave an interview that—despite his best efforts to deal exclusively in uninformative platitudes—did produce a few lively moments. The most interesting of these came when techies in the audience—security guru Bruce Schneier and Yahoo’s chief information security officer Alex Stamos—challenged Rogers’ endorsement of a “legal framework” for requiring device manufacturers and telecommunications service providers to give the government backdoor access to their users’ encrypted communications. (Rogers repeatedly objected to the term “backdoor” on the grounds that it “sounds shady”—but that is quite clearly the correct technical term for what he’s seeking.) Rogers’ exchange with Stamos, transcribed by John Reed of Just Security, is particularly illuminating:

Quote:
Alex Stamos (AS): “Thank you, Admiral. My name is Alex Stamos, I’m the CISO for Yahoo!. … So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt…

Mike Rogers (MR): That would be your characterization. [laughing]

AS: No, I think Bruce Schneier and Ed Felten and all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto. That it’s like drilling a hole in the windshield.

MR: I’ve got a lot of world-class cryptographers at the National Security Agency.

AS: I’ve talked to some of those folks and some of them agree too, but…

MR: Oh, we agree that we don’t accept each others’ premise. [laughing]

AS: We’ll agree to disagree on that. So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?

MR: So, I’m not gonna… I mean, the way you framed the question isn’t designed to elicit a response.

AS: Well, do you believe we should build backdoors for other countries?

MR: My position is — hey look, I think that we’re lying that this isn’t technically feasible. Now, it needs to be done within a framework. I’m the first to acknowledge that. You don’t want the FBI and you don’t want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn’t be for us. I just believe that this is achievable. We’ll have to work our way through it. And I’m the first to acknowledge there are international implications. I think we can work our way through this.

AS: So you do believe then, that we should build those for other countries if they pass laws?

MR: I think we can work our way through this.

AS: I’m sure the Chinese and Russians are going to have the same opinion.

MR: I said I think we can work through this.

I’ve written previously about why backdoor mandates are a horrible, horrible idea—and Stamos hits on some of the reasons I’ve pointed to in his question. What’s most obviously disturbing here is that the head of the NSA didn’t even seem to have a bad response prepared to such an obvious objection—he has no serious response at all. China and Russia may not be able to force American firms like Google and Apple to redesign their products to be more spy-friendly, but if the American government does their dirty work for them with some form of legal backdoor mandate, those firms will be hard pressed to resist demands from repressive regimes to hand over the keys. Rogers’ unreflective response seems like a symptom of what a senior intelligence official once described to me as the “tyranny of the inbox”: A mindset so myopically focused on solving one’s own immediate practical problems that the bigger picture—the dangerous long-term consequences of the easiest or most obvious quick fix solution—is barely considered.

What we also see, however, is a hint to why officials like Rogers and FBI Director James Comey seem so dismissive of the overwhelming consensus of security professionals and cryptographers that it’s not technically feasible to implement a magical “golden key” that will permit the “good guys” to unlock encrypted data while leaving it secure against other adversaries. No doubt these officials are asking their own experts a narrow, technical question and getting a narrow, technically correct answer: There is a subfield of cryptography known as “kleptography” that studies the design of “asymmetric backdoors.” The idea is that the designer of a cryptographic algorithm can bake into it a very specific vulnerability that depends on a lengthy mathematical key that is too large to guess and cannot be easily reverse-engineered from the algorithm itself. Probably the most famous example of this is the vulnerability in the Dual Elliptic Curve algorithm NSA is believed to have inserted in a widely-used commercial security suite. More prosaically, there is the method companies like Apple use to control what software can run on their devices: Their processors are hard-coded with the company’s public key, and (in theory) will only run software signed by Apple’s private developer key.

So there’s a sense in which it is technically feasible to do what NSA and FBI would like. There’s also a sense in which it’s technically possible for a human being to go without oxygen for ten minutes—but in practice you’ll be in for some rude surprises unless you ask the follow up question: “Will the person be left irreparably brain damaged?” When Comey or Rogers get a ten minute briefing from their experts about the plausibility of designing “golden key” backdoors, they are probably getting the technically accurate answer that yes, on paper, it is possible to construct a cryptographic algorithm with a vulnerability that depends on a long mathematical key known only to the algorithm’s designer, and which it would be computationally infeasible for an adversary to find via a “brute force” attack. In theory. But to quote that eminent cryptographer Homer Simpson: “I agree with you in theory, Marge. In theory, communism works. In theory.”

The trouble, as any good information security pro will also tell you, is that real world systems are rarely as tidy as the theories, and the history of cryptography is littered with robust-looking cryptographic algorithms that proved vulnerable under extended scrutiny or were ultimately impossible to implement securely under real-world conditions, where the crypto is inevitably just one component in a larger security and software ecosystem. A measure of adaptability is one virtue of “end to end” encryption, where cryptographic keys are generated by, and held exclusively by, the end users: If my private encryption key is stolen or otherwise compromised, I can “revoke” the corresponding public key and generate a new one. If some clever method is discovered that allows an attacker to search the “key space” of a cryptosystem more quickly than was previously thought possible, I can compensate by generating a longer key that remains beyond the reach of any attacker’s computing resources. But if a “golden key” that works against an entire class of systems is cracked or compromised, the entire system is vulnerable—which makes it worthwhile for sophisticated attackers to devote enormous resources to compromising that key, far beyond what it would make sense to expend on the key for any single individual or company.

So maybe you don’t want a single master key: Maybe you prefer a model where every device or instance of software has its own corresponding backdoor key. This creates its own special set of problems, because now you’ve got to maintain and distribute and control access to the database of backdoor keys, and ensure that new keys can’t be generated and used without creating a corresponding key in the master database. This weak point—key distribution—is the one NSA and GCHQ are purported to have exploited in last week’s story about the theft of cell phone SIM card keys. Needless to say, this model also massively reduces the flexibility of a communications or data storage system, since it means you need some centralized authority to generate and distribute all these keys. (Contrast a system like GPG, which allows users to generate as many keys as they need without any further interaction with the software creator.) You also, of course, have the added problem of designing your system to resist modification by the user or device owner, so the keys can’t be changed once they leave the manufacturer.

As I’ve argued elsewhere, the feasibility of implementing a crypto backdoor depends significantly on the nature of the system where you’re trying to implement it. If you want backdoors in an ecosystem like Apple’s, where you have a single manufacturer producing devices with hardcoded cryptographic keys and exerting control over the software running on its devices, maybe (maybe) you can pull it off without too massive a reduction in the overall security of the system. Ditto if you’re running a communications system where all messages are routed through a centralized array of servers—assuming users are willing to trust that centralized hub with access to their most sensitive data. If, on the other hand, you want backdoors that are compatible with a decentralized peer-to-peer communications network that uses software-generated keys running on a range of different types of computing hardware, that’s going to be a much bigger problem. So when Mike Rogers asks his technical experts whether Apple could realistically comply with a mandate to provide backdoor access to encrypted iPhone data, they might well tell him it’s technically doable—but that doesn’t mean there wouldn’t be serious problems implementing such a mandate generally.

In short, Rogers’ dismissive attitude in the exchange above seems like prime evidence that a little knowledge can indeed be a dangerous thing. He’s got a lot of “world class cryptographers” eager to give him the—very narrowly technically accurate—answer he wants to hear: It is mathematically possible to create backdoors of this sort, at least on certain types of systems. The reason the rest of the cryptographic community disagrees is that they’re not limiting themselves to giving a simplified five-minute answer to the precise question the boss asked, or finding an abstract solution to a chalkboard problem. In other words, they’re looking at the bigger picture and recognizing that actually implementing these solutions across a range of data storage and communications architectures—even on the dubious premise that the global market could be compelled to use broken American crypto indefinitely—would create an intractable array of new security problems. We can only hope that eventually one of the in-house experts that our intelligence leaders actually listen to will sit the boss down for long enough to break the bad news.
http://www.cato.org/blog/what-nsa-di...out-encryption
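The "hard-coded public key" model the piece describes, as an added example that is not part of the original post and not Apple's mechanism or code: a verifier holding one pinned public key accepts an image only if it carries a valid signature from the matching private key. The image bytes, key pairs and the `ImageVerifier`/`SignImage`/`Demo` names are all constructed for illustration; the point it shows is that a flipped bit, a signature from any other key, or a malformed signature is rejected, and that everything rests on the secrecy of the one signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ImageVerifier models a device whose boot ROM carries one pinned public key.
// Constructed illustration of the hard-coded-public-key model, not Apple's code.
type ImageVerifier struct {
	pinnedKey ed25519.PublicKey
}

// Verify accepts image only if sig is a valid signature over sha256(image)
// under the pinned key. A modified image, a signature from any other key,
// or a malformed signature all fail.
func (v ImageVerifier) Verify(image, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(v.pinnedKey, digest[:], sig) {
		return errors.New("signature does not verify under the pinned key")
	}
	return nil
}

// SignImage is the vendor-side step: the private half of the pinned key pair
// signs the image digest. Whoever holds this key can produce images every
// device accepts, which is the single-master-key risk the article raises.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// Demo runs four cases through one device and reports whether each behaved
// as expected: genuine image accepted, tampered image rejected, image signed
// by a different key rejected, truncated signature rejected.
func Demo() (bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil) // crypto/rand is used
	if err != nil {
		return false, err
	}
	_, otherPriv, err := ed25519.GenerateKey(nil) // a key the device does not trust
	if err != nil {
		return false, err
	}
	device := ImageVerifier{pinnedKey: vendorPub}
	image := []byte("constructed firmware image v1") // constructed sample input

	sig := SignImage(vendorPriv, image)
	if err := device.Verify(image, sig); err != nil {
		return false, fmt.Errorf("genuine image rejected: %w", err)
	}

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // flip a single bit
	if device.Verify(tampered, sig) == nil {
		return false, errors.New("tampered image accepted")
	}

	if device.Verify(image, SignImage(otherPriv, image)) == nil {
		return false, errors.New("image signed by a non-pinned key accepted")
	}

	if device.Verify(image, sig[:16]) == nil {
		return false, errors.New("truncated signature accepted")
	}
	return true, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("all checks behaved as expected:", ok, err)
}
```

Contrast this with the end-to-end model described a few paragraphs later: here the public key is burned into the device and cannot be revoked or rotated by its owner, so a leak of `vendorPriv` affects every unit at once.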





Google Quietly Backs Away from Encrypting New Lollipop Devices by Default

Encrypted storage will only be required in "future versions of Android."
Andrew Cunningham

And Google says it doesn't have the keys to give to law enforcement.

Last year, Google made headlines when it revealed that its next version of Android would require full-disk encryption on all new phones. Older versions of Android had supported optional disk encryption, but Android 5.0 Lollipop would make it a standard feature.

But we're starting to see new Lollipop phones from Google's partners, and they aren't encrypted by default, contradicting Google's previous statements. At some point between the original announcement in September of 2014 and the publication of the Android 5.0 hardware requirements in January of 2015, Google apparently decided to relax the requirement, pushing it off to some future version of Android. Here's the timeline of events.

Loud announcement, quiet backtracking

Google's decision to encrypt new Lollipop devices by default was reported widely, in both tech-focused and mainstream publications.

“For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement,” Google spokeswoman Niki Christoff told The Washington Post in September. “As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on.”

Google reaffirmed the statement in an October blog post about Lollipop's security features. Encryption of the userdata partition would occur "at first boot," and it would be "on by default from the moment you power on a new device running Lollipop."

For a while, the only new devices we had that ran Lollipop were Google's own Nexus 6 and Nexus 9, both of which were indeed encrypted by default. Older devices that were upgraded to Lollipop—a number of older Nexus devices, the 2014 Moto G, and a handful of others—didn't enable encryption by default, even when you performed a full reset of the phone. This made some amount of sense; suddenly encrypting devices that weren't designed with encryption in mind could impact performance and cause complaints.

A little over three months after Lollipop's release, we're finally beginning to see new devices from third parties. One is the second-generation Moto E. Its userdata partition is not encrypted by default. Ars Reviews Editor Ron Amadeo tells me that new Galaxy S6 demo units at Mobile World Congress aren't encrypted by default either.

We asked both Motorola and Google about this, and we eventually discovered what was going on. The latest version of the Android Compatibility Definition document (PDF), the guidelines OEMs must follow to create Google-approved Lollipop devices, includes a subtle change in policy. Here's the relevant passage, emphasis Google's:

9.9 Full-Disk Encryption

If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data partition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.


In short, devices are required to support encryption, but it's still up to OEMs to actually enable it; this is exactly what Google was doing in KitKat and older versions (PDF, see section 9.9). Full-disk encryption is expected to become a requirement in some future Android version, but it remains optional in Lollipop despite Google's earlier statements.

What happened?

We've asked Google why it relaxed that requirement after publicizing it so prominently, but the company hasn't responded to our inquiry as of this writing. We'll publish an update if it does.

Here's what we think is most likely. Lollipop's encryption requirement made headlines again in November, this time because it had a huge impact on the new Nexus 6's performance. Our review of the Nexus 6 showed that the new phone could be slower than the old Nexus 5 in certain tasks, and AnandTech supplied additional numbers that showed just how severe the performance impact was.

Those reports were circulated pretty widely—Google "Lollipop encryption" and stories about the slowdown dominate the first page. By the time the compatibility definition document was updated in January, full-disk encryption was no longer a required feature.

Our best guess at this point is that the encrypted-by-default requirement was relaxed to give OEMs more time to prepare their hardware for the transition. The performance problems can be offset by using faster flash memory, faster file systems like F2FS, and chips that are better at encrypting and decrypting data quickly, but phones and tablets take long enough to design that OEMs will need time to make these changes. Whether the change in policy was prompted by external pressure or an internal decision isn't clear, but the performance explanation makes the most logical sense.

If you want encryption on your Android phone now, you'll still have to enable it yourself. Unfortunately, even though this compatibility document was published over a month ago, most publications and Android users still believe that Lollipop will encrypt their devices by default. Google needs to make it clear that it has changed its policy.
http://arstechnica.com/gadgets/2015/...es-by-default/





Apple Plans Fix Next Week for Newly Uncovered Freak Security Bug

Apple Inc and Google Inc said on Tuesday that they have developed fixes to mitigate the newly uncovered 'Freak' security flaw affecting mobile devices and Mac computers.

The vulnerability in web encryption technology could enable attackers to spy on communications of users of Apple's Safari browser and Google Inc's Android browser, according to researchers who uncovered the flaw.

Apple spokesman Ryan James said the computer had developed a software update to remediate the vulnerability, which would be pushed out next week.

Google spokeswoman Liz Markman said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive those upgrades.

Google typically does not directly push out Android software updates. Instead they are handled by device makers and mobile carriers.

The Washington Post reported that the bug left users of Apple and Google devices vulnerable to cyber attack when visiting hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov. (wapo.st/18KaxIA)

Whitehouse.gov and FBI.gov have been fixed, but NSA.gov remains vulnerable, the paper cited Johns Hopkins cryptographer Matthew D. Green as saying.

A group of nine researchers discovered that they could force web browsers to use a form of encryption that was intentionally weakened to comply with U.S. government regulations that ban American companies from exporting the strongest encryption standards, according to the paper.

Once they caused the site to use the weaker export encryption standard, they were then able to break the encryption within a few hours. That could allow hackers to steal data and potentially launch attacks on the sites themselves by taking over elements on a page, the newspaper reported.

Markman said that Google advises all websites to disable support for the less-secure, export-grade encryption.

"Android's connections to most websites - which include Google sites, and others without export certificates - are not subject to this vulnerability," she added.

The group of researchers dubbed the flaw Freak, for "Factoring RSA-EXPORT Keys," according to a website where they described the vulnerability: www.smacktls.com.

(Reporting by Jim Finkle; Editing by Christian Plumb, Bernard Orr)
http://uk.reuters.com/article/2015/0...0LZ2GC20150303
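Both Reuters items above describe the defence in one sentence (disable export-grade suites, patch the client). As an added example that is not from the articles or from any browser or TLS library, here is a constructed model of the two checks involved. The client-side check accepts a negotiated suite only if it was one the client offered, refuses any export-grade suite outright, and rejects a ServerKeyExchange carrying a temporary RSA key when the negotiated suite is plain RSA (for which that message is not defined); the server-side check audits a configured suite list for export suites, which is the workaround the articles attribute to Google and Microsoft. The `CipherSuite`, `ServerKeyExchange`, `HardenedClientAccept` and `ExportSuitesEnabled` names are assumptions for this example; the suite names follow the IANA registry.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed model of the handshake fields relevant here; not a TLS
// implementation. Suite names follow the IANA cipher-suite registry.
type CipherSuite string

const (
	SuiteRSAAES128    CipherSuite = "TLS_RSA_WITH_AES_128_GCM_SHA256"
	SuiteRSAExportRC4 CipherSuite = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"
)

// IsExport reports whether a suite is one of the deliberately weakened
// export-grade suites the articles describe.
func IsExport(s CipherSuite) bool { return strings.Contains(string(s), "_EXPORT_") }

// ServerKeyExchange models the optional message that, for RSA_EXPORT suites,
// carries a temporary RSA key of at most 512 bits. For a plain RSA suite the
// message is not part of the handshake at all.
type ServerKeyExchange struct {
	Present    bool
	RSAKeyBits int
}

// HardenedClientAccept applies the client-side checks. offered is the client's
// own ClientHello suite list; chosen is the suite named in ServerHello.
func HardenedClientAccept(offered []CipherSuite, chosen CipherSuite, ske ServerKeyExchange) error {
	found := false
	for _, s := range offered {
		if s == chosen {
			found = true
			break
		}
	}
	if !found {
		return fmt.Errorf("server chose %s, which the client never offered", chosen)
	}
	if IsExport(chosen) {
		return fmt.Errorf("%s is export-grade; refusing to proceed", chosen)
	}
	if ske.Present {
		// A temporary RSA key only belongs to RSA_EXPORT suites; for the
		// suite actually negotiated it must be treated as a protocol error.
		return errors.New("unexpected ServerKeyExchange with temporary RSA key for a non-export RSA suite")
	}
	return nil
}

// ExportSuitesEnabled is the server-side audit: it returns every export-grade
// suite still present in a server's configured list.
func ExportSuitesEnabled(configured []CipherSuite) []CipherSuite {
	var found []CipherSuite
	for _, s := range configured {
		if IsExport(s) {
			found = append(found, s)
		}
	}
	return found
}

func main() {
	offered := []CipherSuite{SuiteRSAAES128} // the client only ever offers a strong suite
	fmt.Println("normal handshake:",
		HardenedClientAccept(offered, SuiteRSAAES128, ServerKeyExchange{}))
	fmt.Println("strong suite but a 512-bit temporary key appears:",
		HardenedClientAccept(offered, SuiteRSAAES128, ServerKeyExchange{Present: true, RSAKeyBits: 512}))
	fmt.Println("server names a suite the client never offered:",
		HardenedClientAccept(offered, SuiteRSAExportRC4, ServerKeyExchange{}))
	fmt.Println("export suites in a server config:",
		ExportSuitesEnabled([]CipherSuite{SuiteRSAAES128, SuiteRSAExportRC4}))
}
```

Either check alone is enough to stop the downgrade: a client that enforces `HardenedClientAccept` never uses the weak key, and a server whose list passes `ExportSuitesEnabled` with nothing returned never has one to hand out.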





Microsoft Warns Windows PCs Also Vulnerable to 'Freak' Attacks
Jim Finkle

Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered "Freak" security vulnerability, which was initially believed to only threaten mobile devices and Mac computers, Microsoft Corp warned.

News of the vulnerability surfaced on Tuesday when a group of nine security experts disclosed that ubiquitous Internet encryption technology could make devices running Apple Inc's iOS and Mac operating systems, along with Google Inc's Android browser vulnerable to cyberattacks.

Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the "Freak" vulnerability.

The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption.

If hackers are successful, they could spy on communications as well as infect PCs with malicious software, the researchers who uncovered the threat said on Tuesday.

The Washington Post on Tuesday reported that whitehouse.gov and fbi.gov were among the sites vulnerable to these attacks, but that the government had secured them. (wapo.st/18KaxIA)

Security experts said the vulnerability was relatively difficult to exploit because hackers would need to use hours of computer time to crack the encryption before launching an attack.

"I don't think this is a terribly big issue, but only because you have to have many ducks in a row," said Ivan Ristic, director of engineering for cybersecurity firm Qualys Inc.

That includes finding a vulnerable web server, breaking the key, finding a vulnerable PC or mobile device, then gaining access to that device.

Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption. It said it was investigating the threat and had not yet developed a security update that would automatically protect Windows PC users from the threat.

Apple said it had developed a software update to address the vulnerability, which would be pushed out to customers next week.

Google said it had also developed a patch, which it provided to partners that make and distribute Android devices.

"Freak" stands for Factoring RSA-EXPORT Keys.

(Reporting by Jim Finkle; Editing by Jonathan Oatis and Richard Chang)
http://uk.reuters.com/article/2015/0...0M220T20150306





You Can Now Call or Text Anyone with End-to-End Encryption, for Free
Kashmir Hill

For years, smartphone users have been out of luck if they wanted to call or text everyone in their address books for free using encryption. iPhone users could send each other encrypted texts with iMessage, and free apps existed to help Android users communicate with each other securely. But there was no way to send secure messages from an iPhone to an Android phone, or vice versa, unless you signed up for a monthly subscription plan and got the person you wanted to communicate with to sign up for it too.

That’s changing today, as San Francisco-based Open Whisper Systems is adding encrypted texting to its encrypted calling iPhone app Signal, with the release of Signal 2.0. Now, no matter which smartphone you own, you’ll be able to call or text any other smartphone for free with end-to-end encryption turned on. To have a conversation that’s protected from hackers, wiretappers, or the communication platform itself, the people that are part of the conversation just have to download a free app.

Signal is compatible with Open Whisper System’s years-old Android offerings—secure calling app Redphone and secure texting app TextSecure—meaning the creation of an ecosystem for secure communications that didn’t previously exist as a free option.

“Eventually we’ll have one app called Signal on Android, iPhone and desktop,” says Open Whisper Systems founder Moxie Marlinspike, a well-known developer in the cryptography community. “We want to develop apps that are a joy to use where the cryptography is invisible. Apps that are better than their insecure competitors.”

Signal 2.0 comes at a controversial time. Last month, the Intercept reported that intelligence agencies had compromised the security built into millions of smartphones by stealing encryption keys from Gemalto, one of the world’s largest SIM card manufacturers. With those keys, the NSA and its British equivalent GCHQ, which allegedly masterminded the theft, could theoretically tap data, texts, and calls from phones with a Gemalto SIM card without notifying a phone company or going through a legal process. (This method wouldn’t work for communications that were getting an additional encryption layer from an app like Signal.)

“Every time [Intercept parent company] First Look publishes a story, our installs go up,” says Marlinspike. “It’s well-documented that calls and messages you send over [phone networks] are not private. Things like Signal are a way to have private communication from your phone and also a better experience. Sending media messages to your friends will be frictionless and high quality and a lot better than sending MMS.”

Marlinspike set off a huge debate within the crypto community last week by suggesting that GPG—a long-used encryption protocol many use for e-mail—should be killed off because it’s too burdensome for normal users. It’s “a glorious experiment that has run its course,” he wrote, calling for easier, simpler tools for users that have encryption built in.

I used to dream of a world where everyone would install GPG. Now I dream of a world where I can uninstall it: http://t.co/eRZ0hdlmgx

— Moxie Marlinspike (@moxie) February 24, 2015

Open Whisper Systems, a non-profit supported by donations, grants and even government funding (from the State Department) releases its apps for free and open-sources its code in the hope that other messaging platforms will adopt it. Only one big company has done so thus far. Last year, WhatsApp, the messaging behemoth owned by Facebook, added the TextSecure protocol to the Android version of its app meaning that hundreds of millions of people sending WhatsApp messages between Android phones suddenly had end-to-end encryption. “The most effective way for us to enable ubiquitous end-to-end encryption in messaging is to create technology anyone can use,” says Marlinspike. “We don’t want to compete with Facebook Messenger. The net result is more effective if we do it open-source.”

Marlinspike doesn’t disclose user numbers, but says Open Whisper Systems’ apps are “used all over the world.” He is especially pleased by its popularity in Brazil, where media have recommended his apps as a great option for free global calling and texts. “What’s awesome is they don’t mention encryption and privacy,” says Marlinspike. “They just like that the apps are simple and free.”

Not everyone is a fan of super-easy, free encryption apps. There is a heated battle under way globally over “the right to encrypt.” End-to-end encryption means that communications cannot be tapped by outsiders, including law enforcement, who have started asking for a “golden key” to access such systems despite warnings that it would make the systems insecure. The F.B.I. has complained for years that the Internet is “going dark”—in other words, becoming encrypted, making it harder for the intelligence community and law enforcement to pursue digital leads.

Last week, a Brazilian county judge threatened to ban WhatsApp because the company was unable to give law enforcement messages from a user who was suspected of forcing underage users to send him naked photos of themselves. In the U.S. and in the U.K., officials have said that technology companies—such as Apple and Google—that put security software into their smartphones so that the content can only be decrypted with a user’s PIN are making the world a more dangerous place.

Marlinspike says that people who want to use encryption for nefarious reasons already know how to do so. “People engaged in that kind of activity already have the tools they need,” he says. “They’re just cumbersome to use, so it’s ordinary people like ourselves that are the victims of mass surveillance, since we’re not willing to use difficult and complex tools for our everyday communication.”

The Signal texting app functions like any messaging app, with the ability to add photos and send group messages. But it does have one privacy feature that you don’t usually see with a messaging app: an option to “enable screen security.”

This feature would make it harder to pull information from a forensic examination of the phone. Frederic Jacobs, a co-lead developer on Signal with Christine Corbett, explains: “When you switch apps or bring any app on iOS to the background, a screenshot of the application is done. That will then be displayed in the app switcher when you see the preview of the last statuses of the apps you last launched. The fact that the operating system takes a screenshot has security implications and some users might prefer to prevent that screenshot from being stored on their device, so we have a workaround that prevents that screenshot to be taken by the operating system.”
The no-screenshot option is turned off by default, but it’s another reason law enforcement isn’t going to love this app, or the secure cross-platform communication it enables. (Except when they themselves are using it.)
http://fusion.net/story/56778/signal...d-texts-calls/





How to Sabotage Encryption Software (And Not Get Caught)
Andy Greenberg

In the field of cryptography, a secretly planted “backdoor” that allows eavesdropping on communications is usually a subject of paranoia and dread. But that doesn’t mean cryptographers don’t appreciate the art of skilled cyphersabotage. Now one group of crypto experts has published an appraisal of different methods of weakening crypto systems, and the lesson is that some backdoors are clearly better than others—in stealth, deniability, and even in protecting the victims’ privacy from spies other than the backdoor’s creator.

In a paper titled “Surreptitiously Weakening Cryptographic Systems,” well-known cryptographer and author Bruce Schneier and researchers from the Universities of Wisconsin and Washington take the spy’s view to the problem of crypto design: What kind of built-in backdoor surveillance works best?

Their paper analyzes and rates examples of both intentional and seemingly unintentional flaws built into crypto systems over the last two decades. Their results seem to imply, however grudgingly, that the NSA’s most recent known method of sabotaging encryption may be the best option, both in effective, stealthy surveillance and in preventing collateral damage to the Internet’s security.

“This is a guide to creating better backdoors. But the reason you go through that exercise is so that you can create better backdoor protections,” says Schneier, the author of the recent book Data and Goliath, on corporate and government surveillance. “This is the paper the NSA wrote two decades ago, and the Chinese and the Russians and everyone else. We’re just trying to catch up and understand these priorities.”

The researchers looked at a variety of methods of designing and implementing crypto systems so that they can be exploited by eavesdroppers. The methods ranged from flawed random number generation to leaked secret keys to codebreaking techniques. Then the researchers rated them on variables like undetectability, lack of conspiracy (how much secret dealing it takes to put the backdoor in place), deniability, ease of use, scale, precision and control.

Here’s the full chart of those weaknesses and their potential benefits to spies. (The ratings L, M, and H stand for Low, Medium and High.)

A bad random number generator, for instance, would be easy to place in software without many individuals’ involvement, and if it were discovered, could be played off as a genuine coding error rather than a purposeful backdoor. As an example of this, the researchers point to an implementation of Debian SSL in 2006 in which two lines of code were commented out, removing a large source of the “entropy” needed to create sufficiently random numbers for the system’s encryption. The researchers acknowledge that crypto sabotage was almost certainly unintentional, the result of a programmer trying to avoid a warning message from a security tool. But the flaw nonetheless required the involvement of only one coder, went undiscovered for two years, and allowed a full break of Debian’s SSL encryption for anyone aware of the bug.
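Why removing an entropy source "allowed a full break" and how it was cleaned up afterwards, as an added example that is not from the article and not OpenSSL's or Debian's code: a toy generator whose seed mixes an entropy buffer with the process id. With the entropy removed, the process id is the only variable input, so every key the generator can ever produce can be enumerated and fingerprinted, which is the defender's check (the blacklist approach used after the bug) as much as the attacker's. The names `WeakKey`, `StrongKey`, `BuildBlacklist` and `IsWeak`, the use of Ed25519 as the key type, and the pid range are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// seedFromInputs is a toy seed derivation (constructed; not OpenSSL's or
// Debian's code): hash the entropy buffer together with the process id.
func seedFromInputs(entropy []byte, pid uint32) []byte {
	h := sha256.New()
	h.Write(entropy)
	var p [4]byte
	binary.BigEndian.PutUint32(p[:], pid)
	h.Write(p[:])
	return h.Sum(nil) // 32 bytes, exactly the ed25519 seed size
}

// WeakKey models the broken generator: the entropy buffer is gone, so the
// process id alone decides which key comes out.
func WeakKey(pid uint32) ed25519.PublicKey {
	priv := ed25519.NewKeyFromSeed(seedFromInputs(nil, pid))
	return priv.Public().(ed25519.PublicKey)
}

// StrongKey models the intended generator, with 32 random bytes mixed in.
func StrongKey(pid uint32) (ed25519.PublicKey, error) {
	entropy := make([]byte, 32)
	if _, err := rand.Read(entropy); err != nil {
		return nil, err
	}
	priv := ed25519.NewKeyFromSeed(seedFromInputs(entropy, pid))
	return priv.Public().(ed25519.PublicKey), nil
}

// Fingerprint is the blacklist entry form: hex SHA-256 of the public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// BuildBlacklist enumerates every key the weak generator can produce for
// pids below pidLimit. Linux pids of that era stayed below 32768, which is
// why the whole weak key space fit into a shippable blacklist.
func BuildBlacklist(pidLimit uint32) map[string]uint32 {
	bl := make(map[string]uint32, pidLimit)
	for pid := uint32(0); pid < pidLimit; pid++ {
		bl[Fingerprint(WeakKey(pid))] = pid
	}
	return bl
}

// IsWeak is the defender's check: does this public key appear in the
// blacklist, and if so which pid produced it?
func IsWeak(bl map[string]uint32, pub ed25519.PublicKey) (pid uint32, weak bool) {
	pid, weak = bl[Fingerprint(pub)]
	return
}

func main() {
	bl := BuildBlacklist(32768)
	pid, weak := IsWeak(bl, WeakKey(4321))
	fmt.Printf("key from the weak generator flagged: %v (pid %d)\n", weak, pid)
	strong, err := StrongKey(4321)
	if err != nil {
		panic(err)
	}
	_, weak = IsWeak(bl, strong)
	fmt.Printf("key from the strong generator flagged: %v\n", weak)
}
```

The enumeration is cheap here because only the pid varies; the real blacklist additionally had to cover each key size and architecture the broken package could have produced, but the shape of the check is the same.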

Another, even subtler method of subverting crypto systems that the researchers suggest is what they call “implementation fragility,” which amounts to designing systems so complex and difficult that coders inevitably leave exploitable bugs in the software that uses them. “Many important standards such as IPsec, TLS and others are lamented as being bloated, overly complex, and poorly designed…with responsibility often laid at the public committee-oriented design approach,” the researchers write. “Complexity may simply be a fundamental outcome of design-by-committee, but a saboteur might also attempt to steer the public process towards a fragile design.” That kind of sabotage, if it were found, would be easily disguised as the foibles of a bureaucratic process.

But when it comes to a rating for “control”—the ability to distinguish who will be able to exploit the security weakness you’ve inserted—the researchers label implementation fragility and bad number generation as “low.” Use a bad random number generator or fragile crypto implementation, and any sufficiently skilled cryptanalysts who spot the flaw will be able to spy on your target. “It’s clear that some of these things are disastrous in terms of collateral damage,” says paper co-author University of Wisconsin computer scientist Thomas Ristenpart. “If you have a saboteur leaving vulnerabilities in critical system that can be exploited by anyone, then this is just disastrous for the security of consumers.”

In fact that low “control” rating applies to every other method they considered except one: what the researchers call “backdoor constants,” which they rate as “high.” A backdoor constant is one that can only be exploited by someone who knows certain unguessable values. A prime example of that type of backdoor is the random-number generator standard Dual_EC_DRBG, used by crypto firm RSA and revealed in leaks by Edward Snowden in 2013 to have been sabotaged by the NSA.

Dual_EC’s backdoor required the snooper to know a very specific piece of information: the mathematical relationship between two positions on an elliptic curve built into the standard. Anyone with that knowledge would be able to generate the seed value for its random number generator and thus the random values needed to decrypt messages. But without that information the backdoor would be useless, even if you knew that it existed.

That sort of “backdoor constant” trick can be hard to spot, which is why the paper gives it a “high” score in undetectability. Though cryptographers, including Schneier himself, suspected as early as 2007 that Dual_EC might have had a backdoor, no one could prove it—and it remained in use—until Snowden’s revelations. Once discovered, on the other hand, that sort of backdoor is nearly impossible to explain away, so it gets low marks for deniability. But given that a backdoor like Dual_EC creates the least potential for collateral damage of any method named in the study, Schneier describes the technique as “close to ideal.”

That’s not to say the cryptographers like it. Encryption, after all, is meant to create privacy between two people, not two people and the creator of a perfectly designed, secure backdoor. “This is still a problem for people who are potentially victimized by the NSA itself,” says University of Wisconsin researcher and paper co-author Matthew Fredrikson.

In fact, Schneier attributes Dual_EC’s discretion not to the NSA’s care for internet users’ security, but rather its focus on stealth. “Collateral damage is noisy, and it makes you more likely to be discovered,” he says. “It’s a self-serving criteria, not an issue of ‘mankind is better off this way.'”

Schneier says the goal of the researchers’ paper, after all, isn’t to improve backdoors in crypto. It’s to better understand them so that they can be eradicated. “Certainly there are ways to do this that are better and worse,” he says. “The most secure way is not to do it at all.”

Here’s the full paper: Surreptitiously Weakening Cryptographic Systems
http://www.wired.com/2015/02/sabotag...re-get-caught/





How Superfish’s Security-Compromising Adware Came to Inhabit Lenovo’s PCs
Nicole Perlroth

Until its advertising software was discovered deep inside Lenovo personal computers two weeks ago, a little company called Superfish had maintained a surprisingly low profile for an outfit once named America’s fastest-growing software start-up.

In 2013, Superfish revenues had increased more than 26,000 percent over the previous three years to $35.3 million. It had advertising deals with some of the biggest names in e-commerce — Amazon, eBay and Alibaba among them.

But as the start-up, based in Palo Alto, Calif., searched for new income sources last year, it landed a deal with Lenovo, the world’s largest PC maker, to put its software — often called adware — on several Lenovo consumer PCs.

That deal has proved disastrous. Not only has it called into question the business practices of both Lenovo and Superfish, it has shined an unflattering light on makers of this sort of advertising technology.

Superfish’s software, a security researcher revealed, was logging every online movement of the people using those Lenovo machines and hijacking the security system that is supposed to protect online communications and commerce. The Department of Homeland Security even warned Lenovo PC users to remove the software because of the risk it presented.

Superfish’s technology, security experts now say, is a particularly aggressive example of the targeted advertising technology that tracks consumers’ online movements without their knowledge.

What made its adware particularly bad, experts say, is that it fooled Lenovo customers into thinking that private sessions with their email service, or bank — secured with encryption that is often represented by the tiny padlock that appears in their web browser — were private, when Superfish, and potentially hackers, could see everything.

“The padlock is a means of telling you that who you are talking to is who you think you are talking to. Superfish made that mechanism ineffective,” said Jonathan Mayer, a lawyer and computer science graduate student at Stanford University who specializes in digital privacy.
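What Mayer's point looks like in code, as an added example that is not from the article and contains nothing of Superfish's or Lenovo's actual material: a constructed public CA issues a certificate for a host, and a second, constructed "interposer" root issues its own certificate for the same host. Against the untouched trust store the second certificate fails, which is the padlock doing its job; once the interposer's root has been added to the store, the same certificate verifies and the browser would show the padlock. The last check, comparing the root the chain actually ends in against the root the client expects, is the kind of pin or trust-store audit that still catches the interposition. The CA names, the host `bank.example` and the function names `newCA`, `issueLeaf`, `rootCN` and `Scenario` are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate (constructed example).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the given CA sign a server certificate for host.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// rootCN verifies leaf for host against roots (what the padlock attests) and
// returns the common name of the root the chain ends in.
func rootCN(leaf *x509.Certificate, roots *x509.CertPool, host string) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

// Scenario reports: genuine chain verifies; interposer's certificate fails
// against the untouched store; it passes once the interposer's root is in the
// store; a pin on the expected root still catches it.
func Scenario() (genuineOK, interposedRejected, acceptedAfterInjection, pinCatchesIt bool, err error) {
	const host = "bank.example" // constructed
	publicCA, publicKey, err := newCA("Constructed Public CA", 1)
	if err != nil {
		return
	}
	interposerCA, interposerKey, err := newCA("Constructed Interposer Root", 2)
	if err != nil {
		return
	}
	genuineLeaf, err := issueLeaf(publicCA, publicKey, host, 3)
	if err != nil {
		return
	}
	interposedLeaf, err := issueLeaf(interposerCA, interposerKey, host, 4)
	if err != nil {
		return
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(publicCA)
	_, e := rootCN(genuineLeaf, trusted, host)
	genuineOK = e == nil
	_, e = rootCN(interposedLeaf, trusted, host)
	interposedRejected = e != nil
	trusted.AddCert(interposerCA) // the step the adware's installer performs
	cn, e := rootCN(interposedLeaf, trusted, host)
	acceptedAfterInjection = e == nil
	pinCatchesIt = acceptedAfterInjection && cn != "Constructed Public CA"
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The third outcome is the whole problem: nothing in the certificate for `bank.example` is malformed, so a client that only asks "does this chain end in some root I trust?" cannot tell the difference. A check on which root, or an inventory of roots that were not present at factory reset, can.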

Superfish was co-founded by Adi Pinhas and Michael Chertok, two veterans of the video surveillance industry. Their first start-up, Vigilant Technology, worked with casinos, prisons and governments and used algorithms to scan video footage from surveillance cameras in search of suspicious activity.

In 2006, the two began exploring the possibility of applying similar computerized methods to visual searches. They called their new start-up Link-It. Much in the same way that Google is a search engine for text, Siri for voice, and music discovery apps like Shazam help people match songs they hear on the radio to an artist and song title, Superfish aimed to be a “visual search” engine for images.

With 12 Ph.D.s on staff and 10 patents for visual search technology, the company’s software crawls the web, using mathematical models to catalog, analyze and match images of plants, dogs or furniture to the exact flower, dog breed or home goods retailer. At one point, they worked with Samsung on a proof-of-concept visual search engine on Samsung cellphones, but a formal partnership was never consummated.

In 2009, the co-founders said, they renamed the company Superfish.

Five years later, Superfish had accumulated partnerships with more than 100,000 retailers that paid the company through “affiliate” programs, in which retailers gave Superfish a cut of each sale its software encouraged. As Superfish tracks products that appeal to people on the web, its technology serves ads of similar or identical products from its retail partners.

Last year, Superfish began experimenting with new sources of revenue. It released a series of free “LikeThat” mobile apps at the iTunes and Android store, such as LikeThat Décor, an app that allows design aficionados or interior designers to snap shots of furniture so that Superfish can locate the same, or similar, products online.

The start-up’s executives say they approached Lenovo, based in China, early last year about the possibility of loading their VisualDiscovery software onto its PCs at the factory.

The pitch, Lenovo’s executives recall, was that Superfish could “improve our consumer experience” by serving its customers more relevant ads.

“The motivation was to enhance the experience,” Peter Hortensius, Lenovo’s chief technology officer said in an interview last week. If a consumer was hovering his mouse over a vase, Mr. Hortensius said, Superfish technology would register his interest in the vase and could show a similar vase, or the same vase at a cheaper price, from a different retailer.

“That was the idea at least,” Mr. Hortensius recalled.

Neither Lenovo nor Superfish will discuss the financial terms of the deal.

Industry experts say that when software is preloaded onto a machine, the hardware maker is usually paid a fee per machine. In the case of adware, they suspect Lenovo was also paid a cut of any Superfish ad revenue generated on its PCs. Lenovo executives will only say that its revenues from the deal were “financially insignificant.”

After Lenovo began putting Superfish software onto its consumer PCs last September, consumers were soon complaining in online forums that their web experiences were buggy.

Peter Horne, who has worked in the financial services technology industry for 25 years, noticed that the adware was buried so deep in the machine’s operating system that antivirus scanners couldn’t find it.

In an interview, Mr. Hortensius said Lenovo’s customers were given the chance to opt out of Superfish when they started their machines, but customers do not recall any opt-in language. Even after Mr. Horne wiped his new Lenovo PC and rebuilt it, his PC was still calling back to Superfish’s servers.

Worse still, Superfish’s technology was hijacking the third-party certificate authorities that are used to guarantee the security of encrypted connections between users’ browsers and websites like Bank of America and Google. To circumvent web protections, Superfish served up its own certificate with the help of an Israeli company, Komodia, which specializes in intercepting encrypted communications, so it could insert ads.

By doing so, Superfish left Lenovo users vulnerable to hackers. “Websites, such as banking and email, can be spoofed without a warning,” a Homeland Security alert read.

In an email, Mr. Pinhas said Superfish was not aware of any security issues with its Lenovo adware until the news broke two weeks ago. He said the Lenovo partnership was the only time Superfish adware had been preloaded into hardware and that it was the first time the company had worked with Komodia, which helped it circumvent web encryption to insert its ads.

Mr. Pinhas also maintains that Superfish does not log any personal information on its servers. Citing pending lawsuits, Mr. Pinhas said he could not say more.

Lenovo is now facing its own lawsuits — one accuses Lenovo and Superfish of trespassing on personal property and violating wiretap laws — and even angry hackers. For several hours last Wednesday, hackers defaced Lenovo’s website, replacing its contents with images of bored teenagers.

Two days later, Lenovo announced a pledge for “cleaner, safer PCs” and said it would eliminate unnecessary adware from its PCs and clearly post what all preloaded software does.

“We are not confused as to the depth that this has caused people not to trust us,” Mr. Hortensius said. “We will do our best to make this right. In the process of that, I think we will come out stronger.”

He added, “But we have a long way to go to make this right.”
http://www.nytimes.com/2015/03/02/te...novos-pcs.html





How Blackphone Turned A Security Fail Into A Win

The privacy phone gets a new model—and some new mojo.
Adriana Lee

Last year, privacy-focused Blackphone got a dubious distinction: It became known as the locked-down phone that supposedly got hacked in just 5 minutes.

Things have changed. Now, it’s a whole mobile product line geared for companies (and perhaps paranoid individuals), a brand-new acquisition for encryption services firm Silent Circle, and a multi-million dollar enterprise with nearly $750 million in device sales.

The group introduced its latest devices this week at Mobile World Congress—the Blackphone 2 smartphone and its first tablet, currently dubbed Blackphone+. But what was really on display was the company’s uncanny knack for turning a well-publicized security flub into a win.

Meet Blackphone 2 And Blackphone+

As far as upgrades go, the 5.5-inch Blackphone 2 looks like a decent successor to last year’s original 4.7-inch Blackphone.

Like most second-generation phones, version 2 offers several hardware improvements, including a faster 64-bit 8-core processor, more memory (3GB), a bigger battery and a larger display. The phone also ties into Citrix's Mobile Device Management, so IT departments can manage employees’ company-supplied or BYO (“bring your own”) phones. Blackphone 2 is priced at $630 (unlocked) and slated for a July release. Soon after, it will be joined by the company’s first tablet, the 7-inch Blackphone+, sometime this fall.

Both run Blackphone’s PrivatOS software, a variation on Android designed as an extra layer of protection between users and the big, bad outside world. When apps unnecessarily ask for personal data, like contacts or location, Blackphone can intercept the request, blocking or obscuring it. The software can even fool the app into thinking the user granted access, even if he or she didn't.

“You can take an Android device, you can root it, introduce [similar] features, and after months, you can have something like Blackphone,” said Javier Agüera, Blackphone’s founder and now a chief scientist at Silent Circle. “Or you can have an out-of-the-box device, with everything set up by security specialists, that’s enterprise ready and configured the way you need it.”

PrivatOS boasts a new virtualization feature called “Spaces,” which offers separate “work” and “personal” modes, the ability to add profiles and an app store vetted by Blackphone. The technology's encryption protocols also save keys on the device itself, not some unknown remote server. The phone's price includes two years of security services that guard against unsafe WiFi networks and provide private browsing and secure cloud file storage.

Sounds like a lot of protection; at least, it's more than most users are accustomed to getting. It all goes back to Blackphone's mission: The company wants to safeguard people. It seems sincere—even though a hacker actually did manage to breach those walls last year.

Turning Hackers Into BFs

At hacking convention DefCon last year, CTO Jon “Justin” Sawyer of Applied Cybersecurity LLC told Blackphone that he managed to get past its security to root its device. What’s more, he tweeted the exploit, which landed on BlackBerry sites and other tech blogs.

Sawyer found a couple of weak spots in the software, including a hole in the remote wipe feature that let the security expert access the device and grant himself system privileges. He was able to give himself access to core parts of the phone. But what gets less attention, the execs said, is that the company had already patched the hole.

Sawyer essentially attacked an old, outdated version of the software. Even so, the incident and publicity could have humiliated Blackphone right out of the market. It didn't. Instead, the company is milking it.

The team thanked Sawyer for the discovery and sent him a bottle of wine. Then it enlisted others to scope out any other vulnerabilities.

According to Vic Hyder, Silent Circle’s chief strategy officer, Blackphone recently launched a bug bounty program to reward people for finding security glitches—from $128 to more, depending on the severity. (Bounties are fairly common in the tech industry; even big companies like Facebook, Google and Microsoft offer rewards to bug hunters.)

“[It] makes them part of the solution, instead of part of the problem,” Hyder said. "It brings everybody in as a participant.” Even Sawyer, now a friend of Blackphone, helps out by looking for other vulnerabilities. The company publishes all of its source code, to help make it easier for people to find holes.

So far, Hyder estimates that the company has paid out about $15,000 to $20,000 in bounties.

Throwing Shade

"Nothing is hack-proof,” admits Daniel Ford, chief security officer.

However, he says his company can help guard against certain types of attacks. “Targeted attacks are completely different than mass surveillance,” he said. There’s little Blackphone or anyone can do against the former, such as last year’s breach at Sony Pictures—which may have been a specific retaliation for The Interview, a comedy that poked fun at North Korea.

Ultimately, if a hacker wants your data badly enough—whether it’s a criminal or an NSA agent—he or she has innumerable tools that can help get it. No platform can hold up against that, he explained.

But when it comes to broader mass surveillance, Ford said Blackphone can step in and offer more protection. "This is where our commitment is: If there is a vulnerability that was disclosed publicly, we will fix it in less than 72 hours,” he said. “We have done so every time. That is our goal … the last time, it took only 6 hours.”

"Samsung had two critical vulnerabilities that were released two weeks ago,” he added, calling out one of his archrivals in the enterprise market, albeit for a vulnerability in its TV business. Still, he couldn't resist poking at Samsung's overall attitude toward security: "They have not even started to address it,” he said.
http://readwrite.com/2015/03/05/blac...mwc-spin-hacks





Documents Reveal New Zealand's Pacific Spy Role
Rob O'Neill

Summary: New Zealand's Government Communications Security Bureau has targeted the entire communications of nearly two dozen countries, new documents from NSA whistleblower Edward Snowden suggest.

New Zealand spy agency the Government Communications Security Bureau (GCSB) has collected the entire email, phone, and social media communications of its close Pacific neighbours, new revelations from NSA whistleblower Edward Snowden suggest.

The communications, from nearly two dozen countries, were reportedly harvested and shared with the US National Security Agency (NSA), helping flesh out that agency's global spying agenda.

The GCSB was focusing on what is referred to as "full take" collection, allowing the NSA to use its XKeyscore search engine to trawl the communications content and metadata for intelligence.

The latest reports, which reveal an escalation in New Zealand's Pacific spying role since 2009, are the product of cooperative reporting by journalist Nicky Hager from The New Zealand Herald and Glenn Greenwald's website The Intercept.

The spying activity reportedly centred around a spy base at the top of the South Island at Waihopai. The New Zealand Herald reported a British intelligence document as saying:

"GCSB have given us access to their XKS [XKeyscore] deployments at Ironsand [Waihopai], a GCSB comsat [communications satellite] site which is rich in data for the South-Pacific region. Specifically, we can access both strong selected data and full-take feed from this site."

Earlier reports suggested that two New Zealand Sunday newspapers were also involved in the reporting, meaning further revelations are likely.

However, if New Zealand has been spying on some of its closest friends -- countries such as Tonga and Samoa that do not pose a security threat -- then the government has some explaining to do.

One motivation for the so-called "Five Eyes" spying alliance to target the Pacific could be that China has been steadily building its presence in the region.

The reports further suggest that the communications of government agencies, ministers, officials, and international organisations in the region fall into the dragnet.

On Wednesday, New Zealand's prime minister attempted to pre-empt fallout from the anticipated reports.

John Key said the fact that New Zealand agencies gather intelligence is obvious, and that New Zealanders expect them to in the interests of security.

He advised New Zealanders not to believe Hager.

"Last time he came out with all this stuff, he was categorically wrong. He'll be wrong this time as well, because information changes, we review things all the time, different actions are taken," he said.

Key said he isn't going to go into detail, but such intelligence information has been gathered over successive governments and "for really, really good reasons".

"We don't do that loosely or randomly, and actually, those situations change dramatically."

Last September, Greenwald travelled to New Zealand to headline a pre-election event dubbed the "Moment of Truth" alongside Kim Dotcom; however, the attacks on the New Zealand government's spying programs largely misfired.

Instead of mass surveillance, Dotcom's failure to produce evidence to support his claims that the prime minister had lied and colluded with Hollywood to get him extradited to the US dominated media attention.

Greenwald accused the government of implementing a plan to intercept New Zealanders' communications.

Top-secret documents appeared to show that the GCSB and NSA cooperated to implement Phase I of the surveillance program code named "Speargun", involving the installation of cable access equipment into the Southern Cross Cable, New Zealand's main cyberlink to the rest of the world.

Phase II of Speargun was to involve the insertion of metadata probes into those cables, a report on The Intercept said.

In response, Key has declassified documents to show, he said, that no such mass surveillance program was ever launched. He said Speargun had been aborted and replaced with a cybersecurity system called Project Cortex.

"Claims have been made tonight that are simply wrong, and that is because they are based on incomplete information," Key said.
http://www.zdnet.com/article/documen...ific-spy-role/





Tony Abbott Puts Pressure on Labor to Pass Mandatory Data Retention Laws
Daniel Hurst

Martin Place siege shows that law enforcement needs stronger measures to tackle the threat of terrorism, prime minister says.

Warrantless metadata requests and information handed over to authorities are currently required to be reported by telecommunications companies, but that will no longer be required under the new bill.

AFP chief Andrew Colvin says police are working closely with the telecoms industry to decide what data should be retained.


Tony Abbott has sought to put pressure on the Labor opposition to pass mandatory data retention laws swiftly, but conceded the cost and technical details were still not finalised.

The prime minister visited the Australian Federal Police (AFP) headquarters in Melbourne on Thursday to campaign for the proposal to store people’s phone and email records, three weeks before a bipartisan committee examining the legislation is due to complete its report.

“I hope it’s a unanimous report and then let’s get this legislation dealt with as quickly as we can,” he said during a media conference alongside the AFP commissioner Andrew Colvin.

“I believe that in the wake of the attack on the policemen here in Victoria, in the wake of the Martin Place siege, in the wake of the Charlie Hebdo atrocity, the public want protection, and this gives the public the protection they have a right to expect.”

Labor said it would not rush parliamentary scrutiny, while the Greens accused Abbott of invoking national security in a desperate attempt to save his embattled leadership.

“This is, I think, breathtakingly cynical action by the prime minister to salvage the dying days of his leadership by standing in front of an AFP banner to try to pretend that he can make the community safer,” the Greens senator Scott Ludlam said.

The government wants to require internet service providers (ISPs) and telcos to store customers’ phone records and communication activity such as email recipients for two years, arguing that access to such information is critical to law enforcement.

But the joint parliamentary committee on intelligence and security – which is due to report to parliament on 27 February – has been told government officials were yet to establish an accurate estimate of the full cost of implementing the scheme.

And Colvin said police were “working with industry very closely at the moment” on exactly which data would be included in the scheme.

The AFP chief said he did not want his officers to have to rely on luck when carrying out investigations – a reference to the current practice of companies storing customer data based on business needs rather than working to a national standard.

Abbott has told the opposition leader, Bill Shorten, the government wants parliamentary debate to begin in the lower house on 2 March and for the bill to pass both houses in mid-March.

After being briefed about metadata during his visit to AFP offices on Thursday, Abbott conducted a joint media conference and stressed the need for the “absolutely vital” legislation to pass the parliament “as quickly as is humanly possible”.

But he said the government was still working with the telecommunications sector on the cost of implementing the scheme – to which the government has offered to contribute.

“Even if the costs are in the order of a couple of hundred million, you’ve got to remember that this is a $40bn plus sector,” Abbott said. “So, the costs involved are comparatively modest and, obviously, we the government are prepared to work with the sector to ensure that we bear our fair share of the costs as well.”

Shorten said Labor had worked with the Coalition on national security issues, but would not serve the public interest “by rushing laws through the parliament” without adequate scrutiny.

“The great thing about our parliament which has served Australia’s interests well for over a century, a federation, is that you have parliamentary committees which examine draft legislation for all the pros and cons,” the opposition leader said.

“That process is underway. The government know this. The government have got members on the committee. The government agreed to this committee process. Just because the government is having its internal political upheavals and focused on themselves, is not a reason to throw our parliamentary system overboard.”

Ludlam said questions remained about the coverage and effectiveness of the proposed scheme, and it was not clear whether the costs would be known before the legislation was debated.

He said the prime minister was “effectively blackmailing” Labor and the crossbenchers to agree to a proposal that had not faced adequate scrutiny.

Ludlam drew a distinction between targeted surveillance and mass surveillance, noting that the gunmen involved in the Sydney siege and the Paris attacks had already been known to security authorities.

In a letter to Shorten, dated 22 January, Abbott called for continued bipartisanship and said police and security agencies had advised him “that metadata and related telecommunications information played an important role in the response to the Lindt Cafe siege and has been integral to the investigation following the recent terrorist attacks in France”.
http://www.theguardian.com/technolog...retention-laws





Bill Shorten Slams Tony Abbott for Politicising Metadata Retention Laws
Ben Grubb

Bill Shorten says he is disappointed with the way the Abbott government has sought to politicise debate about national security and data retention legislation, hinting that Labor's bipartisan approach to national security laws could be at risk.

The Opposition Leader has written to Prime Minister Tony Abbott, urging the government to take into account a number of "significant" concerns relating to the data retention bill that have been brought to the attention of a parliamentary committee examining it.

Among the concerns are press freedom, the cost of the scheme and exactly what data will be stored under it.

The letter, obtained by Fairfax Media, comes despite reports last week that Labor would "roll over" and support the bill as long as there were amendments in it that protected whistleblowers and journalists.

If passed in its current form, the bill would require Australian internet and phone companies, such as Telstra, Optus, Vodafone and iiNet, to store for two years customer "metadata" for warrantless access by law-enforcement and intelligence agencies to fight crime and terrorism.

Data retained about phone calls under the scheme would include who you have called, who has called you, the start and finish time of the call, and the duration – but not the contents. The IP address allocated to your internet connection would also be stored so that agencies can trace back those who breach laws online.

Civil liberties and privacy groups have largely said that the scheme is not needed and would amount to mass surveillance on the population. Meanwhile, law-enforcement and intelligence agencies say access to metadata is "crucial" and that they will go blind without data retention.

While telcos are not presently required to store metadata, they are required to hand over to authorised agencies that request it any metadata they have, without any judicial oversight. In the last financial year, metadata was disclosed more than half a million times.

"I am disappointed that recent media briefing has sought to politicise the development and consideration of anti-terrorism legislation," Mr Shorten wrote to Mr Abbott in a letter dated February 9.

"This is at odds with a responsible and bipartisan approach to such important issues."

Mr Shorten's letter to Mr Abbott follows one sent by the Prime Minister to Mr Shorten, subsequently leaked to The Australian, in an apparent attempt to put pressure on Labor to pass the third tranche of national security laws in an expedited timeframe.

Mr Abbott's letter, dated January 22, urged Labor to support the data retention bill and requested that it be passed by Parliament no later than March 26, which is just 38 days away.

In his letter, Mr Abbott spoke of how he had "reluctantly" agreed to delay introducing the legislation for debate until after the powerful Parliamentary Joint Committee on Intelligence and Security (PJCIS) reported on the new laws on February 27.

But Mr Shorten said a number of issues remained that required considered parliamentary oversight.

"In the hundreds of submissions received by the PJCIS, and at the public hearings of the committee, a number of significant matters and concerns regarding the bill have been brought to the attention of the committee," Mr Shorten wrote.

PJCIS committee members are currently debating what recommendations, if any, to include in their report to government. If the Coalition-dominated committee can't agree on unanimous recommendations, there could be a dissenting minority report from Labor.

The PJCIS hasn't had a dissenting minority report since at least 2006, when it was reviewing the listing of the Kurdistan Workers Party (PKK) as a terrorist organisation.

Costs

Among the issues with the data retention scheme, Mr Shorten outlined in his letter how the costs of it were still unknown. Also unknown was how much money the government was willing to pour into it and how much money the industry would have to bear as well as the Australian public if costs were passed on.

"Although the costs of the scheme to individual service providers may be commercial in confidence, no such claim can be made about the aggregate cost of the scheme to the Australian community," Mr Shorten wrote.

In October last year, the Attorney-General's Department commissioned Pricewaterhouse Coopers to estimate the total cost of setting up a data retention scheme. To date, the government has argued that it can't be released because it relates to cabinet deliberations and contains confidential information.

Despite this, Fairfax Media understands the government is considering releasing the aggregate figure soon. It's understood it will say the costs will be anywhere between $100 million and $300 million.

Mr Shorten said the bill should not be debated until costs were made public.

"It would be unreasonable to expect Parliament to debate the bill without senators and members being aware of the cost of the legislation to the Australian taxpayer and the impact on industry," Mr Shorten wrote.

Communications Minister Malcolm Turnbull has previously stated that the government expected "to make a substantial contribution to both the cost of implementation and the operation of this scheme", but has not put a number on the exact figure.

Mr Turnbull introduced the bill into Parliament last year after he appeared to take over public commentary of it from Attorney-General George Brandis following the attorney's disastrous explanation of metadata.

Press freedom

Mr Shorten also expressed concern in his letter about the lack of protection for journalists when it came to having their phone records and internet data accessed during leak investigations.

While noting a joint submission provided to the PJCIS on behalf of a number of media organisations including Fairfax Media, Mr Shorten said concerns about the erosion of press freedom should "ideally be addressed in this bill to avoid the need for additional amendments or procedures to be put in place in the future".

The media organisations' submission outlined concerns that the bill did not include sufficient checks and as a consequence may erode freedom of the press, Mr Shorten said.

Final data set

Mr Shorten also said the government should "immediately" release the data set so that the PJCIS, telcos and the general public were aware of what data would be stored under the regime.

Although the government has released what it calls a draft data set, it has not been finalised.

Mr Shorten also raised objections previously brought up in public PJCIS hearings, which noted that the data set could be changed at any time because it is part of the "regulations" of the bill, which can be changed by the attorney-general of the day without parliamentary oversight.

"The bill proposes that the data set be defined by regulation, however other submitters have argued strongly that as a matter of transparency and accountability the data set should be included in the bill itself," Mr Shorten said. "This will be a further important matter for the PJCIS to consider."
http://www.smh.com.au/digital-life/d...16-13ftkm.html





Police Could Charge a Data Center in the Largest Child Porn Bust Ever
Justin Ling and Matthew Braga

It could be the largest child porn investigation ever conducted.

Canadian police say they’ve uncovered a massive online file sharing network for exploitative material that could involve up to 7,500 users in nearly 100 countries worldwide.

But unlike past investigations into the distribution of child porn, which typically involve targeting suspects individually, police have instead seized over 1.2 petabytes of data—more than four times the amount of data in the US Library of Congress—from a data center responsible for storing the material, and may even attempt to lay criminal charges against its operators, too.

“What we are alleging is occurring is that there are individuals and organizations that are profiting from the storage and the exchange of child sexual exploitation material,” Scott Tod, Deputy Commissioner of the Ontario Provincial Police (OPP), told Motherboard at a conference late last month, after speaking to a crowd of defence specialists. “They store it and they provide a secure website that you can log into, much like people do with illegal online gaming sites.”

According to Tod, targeting data centers and their corporate directors is an “innovative” method that police are considering in the fight to end the sharing of child porn—but charges will likely hinge on the degree to which employees knew such activity was taking place.

“There's no proactive obligation to investigate what happens on your service," said Tamir Israel, a staff lawyer at the Canadian Internet Policy & Public Interest Clinic (CIPPIC). “If you do become aware that something is there, there's a reporting obligation. But usually data centers aren't actively looking through their stuff, so it's reasonable to say that they wouldn't have come across that."

Unsurprisingly, many specifics of the ongoing investigation—including names of the companies involved—remain unclear.

What we do know is that police traced users trading child sexual exploitative material online to a file sharing service, which was hosted by an Ontario company with millions of dollars in profits. Police then proceeded to seize over 1.2 petabytes of data—about 1,200 terabytes, or just under one million gigabytes. The volume of information is so expansive that in order to store and analyze the data safely and securely, police had to purchase storage hardware similar to what was used by Canadian military forces in Afghanistan. To access the files, many of which are password protected, the cops developed password-cracking software in-house that is slowly sifting through the mountain of information.

The case is still in its early stages, and it’s too soon for police to know how many people, or even who, will be charged. But if Tod’s operation is ultimately a success, it could set a new precedent for how police go after those who share child pornography, and the companies that enable its distribution.

“This is the first investigation of this scale, to my knowledge—in North America, if not worldwide,” Tod said.

A new approach

Experts say that targeting the infrastructure used to distribute child pornography, rather than going after the individuals who download it, is a recent change in tactics for police.

"What I've traditionally seen is very targeted investigations," said Hanni Fakhoury, senior staff attorney at the Electronic Frontier Foundation, and a former US federal public defender who has represented people in similar cases. "Agents will go undercover on some peer to peer site and see files that are available for sharing, and they'll engage a person and trade photos with them. Or they'll see that the person is sharing child pornography files and take investigative steps to uncover that specific individual and arrest them. That's very common, that's bread and butter how these sorts of cases are done."

“What is new is this approach that says, you know what, there's a web hosting server out there that hosts a lot of child porn. It also hosts other stuff that we're not interested in, but it hosts a lot of child porn, so we're going to take down that whole host,” Fakhoury said.

It’s unclear, at this point, which data center police targeted—except that, according to Tod, it netted $18 million dollars in revenue over a three-month period during which police had been keeping track. While Tod said that the company’s profits aren’t all from illicit material, their servers contained 1.25 petabytes of data that interested police, much of which they believe is child pornography.

For the sake of comparison, data hosting giant Rapidshare claimed to host 10 petabytes of data as of 2009. When it closed in 2012, Megaupload was said to have 28 petabytes in data in storage. In 2013, the entirety of Facebook consisted of 250 petabytes.

Meanwhile, Project Spade, a previous child pornography investigation that spanned Canada, Australia, Germany and the US, included 350 arrests and 45 terabytes of data seized. Operation Delego arrested 52 people internationally for distributing 142 terabytes of child pornography.

This case appears set to blow previous investigations out of the water.

"It could be that there are [petabytes] of child pornography images, but that is a lot. But more likely it's some of that and a bunch of other stuff mixed in. But it's hard to know,” said Israel.

Tod said that the data they’ve seized contains roughly 1.5 million compressed folders, or RAR files. Some of those files contain child pornography, but police don’t yet know how much. The information was copied from hard drives seized by the police—and many, if not all, of those RAR files were password protected.

The OPP has even developed custom password-cracking software in-house to assist in gaining access to the files, which Tod said can cycle through 500,000 possibilities per second. “I don’t know if that’s good or bad,” he confessed to the military crowd. "[But] I don't think that our technology is any more significant ... or different from what our security partners use."

“Volumes that we've never seen before”

In recent years, child pornographers have gone to great lengths to evade capture. Some have taken to the anonymized confines of the darknet to shield themselves. Motherboard reported in January on the increasingly complex means through which the pornographers hide their craft behind the encryption provided by the Tor network.

Nevertheless, Ontario police managed to identify 7,500 unique IP addresses from nearly 100 countries from the data seized. To date, they’ve identified 2,200 American users, 843 from Germany, 534 in Japan, 457 within Russia, 394 in Canada, 380 in the United Kingdom, and 374 inside France.

"That's huge,” Fakhoury said. “I'm used to seeing cases where they go after one person, or 40, 50, 100 people, but 7,500 people is staggering. So they better have really compelling proof that those 7,500 people were visiting the hosting site to access child porn."

Tod says he's unsure of how many could actually face charges.

"We're not making any assumptions of how many are actually criminally guilty at this time, or criminally responsible. But we're certainly a size of information that's being traded that we know is illegal material of volumes that we've never seen before,” Tod said.

Ontario police are working alongside the US Department of Homeland Security, and expect to involve other police forces worldwide. US law enforcement officials declined to comment for this story.

Tod said that while the investigation began in Ontario, there are now components in five other locations worldwide.

David Fraser, a lawyer and digital privacy expert at the Halifax, Nova Scotia firm McInnes Cooper, said he’s never heard of an investigation of this magnitude and scope, but that it doesn’t necessarily imply a privacy concern. “As long as they follow the proper procedures, I would hope that they would be able to take it down and prosecute anybody involved in this significant crime,” he said.

That means that the OPP will need specific warrants to analyze and use most of the information contained within the hard drives seized. Under Canadian law, police do not have carte blanche to search and use every piece of data on a hard drive merely because it is in their physical possession, and will need to tread carefully to avoid charges of running an unlawful search.

“Is this overkill? And what percentage of the data they seized is actually contraband child porn? And what percentage of it contains totally legitimate stuff?” asked Fakhoury. “If you're receiving so much stuff that you need military grade equipment to sift through it and sort through it maybe you're receiving too much stuff."

And prosecuting those who were in possession of the hard drives—likely, the owner of the data centre—may well spark debate over whether or not it is reasonable to hold those who house data liable for what their customers put on those servers, too.

“Legitimate businesses operating in Canada have the right to assume that their customers are acting lawfully unless they have strong reason to believe otherwise,” said Fraser. “Even then that does not make them complicit in their customers' activities.”
http://motherboard.vice.com/read/pol...porn-bust-ever





Revenge Porn Boss Wants Google to Remove His “Identity Related” Info

Craig Brittain wants links to stories of FTC dinging his site wiped from search.
David Kravets

What do you do if you're a revenge porn site operator and the Federal Trade Commission has barred you from publishing nude images of people without their consent?

You demand that Google remove from its search engine links to news accounts about the FTC's action and other related stories, citing "unauthorized use of photos of me and other related information."

Craig Brittain—the former operator of revenge porn site IsAnybodyDown.com—is invoking the Digital Millennium Copyright Act (DMCA) in a bid to remove 23 links in all—an irony-filled DMCA takedown request that Google is ignoring. One of the links renders the FTC's press release in January about its enforcement against Brittain. Another is a link to Ars' story about the FTC's move: "Sleazy 'revenge porn' site is banished to settle federal charges."

In addition to claims that the links contain "unauthorized" information about him, Brittain asserts "unauthorized use of statements and identity related information. Unauthorized copying of excerpts from isanybodydown.com. Using photos which are not 'fair use.'"

The DMCA requires Internet companies like Google to remove links to infringing content at a rights holder's request or face legal liability. In this instance, fair use and general First Amendment principles are on Google's and the media's side.

Brittain's takedown requests likely wouldn't even qualify for removal in Europe under the "right to be forgotten" ruling from the European High court in May. The decision requires search engines to take down "inadequate, irrelevant, or no longer relevant” materials from search results upon request by EU citizens.

The FTC complaint against Brittain alleged that "he used deception to acquire and post intimate images of women, then referred them to another website he controlled, where they were told they could have the pictures removed if they paid hundreds of dollars."

Brittain did not immediately respond to a request for comment.
http://arstechnica.com/tech-policy/2...-related-info/





Pharming Attack Targets Home Router DNS Settings
Michael Mimoso

Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings.

Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email.

Researchers at Kaspersky Lab have been watching this trend for some time, reporting in September on a particular campaign in Brazil targeting home routers using a combination of drive-by downloads and social engineering to steal banking and other credentials to sensitive web-based services.

Messaging security company Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies, Oi, also known recently as Telemar Norte Leste S/A.

Users were sent a phishing email warning them of a past-due account and providing them a link supposedly to a portal where they could resolve the issue. Instead, the websites host code that carries out a cross-site request forgery attack against vulnerabilities in home UTStarcom and TP-Link routers distributed by the telco.

The pages contain iframes with JavaScript exploiting the CSRF vulnerabilities if present on the routers. They also try to brute force the admin page for the router using known default username-password combinations. Once the attackers have access to the router, they’re able to change the primary DNS setting to the attacker-controlled site, and the secondary setting to Google’s public DNS.

“Setting a functioning DNS server as the secondary will allow DNS requests from clients in this network to resolve even if the malicious DNS becomes unavailable, reducing the chance that the user will notice an issue and contact their telecom’s Customer Support line for assistance, which could lead to the discovery and eventual removal of the compromise,” Proofpoint said in its advisory.

Via this method, the attacker bypasses the need to own public DNS servers in order to redirect traffic, and has an easier path to man-in-the-middle attacks, which can be used to sniff traffic, in this case for banking credentials, or email.

“It’s elegantly vicious,” said Kevin Epstein, vice president, advanced security and governance at Proofpoint. “It’s an attack that, based on the way it’s constructed, is almost invisible. There are no traces on the laptop other than the [phishing] email and unless you’re a security pro logged into the router and know what the DNS is supposed to be, you can look at it and not realize it’s been compromised.”

The best defense is to change the router password, especially if it’s still the default provided by the ISP.

The potential for trouble extends well beyond this small campaign in Brazil; any router secured with default credentials is susceptible to this attack and a plethora of others. Kaspersky researcher Fabio Assolini, who lives in Brazil, said he’s seeing an average of four new such attacks daily.

“It’s not a limited pharming campaign; it’s massive,” he said.

Router hacks have been a growing nuisance in the last 12 to 18 months, with more white hat researchers looking into the breadth and severity of the issue. Some cases, such as the Misfortune Cookie vulnerability in a popular embedded webserver called RomPager, have put 12 million devices, including home routers, at risk of attack. Last summer during DEF CON, a hacking contest called SOHOpelessly Broken focusing on router vulnerabilities yielded 15 zero-day vulnerabilities that were reported to vendors and patched.

While in this case, the attackers targeted banking credentials for online accounts, Proofpoint’s Epstein said he can see that scope expanding.

“As far as motive, the [proof of concept exploits] we saw seem financially motivated, which is typical of most cybercrime, but the technique is generally applicable,” he said. “If you wanted to harvest a bunch of traffic for a DDOS attack or get into a company, this is a way to do it and gain complete man-in-the-middle control over the user.”
http://threatpost.com/pharming-attac...ettings/111326
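The resolver layout Proofpoint describes (an unknown primary with Google's public DNS as the fallback secondary) is something an operator can check for directly. The script below is an added example, not code from the Threatpost article or from Proofpoint: it parses a resolv.conf-style resolver list, as copied from a router's admin page or a client, and grades it against the ISP's known resolvers. The function names, the public-resolver list and every sample address are this example's own assumptions, constructed for illustration.

```python
"""Audit a router's upstream DNS configuration for the pharming layout
described above: primary replaced with an attacker-controlled address,
secondary left on a well-known public resolver so lookups keep working.
Added example; all names and addresses below are constructed assumptions."""
import ipaddress
from typing import Iterable, List, Tuple

# Public resolvers an attacker can use as a "safety net" secondary.  Google's
# 8.8.8.8 is the one named in the article; the rest are other widely used
# public services (this list is an assumption of the example, not exhaustive).
KNOWN_PUBLIC_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                 # Google Public DNS
    "1.1.1.1", "1.0.0.1",                 # Cloudflare
    "9.9.9.9", "149.112.112.112",         # Quad9
    "208.67.222.222", "208.67.220.220",   # OpenDNS
}

# Addresses a home router legitimately hands out as resolver: itself (RFC 1918)
# or loopback.  Listed explicitly rather than via is_private, so documentation
# ranges used in the samples below are not silently treated as LAN space.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses, in order, from resolv.conf-style text.
    Anything after '#' on a line is treated as a comment."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(addr: str, expected: Iterable[str]) -> str:
    """Label one resolver: expected, lan, public, unknown or invalid."""
    if addr in set(expected):
        return "expected"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    if addr in KNOWN_PUBLIC_RESOLVERS:
        return "public"
    return "unknown"


def audit_resolvers(servers: List[str], expected: Iterable[str]) -> Tuple[str, List[str]]:
    """Grade an ordered resolver list against the ISP's known resolvers.

    Verdicts, worst to best:
      hijack-pattern  primary is an unknown address and a later entry is a
                      known public resolver (the exact layout in the advisory)
      suspicious      an unknown or unparseable resolver is present, or none at all
      changed         only known addresses, but a public resolver replaced an ISP one
      ok              every entry is an ISP resolver or a LAN/loopback address
    """
    if not servers:
        return "suspicious", ["no resolvers configured"]
    labels = [classify(s, expected) for s in servers]
    findings = [f"{s}: {label}" for s, label in zip(servers, labels)]
    if labels[0] == "unknown" and "public" in labels[1:]:
        return "hijack-pattern", findings
    if any(label in ("unknown", "invalid") for label in labels):
        return "suspicious", findings
    if "public" in labels:
        return "changed", findings
    return "ok", findings


# Constructed sample data (RFC 5737 documentation ranges, not real servers).
EXPECTED_ISP_RESOLVERS = {"198.51.100.53", "198.51.100.54"}

CLEAN_CONFIG = """\
# constructed sample: router still pointing at the ISP's resolvers
nameserver 198.51.100.53
nameserver 198.51.100.54
"""

HIJACKED_CONFIG = """\
nameserver 203.0.113.7   # constructed stand-in for an attacker-controlled address
nameserver 8.8.8.8       # legitimate public fallback that hides the change
"""

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("hijacked", HIJACKED_CONFIG)):
        verdict, findings = audit_resolvers(parse_resolv_conf(cfg), EXPECTED_ISP_RESOLVERS)
        print(f"{name}: {verdict}")
        for line in findings:
            print("   ", line)
```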





uTorrent Silently Installing Bundled Bitcoin Mining Software
Sean Keach

BitTorrent client uTorrent has come under fire from users after it emerged the software’s latest update comes bundled with Bitcoin mining software.

The piece of software, named Epic Scale, is a Bitcoin miner that purports to use your ‘unused processing power to change the world.’

According to one user, the software is ‘easily noticeable by the increased CPU load when the computer is idle.’

Unfortunately, the problem lies in the fact that users say they weren’t asked whether they wanted the software to be installed, although it must be noted that the uTorrent team flatly denies that silent installs have occurred.

UPDATE: Since this story broke we've dug a little deeper into the installation process and story behind Epic Scale. Read: Epic Scale and uTorrent: Bitcoin mining 'riskware' investigated

A thread on the uTorrent forums by user ‘Groundrunner’ says: “There was no information about this during installation and I did opt out of your other bundled software.”

The issue specifically relates to uTorrent version 3.4.2 build 28913 (32-bit), which is the company’s most recent update.

Another user, dubbed ‘Adrenelized’, said there was ‘never a warning about it’, despite installing uTorrent completely fresh to his or her system.

uTorrent's forum is now inaccessible citing "This account has been suspended". This could be down to the excessive traffic following the Epic Scale news.

A senior manager for customer support at uTorrent did reply to the thread, explaining that it designs its software to ensure partner software downloads ‘don’t occur without approval by the user’.

“Epic Scale is a great partner for us to continue to generate revenue for the company, while contributing funds to good causes,” wrote the uTorrent employee.

“Feel free to delete this folder. You certainly won’t see any persistent auto-reinstalls of the software, it will be gone from your machine for good.”

This may not be the case however. Several users have said that the program does not uninstall completely via Add/Remove Programs, nor by removing the ProgramData\Epicscale folder.

Epic Scale is currently a cryptocurrency miner, but it has future plans to also contribute CPU cycles to other initiatives like Genome mapping.

It’s an ill-timed addition to uTorrent as bundled software however, as laptop manufacturer Lenovo was recently lambasted for its own user-unapproved software bundle of the Superfish program that left user data vulnerable to attack.

Update:

We asked BitTorrent Inc., the company that created uTorrent, for a comment on the matter. Here is the response:

"Like many software companies, we have partner offers in our install path and our policy is that they are strictly optional. We aim to work with partners that would appeal to our tech-forward user base. This is the case with Epic Scale, they are lite-coin based and charity focused. They have a great story and you should consider doing a post on what they are trying to achieve.

In terms of user complaints in our forums, we always take these claims seriously. We highly value our users, they are a passionate and tech savvy group. In the last 24 hours we have received less than a dozen inquiries out of several million offers.

We have reviewed the issue closely and can confirm there is no silent install happening. We are continuing to look at the issue. But this is most likely these users accepted the offer during install."

Update #2:

As BitTorrent has suggested that the complaining users are mistaken, we asked BitTorrent whether it could do more to improve transparency in the uTorrent installation process. This was the response:

"As with any such offer from any software vendor there is a clear "Accept" and "Do Not Accept" button on this offer."

Giving BitTorrent the benefit of the doubt, there are three clear scenarios that could have caused this situation. Either the users are collectively mistaken; there is a lack of transparency in the software installation, leading to confusion amongst users; or there is a software fault whereby users are experiencing issues not otherwise intended by BitTorrent.
http://www.trustedreviews.com/news/u...ining-software





Chrome is Blocking uTorrent as Malicious, Harmful Software
Brandon Morgan

Google Chrome is one of the most popular web browsers available for free these days, though it has an unfortunate side effect for some people recently. According to a recent report on TorrentFreak, the web browser is blocking downloads from the popular download client uTorrent. Anyone who attempts to download the software will receive an error saying the software is malicious and harmful. This led many to believe the website was hacked, which has happened in the past, but no one can confirm whether this is the case or not.

There are millions of new downloads each month for uTorrent, making it the most used BitTorrent client available. That fact makes this information worth noting, as hundreds, if not thousands, of new installs were blocked by Google Chrome recently. The web browser simply warned the user that it was malicious and being blocked. No further explanation was given, though it generally isn’t in cases such as this. Chrome believed it to be a risk to the client, though.

The version of uTorrent being blocked was the most stable release from the software company, which makes this even more odd. Chrome offers the option for users to restore the file, but not without offering yet another warning as to the potential malicious nature of the download in question. The browser is convinced this software is harmful. Be warned, however: that could be the case, though it may not be.

The first reports flooded in in late January for the latest stable release. The website managed to scan the software with more than 50 of the most popular antivirus software available, but found no active threats within the download itself. According to Google’s safe browsing diagnostic page, however, uTorrent was involved in a malware distribution issue in previous months, though no details as to what this malware was had been given.

This is not the first time uTorrent has been blocked by Chrome, unfortunately. The same thing happened late last year when a malware blocking feature was in beta on the web browser. BitTorrent managed to resolve this issue quite quickly, but it is unclear whether the most recent blockade will be fixed as fast.
http://www.jbgnews.com/2015/02/chrom...re/270503.html





Genetic Data Tools Reveal How Pop Music Evolved In The US
…and show that The Beatles didn’t start the 1964 American music revolution after all

The history of pop music is rich in details, anecdotes, folk lore. And controversy. There is no shortage of debate over questions about the origin and influence of particular bands and musical styles.

But despite the keen interest in the evolution of pop music, there is little to back up most claims in the form of hard analytical evidence.

Today that changes thanks to the work of Matthias Mauch at Queen Mary University of London and a few pals who have used the number crunching techniques developed to understand genomic data to study the evolution of American pop music. These guys say they have found an objective way to categorise musical styles and to measure the way these styles change in popularity over time.

The team started with the complete list of US chart topping songs in the form of the US Billboard Hot 100 from 1960 to 2010. To analyse the music itself, they used 30-second segments of more than 80 per cent of these singles — a total of more than 17,000 songs.

They then analysed each segment for harmonic features such as chord changes and for the quality of timbre, whether guitar or piano or orchestra based, for example. In total, they rated each song in one of 8 different harmonic categories and one of 8 different timbre categories.

Mauch and co assumed that the specific combination of harmonic and timbre qualities determines the genre of music, whether rock, rap, country and so on. However, the standard definitions of music genres also capture non-musical features such as the age and ethnicity of the performers, as in classic rock or Korean pop and so on.

So the team used an algorithmic technique for finding clusters within networks of data to find objective categories of musical genre that depend only on the musical qualities. This technique threw up 13 separate styles of music.

An interesting question is what these styles represent. To find out, the team analysed the tags associated with each song on the Last-FM music discovery service. Using a technique from bioinformatics called enrichment analysis, they searched for tags that were more commonly associated with songs in each music style and then assumed that these gave a sense of the musical genres involved.

For example, they found that style 1 was associated with soul tags, style 2 with hip hop, style 3 with country music and easy listening, style 4 with jazz and blues and so on.

Finally, they plotted the popularity of each style over time.

The results make for fascinating reading. They found that the frequency of style 4 (jazz, blues etc) declined from 1960 onwards. Styles 5 and 13, which relate to rock music, fluctuate throughout this time. And style 2 (rap) is rare before 1980 but expands rapidly after that and becomes the dominant genre for the next 30 years before declining in the late 2000s.

The data allows them to settle some long standing debates among connoisseurs of popular music. One question is whether various practices in the music industry have led to a decline in the cultural variety of new music.

To study this issue, Mauch and co developed several measures of diversity and tracked how they changed over time. “We found that although all four evolve, two — diversity and disparity — show the most striking changes, both declining to a minimum around 1984, but then rebounding and increasing to a maximum in the early 2000s,” they say. Beyond that, their conclusion was clear. “We find no evidence for the progressive homogenisation of music in the charts,” they say.

Instead, they say that the evolution of music between 1960 and 2010 was largely constant but punctuated by periods of rapid change. “We identified three revolutions: a major one around 1991 and two smaller ones around 1964 and 1983,” they say.

The characters of these revolutions were all different with the 1964 revolution being the most complex. This consisted of an increase in popularity of styles 1, 5, 8, 12 and 13 which were enriched at the time for soul and rock-related tags. At the same time, styles 3 and 6 declined, enriched for tags such as doowop.

The 1983 revolution is associated with an increase in popularity of songs with tags such as new wave, disco and hard rock and a decline in soft rock and country tags.

The 1991 revolution is associated with the rise of rap-related tags.

Another question hotly debated by music commentators is how British bands such as the Beatles and The Rolling Stones influenced the American music scene in the early 1960s. Mauch and co are emphatic in their conclusion. “The British did not start the American revolution of 1964,” they say.

The team say the data clearly shows the revolution underway before The Beatles arrived in the States in 1964. However, British bands certainly rode the wave and played an important part in the way the revolution occurred.

That’s fascinating work. Because musicians copy, repeat and modify song styles they like, this leads to a clear pattern of evolution over time. So it should come as no surprise that techniques developed for the analysis of genetic data should work on music data as well. “The selective forces acting upon new songs are at least partly captured by their rise and fall through the ranks of the charts,” they say.

And there is much work to be done. Mauch and co point out that these number crunching techniques are quite general and so could be widely applied to cultural phenomena, provided the data is available.

For the moment, they have their sights set on further music analysis. Their next task is to gather data going further back in time. “We are interested in extending the temporal range of our sample to at least the 1940s — if only to see whether 1955 was, as many have claimed, the birth date of Rock’n’Roll,” they say.

Worth waiting to find out!
https://medium.com/the-physics-arxiv...s-48ad60bf495b





Why Audiophiles Are Paying $1,000 for This Man’s Vinyl
Rene Chun

How much would you pay for an original copy of The Beatles’ Abbey Road? If you shop at Better Records, the answer is plenty: $650. Other staples from the heyday of vinyl command equally astronomical prices. Fleetwood Mac’s eponymous LP: $500. The Police’s Synchronicity: $350. Even kitsch like The B-52s is a sticker shocker at $220.

And that’s the cheap stuff. Prices for wish list titles like The Who’s Tommy, Pink Floyd’s The Wall, and The Beatles’ White Album would make a military contractor blush: $1,000.

Price gouging? Not according to Better Records owner Tom Port. He thinks a thousand bucks is a bargain to hear a classic rock opus sound better than you’ve ever heard it sound before—stoned or sober.

“I’d like to charge $1,500, because that’s what I think these records are worth,” he says. “But I don’t, because the customers balk.”

This is what passes for fiscal restraint in the world of high-end audio: drawing the line at three figures for mass-produced records that sold in the millions, the same dorm room relics easily found in milk crates at tag sales. But Port insists that his meticulously curated discs are special. Unlike many record dealers, he doesn’t peddle the usual dreck pocked with scratches and pot resin. He traffics strictly in “hot stampers,” the very best of the best.

Hundreds of factors determine what a vintage record will sound like, from the chain of ownership and whether it’s been properly stored to the purity of the vinyl stock and the quality of the equipment that produced it. One factor many serious record collectors fixate on is the quality of the stampers, the grooved metal plates used to press a lump of hot vinyl into a record album. Like any metal die, these molds have a finite lifespan. The accumulation of scratches, flaws, and other damage resulting from the tremendous mechanical stress a stamper is subjected to—100 tons of pressure during a production run—leads to a gradual loss of audio fidelity in the finished records. To ensure the best sound quality, some boutique companies that press heavy vinyl today limit their stampers to 1,000 pressings. In contrast, during the peak of the vinyl boom, major labels churned out as many as 10,000 copies on a single stamper. It’s preferable to have a record pressed early in a production run, before the metal exhibits signs of wear, rather than toward the end, right before a fresh stamper is slapped on.

Nab an early pressing of an iconic title produced under ideal conditions, take really (really) good care of it for 40 years, and maybe it’ll be judged a hot stamper worth four figures.

Scott Hull, a recording engineer who owns Masterdisk, one of the world’s premier mastering facilities, compares producing a vinyl record to making wine. “Each pressing of the grape, and each pressing of the disc, is unique,” Hull says. “Hundreds of subtle things contribute to each pressing being different. Everything matters, from plating the lacquers to various molding issues to the quality of the vinyl pellets.”

Selling these artifacts at these prices requires more than a list of customers with too much disposable income. It takes hard work, chutzpah and catalog copy that ignites neural brush fires in the amygdala.

Consider these tasting notes for the Rolling Stones’ Emotional Rescue ($230): “A killer pressing … serious punch down low, superb clarity, all the extension up top and a HUGE open sound field … you’ll have a hard time finding any Stones record that sounds this good period!” Confirmation bias? Probably. Port had me at “killer pressing.”

Although Better Records offers jazz, blues, classical, and the occasional genre novelty (faux-Polynesian exotica is a recurring guilty pleasure), invariably it’s nostalgic classic rock albums like that Stones semi-classic from 1980 that become hot stampers.

But finding such pristine and aurally transcendent records isn’t easy.

Hot or Not?

The painstaking process begins by scouring the used market—from Salvation Army bins to eBay—for a dozen or more clean copies of an album. Next comes the obligatory spa regimen: a three-step enzyme wash followed by a deep groove vacuuming with two record cleaning machines, one of them an $8,000 Odyssey RCM MKV, an instrument the size of an airline beverage cart handcrafted by persnickety Germans.

Grunt work completed, the hot stamper king and his minions meet in the Better Records listening room for a round of tests dubbed a “Shootout.”

By the standards of your stereotypical tube-loving, power-junkie audiophile, the amp Port uses as the hub of his Shootout machine is shockingly ordinary: a 1970s Japanese integrated transistor amp rated at a feeble 30 watts per channel, a typical thrift-store find. “I use a low-power, solid state amp because it doesn’t color the music,” he explains. “Tubes make everything sound warm and add distortion. That can sound nice, but I need accuracy.”

The other components are much more upscale. The Legacy Focus speakers have been modded with Townshend Super Tweeters, for example, and the turntable sports a Tri-Planar Precision Tonearm and a Dynavector 17D3 cartridge. Everything has been carefully selected for sonic neutrality. This isn’t about conjuring mega-bass or shimmering highs. The goal is flat frequency response, getting as close as possible to the sound on the original master tape. Nothing added or subtracted. The total price for Port’s shootout rig comes to $35,000.

When the shootout finally gets underway, lights are dimmed, eyelids fall and ears perk. With each cut sampled, the usual things are carefully pondered: presence, frequency extension, transparency, soundstage, texture, tonal correctness, and an elusive quirk called “tubey magic” (seriously). Every element is scrutinized in granular detail. If opinions diverge or memories fail, reference copies are pulled from the archive to check benchmarks. It’s tedious work. Deciding whether Side B of Emotional Rescue is a “Mint Minus Minus” (7 on a scale of 1-10), or a “Mint Minus to Mint Minus Minus” (8-9), requires dedication, stamina and intense focus. When the grades are tabulated, a sonic pecking order emerges:

Hot stampers (great sound/expensive)
Super hot stampers (really great sound/really expensive)
White hot stampers (insanely great sound/insanely expensive)

It’s tempting to dismiss hot stampers as pseudoscience, like cryogenically treated speaker cables, power amp fuses zapped with Tesla coils, and every other confidence scheme devised to separate affluent middle-aged audiophiles from the contents of their wallets. Talk to enough studio engineers and record plant technicians, though, and it becomes apparent that the aural disparity between records that Tom Port prattles on about really does exist.

Industry experts agree that copies of the same album can, and often do, sound different; sometimes a little, sometimes a lot. Not just from copy to copy, and from side A to side B, but from track to track, and, yes, even within the same track. In fact, vinyl records made on the same stamper, during the same production run also can vary in sound quality. Other copies, bearing different record labels, pressed in different countries, using different equipment and personnel, will impart their own sonic flavor, which only muddles the issue further.

“There’s actually little reason why any two discs should sound the same,” says Masterdisk’s Scott Hull. “A grading system based on the different significant factors makes sense: surface noise, relative distortion during playback, and things like skips and major pops.” Before this becomes a hot stamper endorsement, Hull lowers the boom: “Saying one disc is wrong and another is right is very controversial. Only the producer, the mastering, and cutting engineers really know what that record was supposed to sound like.”

The textbook example of good mastering gone bad is the 1969 Atlantic Records release of Led Zeppelin II. The first pressing, mastered by a young Bob Ludwig, beats every other pressing and reissue by a wide margin. This record is easily identified by scanning the matrix, a product code located in the run-out area next to the label. There, etched in the dead wax are the letters “RL/SS,” shorthand for Robert Ludwig/Sterling Sound. Known among dealers as the “hot mix,” it has such energy and dynamic range that when it was released it caused the needles on cheap record players to literally jump out of the grooves. This happened when Ahmet Ertegun, the president of Atlantic Records, brought a copy home to his daughter. Judging the record defective, he immediately ordered a new pressing with the signal dialed down and compressed. Ludwig would later lament that this version “sounded puny and aghh!”

Still, like everything else having to do with manufacturing vinyl records, there are no rules or absolutes. A desirable matrix isn’t foolproof. It’s only a good omen. A random hot mix of Led Zeppelin II may sound fantastic, but some of the 200,000 “RL/SS” copies that were pressed sound better than others. This is what keeps Better Records in business and earns Tom Port a comfortable six-figure income. A Led Zeppelin II white hot stamper is $1,000.

If there is one question that needs to be asked at this point, it is this: Who actually buys these things?

The Collectors

Although there are currently 117 testimonials posted on the Better Records website, the success of this bold enterprise hinges on 20 to 30 “preferred customers” who spend as much as $100,000 a year on hot stampers. These clients are wealthy audiophiles with a penchant for classic rock who like nothing better than to sit in an overstuffed wing chair sipping Pétrus and reading Tom Port’s vivid descriptions of the latest shootout winners.

Bill Pascoe, a full-time political consultant and part-time audiophile, is one such customer. Like all hot stamper addicts, he was initially skeptical. The gateway LP for him was Steely Dan’s Aja. Port’s notes boasted that it crushed the lavishly praised Cisco 180-gram Aja reissue. Pascoe was dubious. But as a Washington power broker, he could certainly afford $130 to find out.

“After the first track, I said, ‘My God, there’s something to this!’” That was eight years ago. Today, Pascoe owns more than 100 hot stampers. “I’m not a recording engineer,” he says. “All I know is that Tom’s records sound better.”

Roger Lawry, a biomedical engineer in California, was hooked by a hot stamper of Blood Sweat & Tears’ self-titled LP, the title Port deems “the best sounding pop or rock album ever recorded.” Lawry has accumulated about 150 hot stampers since then. Adjusted for inflation, that’s the equivalent of buying a new Mercedes E-Class. The only difference is that one has an excellent resale value.

Lawry admits this pricy vinyl won’t pad his investment portfolio, but he has no regrets. “If you’re going to spend tens of thousands of dollars on hardware, why wouldn’t you pay a few hundred for the software?” he asks. A recent salary cut, however, has forced Lawry to curb his vinyl excess. Still, if the right hot stamper came along, he says he wouldn’t hesitate pulling the trigger: “I’d be willing to pay $500 for the best copy of Aja.”

The Chorus

Not only are these original vinyl copies shiny and minty fresh, Port will tell you they also sound better than any of those $30 reissues “sourced from the original master tapes” currently in fashion. Port has particular disdain for these premium, heavy vinyl records, with their bonus tracks and glossy liner notes.

“Those records sound horrible,” he growls. “A flea market copy of Sweet Baby James will sound better than any new 180-gram version.” Surely, there must be some notable reissues of other pop albums? The 60-year-old California native pauses. “If there are, I haven’t heard them.”

This outright dismissal of an entire industry has made Port a pariah in most audiophile circles. It’s an emotional subject. Jonathan Weiss, the owner of Oswalds Mill Audio, a hi-fi sanctuary in Brooklyn known for its outstanding horn speakers, barely contains his contempt. “This guy is the poster child for everything that’s wrong with the business,” he says. “He caters to the worst fears and anxieties of audiophile victims. It’s really absurd.” Weiss finishes by calling Port a couple of names we can’t print.

To truly understand the fears and anxieties of vinyl aficionados, follow the impassioned threads that unravel on the hobbyist web forums. Although Port has supporters, they’re a minority. Most members of sites like audiokarma and audioasylum who discuss vinyl records are vehemently anti-hot stamper. It’s the exorbitant markup, of course, that provokes the outrage.

Port finds the criticism amusing. On his website, he mocks these people where it hurts: by criticizing their obsessive-compulsive love for bachelor pad hi-fi gear from the Boogie Nights era. “Pioneer turntables? In this day and age? What time warp did these guys fall through anyway? It’s as if the last thirty years of audio never happened.” (Never mind the apparent hypocrisy of his using a 40-year-old amp to rate his records.)

He also relishes ripping their precious 180-gram LPs to shreds and stomping on them. “Heavy vinyl is just a gimmick, like gold plated CDs,” he says.

To Port’s dismay, record labels have doubled down on the surging vinyl market, promising even higher fidelity by pushing a new format: the 45-RPM, double LP. Remastered at half-speed, these limited edition records, if properly produced and manufactured, have the capability to outperform single 33-RPM discs because the stylus spends more time in the grooves retrieving data. Critics gush about greater dynamic range and improved transient response.

Predictably, Tom Port isn’t a fan. Here’s his review of Metallica’s Ride The Lightning, a Warner Brothers 45-RPM album remastered at MoFi from the original analog tape: “Compressed, sucked-out mids, no deep bass and muddy mid-bass, the mastering of this album is an absolute disaster on every level.” He chuckles when asked how many business relationships have soured over the years due to unpopular opinions like this. “I burn all my bridges,” he says. “I want nothing to do with any of these people.”

The Duel

Stereophile columnist Michael Fremer falls into this category. In October, the audio critic conducted a poll on his blog, Analog Planet, to address the hot stamper vs. heavy vinyl debate. The material chosen for this audio contest was RCA’s 1960 “Living Stereo” recording of Nikolai Rimsky-Korsakov’s Scheherazade, a symphonic poem considered by audiophiles to be one of the greatest performances ever captured on vinyl.

In one corner was the prohibitive favorite: Analogue Productions’ 200-gram, 33-RPM reissue, a record that prominent critics, including Fremer (he called it “transformative”), argued was better than the original. The challenger was a vintage RCA pressing of Scheherazade that Port had personally selected from his hot stamper stash. The records were transferred to hi-res 24-bit/96 kHz files—well above standard CD quality—and posted on Fremer’s blog for readers to sample. When the votes were tallied, the new Analogue Productions version was declared the winner by a 6 percent margin.

Port dismisses the results as meaningless, blaming his hot stamper’s poor showing on flawed methodology. “Fremer labeled one of the files ‘AP,’” he says incredulously. “Voters knew that was Analogue Productions. So, the experiment was biased from the start! When it was corrected, we caught up fast.”

He could have left it at that, but the thought of smoldering bridges excites Port too much. Convinced that the industry high priests are aligned against him, he lashes out: “Michael Fremer once said he had six copies of Aja, and they all sounded the same. That’s impossible on a good system! Is he deaf?”

Fremer has since conducted several live listening sessions using the same two Scheherazade pressings. In each case, the results were, in Fremer’s words, “pretty much 50-50.” Which would seem to indicate, at least in this instance, that heavy vinyl and hot stampers are more about personal preference than one record actually sounding better than the other.

“If you can afford it, I think Tom provides a good product,” Fremer says diplomatically. “Although, I don’t always agree with him on everything.”
http://www.wired.com/2015/03/hot-stampers/

Until next week,

- js.

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black