Old 31-07-13, 07:57 AM   #1
JackSpratts
Peer-To-Peer News - The Week In Review - August 3rd, '13

Since 2002

"If indeed Aaron’s access was not 'unauthorized' — as Aaron’s team said from the start, and now MIT seems to acknowledge — then the tragedy of this prosecution has only increased." – Lawrence Lessig


"I have just seen him off. He has left for a secure location." – Anatoly Kucherena


"The FBI can remotely activate the microphones in phones running Google Inc.'s Android software to record conversations. It can do the same to microphones in laptops without the user knowing." – Jennifer Valentino-Devries and Danny Yadron

August 3rd, 2013




1,700 Websites In Russia Go Dark In A SOPA-Style Protest

Popular websites stop their services for a day to highlight the possible effects of a new anti-piracy law
Max Smolaks 0

Over 1,700 Russian websites went dark on Thursday in a protest against a new anti-piracy law that enables Roskomnadzor (the Federal Supervision Agency for Information Technologies and Communications) to ‘blacklist’ Internet resources before a court order has been issued.

The law, widely known as the ‘Russian SOPA’, came into force on Thursday. Freedom of speech campaigners are worried it could be used for political censorship, while digital companies say it will slow down the development of Internet services in the country.

During the protest campaign, participants replaced their homepages with a short warning message and a link to a petition on a government website. This petition has already collected over 76,000 signatures. However, it needs at least 100,000 to be considered by the parliament.

Websites in revolt

In 2012, changes to the Act for Information gave Roskomnadzor the powers to take offline websites that were hosting information about drugs, self-harm and child abuse. Civil rights activists had been protesting against the changes, claiming they restricted freedom of speech and would lead to further Internet censorship.

Now, the law has been extended to include intellectual property, such as films or TV shows (but interestingly, not music). Under the new rules, copyright holders can contact the website and demand that illegal content be removed, or request a court order and complain to Roskomnadzor. The website is then required to block access to the files within 3 days, and keep them inaccessible until the court decides on the case.

If the website owners refuse to comply with the order, Roskomnadzor will order ISPs to block the whole site.

According to Russia Today, on the day the law came into force, movie distribution company Cinema Without Borders attempted to sue vKontakte, Russia’s largest social network, for breaching its copyright. The lawsuit didn’t go ahead due to the lack of supporting documents, but it goes to show that copyright holders are jumping at the opportunity to use the new rules to their advantage.

On Thursday, music resource Zaycev.net, online encyclopaedia Lurkmore.to, and around 1,700 other websites went down to show possible effects of the law.

“Today, we live in an online reality where every user has become an information middleman and any page can be shut down for posting a link to pirated content,” read a statement from Mail.ru, a popular email provider.

Meanwhile Yandex, the search engine that successfully competes with Google in Russia, said that the law “is directed against the logic of the Internet”.

Despite this, the country’s largest websites – Yandex, Rambler, VKontakte and Odnoklassniki – ignored the protest campaign, along with Google, Livejournal, Wikipedia and other US-owned properties.

As a response to the ‘Russian SOPA’, the unofficial Russian branch of the Pirate Party has launched a “Black August” campaign, urging its members and supporters to stop paying for any kind of copyrighted content for a month.
http://www.techweekeurope.co.uk/news...protest-123686





ASCAP Petitions FCC To Deny Pandora's Purchase of Radio Station
chipperdog

NorthPine.com reports: "ASCAP is firing back against Pandora Radio's attempt to get lower music royalty rates by buying a terrestrial radio station, 'Hits 102.7' (KXMZ Box Elder-Rapid City). In a petition to deny, ASCAP alleges 'Pandora has failed to fully disclose its ownership, and to adequately demonstrate that it complies with the Commission's foreign ownership rules.' ASCAP also alleges that Pandora has no intention of operating KXMZ to serve the public interest, but is rather only interested in obtaining lower royalty rates. Pandora reached a deal to buy KXMZ from Connoisseur Media for $600,000 earlier this year and is already running the station through a local marketing agreement."
http://news.slashdot.org/story/13/07...-radio-station





Dispute Blocks Hollywood’s Share of Chinese Box Office
Michael Cieply

As box-office sales for American films soften in China, Hollywood studios are running up against a new problem: they haven’t been receiving payments for the Chinese screenings of their films, according to reports in Variety and The Hollywood Reporter on Monday.

The payments problem, according to the trade publications, stems from a dispute over a new 2 percent value-added tax in China.

When the tax was applied to theater tickets, American studios and their Chinese distribution partners disagreed about whether the money could be taken from the American share of sales, under the terms of an international agreement that had earlier promised the studios 25 percent of the take from films shown in China.

In April, The Wall Street Journal reported that Fox had refused to accept payments from its screenings in China while the dispute was unresolved. Variety and The Hollywood Reporter said that all of the major American studios had become involved, and payments for films like “Skyfall,” “Man of Steel” and “Star Trek Into Darkness” had been held up.

The Motion Picture Association of America, which represents the major studios, had no immediate comment.
http://www.nytimes.com/2013/07/30/bu...ox-office.html





VCR’s Past Is Guiding Television’s Future
David Carr

The last few weeks have been a rugged legal stretch for incumbent television companies.

First, an appeals court declined to rehear a case in which broadcasters sought to close down Aereo, a company that allows users to record and play back broadcast television over the Internet. And then last week, another appeals court declined to stop Dish Network, the satellite television company, from selling a service called Hopper, which lets viewers automatically skip ads.

The cases are far from settled, but the stakes could not be bigger. Broadcast television as we know it now stands on two legs: advertising and retransmission fees from cable providers. With Hopper skipping ads and Aereo allowing for distribution over the Internet without payment, profits might go dark.

But the legal cases also seem to defy a kind of common-sense logic: how can insurgents use programming created by someone else to their own ends without sharing revenue?

The answer could get very complicated, very fast, but let’s try to make it simple. The dawn of consumer-controlled television began with the clunky, whirring Sony Betamax in the 1970s. Networks and program providers didn’t like consumers making copies of their movies and TV shows, but a landmark Supreme Court case in 1984 held that taping and time-shifting on the part of viewers was “legitimate fair use.”

Everything we have seen since extends from that decision to let consumers into the driver’s seat. It helps to think of the digital video recorder as more of a capability than a device. Both Aereo, which uses antennas to record broadcast television, and Hopper, which records prime-time programming, can be considered DVRs in the cloud, and the cord going to each home happens to be very long (Aereo over the Internet) or comes via satellite signal (Dish).

In each instance, the courts have more or less held, the customers are doing the programming and recording, and as such, have the right to do so even if they are doing so remotely through a third party.

If a revolution is under way, it is happening in increments. The VCR in the corner gave way to the DVR on the set-top box, and now some of the recording lives in the cloud and is pulled down to a variety of devices, including televisions, tablets, computers and phones.

That new paradigm was affirmed in a more recent case that began in March 2006, when Cablevision announced that it would allow subscribers not only to record whatever they wanted, but to do so remotely on hard drives centrally maintained by the company. Despite the Betamax precedent, the television and movie industry promptly sued Cablevision, claiming that the cable company — not the consumer — was making the actual copy.

A district court in New York agreed, so Cablevision appealed to the Second Circuit Court of Appeals in 2007. Consumer control took a big leap forward the next year, when the court decided in favor of Cablevision, ruling that the people pushing the buttons were the ones making the copies and that the playback of those recordings was not a public performance that infringed on copyright.

“We are in a transition period, migrating toward a world where you are going to get the content you want without commercials,” said Jonathan Band, a lawyer and advocate for consumer choice. “But the truth of the matter is that you are still going to have to pay. The only thing really being argued is who gets the money.”

To his point, Fox has sued Dish, asserting that the Hopper ad-skipping service violates copyrights and breaches contracts, not to mention that the service takes direct aim at its business model.

CBS, NBC and ABC have also been pushing back in a variety of ways. Last Wednesday, the Ninth Circuit Court of Appeals in California denied an appeal from Fox over a federal judge’s decision last fall not to grant an injunction against the Hopper technology.

The judge writing the opinion, Sidney R. Thomas, held that the copies being made met the “fair use” standard set by the Betamax case. The opinion also pointed out that although Fox owned the copyright on the programs, it had no such claim on the commercials, so skipping them did not constitute infringement.

But the judge also suggested that even though he was unwilling to provide injunctive relief — the broadcaster failed to “demonstrate a likelihood of irreparable harm” — the question of whether Dish was in breach of agreements not to create a video-on-demand service was far from settled.

Dish issued a statement, calling the decision a victory for “consumer choice and control.”

In spite of the setbacks, Fox still believes it has good lawyers and a good set of facts in both cases, the most pertinent of which suggests that if the business model that enables the programming goes away, so too will the programming.

Then again, these are the very early innings in the legal fight, and the issues raised by Aereo and Hopper are momentous enough that it may fall to the Supreme Court to decide how the future of television will be divided up.

“Both advertising and subscription revenue are critical to the continued viability of broadcast television,” said Scott Grogin, a spokesman for Fox Networks. “We prefer to have our rights protected through legal or regulatory means, but if that is not possible we must consider business solutions.”

That last bit represents plan B. If all the lawyers and arguments fail to impress the court, Fox could always take its bat and ball and shut off its broadcast signal, leaving Aereo with nothing to grab. And in the instance of Dish, the companies have a great deal of business in common, so Fox might be able to make the satellite provider sorry it ever introduced Hopper.

Still, it isn’t really Aereo, which has yet to catch on with consumers, or even Dish, that the networks are battling. It is the ideas that they represent and the disruption that they, along with other me-too companies, could create. In the current fight between CBS and Time Warner Cable over retransmission fees, for instance, the cable company has suggested to customers that they look into Aereo if CBS was blacked out. You could easily envision a cable company buying the idea and technology behind Aereo as a way to work around big retransmission fees.

It is a truism of all businesses, especially media, that once the consumer decides how things are going to go, it is only a matter of time before disruption occurs in fundamental ways. Just ask the record companies. And for now, the disrupters not only have the consumer on their side, but the law as well.
http://www.nytimes.com/2013/07/29/bu...ns-future.html





Telco Astroturfing Tries To Bring Down Reviews Of Susan Crawford's Book
Mike Masnick

Astroturfing -- the process of a faux "grassroots" effort, often set up by cynical and soulless DC lobbyists pretending to create a "grassroots" campaign around some subject -- is certainly nothing new. It's been around for quite some time, and it's rarely successful. Most people can sniff out an astroturfing campaign a mile away because it lacks all the hallmarks of authenticity. A separate nefarious practice is fake Amazon reviews -- which have also been around for ages -- amusingly revealed when Amazon once accidentally reassociated real names with reviewers' names to show authors giving themselves great reviews. Over time, Amazon has tried to crack down on the practice, but it's not easy.

So what happens when you combine incompetent astroturfing and fake Amazon reviews? Check out the reviews on Susan Crawford's book, Captive Audience: The Telecom Industry and Monopoly Power in the New Gilded Age. Now, I should be clear: while I respect Crawford quite a bit, and often find her arguments compelling and interesting, I found Captive Audience to go a bit too far at points, and felt that the book lost a lot of its persuasive power in really overstating the case. We agree that the broadband market is not even remotely competitive, but we disagree on the solution to that. Still, I think the book is very much worth reading, and an important contribution to the discussion on broadband/telco policy.

But, boy, the telco lobbyists and shills really have been going overboard trying to smear the book every which way. Front groups set up by the big broadband players going by names like NetCompetition, Broadband For America, and Media Freedom have wasted little time attacking the book as if it has no redeeming merits at all.

But, at least people can look at who's behind those various organizations, or where their "founders" last plied their trade. When it comes to Amazon reviews, it's a somewhat different story. Karl Bode recently noted the large number of one star reviews on Crawford's book that exhibit a pretty clear pattern: a "folksy" tone from someone in an "ordinary" job, living in a "rural" location (they all mention a rural location) absolutely trashing Crawford's book, all using talking points that the big telco lobbyists have been handing out. Here are a few examples.

This is wrong

By lavell martin (hazelwood, mo United States)


Des Moines, Iowa
I am a professional truck driver who uses the Internet in job training. I have just read the book "Captive Audience" by Susan Crawford. I am very disappointed in her negative attitude toward our national telecommunications system. As a professional truck driver, I have been using technology since the days when CB radio was the next big thing. Then came cell phones that were barely useful for an over-the-road trucker who was almost always "roaming" from his home system.

But times have changed and now every trucker has the ability to communicate, not with a trucker a quarter of a mile ahead or behind, but a quarter (or all the way) around the world. Wireless technology allows us to track where trucks and their cargo are in real time. They allow us to contact our customers to alert them to our arrival time, meaning I can unload as soon as I get to the customer rather than waiting for someone to arrive.

To read Ms. Crawford's book you would be led to believe that the companies who have invested hundreds of billions of dollars in these systems haven't accomplished anything. She is wrong. The "breaker-breaker" days are long gone and it is private industry that has left it far in our rear-view mirrors.

Unimpressed - Facts Don't Add Up

By nhunter


I do much of my schoolwork online and do not believe that Susan Crawford's points in "Captive Audience" are valid. I am from a rural area, yet my broadband connection is good enough for me to stream online lecture and perform research. Only 3-5% of homes in the US do not have access to wired broadband services, and generally in these cases there are multiple wireless options. I simply do not know anyone who is not able to purchase a wired broadband connection - even in remote areas.

Our system of private investment is sustainable and has provided affordable service to hundreds of millions of people. Looking at the state of broadband in the US I do not see the problems in our system that Ms. Crawford points out. The last thing we need is a complete overhaul that trades our tried and true system for one of uncertainty, reliant on government spending. In order to provide better, cheaper broadband we need to move regulation out of the 1990's and into the 21st century.

Captive Audience lacks in believability

By Mantkow


I am not sure I agree with the central premise of this book. While Susan Crawford certainly has credibility, given her tenure as President Obama's technology advisor, I am just not buying her take on the supposed monopoly within the telecom industry. If the United States is truly lagging behind other countries in its access to high-speed broadband Internet, how is it our Internet network infrastructure investments have risen by almost 25 percent? Moreover, if access were really a problem in the U.S., I would almost certainly have first hand knowledge of it. I am from a remote part of Kentucky that is as far a cry from big city living as one can get. I have yet to find my access to the Internet lacking.

Terrible Book
By Lee


I do not live in a metropolitan area, but I have had access to an affordable high-speed connection for over a decade. Ms. Crawford is not telling the whole story. The FCC has reported on multiple occasions that over 99% of the population has access to satellite, wired or wireless broadband connection. Not so long ago there were people who thought laptops would never be an equal to desktops, and tablets could never be a substitute for a laptop. It seems those that doubt technology usually end up wrong, and if there is any industry that will provide world changing innovation over the next few years, my bet is it will be in broadband here in the US.


Because I'm a curious sort, I decided to look a little more deeply at the 31 one-star reviews, and see if I might glean any patterns. I read through them all and noticed some very noticeable patterns. First of all, there are a few named reviewers who are listed as "verified buyers" of the book or are in Amazon's "Real Name" program. Those are people who are clearly legit. Of course, nearly all of those reviewers are rather well-known in technology/telco policy circles, often closely associated with various think tanks known for supporting the position of the telcos: you have Scott Cleland of NetCompetition, Richard Bennett of ITIF, Ryan Young of CEI, Andrew Langer of the Institute for Liberty and Geoffrey A. Manne of the International Center for Law and Economics. I don't have any problems with these reviews. While the views of these individuals are well-known and were probably decided long before they ever came near the book, they put their names on the reviews and many of them are listed as verified purchasers. On the flip side, for the 5-star positive reviews, you have folks like Tim Karr from Free Press, though that's really about it (there is also Dane Jasper, the CEO of awesome local ISP Sonic.net, but he's an actual expert in the field, not just some think tank policy analyst like everyone else).

The problem comes in when you look at everyone else. As mentioned, a very large number of the reviews seemed to follow a similar pattern -- so I figured why not see if we can compare the 1-star reviews to the 5-star reviews in some manner. To keep it fair, I removed the named DC policy folks from the calculations, though even if you add them back in the numbers are pretty striking. First, I looked at what percentage of the reviews included some sort of folksy reference to their job (e.g., "I'm a truck driver and my experience is...", to the fact that they lived somewhere rural or non-metropolitan, or that they were a student). In reading the reviews, these all felt extremely inauthentic, because there's nothing about Crawford's book that should lead someone to discussing any of those things. It's irrelevant -- but if you're a clueless DC astroturfing firm trying to sound like everyday common folk, it might be something you do.

Fifteen of the 1-star reviews make such a mention. That's 58%. Of the 5-star reviews, there was only one single mention of anything having to do with rural settings, and it was someone delving more deeply into the issue of rural broadband, rather than anyone trying to sound folksy. No one mentioned their down home job or that they were a student. So if we include that one pseudo-mention, it's 2.5%. In other words, something is pretty clearly off with those 1-star reviews.

My second check was to look at whether or not the reviews had one of the following three criteria: they were a verified purchaser, they were enrolled in Amazon's "REAL NAME" program, or they had reviewed other products besides just Crawford's book. While this is a rather crude measure, I figured that having any of those things be true at least suggested that there was a real person behind the review. Having none of those three things might still mean they were a real person who legitimately bought the book and was giving a legitimate opinion, but at the very least it couldn't be proven. To give the benefit of the doubt to the Crawford haters, here I added back in the known policy wonks -- who were basically the only 1-star reviewers to qualify as humans under these criteria. Without this, I think only two of the remaining 26 reviewers could meet the criteria. In the end, even with the known DC policy insiders, only 11 out of the 31 reviews, or 35% met the criteria.

Of the 5-star reviews, 80% met the criteria. And, even this is somewhat misleading. Of the reviews that did not meet the criteria of provably human, nearly all of them mention that they're leaving a 5-star review solely to counteract the obvious shill 1-star reviews. I think that's counterproductive in many ways, but it suggests that those reviews weren't directly "shill" reviews, but rather response to astroturf reviews.

As a further check, I compared the average number of other products reviewed by each group -- the 1-star reviewers and the 5-star reviewers. That really wasn't a fair fight. The average number of "other" reviews by those who gave Crawford's book a 1-star review: 1.4. And that's almost entirely due to one person, Richard Bennett, who has 24 other reviews. Of those who gave it a 5-star review, the average is 113.9. Yes. 1.4 vs. 113.9. Okay, the 5-star reviews are also skewed heavily by one reviewer, Loyd E. Eskildson who has over 4,000 reviews. So, to be fairer, I cut out that outlier and the 5-star reviewers still had an average of 13 other reviews (I didn't even bother to take out Bennett's outlier on the 1-star reviews). Using the other (probably better) tool, we could also compare the median other reviews for each group. For the 1-star reviews, it will surprise no one to find out that the median is 0. For the 5-star group, the median is two.

Basically, no matter how you slice it, there's some sort of statistical anomaly going on here that makes it pretty clear that someone was pushing a ton of fake astroturfing reviews on Crawford's book, and didn't even care to take the time to hide it well. As I said, even if you don't fully agree with the book, I'd hope we can all agree that this is a pretty disgusting move by whatever lobbyists/shills/think tanks dreamed up this astroturfing campaign just because they don't like what the book says. Can't fight on the merits, huh?
http://www.techdirt.com/articles/201...rds-book.shtml
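The comparison Masnick walks through above (share of reviews using scripted "folksy" framing, share showing any sign of a real account behind them, and the mean and median number of other reviews per account) is easy to turn into a repeatable check. The script below is an added example and is not code from Techdirt or from Masnick's own analysis; the review records are constructed here to mirror the patterns the article describes, and the list of folksy markers in the regular expression is an assumed, illustrative one rather than anything the article defines.

```python
import re
from statistics import mean, median

# Constructed sample records (not real Amazon data). Each record carries the
# three provenance signals the article uses (verified purchase, "Real Name"
# badge, count of other products reviewed) plus the review text.
SAMPLE_REVIEWS = [
    {"stars": 1, "text": "I am a professional truck driver from rural Missouri and this book is wrong.",
     "verified": False, "real_name": False, "other_reviews": 0},
    {"stars": 1, "text": "As a student in a small town I stream lectures fine. Facts don't add up.",
     "verified": False, "real_name": False, "other_reviews": 0},
    {"stars": 1, "text": "I live in a remote part of Kentucky and my internet is great.",
     "verified": False, "real_name": False, "other_reviews": 0},
    {"stars": 1, "text": "Crawford overstates the case on municipal broadband and ignores investment data.",
     "verified": True, "real_name": True, "other_reviews": 24},
    {"stars": 1, "text": "Terrible book. I do not live in a metropolitan area and have fast service.",
     "verified": False, "real_name": False, "other_reviews": 0},
    {"stars": 5, "text": "Clear account of how cable and telco consolidation hurt competition.",
     "verified": True, "real_name": True, "other_reviews": 4000},
    {"stars": 5, "text": "Well sourced. Chapter on rural buildout economics is especially good.",
     "verified": True, "real_name": False, "other_reviews": 2},
    {"stars": 5, "text": "Leaving five stars to offset the obvious shill reviews.",
     "verified": False, "real_name": False, "other_reviews": 0},
    {"stars": 5, "text": "Essential reading on broadband policy.",
     "verified": False, "real_name": True, "other_reviews": 12},
]

# Assumed marker list: job, student and rural/non-metro references that the
# article singles out as irrelevant to the book and typical of scripted copy.
FOLKSY = re.compile(
    r"\b(truck driver|farmer|student|schoolwork|rural|remote part|small town|metropolitan area)\b",
    re.IGNORECASE,
)


def has_folksy_marker(text: str) -> bool:
    """True when the review leans on a scripted 'ordinary person' framing."""
    return FOLKSY.search(text) is not None


def has_provenance_signal(review: dict) -> bool:
    """Any one of the three signals suggests a real account behind the review."""
    return review["verified"] or review["real_name"] or review["other_reviews"] > 0


def summarize(reviews: list, stars: int) -> dict:
    """Per-rating cohort statistics, including a trimmed mean that drops the
    single most prolific reviewer (the outlier the article removes by hand)."""
    group = [r for r in reviews if r["stars"] == stars]
    if not group:
        return {}
    others = [r["other_reviews"] for r in group]
    trimmed = sorted(others)[:-1] if len(others) > 1 else others
    n = len(group)
    return {
        "count": n,
        "folksy_pct": 100.0 * sum(has_folksy_marker(r["text"]) for r in group) / n,
        "provenance_pct": 100.0 * sum(has_provenance_signal(r) for r in group) / n,
        "mean_other_reviews": mean(others),
        "trimmed_mean_other_reviews": mean(trimmed),
        "median_other_reviews": median(others),
    }


def astroturf_report(reviews: list) -> dict:
    """Compare the 1-star and 5-star cohorts side by side."""
    return {stars: summarize(reviews, stars) for stars in (1, 5)}


def flag_suspect_group(summary: dict, folksy_threshold: float = 50.0,
                       provenance_threshold: float = 50.0) -> bool:
    """Heuristic (thresholds are assumed): a cohort is suspect when most of
    its reviews use the scripted framing and few show any sign of a real
    account. Either signal alone is weak; the combination is the tell."""
    return (summary["folksy_pct"] >= folksy_threshold
            and summary["provenance_pct"] <= provenance_threshold)


if __name__ == "__main__":
    report = astroturf_report(SAMPLE_REVIEWS)
    for stars, summary in report.items():
        print(f"{stars}-star cohort: {summary} suspect={flag_suspect_group(summary)}")
```

On the constructed sample the 1-star cohort comes out at 80% folksy framing, 20% with any provenance signal and a median of zero other reviews, while the 5-star cohort is 25%, 75% and a median of seven; the single "rural buildout" mention on the 5-star side plays the role of the one pseudo-mention Masnick notes. The trimmed mean matters because one prolific reviewer (4,000 other reviews here, Eskildson in the article) otherwise dominates the average, which is why the median is the more honest number.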





German Publishers Can’t Wean Themselves Off Google News, Despite Winning Copyright Law Change
Natasha Lomas

Germany’s new copyright law comes into force today but several major German publishers haven’t rushed to pull their news snippets from Google News, despite lobbying in favour of tightening the law. On the contrary, they have opted in to carry on having their snippets displayed. Call it a love/hate relationship, where ‘love’ refers to the traffic generated by click-throughs from Google News and ‘hate’ to the sense of indignation that Google gets to cream off news content and use it to power its own aggregator service.

German publishers including Axel Springer – whose publications include the newspapers Die Welt and Bild – had lobbied for German copyright law to be extended to cover the snippets of stories Google displays in its News service. They also lobbied for search engines to pay publishers to display these news snippets. But it’s one of several big German publishers that have apparently opted in to Google News.

Ahead of the new law coming into force, Google changed how Google News operates in Germany, making it an opt-in service, rather than the current default opt-out in all other markets where it operates a local Google News service.

At the time of writing, Axel Springer was not available for comment but according to an AP report (via the Verge) the publisher said it still expects to receive money from Google eventually. Two more German publishers — Spiegel Online and Zeit Online — have also opted into Google News for the moment, according to AP.

Google has had to deal with similar disputes with publishers elsewhere in Europe — including in Belgium and France — but those disputes have not resulted in copyright law extensions. Instead, Google settled with French publishers after agreeing to set up a €60 million fund to support French publishers’ digital initiatives. It also settled a dispute with Belgian publishers in December by agreeing to partner with them and help promote their services and content.
http://techcrunch.com/2013/08/01/goo...ers-love-hate/





Dentist Who Used Copyright to Silence Her Patients Is On the Run

Dr. Makhnevich threatened patients who wrote bad Yelp reviews with lawsuits.
Joe Mullin

A lawsuit regarding a dentist and her ticked-off patient was meant to be a test of a controversial copyright contract created by a company called Medical Justice. Just a day after the lawsuit was filed, though, Medical Justice backed down, saying it was “retiring” that contract.

Now, more than a year after the lawsuit was filed, the case against Dr. Stacy Makhnevich seems to have turned into a case about a fugitive dentist. Makhnevich is nowhere to be found, won’t defend the lawsuit, and her lawyers have asked to withdraw from the case.
No-criticism contract promised additional “privacy”

In 2010, Robert Lee was experiencing serious dental pain. He went to see Dr. Stacy Makhnevich, the “Classical Singer Dentist of New York,” in part because she was a preferred provider for his dental insurance company. Before Makhnevich treated him, she asked him to sign a contract titled “Mutual Agreement to Maintain Privacy.”

The contract worked like this: in return for closing “loopholes” in HIPAA privacy law, Lee promised to refrain from publishing any “commentary” of Makhnevich, online or elsewhere. The contract specified that Lee should “not denigrate, defame, disparage, or cast aspersions upon the Dentist.”

And the kicker: if he did write such reviews, the copyright would be assigned to the dentist. She’d own it.

This “I own your criticism” contract would soon be put to the test, because Lee was an extremely unhappy customer. “Avoid at all cost!” he wrote in a one-star Yelp review. “Scamming their customers! Overcharged me by about $4000 for what should have been only a couple-hundred dollar procedure.”

The forms Makhnevich was using, provided to her by a company called Medical Justice, were already the subject of considerable controversy. Two tech-savvy law professors, Eric Goldman of Santa Clara University and Jason Schultz of UC Berkeley, launched a website to fight the contracts, which garnered considerable press. Former Ars Technica writer Tim Lee chronicled his own experience with a Philadelphia dentist who was using the contract.

The “Mutual Agreement” was essentially a work-around to try to stifle patient reviews. Doctors, or any other business, who believe that an online review is, say, defamatory, can go ahead and sue a reviewer—but they don’t have an easy way to get the review down. Review sites like Yelp are protected by Section 230 of the Communications Decency Act, which immunizes the platforms hosting such user-generated content, as long as they don’t edit it heavily. Review sites in the US don’t typically remove posts when a business claims defamation.

Copyright, however, is a different story. Section 230 doesn’t cover intellectual property laws, and Yelp has to react quickly to claims that a user has violated copyright law.

Users of the Medical Justice form were counting on that, and it worked. In September 2011, staff members of Dr. Makhnevich sent DMCA takedown notices to Yelp and DoctorBase. That was followed up with invoices sent to Lee, saying he owed $100 per day for copyright infringement. Accompanying letters threatened to pursue “all legal actions” against him.

Makhnevich disappears: The Streisand Effect “gone bonkers”

Lee got in touch with attorney Paul Levy at Public Citizen, who has a history of taking on Internet free-speech issues, and was looking for a way to challenge the Medical Justice contract. In November 2011, Public Citizen filed a lawsuit seeking class action status, arguing that Lee’s reviews were fair use and non-defamatory. The lawsuit also alleged that Makhnevich’s “don’t criticize me” contracts were violations of New York business laws and dental ethics rules.

Levy envisioned a courtroom showdown with Medical Justice—but the case hasn’t panned out that way. Medical Justice hasn't defended the contract. And in the last few months, Makhnevich seems to have disappeared entirely. Her own lawyers can’t get in touch with her. On Tuesday, US District Judge Paul Crotty held a conference about whether the lawyers should be allowed to withdraw from the case. (They’ll be allowed to, with a few conditions.)

“Defendant Makhnevich has closed its business in New York, has closed its offices, and has not made herself available to respond to this matter,” wrote Makhnevich’s lawyers on June 25. At that time, they hadn’t communicated with Makhnevich in three months, and that communication had been through her assistant.

“We brought this lawsuit to make sure she stopped and to point out to other dentists that they couldn't do this,” said Levy in an interview with Ars. “We thought Medical Justice would step in to defend her. Instead, they walked away from it and left her holding the bag. And now she’s left her lawyers holding the bag.”

Levy is seeking to get Lee back the money he was overcharged and to have notice sent to Makhnevich’s other patients that the contracts they signed don’t prevent them from writing reviews. He’s also seeking to get legal fees paid for; it cost $3,000 to serve Makhnevich, he noted.

It isn’t clear whether Makhnevich is practicing dentistry or not, but the disappearing act she pulled in this case would suggest she isn’t.

“It’s quite possible that the consequence of her having this contract is that she had to give up her dental practice,” said Levy. “It’s the Streisand effect gone bonkers.”

Unless she shows up soon, the case is likely to end in a default judgment. At that point Levy would attempt to collect payment from her insurance company, or any other source. “She may have some assets,” said Levy. “Dental equipment is not cheap.”
http://arstechnica.com/tech-policy/2...is-on-the-run/





Microsoft's Surface Sales Figures Are In, and They're ABSOLUTELY HIDEOUS

Wrote down more inventory charges than it took in revenue
Neil McAllister

Microsoft's shares took a beating following its gloomy fiscal 2013 earnings report earlier this month, in which it wrote down nearly a billion dollars on its unloved Surface RT fondleslabs. But the software giant isn't out of the woods yet, because new details have emerged that have the full Surface picture looking even worse than was previously thought.

In Redmond's annual 10-K report to the US Securities and Exchange Commission (SEC), published on Tuesday, the software giant reported actual Surface revenue figures for the first time – and they're not good.

According to the report, Microsoft's total Surface revenue for all of fiscal 2013 amounted to just $853m. That's nearly $50m less than the $900m charge Redmond took when it discounted its remaining Surface RT inventory by $150 per box.

And that's not all. That $900m writedown was related to Surface RT only, but the $853m revenue figure includes sales of Surface RT and Surface Pro combined.

Such sluggish sales aren't likely to have covered Microsoft's costs for the Surface launch, especially when you consider the massive marketing push it gave the ill-fated devices.

Further down in its 10-K filing, Redmond reports that it upped its sales and marketing budget for the Windows Division in 2013 by a jaw-dropping $1bn, which included an $898m increase in advertising costs "associated primarily with Windows 8 and Surface."

Got that? Microsoft spent more in a single year advertising the Windows 8 and Surface launches than it took in from Surface sales that same year.

And remember, none of this was even spread over an entire calendar year. Microsoft's fiscal 2013 ended on June 30. It launched Windows 8, Windows RT, and Surface RT on October 26, 2012. The Surface Pro launch came later, in February. But whichever way you slice it, Microsoft managed to mow through an $898m marketing budget in just eight calendar months – and consumers still didn't take the bait.

It's cruel to compare the struggling Surface to Apple's iPad line, but the numbers don't lie. Apple sold 57 million iPads in the same period, meaning it could have sold them for just $15 apiece and still matched Microsoft's tablet revenue figure.

It's enough to humble even the ordinarily bullish Steve Ballmer. At a recent "rally the troops" event at the Redmond campus, Ballmer reportedly confessed, "We built a few more devices than we could sell," and "We're not selling as many Windows devices as we want to."

Those were sure to have been painful admissions, coming from a guy who has seemingly bet the farm on transforming Microsoft from a software company to one that trades in integrated devices and services.

Judging by the numbers, devices and online services remain Redmond's worst performing divisions – before Ballmer's latest reorg, that is, which did away with both groups in favor of a more nebulous corporate structure that's organized around "engineering", rather than products.

Ballmer has already hinted that a second wave of Surface slabs is in the works that will bring typical hardware upgrades. But given how poorly Microsoft's in-house hardware division has performed so far, we can't help but be reminded of what Acer CEO JT Wang said last August, when Redmond first began touting its Surface plans.

"It is not something you are good at," Wang said, "so please think twice."
http://www.theregister.co.uk/2013/07...ales_disaster/





Asus Pulling Back on Windows RT, Chairman Says
Ina Fried

Asus’s Jonney Shih has made some crazy bets over the years — teeny-tiny laptops, phones that turn into tablets, and even a seven-inch tablet that can be held to the ear to make phone calls.

But, so far, the only bet that Shih said hasn’t panned out was the company’s move to build products based on Windows RT, the slimmed-down version of Windows 8 that runs on ARM-based processors.

“The result is not very promising,” the Asus chairman told AllThingsD, noting both Microsoft’s well-publicized issues with the Surface RT as well as Asus’s own VivoTab RT.

While not completely ruling out future Windows RT products, Shih said that, when it comes to Windows, he is putting all of his time and energy into devices that use Intel chips.

People still use a lot of classic Windows apps, Shih said.

Microsoft made other mistakes too, he said, noting that one of the most popular apps for Windows 8 is a program to bring back the classic Start menu. (With Windows 8.1, Microsoft is itself bringing back the Start button to the Windows desktop.)

But Shih isn’t giving up on Windows products. The company recently introduced the Transformer Book Trio, which runs both Windows and Android, and the company is evaluating building smaller 10-inch and eight-inch Windows tablets.

“My personal opinion is the 10-inch may make more sense,” Shih said.
http://allthingsd.com/20130730/asus-...chairman-says/





Flash Breakthrough Promises Faster Storage, Terabytes of Memory
Stephen Lawson

In the ongoing quest for faster access to data, Diablo Technologies has taken what could be a significant next step.

Diablo’s Memory Channel Storage (MCS) architecture, expected to show up in servers shipping later this year, allows flash storage components to plug into the super-fast channel now used to connect CPUs with memory. That will slash data-access delays even more than current flash caching products that use the PCI Express bus, according to Kevin Wagner, Diablo’s vice president of marketing.

The speed gains could be dramatic, according to Diablo, helping to give applications such as databases, big data analytics and virtual desktops much faster access to the data they need most. Diablo estimates that MCS can reduce latencies by more than 85 percent compared with PCI Express SSDs (solid-state disks). Alternatively, the flash components could be used as memory, making it affordable to equip servers with terabytes of memory, Wagner said.

Other than on-chip cache, the memory channel is the fastest route to a CPU, Wagner said. Not only do bits fly faster over this link, there are also no bottlenecks under heavy use. The connection is designed to be used by many DIMMs (dual in-line memory modules) in parallel, so each component doesn’t have to relinquish the bus for another one to use it. That saves time, as well as CPU cycles that would otherwise be used managing the bus, Wagner said.

The parallel design of the memory bus also lets system makers scale up the amount of flash in a server without worrying about diminishing returns, he said. A second MCS flash card will truly double performance, where an added PCIe SSD could not, Wagner said.

Diablo, which has been selling memory controllers for about 10 years, has figured out a way to use the standard DDR-3 interface and protocols to connect flash instead of RAM to a server’s CPU. Flash is far less expensive than RAM, and also more compact. The MCS components, which come in 200GB and 400GB sizes, will fit into standard DIMM slots that typically accommodate just 32GB or so of memory. The only adaptation manufacturers will need to make is adding a few lines of code to the BIOS, Wagner said.

Enterprises are more likely to use MCS as high-capacity memory than as low-latency storage, said analyst Jim Handy of Objective Analysis.

“Having more RAM is something that a lot of people are going to get very excited about,” Handy said. His user surveys show most IT departments automatically get as much RAM as they can for their servers, because memory is where they can get the fastest access to data, Handy said.

“Basically, you’d like everything to be in the RAM,” Handy said. Virtualized data centers, where many servers need to share a large set of data, need a shared store of data. But in other applications, especially with databases and online transaction processing, storage is just a cheaper and more plentiful—but slower—alternative to memory. “Everything that’s on the storage is there just because it can’t fit on the RAM,” he said.

To implement the MCS architecture, Diablo developed software and a custom ASIC (application-specific integrated circuit), which it will sell to component vendors and makers of servers and storage platforms. Flash vendor Smart Storage Systems, which earlier this month agreed to be acquired by SanDisk, will be among the companies using the MCS technology, Wagner said. In addition, a tier-one server vendor is preparing about a dozen server models with the technology and will probably ship the first of them this year, Wagner said.

For the most part, Diablo doesn’t expect consumers or small enterprises to install MCS flash on their own computers. However, Diablo may work directly with enterprises that have very large data centers they want to accelerate, he said.

Using MCS flash to supplement DRAM would dramatically reduce the per-gigabyte cost of memory but also would allow for further consolidation of the servers in a data center, Wagner said. A large social networking company with 25,000 servers analyzed the MCS technology and said it would make it possible to do the same amount of work with just 5,000 servers.

That’s because the current DRAM-only servers can be equipped with just 144GB of memory, but MCS would allow each server to have 16GB of DRAM and 800GB of flash. With that much memory, each server can do more work so fewer are needed, Wagner said. Fewer servers would mean savings of space and energy, which would translate into lower costs, he said.
http://www.pcworld.com/article/20455...of-memory.html





Sony and Panasonic Sign Basic Agreement to Jointly Develop Standard for Professional-Use Next-Generation Optical Discs

Tokyo, Japan - July 29, 2013 - Sony Corporation (‘Sony’) and Panasonic Corporation (‘Panasonic’) today announced that they have signed a basic agreement with the objective of jointly developing a next-generation standard for professional-use optical discs, in order to expand their archive business for long-term digital data storage. Both companies aim to improve their development efficiency based on the technologies held by each respective company, and will target the development of an optical disc with a recording capacity of at least 300GB by the end of 2015. Going forward, Sony and Panasonic will continue to hold discussions regarding the specifications and other items relating to the development of this new standard.

Optical discs have excellent properties to protect them against the environment, such as dust-resistance and water-resistance, and can also withstand changes in temperature and humidity when stored. They also allow inter-generational compatibility between different formats, ensuring that data can continue to be read even as formats evolve. This makes them a robust medium for long-term storage of content. Both companies have previously developed products based on the Blu-ray™ format, leveraging the strengths of optical discs. However, both Sony and Panasonic recognized that optical discs will need to accommodate much larger volumes of storage in years to come given the expected future growth in the archive market, and responded by formulating this agreement.

Sony previously commercialized a file-based optical disc archive system in September, 2012. Based on optical disc technology that Sony cultivated for its XDCAM series of professional broadcasting products, this system houses twelve optical discs within a compact cartridge as a single, high-capacity storage solution. Each disc within the cartridge holds 25GB capacity, offering a total range of storage capacities from 300GB to 1.5TB.

In July this year, Panasonic launched its ‘LB-DM9 series’ of optical disc storage devices. This series uses a dedicated magazine of just 20.8mm thickness to house twelve 100GB optical discs. A maximum of 90 magazines can be stored, providing a total storage capacity of 180TB. In addition, Panasonic adopted a newly-developed changer system together with RAID technology to offer rapid data transfer performance of up to 216MB/s, while also ensuring high reliability by protecting data from unforeseen faults.

In recent years, there has been an increasing need for archive capabilities, not only from video production industries, such as motion pictures and broadcasting, but also from cloud data centers that handle increasingly large volumes of data following the evolution in network services. Both Sony and Panasonic have a proven track record in developing Blu-ray Disc™ format technologies, and by actively promoting the adoption of a new standard for next-generation high-capacity optical discs, they intend to offer solutions that preserve valuable data for future generations.
http://www.sony.net/SonyInfo/News/Pr...1307/13-0729E/





Backup Service IDrive Now Ships 1TB Hard Disks To Users Who Want To Back Up Large Amounts Of Data
Frederic Lardinois

Online backup service IDrive today announced a new service that allows its users to back up large amounts of data to the cloud. Instead of waiting around for days to upload what are often hundreds of gigabytes of data, IDrive now ships hard disks to its users so they can back up to a terabyte of data to the cloud. The users then ship the drive back to IDrive and the company enables the data on their account. After this, users can continue to use the company’s regular online backup service to send incremental updates to IDrive and, of course, restore their data from their cloud backup.

The service, called IDrive Express, is available for a one-time fee of $59.99. IDrive Pro users, whose paid accounts start at $99.50 per year for 100GB of backup storage, can use the service once per year for free.

The idea to use hard disks and FedEx or UPS to back up data is, of course, not new. Mozy, for example, also offers a similar service (though for the higher price of $275 for up to 1.8 terabytes), and both Google and Amazon allow developers to send in drives to enable large amounts of data in their respective clouds.

As IDrive’s CEO Raghu Kulkarni told me, the company originally thought that it would target this service at business users, but the team quickly realized that most personal users now also have very similar storage needs. Most of us, after all, store huge amounts of photos and videos on our local hard disks now.

The process to get started with IDrive Express is pretty straightforward. Users request a drive and it gets shipped to them. The drives include IDrive’s backup software, so starting the backup is just a matter of plugging the drive into your computer’s USB port (Mac and Windows are supported), waiting for it to finish and returning it to the company. IDrive will then upload it to your account in one of the four California data centers it has a presence in. All of the data is automatically encrypted during the backup process (in case the drive gets lost), and users can also use private key encryption to ensure that nobody at IDrive can see their data, either.

The whole process, Kulkarni says, should take less than a week. It’s worth noting that users do, of course, have to pay for the extra storage these backups need on IDrive’s servers. The service’s pricing plans start at $49.50 per year for personal use and $99.50 for business users who, in return, get support for multiple accounts and backups from Windows Server. IDrive, the company tells me, currently has about 2 million users, and about 250,000 of these are on a paid plan.
http://techcrunch.com/2013/07/30/bac...ounts-of-data/





Congress Watches as FCC Mulls Spectrum Giveaway
Gautham Nagesh

Baby monitors. Bluetooth headsets. Wi-Fi Internet access. E-Z Pass. These are just some of the common technologies used by consumers every day that run on free, public airwaves known as unlicensed spectrum.

Unlicensed spectrum is the interstate highway of the wireless world: Anyone can use it, provided they stay within their lane. Advocates say freeing up more unlicensed spectrum could spawn new technologies, such as super Wi-Fi networks capable of covering entire neighborhoods or even cities. But some lawmakers remain wary of giving away something so valuable for free, and Congress is watching closely as the Federal Communications Commission makes critical decisions about unlicensed spectrum as it prepares to hold a spectrum auction next year.

Any device that sends or receives signals to transmit sound, video or data uses spectrum, and most of the spectrum in the United States is designated for the use of a particular government agency or commercial industry under licenses allocated by the FCC, which aims to prevent the nation’s countless devices from interfering with each other.

Wireless carriers have proven ravenous in their demand for spectrum in recent years, as consumers’ mobile data consumption has skyrocketed, but the amount of spectrum available remains scarce. That has driven the value of the most-technically-useful spectrum into the billions of dollars and prompted wireless carriers to buy up whatever spectrum licenses they can find, subject to the FCC’s approval. The spectrum crunch has also created pressure on the government to free up more airwaves for commercial use.

To initiate next year’s spectrum auction, the FCC will solicit offers from TV broadcasters to either pull their stations off the air or have them repacked into another channel. The agency will then assemble the various chunks of newly released spectrum in the 600 megahertz block and auction them to wireless carriers, in hopes of maximizing revenue.

The high cost of spectrum has shut out all but the largest telecom and technology companies from being able to experiment in the wireless space. Realizing this, the FCC first acted in 1989 to allow for some unlicensed use in high-frequency airwaves known as “junk bands.” Any company is allowed to make new devices that operate wirelessly in this spectrum, so long as they don’t interfere with other devices making use of the band.

Gradually, the availability of unlicensed spectrum for experimentation produced a number of innovations, including baby monitors, garage door openers and wireless microphones. The FCC acted again in the ’90s, freeing up more spectrum for unlicensed use, which ultimately spawned commercial Wi-Fi technology. By 1999, the computing world had adopted standards for Wi-Fi, and the technology took off.

Today Wi-Fi has become a crucial part of most communications networks, including wired broadband and wireless providers, who offload a significant portion of their data traffic to wireless networks. The growth of Wi-Fi has attracted a new level of interest in unlicensed spectrum, starting with the unused spectrum between TV channels known as the “white spaces.”

In 2010, the FCC adopted an order allowing developers to create devices that use the white spaces, after establishing a set of databases meant to prevent interference. A host of companies, including Google and Microsoft, have shown significant interest in the area; the search giant is in the final stages of being approved as a database manager by the FCC.

But the amount of white spaces spectrum available for unlicensed use in the long term depends on the FCC, which is under political pressure from House Republicans to maximize the amount of spectrum for sale to wireless carriers.

Rep. Greg Walden, R-Ore., who chairs the Energy and Commerce Subcommittee on Communications and Technology, prefers licensing 600 MHz spectrum to wireless carriers for two reasons: the airwaves are better suited to covering long distances, and licensing maximizes the revenue raised from the auction, according to a committee aide. The aide noted, though, that Walden has expressed support for both licensed and unlicensed spectrum.

“The additional spectrum will help address the spectrum crunch commercial wireless providers face and will increase bandwidths and speeds for Wi-Fi users,” Walden said. “The subcommittee will continue its oversight of both the FCC and the [National Telecommunications and Information Administration] to ensure the benefits of this legislation inure to both licensed and unlicensed users.”

But Rep. Anna G. Eshoo of California, the subcommittee’s senior Democrat, notes that the unlicensed wireless sector is generating $50 billion to $100 billion per year for the U.S. economy.

“This kind of growth cannot be ignored,” Eshoo said. “The FCC should ensure that the 600 MHz band plan is structured so that spectrum for unlicensed innovation is available on a nationwide basis. This will produce great economic benefits and could yield untold technological discovery.”

Interestingly, Senate Commerce, Science and Transportation Chairman Jay Rockefeller, D-W.Va., also backs those wanting to maximize the amount of spectrum sold at auction. “I come down on the auction side,” he said in an interview. “We need the money for D Block,” the national public safety communications network that will be funded by auction proceeds.

The FCC’s band plan will lay out how much spectrum will be up for auction, depending on how much is relinquished by the TV broadcasters, and may include some of the white space spectrum that is currently unlicensed.

“Repacking, or the reassignment of channels to broadcast television stations that remain on air after the incentive auction, is required to free up contiguous blocks of spectrum for mobile broadband use,” an FCC spokesman said. “As directed by Congress, the FCC will ensure this process makes all reasonable efforts to preserve the coverage area and population served of each broadcast television licensee.”

Experts believe that plenty of white spaces and unlicensed spectrum will be available in rural areas where it can be used for broadband. But the large urban markets are another story, with crowded spectrum conditions and few unused channels.

A Democratic aide underscored the necessity of setting aside blocks of spectrum for unlicensed use on a nationwide basis by arguing that manufacturers are unlikely to take much interest in developing new devices that don’t work in New York or Los Angeles.

The pressure for the FCC to auction as much spectrum as possible means device makers and others looking to tap unlicensed spectrum in the 600 MHz band may instead be limited to the use of “guard bands,” as outlined in the 2012 payroll tax cut extension (PL 112-96) that authorized the auction. Guard bands are small chunks of spectrum reserved between larger blocks in order to prevent adjacent networks from interfering with each other.

As Walden noted at a recent hearing, that law authorizes the FCC to create guard bands as technically needed. The commission is authorized by the statute to permit some unlicensed uses in the guard bands, provided they don’t cause interference with the licensed users in adjacent spectrum.

Several industry experts emphasized that an important issue in the debate is which guard bands are ideal for unlicensed use, including what size bands are optimal for wireless equipment manufacturers.

But the FCC is weighing a wide range of band plans and hasn’t tipped its hand on the size or nature of its final proposal. Whether those guard bands would be enough to deliver on the promise of super Wi-Fi remains anyone’s guess.
http://www.rollcall.com/news/congres...-226795-1.html





Now That It’s in the Broadband Game, Google Flip-Flops on Network Neutrality
Ryan Singel

In a dramatic about-face on a key internet issue yesterday, Google told the FCC that the network neutrality rules Google once championed don’t give citizens the right to run servers on their home broadband connections, and that the Google Fiber network is perfectly within its rights to prohibit customers from attaching the legal devices of their choice to its network.

At issue is Google Fiber’s Terms of Service, which contains a broad prohibition against customers attaching “servers” to its ultrafast 1 Gbps network in Kansas City.

Google wants to ban the use of servers because it plans to offer a business class offering in the future. A potential customer, Douglas McClendon, filed a complaint against the policy in 2012 with the FCC, which eventually ordered Google to explain its reasoning by July 29.

In its response, Google defended its sweeping ban by citing the very ISPs it opposed through the years-long fight for rules that require broadband providers to treat all packets equally.

“Google Fiber’s server policy is consistent with policies of many major providers in the industry,” Google Fiber lawyer Darah Smith Franklin wrote, going on to quote AT&T, Comcast and Verizon’s anti-server policies.

Google’s version, as it admits in its response to McClendon, flatly prohibits subscribers from using “any type of server:”

Your Google Fiber account is for your use and the reasonable use of your guests. Unless you have a written agreement with Google Fiber permitting you do so, you should not host any type of server using your Google Fiber connection, use your Google Fiber account to provide a large number of people with Internet access, or use your Google Fiber account to provide commercial services to third parties (including, but not limited to, selling Internet access to third parties).

The problem is that a server, by definition, doesn’t have to be a dedicated expensive computer. Any PC or Mac can be a server, as can all sorts of computing devices.

Moreover, the net neutrality rules (.pdf) regarding devices are plain and simple: “Fixed broadband providers may not block lawful content, applications, services, or non-harmful devices.”

But Google’s legally binding Terms of Service outlaw Google Fiber customers from running their own mail server, using a remotely accessible media server, SSHing into a home computer from work to retrieve files, running a Minecraft server for friends to share, using a Nest thermometer, using a nanny camera to watch over a childcare provider or using a Raspberry Pi to host a WordPress blog.

None of those devices would do any harm to any broadband network, let alone a Google Fiber connection with a 1Gbps capacity equally split between uploading and downloading.

The server ban also prohibits you from attaching your personal computer to Google Fiber if you are using peer-to-peer software, because that works by having your computer be both a client and a server.

The Free Network Foundation is working on a “Freedom Box”—an open-source appliance you plug into your router that gives you ways to surf the net safely and anonymously; to help dissidents publish to the world; and to create open, distributed alternatives to Twitter and Facebook.

That too, by definition, is a server and thus banned by Google Fiber.

Google says its rule is “fully consistent with the Open Internet Order and Rules,” citing the provisions that allow for reasonable network management. (These provisions regulate what ISPs can do when congestion happens, and are not intended to provide an excuse to ban things that might cause congestion or threaten a business model.)

But in the Google Fiber forums, employees assure subscribers the rules aren’t meant to apply to Minecraft servers. And, in reality, Google Fiber probably won’t notice, let alone kick you off, for using a Slingbox or peer-to-peer software.

Call it net neutrality by the grace of cool Google employees.

But that’s not the vision of net neutrality that Google laid out in that friend of the court brief (.pdf) it signed onto in November, when it argued that the FCC’s aggressive net neutrality policing made it possible for Sling to succeed:

Sling, a company under joint control with DISH, has also witnessed the close link between non-discriminatory online access and infrastructure investment.

Sling is a combination of software and equipment that connects a user’s home set-top box, DVR, or DVD player to the Internet, allowing the viewing of live and recorded television from anywhere in the world—essentially ‘place shifting’ the home television experience to wherever the user is.

Sling was able to overcome initial resistance by Apple and AT&T for inclusion in the iPad platform (Order, 25 FCC Rcd. at 17925 35 n.107), and has been available on the iPad since 2009. Overcoming this initial barrier has promoted infrastructure investment in two ways.

First, the demand for the Sling equipment has risen many times over, partly due to the product’s availability on the iPad platform. Second, the consumption of content through Sling has increased commensurately, driving further demand for access and inviting greater infrastructure investment.


That’s D.C. tech-policy speak for: After the FCC strong-armed Apple into allowing iPhone users to connect to their Slingboxes, the public benefited with increased infrastructure investment by mobile providers and ISPs got more business.

Unfortunately for Google Fiber’s current stance, a Slingbox is a server. A home server.

So in Google’s version of net neutrality, the FCC was right to force Apple to let iPhone users connect to their home servers, but the FCC has no right to force Google to let its broadband subscribers run a home server.

In November, Google said it was important for innovation that “the main broadband gatekeepers will not act unilaterally to constrain artificially the availability of new ‘edge-based’ content and services.”

Nothing is more edge-based than a citizen running a server on their own connection.

But, it turns out that Google’s real net neutrality policy is that big corporate services like YouTube and Facebook shouldn’t get throttled or banned by evil ISPs like Verizon, but it’s perfectly fine for Google to control what devices citizens can use in their homes.

We, it seems, are supposed to be good consumers of cloud services, not hosting our own Freedom Boxes, media servers, small-scale commercial services or e-mail servers.

That’s not what the net neutrality fight was about.

The fight was intended to make broadband services act like utilities that don’t care what a packet contains or what router, computer, phone or device you use, so long as you aren’t hurting the network.

In the net neutrality vision of the world, broadband providers simply deliver packets as they are paid to do.

When it was just a set of online services, Google happened to fall on the side of citizens and used to advocate against broadband companies controlling the pipes. Now that it’s an ISP itself, Google is becoming a net neutrality hypocrite.

The FCC has avoided addressing this issue, and in this case, simply forwarded to Google an “informal complaint.”

But now that Google’s shown what it really thinks of net neutrality, the door is open for the FCC to show that it’s serious enough about the principle to take on its former corporate ally.
http://www.wired.com/threatlevel/201...le-neutrality/





Report: TSA Employee Misconduct Up 26% in 3 years
Michael Pearson, Ed Payne, Rene Marsh

Let's get this out of the way straight off: The Transportation Security Administration is probably not going to top anyone's list of Favorite Federal Government Agencies.

And the stories of its failures spread faster than a speeding jetliner: TSA officers stealing money from luggage, taking bribes from drug dealers, sleeping on the job.

So it shouldn't come as any surprise that a new Government Accountability Office report, citing a 26% increase in misconduct among TSA employees between 2010 and 2012, is striking a nerve with some travelers who've had to endure the shoeless, beltless shuffle on the trip through security.

"Whenever you get an organization that has to be there, sometimes it just starts to take on a weight of its own," traveler Chris Simon said Wednesday at San Francisco International Airport. "So maybe it's just not being managed."

"This makes me never want to check my bag," Twitter user KathrynPowers1 posted Wednesday in response to the news.

"That's disgusting," tweeted user RidockKing.

Among the report's findings:

-- Misconduct cases involving TSA employees -- everything from being late to skipping crucial security protocols -- rose from 2,691 a year in 2010 to 3,408 in 2012.

-- About a third of the cases involved being late or not reporting for work, the largest single category of offenses.

-- 10% of offenses involved inappropriate comments or abusive behavior.

-- About a quarter involved screening and security failures -- including sleeping on the job -- or neglect of duty offenses that resulted in losses or careless inspections.

Examples of violations

The report details one case of a TSA agent suspended for seven days after trying to carry a relative's bag past security without screening. A supervisor interceded and the bag was found to contain "numerous prohibited items," according to the GAO report. It didn't say what the items were.

In another case, a TSA agent was suspended for 30 days after a closed-circuit camera caught the officer failing to individually examine X-ray images of passenger items, as required by agency policy.

Among the 9,622 offenses cataloged in the report, the GAO also found 384 ethics and integrity violations, 155 "appearance and hygiene" complaints and 56 cases of theft.

While not specifically mentioned in the report, notable cases of theft by TSA agents include a 2012 case in which two former employees pleaded guilty to stealing $40,000 from a checked bag at New York's John F. Kennedy Airport, and a 2011 guilty plea from an officer who admitted stealing between $10,000 and $30,000 from travelers at Newark Liberty International Airport in New Jersey.

The officer in the 2011 case, Al Raimi, admitted he would "kick up" some of that money to a supervisor, who in turn allowed him to keep stealing. The supervisor, Michael Arato, also pleaded guilty to accepting kickbacks and bribes.

Taking it seriously

Overall, 47% of the offenses detailed in the report resulted in a letter of reprimand, at least 17% cost the employees their jobs and 31% ended with a suspension.

"If they're stealing, they're doing drugs or breaching the security system intentionally and I can prove it, they're out," TSA Deputy Administrator John W. Halinski told a joint hearing of two House Homeland Security subcommittees on Wednesday.

But he said, even the letters of reprimand handed out in nearly half of the cases are serious punishment.

Such letters can block employees from receiving a bonus or promotion, and stay with them their entire career, he told Rep. Richard Hudson, R-North Carolina, chair of the Transportation Security subcommittee.

"It's a serious thing, sir," Halinski said. He also defended his agency's 56,000-employee workforce as overwhelmingly upright.

But Rep. John Mica, a Florida Republican and longtime critic of the TSA who requested the audit, is skeptical. He told CNN that the report shows the TSA is not doing enough to respond to and prevent misconduct.

"There's not even a way to properly report some of the offenses, so this may be just the tip of the iceberg of some of the offenses," he said.

Some other lawmakers stood by the agency Wednesday, saying the offenses represent a small percentage of TSA's 56,000 employees.

"Transportation security officers have an undeniably hard job and the overwhelming majority of them conduct themselves honorably and in accordance with TSA protocols," Rep. Cedric Richardson, D-Louisiana, said during Wednesday's hearing.

Frost and Sullivan airport security analyst John Hernandez said the report isn't particularly surprising. The TSA has been plagued by uneven training for years, he said, resulting in a work force that isn't always properly educated about how to do their jobs.

"I think John Q. Traveler should not so much be concerned, but take an active role in security," he said. "As they are willing to point out things we do wrong, we should be ready to report on the failure in their security operations, as well."

The government report calls on the TSA to improve how the agency monitors and follows up on allegations of misconduct. The agency has accepted the recommendations, Halinski said.
http://www.cnn.com/2013/07/31/travel...uct/index.html





Mail from the (Velvet) Cybercrime Underground
Brian Krebs

Over the past six months, “fans” of this Web site and its author have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares.

But the most recent attempt to embarrass and fluster this author easily takes the cake as the most elaborate: Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police. Thankfully, I had already established a presence on his forum and was able to monitor the scam in real time and alert my local police well in advance of the delivery.

This would-be smear campaign was the brainchild of a fraudster known variously online as “Fly,” “Flycracker,” and MUXACC1 (muxa is transliterated Russian for “муха” which means “fly”). Fly is the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

On July 14, Flycracker posted a new forum discussion thread titled, “Krebs Fund,” in which he laid out his plan: He’d created a bitcoin wallet for the exclusive purpose of accepting donations from other members. The goal: purchase heroin in my name and address from a seller on the Silk Road, an online black market that is only reachable via the Tor network. In the screenshot pictured above, Flycracker says to fellow members:

“Guys, it became known recently that Brian Krebs is a heroin addict and he desperately needs the smack, so we have started the “Helping Brian Fund”, and shortly we will create a bitcoin wallet called “Drugs for Krebs” which we will use to buy him the purest heroin on the Silk Road. My friends, his withdrawal is very bad, let’s join forces to help the guy! We will save Brian from the acute heroin withdrawal and the world will get slightly better!”

Together, forum members raised more than 2 bitcoins – currently equivalent to about USD $200. At first, Fly tried to purchase a gram of heroin from a Silk Road vendor named 10toes, an anonymous seller who had excellent and plentiful feedback from previous buyers as a purveyor of reliably good heroin appropriate for snorting or burning and inhaling (see screenshot below).

For some reason, that transaction with 10toes fell through, and Flycracker turned to another Silk Road vendor — Maestro — from whom he purchased a dozen baggies of heroin of “HIGH and consistent quality,” to be delivered to my home in Northern Virginia earlier today. The purchase was made using a new Silk Road account named “briankrebs7,” and cost 1.6532 bitcoins (~USD $165).

Flycracker ultimately bought 10 small bags of smack from Silk Road seller “Maestro.” The seller threw in two extra bags for free (turns out he actually threw in three extra bags).

In the screen shot below, Fly details the rest of his plan:

“12 sacks of heroin [the seller gives 2 free sacks for a 10-sacks order] are on the road, can anyone make a call [to the police] from neighbors, with a record? Seller said the package will be delivered after 3 days, on Tuesday. If anyone calls then please say that drugs are hidden well.”

Last week, I alerted the FBI about this scheme, and contacted a Fairfax County Police officer who came out and took an official report about it. The cop who took the report just shook his head incredulously, and kept saying he was trying to unplug himself from various accounts online with the ultimate goal of being “off the Internet and Google” by the time he retired. Before he left, the officer said he would make a notation on my report so that any officer dispatched to respond to complaints about drugs being delivered via mail to my home would be prompted to review my report.

FOLLOWING THE MONEY

I never doubted Flycracker’s resolve for a minute, but I still wanted to verify his claims about having made the purchase. On that front I received assistance from Sara Meiklejohn, a graduate student at the University of California, San Diego who’s been analyzing the role of bitcoin and anonymity on the Silk Road. Meiklejohn confirmed that the bitcoin wallet linked to in Fly’s forum thread was indeed used to deposit two bitcoins into a purse controlled by anonymous individuals who help manage commerce on the Silk Road.

Meiklejohn and fellow researcher Damon McCoy, an assistant professor of computer science at George Mason University, have been mapping out a network of bitcoin wallets that are used exclusively by the curators of the Silk Road. If you wish to transact with merchants on the Silk Road, you need to fund your account with bitcoins. The act of adding credits appears to be handled by a small number of bitcoin purses.

“All Silk Road purchases are handled internally by Silk Road, which means money trades hands from the Silk Road account of the buyer to the Silk Road account of the seller,” explained Meiklejohn, author of the paper, A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, to be released in October 2013 at the ACM Internet Measurement Conference in Barcelona, Spain.

“These accounts aren’t visible on the bitcoin network though, so the only thing we can even hope to see by looking at the public transactions is when money goes into and comes out of the set of addresses that represent the collective account balances of all silk road users,” Meiklejohn wrote in an email to KrebsOnSecurity. “By manually tagging a handful of silk road addresses (via direct interaction) and then bootstrapping using the heuristic I described to label many more (around 250,000 in total), we are able to achieve this second goal by identifying addresses in the network that are ‘owned’ by silk road.”

In short, we can see that Flycracker’s Krebs Fund wallet was used to deposit 2 bitcoins into a bitcoin wallet controlled by those who maintain the Silk Road marketplace, but we can’t say for certain whether he used that credit to make a purchase.

THE DELIVERY

A thin package containing what appears to be packets of some white powder was delivered to my doorstep Monday, a day earlier than Flycracker had told his buddies that it would arrive. The package was hand-delivered by our local postal carrier, sent in a thin USPS Express Mail envelope that was postmarked from Chicago. Inside was another blank envelope containing a May 2013 copy of Chicago Confidential, a weekly glossy magazine from the Chicago Tribune.

On the back of the magazine, taped to a full-page ad for jewelry from LesterLampert, were a baker’s dozen individually wrapped packets emblazoned with the same black and gold skull motif that was on Maestro’s Silk Road ad. I guess the seller in this case was worried that 12 packets didn’t quite meet the 1 gram measurement for which Flycracker and his goons paid, so he threw in an extra one for good measure.

I wasn’t planning even to touch the individual packages, but curiosity got the best of me. Before calling the cop who took my initial report and letting him know that he could come and retrieve the parcel, I had a look inside one of the packets. But not before donning a particulate face mask and a pair of disposable gloves. Hey, I watch Breaking Bad: Safety first!

Without actually having the substance tested at a lab, I can’t say for certain whether this is talcum powder or the real thing. The cop that came to collect the package said he had a drug field test kit in his squad car but then discovered he was out of the heroin tests (I’m not sure what that says about the heroin problem in Northern Virginia, but I digress). Frankly, I’m willing to give the seller the benefit of the doubt, given that Maestro currently has glowing feedback from almost 100 other buyers on Silk Road. Nevertheless, if I receive any testing results from the local police, I’ll update this blog post.

Just who is this Flycracker mischief maker? That will have to wait for another post. Stay tuned.
http://krebsonsecurity.com/2013/07/m...e-underground/





Black Hat: Ad Networks Lay Path to Million-Strong Browser Botnet

Researchers say lax ad networks and a broken web infrastructure set the stage for massive, browser based botnets.
Paul F Roberts

Long ago, we surrendered our privacy to the web. Most of us take for granted that our interactions with web pages are tracked in browser based cookies, and the data siphoned off to “Big Data” analysis engines in the cloud. This kind of stuff is so ubiquitous that we filter it out - until it's staring us right in the face. As an example, I searched Amazon.com for a pair of Speedo swim goggles four weeks ago. Now I can’t go anywhere without images of buff guys in bikini swim trunks looking back at me. But, hey, that’s the price for living (and shopping) online.

But research presented at this week’s Black Hat Briefings in Las Vegas suggests that, in addition to our privacy, we may have also surrendered the security to the web, as well. Powerful ad networks, coupled with structural flaws in the web make possible a panoply of dangerous attacks, including browser based botnets and distributed password cracking via infected browser sessions.

Web- and browser-based attacks are nothing new. In recent years, sophisticated attackers have frequently compromised large, reputable sites, then infected them with malware that is pushed to those who visit the sites. But researchers Jeremiah Grossman, the CTO of WhiteHat Security, and Matt Johansen, the Manager of Threat Research at WhiteHat, say that their research shows how enterprising criminals, with a small investment of cash, could leverage default web browser behaviors and known attack types to build large, ephemeral networks of browser “bots” that could be marshaled for distributed denial of service (DDoS) attacks, password cracking expeditions, the distribution of malware and spam or other ends.

“Basically, when a web browser goes to a page, that page can force the browser to do whatever it wants – make web connections, download illegal files, attack other Internet sites, make illegal searchers – whatever,” Grossman told me in an interview last week.

The difficulty (from the malicious actor’s standpoint) has always been getting unwitting web surfers to come to a site you control. Blacklists make it hard to block malicious web sites. And legitimate sites that draw significant traffic aren’t likely to stay compromised for long enough to be much use. Grossman and Johansen discovered a third way, however: web advertising networks. The two discovered that even reputable ad networks do a poor job of vetting the JavaScript that is bundled with ad images. “As long as it looks pretty, they have no problem with it,” Johansen said. “The folks we were dealing with (at the ad networks) didn’t really have the JavaScript reading skills to know the difference anyway.”

Using a banner ad and a simple, but non-malicious script designed to ping a server they controlled, the two measured the potential reach of an attack that spread over an ad network. The results suggest that massive, browser-based botnets can be had on the cheap. For an up-front investment of just $.50, they were able to get 1,000 unique hosts to ping their test server. Based on that, the two concluded that access to a million-strong browser botnet would cost just $500.

Unlike traditional botnets, which require attackers to install software on the endpoint, the browser-based infections are ephemeral: running while the ad is displayed, but disappearing, without a trace on the endpoint, once the malicious ad rotates out. Grossman and Johansen admit: browser based botnets are more limited in their capabilities than traditional botnet software.

The denial of service attacks they tested were connection-based, not traffic-based, and were designed to exhaust the target server’s ability to manage simultaneous open sessions. And for more complex attacks, such as data theft, more complex code would be required to make the malicious script persist on the browser or to access local storage on the infected host. That, in turn, could arouse the suspicion of the ad network monitors.

Still, the two tested proof-of-concept ads that could be used for DDoS attacks on web applications, distributed brute-force cracking of encrypted password “hashes,” and cross domain brute force attacks on passwords.

Grossman said that there’s no easy fix for ad network based attacks because “the web is meant to be used this way.” “The model is broken,” Grossman said. “And there’s no interested party that will fix these issues.” Online advertisers are focused on the bottom line. To the extent they’re concerned about the content of their ads, it’s to ensure that they are backward compatible with older browser and operating system configurations, Grossman said.
http://www.itworld.com/security/3668...browser-botnet





Software Experts Attack Cars, to Release Code as Hackers Meet
Jim Finkle

Car hacking is not a new field, but its secrets have long been closely guarded. That is about to change, thanks to two well-known computer software hackers who got bored finding bugs in software from Microsoft and Apple.

Charlie Miller and Chris Valasek say they will publish detailed blueprints of techniques for attacking critical systems in the Toyota Prius and Ford Escape in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government.

The two "white hats" - hackers who try to uncover software vulnerabilities before criminals can exploit them - will also release the software they built for hacking the cars at the Def Con hacking convention in Las Vegas this week.

They said they devised ways to force a Toyota Prius to brake suddenly at 80 miles an hour, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at very slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.

"Imagine what would happen if you were near a crowd," said Valasek, director of security intelligence at consulting firm IOActive, known for finding bugs in Microsoft Corp's Windows software.

But it is not as scary as it may sound at first blush.

They were sitting inside the cars using laptops connected directly to the vehicles' computer networks when they did their work. So they will not be providing information on how to hack remotely into a car network, which is what would typically be needed to launch a real-world attack.

The two say they hope the data they publish will encourage other white-hat hackers to uncover more security flaws in autos so they can be fixed.

"I trust the eyes of 100 security researchers more than the eyes that are in Ford and Toyota," said Miller, a Twitter security engineer known for his research on hacking Apple Inc's App Store.

Toyota Motor Corp spokesman John Hanson said the company was reviewing the work. He said the carmaker had invested heavily in electronic security, but that bugs remained - as they do in cars of other manufacturers.

"It's entirely possible to do," Hanson said, referring to the newly exposed hacks. "Absolutely we take it seriously."

Ford Motor Co spokesman Craig Daitch said the company takes seriously the electronic security of its vehicles. He said the fact that Miller's and Valasek's hacking methods required them to be inside the vehicle they were trying to manipulate mitigated the risk.

"This particular attack was not performed remotely over the air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers and any mass level," Daitch said.

'TIME TO SHORE UP DEFENSES'

Miller and Valasek said they did not research remote attacks because that had already been done.

A group of academics described ways to infect cars using Bluetooth systems and wireless networks in 2011. But unlike Miller and Valasek, the academics have kept the details of their work a closely guarded secret, refusing even to identify the make of the car they hacked.

Their work got the attention of the U.S. government. The National Highway Traffic Safety Administration has begun an auto cybersecurity research program.

"While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities," the agency said in a statement. It said it knew of no consumer incident where a vehicle was hacked.

Still, some experts believe malicious hackers may already have the ability to launch attacks.

"It's time to shore up the defenses," said Tiffany Strauchs Rad, a researcher with Kaspersky Lab, who previously worked for an auto security research center.

A group of European computer scientists had been scheduled to present research on hacking the locks of luxury vehicles, including Porsches, Audis, Bentleys and Lamborghinis, at a conference in Washington in mid-August.

But Volkswagen AG obtained a restraining order from a British high court prohibiting discussion of the research by Flavio D. Garcia of the University of Birmingham, and Roel Verdult and Baris Ege of Radboud University Nijmegen in the Netherlands.

A spokeswoman for the three scientists said they would pull out of the prestigious Usenix conference because of the restraining order. Both universities said they would hold off on publishing the paper, pending the resolution of litigation.

Volkswagen declined to comment.

(Reporting by Jim Finkle in Boston; Additional reporting by Joseph Lichterman in Detroit and Christine Murray in London; Editing by Tiffany Wu and Peter Cooney)
http://www.reuters.com/article/2013/...96R06120130728





Chinese Hacking Team Caught Taking Over Decoy Water Plant

A hacking group accused of being operated by the Chinese army now seems to be going after industrial control systems.
By Tom Simonite

Although security vulnerabilities in industrial systems have been well documented, evidence that people are actively trying to exploit them has been scarce.

A Chinese hacking group accused this February of being tied to the Chinese army was caught last December infiltrating a decoy water control system for a U.S. municipality, a researcher revealed on Wednesday.

The group, known as APT1, was caught by a research project that provides the most significant proof yet that people are actively trying to exploit the vulnerabilities in industrial control systems. Many of these systems are connected to the Internet to allow remote access (see “Hacking Industrial Systems Turns Out to Be Easy”). APT1, also known as Comment Crew, was lured by a dummy control system set up by Kyle Wilhoit, a researcher with security company Trend Micro, who gave a talk on his findings at the Black Hat conference in Las Vegas.

The attack began in December 2012, says Wilhoit, when a Word document hiding malicious software was used to gain full access to his U.S.-based decoy system, or “honeypot.” The malware used, and other characteristics, were unique to APT1, which security company Mandiant has claimed operates as part of China’s army (see “Exposé of Chinese Data Thieves Reveals Sloppy Tactics”).

“You would think that Comment Crew wouldn’t come after a local water authority,” Wilhoit told MIT Technology Review, but the group clearly didn’t attack the honeypot by accident while seeking another target. “I actually watched the attacker interface with the machine,” says Wilhoit. “It was 100 percent clear they knew what they were doing.”

Wilhoit went on to show evidence that other hacking groups besides APT1 intentionally seek out and compromise water plant systems. Between March and June this year, 12 honeypots deployed across eight different countries attracted 74 intentional attacks, 10 of which were sophisticated enough to wrest complete control of the dummy control system.

Cloud software was used to create realistic Web-based login and configuration screens for local water plants seemingly based in Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S. If a person got beyond the initial access screens, they found control panels and systems for controlling the hardware of water plant systems.

None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too-easily compromised workings of industrial control systems. Four of the attacks displayed a high level of knowledge about industrial systems, using techniques to meddle with a specific communication protocol used to control industrial hardware.

Wilhoit used a tool called the Browser Exploitation Framework, or BeEF, to gain access to his attackers’ systems and get precise data on their location. He was able to access data from their Wi-Fi cards to triangulate their location.

The 74 attacks on the honeypots came from 16 different countries. Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S. About half the critical attacks originated in China, and the rest came from Germany, U.K., France, Palestine, and Japan.

The results lead Wilhoit to conclude that water plants, and likely other facilities, around the world are being successfully compromised and taken control of by outside attackers, even if no major attack has been staged. “These attacks are happening and the engineers likely don’t know,” he told MIT Technology Review.

Wilhoit previously published the first research that proved some people were actively trawling the Internet with the intention of compromising industrial control systems (see “Honeypots Lure Industrial Hackers Into the Open”). He now plans to put honeypots inside real industrial facilities to attempt to capture details of targeted attacks.

Joe Weiss, managing partner at Applied Control Solutions and an expert in industrial control system security, told MIT Technology Review that he hoped Wilhoit’s findings can convince industrial control system owners and operators to take the threat of attacks more seriously. “The community needs to know there are people explicitly targeting these systems,” said Weiss. “I hope people can understand how valid and real it is, what he’s finding.”
http://www.technologyreview.com/news...y-water-plant/





A Cheap Spying Tool With a High Creepy Factor
Somini Sengupta

Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?

Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones.

Each box cost $57. He produced 10 of them, and then he turned them on – to spy on himself. He could pick up the Web sites he browsed when he connected to a public Wi-Fi – say at a cafe – and he scooped up the unique identifier connected to his phone and iPad. Gobs of information traveled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.

Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.” His iPhone pinged the iMessage server to check for new messages. When he logged on to an unsecured Wi-Fi, it revealed what operating system he was using on what kind of device, and whether he was using Dropbox or went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.

“Actually it’s not hard,” he concluded. “It’s terrifyingly easy.”

Also creepy – which is why he called his contraption “creepyDOL.”

“It could be used for anything depending on how creepy you want to be,” he said.

You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them – and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed.

Mr. O’Connor says he did none of that – and for a reason. In addition to being a security researcher and founder of a consulting firm called Malice Afterthought, he is also a law student at the University of Wisconsin at Madison. He says he stuck to snooping on himself – and did not, deliberately, seek to scoop up anyone else’s data – because of a federal law called the Computer Fraud and Abuse Act.

Some of his fellow security researchers have been prosecuted under that law. One of them, Andrew Auernheimer, whose hacker alias is Weev, was sentenced to 41 months in prison for exploiting a security hole in the computer system of AT&T, which made e-mail addresses accessible for over 100,000 iPad owners; Mr. Auernheimer is appealing the case.

“I haven’t done a full deployment of this because the United States government has made a practice of prosecuting security researchers,” he contends. “Everyone is terrified.”

He is presenting his findings at two security conferences in Las Vegas this week, including at a session for young people. It is a window into how cheap and easy it is to erect a surveillance apparatus.

“It eliminates the idea of ‘blending into a crowd,’” is how he put it. “If you have a wireless device (phone, iPad, etc.), even if you’re not connected to a network, CreepyDOL will see you, track your movements, and report home.”

Can individual consumers guard against such a prospect? Not really, he concluded. Applications leak more information than they should. And those who care about security and use things like VPN have to connect to their tunneling software after connecting to a Wi-Fi hub, meaning that at least for a few seconds, their Web traffic is known to anyone who cares to know, and VPN does nothing to mask your device identifier.

In addition, every Wi-Fi network that your cellphone has connected to in the past is also stored in the device, meaning that as you wander by every other network, you share details of the Wi-Fi networks you’ve connected to in the past. “These are fundamental design flaws in the way pretty much everything works,” he said.
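The two leaks described above (a device announcing itself before it joins any network, and announcing the networks it already knows) both ride on 802.11 probe requests, which a client radio sends unencrypted and which carry its hardware MAC address in the frame header. The following is an added example, not CreepyDOL's code nor anything from Mr. O'Connor: it builds a handful of constructed probe-request frames (no real capture, no monitor-mode radio), parses the management header and information elements, and aggregates them into a per-device profile the way a passive sensor would. The MAC addresses, SSIDs and the beacon frame are all made up for the demonstration; the frame layout follows the IEEE 802.11 management-frame format.

```python
import struct
from collections import defaultdict

# IEEE 802.11 frame-control values and element IDs used below.
MGMT_TYPE = 0
PROBE_REQUEST = 4
BEACON = 8
SSID_ELEMENT_ID = 0
SUPPORTED_RATES_ELEMENT_ID = 1
MGMT_HEADER_LEN = 24  # FC(2) + duration(2) + addr1/2/3 (18) + sequence control(2)
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request as a client radio would send it.
    An empty ssid is a wildcard probe ("anyone there?"); a non-empty one is a
    directed probe for a network the device has joined before."""
    fc = struct.pack("<BBH", (PROBE_REQUEST << 4) | (MGMT_TYPE << 2), 0x00, 0)
    src = bytes.fromhex(src_mac.replace(":", ""))
    header = fc + BROADCAST + src + BROADCAST + struct.pack("<H", 0)
    ssid_bytes = ssid.encode("utf-8")
    elements = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    elements += bytes([SUPPORTED_RATES_ELEMENT_ID, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + elements


def parse_probe_request(frame: bytes):
    """Return (source MAC, probed SSID) for a probe request, or None for any
    other or truncated frame. The MAC sits in the cleartext header, which is
    why a VPN (layer 3 and above) cannot hide it."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE or (fc0 >> 4) & 0xF != PROBE_REQUEST:
        return None
    src_mac = mac_to_str(frame[10:16])  # addr2 = transmitter address
    ssid = None
    offset = MGMT_HEADER_LEN
    # Walk the (ID, length, value) information elements until the SSID element.
    while offset + 2 <= len(frame):
        elem_id, elem_len = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + elem_len]
        if len(value) < elem_len:
            return None  # truncated element: do not trust a partial frame
        if elem_id == SSID_ELEMENT_ID:
            ssid = value.decode("utf-8", errors="replace")
            break
        offset += 2 + elem_len
    return src_mac, ssid


def profile_devices(frames):
    """Aggregate probe requests into {MAC: set of previously joined SSIDs}.
    A wildcard probe proves presence but reveals no history, so the MAC is
    recorded with an empty set."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        bucket = seen[mac]  # record presence even for wildcard probes
        if ssid:
            bucket.add(ssid)
    return dict(seen)


# Constructed sample "capture" (not real traffic): three devices and one AP beacon.
SAMPLE_FRAMES = [
    build_probe_request("02:00:00:00:00:01", "HomeNet"),
    build_probe_request("02:00:00:00:00:01", "CoffeeShop"),
    build_probe_request("02:00:00:00:00:01", ""),            # wildcard probe
    build_probe_request("02:00:00:00:00:02", "AirportFree"),
    build_probe_request("02:00:00:00:00:02", "HomeNet"),     # shares a network with device 1
    build_probe_request("02:00:00:00:00:03", ""),            # presence only, no history
    struct.pack("<BBH", BEACON << 4, 0, 0) + BROADCAST
    + bytes.fromhex("0a0b0c0d0e0f") * 2 + struct.pack("<H", 0) + bytes(12),  # beacon, ignored
]

if __name__ == "__main__":
    for mac, ssids in sorted(profile_devices(SAMPLE_FRAMES).items()):
        print(mac, sorted(ssids))
```

Nothing here needs the device to be associated with any network, which is the point of the article: the radio talks before the user does anything. A real deployment would feed frames from a monitor-mode interface or a pcap instead of `SAMPLE_FRAMES`, and a defender auditing a device would look for exactly these directed probes leaving it.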
http://bits.blogs.nytimes.com/2013/0...creepy-factor/





The MIT Report on #aaronsw
Lawrence Lessig

The MIT report (PDF) on the Aaron Swartz case is out. I am going to take some time to study it and understand it more fully. I’m away with my family and won’t be commenting on the report now, beyond the following:

The report says that MIT never told the prosecutor that Aaron’s access was “unauthorized.” They indicated that his machine was not supposed to be plugged into the ethernet jack it was plugged into, but there is no law against abusing an ethernet jack. The law regulates authorized access to a network. The whole predicate to the government’s case was that Aaron’s access to the network was “unauthorized,” yet apparently in the many, many months during which the government was prosecuting, they were too busy to determine whether indeed access to the network was “authorized.”

Here’s the section from the report (§11b):

The superseding indictment abandoned the theory of “exceeding authorized access,” and counts 9 and 12 (applicable to MIT) relied instead on “unauthorized access.” The allegations in the indictment focus on numerous means whereby Aaron Swartz obtained access to the computer through unauthorized means, such as repeatedly taking steps to change his computer’s apparent identities and to conceal his computer’s real identity. Clearly, these are means whereby Aaron Swartz obtained access to the computer in order to engage in unauthorized conduct, that is, to do something that MIT did not want him to do through its network: engage in massive downloading of JSTOR articles.

The question posed by this charge in the indictment is, however, different: it is whether— given MIT’s guest policy—Aaron Swartz accessed the MIT network without authorization. Put differently, it is whether Aaron Swartz was authorized to access the network, regardless of whether he used improper means to do so. To illustrate this distinction, the Review Panel has asked itself the following question: had Swartz, intending to engage in the conduct for which he was indicted, walked into an MIT library, shown his personal identification to the desk, and asked to log on to the MIT system as a guest—would he then have been given access? If the answer to this question is “yes,” then it seems possible that Aaron Swartz’s access to the MIT network was authorized, notwithstanding his inappropriate means of implementing access, or of then abusing such access (which may themselves have been violations of different criminal or civil prohibitions).

The Cambridge Detective involved in the prosecution explained to the Review panel that he repeatedly asked, in various ways, whether the laptop was authorized to be in the closet; whether the cable from the laptop to the network switch was authorized to be there; whether the manner of downloading the articles was authorized; and, overall, whether the method of accessing and using MIT’s network in this manner was authorized. He was told “no,” and told that MIT had tried to prevent the downloading by disconnecting the computer of the (then) unknown suspect.

The Review Panel questioned five employees of MIT’s IS&T who were involved in the identification and monitoring of Aaron Swartz’s laptop found in the network closet of Building 16 and who provided information to the prosecution during its preparation of the criminal case. According to them, and also according to OGC and MIT’s outside counsel, at no time, either before or after the arrest of Aaron Swartz, did anyone from the prosecution inquire as to whether Aaron Swartz had authorized access to the MIT network. Given MIT’s open guest policy, it might be argued that Aaron Swartz accessed the MIT network with authorization. Put differently, there is apparently an issue as to whether Aaron Swartz was authorized to access the network, regardless of the considerations that (1) he might have used improper means to implement such access; and (2) once he was on the network, he might have used such access for an improper purpose.

The relevance of this distinction can be seen in the Department of Justice’s computer crime manual, Prosecuting Computer Crime (2nd ed.), published by the Office of Legal Education, Executive Office for United States Attorneys: "A more difficult question is whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. The case law on this issue is muddy, but, as discussed below, there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded."

As far as the Review Panel could determine, MIT was never asked by either the prosecution or the defense whether Aaron Swartz’s access to the MIT network was authorized or unauthorized—nor did MIT ask this of itself. Given that (1) MIT was the alleged victim of counts 9 and 12, (2) the MIT access policy, its Rules of Use, and its own interpretation of those Rules of Use (including the significance or “materiality” of any violation of those terms) were at the heart of the government’s CFAA allegations in counts in both indictments, and (3) this policy and these rules were written, interpreted, and applied by MIT for MIT’s own mission and goals—not those of the Government— the Review Panel wonders why. (p137-39)


If indeed Aaron’s access was not “unauthorized” — as Aaron’s team said from the start, and now MIT seems to acknowledge — then the tragedy of this prosecution has only increased.
http://lessig.tumblr.com/post/568815...ort-on-aaronsw





Manning Is Acquitted of ‘Aiding the Enemy’
Charlie Savage

A military judge on Tuesday found Pfc. Bradley Manning not guilty of aiding the enemy, but convicted him of multiple counts of violating the Espionage Act.

Private Manning had already confessed to being WikiLeaks’ source for a huge cache of government documents, which included videos of airstrikes in which civilians were killed, hundreds of thousands of front-line incident reports from the Afghanistan and Iraq wars, dossiers on men being held without trial at the Guantánamo Bay prison, and about 250,000 diplomatic cables.

But while Private Manning had pleaded guilty to a lesser version of the charges he was facing, which could expose him to up to 20 years in prison, the government decided to press forward with a trial on a more serious version of the charges, including “aiding the enemy” and violations of the Espionage Act.

Beyond the fate of Private Manning as an individual, the “aiding the enemy” charge — unprecedented in a leak case — could have significant long-term ramifications for investigative journalism in the Internet era.

The government’s theory was that providing defense-related information to an entity that published it for the world to see constituted aiding the enemy because the world includes adversaries, like members of Al Qaeda, who could read the documents online.

Private Manning’s court-martial began in early June, and the merits portion wrapped up last week with closing arguments in which a prosecutor portrayed Private Manning as an anarchist and a traitor who was merely out to make a splash, while his defense lawyer portrayed him as a young, naïve, but well-intentioned humanist who wanted to prompt debate and bring about change.
http://www.nytimes.com/2013/07/31/us...g-verdict.html





Bradley Manning and "Hacker Madness" Scare Tactic
Cindy Cohn

US Army private Bradley Manning was convicted on 19 counts, including charges under the Espionage Act and the Computer Fraud and Abuse Act for leaking approximately 700,000 government documents to WikiLeaks.

While it was a relief that he was not convicted of the worst charge, "aiding the enemy", the verdict remains deeply troubling and could potentially result in a sentence of life in prison.

We will likely have a deeper analysis of the verdict later, but two things stand out as particularly relevant to – and especially frightening for – folks who love the internet and use digital tools.

First, the decision continues a trend of government prosecutions that use familiarity with digital tools and knowledge of computers as a scare tactic and a basis for obtaining grossly disproportionate and unfair punishments, strategies enabled by broad, vague laws like the CFAA and the Espionage Act. Let's call this the "hacker madness" strategy. Using it, the prosecution portrays actions taken by someone using a computer as more dangerous or scary than they actually are by highlighting the digital tools used to a nontechnical or even technophobic judge.

In the Manning case, the prosecution used Manning's use of a standard, more than 15-year-old Unix program called Wget to collect information, as if it were a dark and nefarious technique. Of course, anyone who has ever called up this utility on a Unix machine, which at this point is likely millions of ordinary Americans, knows that this program is no more scary or spectacular (and far less powerful) than a simple Google search. Yet the court apparently didn't know this and seemed swayed by it.

We've seen this trick before. In a case that we at the Electronic Frontier Foundation handled in 2009, Boston College police used the fact that our client worked on a Linux operating system with "a black screen with white font" as part of a basis for a search warrant. Luckily the Massachusetts Supreme Judicial Court tossed out the warrant after EFF got involved, but who knows what would have happened had we not been there. And happily, Oracle got a big surprise when it tried a similar trick in Oracle v. Google and discovered that the judge was a programmer who sharply called them on it.

But law enforcement keeps using this technique, likely based on a calculation that most judges aren't as technical as ordinary Americans, may even be afraid of technology, and can be swayed by the ominous use of technical jargon and techniques – playing to media stereotypes of evil computer geniuses. Indeed the CFAA itself apparently was a response to President Ronald Reagan's fears after watching the completely fictional movie WarGames.

Second, while the court did not convict on the "aiding the enemy" charge, the government's argument – that publishing something to the general public on the internet can count as "aiding the enemy" – has strong digital overtones. The "aiding the enemy" charge is a breathtakingly broad military charge never before used against a leaker to the press.

It is shocking that the government would even make this argument and that the judge didn't dismiss it outright. The prosecution argued that even if Manning never intended to aid the enemy, and even though the government did not need to prove the information published by WikiLeaks ever harmed the United States, the mere fact it ended up on the internet means he is guilty of a capital crime.

This argument wasn't actually confined to WikiLeaks – the government admitted during the trial that its claims would apply equally to The New York Times or other traditional media. But the reason this argument wasn't laughed out of court, we suspect, is the digital environment. After all, Adolf Hitler certainly had access to American newspapers, as did Joseph Stalin, Fidel Castro, Mao Zedong, Ho Chi Minh, or any other past enemy of America. The court tried to dress it up a bit, noting that Manning "trained in intelligence and received training on the fact that that enemy uses the internet to collect information about the United States", as if this is something that only someone with specialised "internet training" would know.

But of course it's not. Everyone (at least everyone who regularly uses the internet) knows that the internet is used by good people and bad people all over the world and that anything published is, well, published and available to all. This is a feature of the Internet, not a bug, yet here it played into distorting the "aiding the enemy" crime out of all proportion and may have played a role in the five other counts under Espionage Act claims that he was convicted of.

Even without this claim, Manning still faces life imprisonment – no member of the press or public interested in more transparency about how our military works (or doesn't work) should rest easy with this verdict.

Manning will appeal, of course. And in the long run, these tactics will likely stop working as more people become familiar with technologies. In the meantime, real harm to real people happens through overreaction, over-prosecution, and over-penalisation. And the harm also occurs to the public, which becomes less informed about governmental misconduct at home and abroad.

Here's hoping the military appellate court has a programmer or two on it and can see through the scare tactics and technophobia that the prosecution has been doling out. But we're not holding our breath.
http://www.newscientist.com/article/...s#.UfuDdlM6dEk





Edward Snowden Receives Temporary Asylum in Russia, Leaves Moscow Airport
Isabel Gorst

Edward Snowden left the transit zone at Moscow's international airport Thursday, August 1 after receiving permission from the Kremlin to enter Russian territory.

Anatoly Kucherena, an attorney for Snowden, said documents were issued Thursday allowing Snowden to live and work in Russia for up to one year while his application for permanent political asylum is pending. Snowden, 30, had been stranded in Russia’s Sheremetyevo Airport for more than five weeks.

“I have just seen him off. He has left for a secure location,” Kucherena told the state broadcaster Russia 24.

Kucherena described Snowden as “the most wanted man on the planet” and said he “needed time to adapt to Russian realities.”

Snowden left Sheremetyevo in a taxi Thursday afternoon, eluding reporters who have camped at the airport since he arrived June 23 on a flight from Hong Kong.

Kucherena did not reveal where Snowden was bound, saying that although he was ready to provide advice, it was up to his client to decide where to live.

The lawyer said arrangements are being made for Snowden’s father to visit him in Russia, the Associated Press reported. In an interview with The Washington Post on Tuesday, Lon Snowden said he was eager to speak with his son but had refused an FBI offer to fly him to Moscow while his son was trapped at the airport, because U.S. authorities could not guarantee that the two would be able to meet.

“If he comes back to the United States, he is going to be treated horribly,” Lon Snowden said. “He is going to be thrown into a hole. He is not going to be allowed to speak.”

Snowden is wanted in the United States for leaking classified documents about telephone and e-mail surveillance programs. The documents issued Thursday will allow Snowden to live in Russia for up to one year, the lawyer said.

U.S. authorities repeatedly asked Russia to turn Snowden over to them so that he could be prosecuted for leaking the documents, and Secretary of State John F. Kerry said in June that Russia was defying international convention by allowing the fugitive to remain unhindered in the transit zone.

“There are standards of behavior between sovereign nations,” Kerry said. “There is common law. There is respect for rule of law.”

Russian President Vladimir Putin, however, said he saw no reason for Russia to extradite Snowden to the United States. He said that for Snowden to remain in Russia, he would have to refrain from releasing information that is damaging to the United States. Putin added that the case should not be allowed to damage Russian-U.S. ties.

“If he wants to stay here, there is one condition,” Putin said July 1. “He has to stop his work undermining our U.S. partners, as odd as it may sound coming from me.”

The Guardian newspaper on Wednesday published a new report on U.S. intelligence-gathering based on information from Snowden, but Kucherena said the material was provided before Snowden promised to stop leaking, the Associated Press reported.

Nicaragua, Bolivia and Venezuela have offered Snowden refuge, but pressure from Washington and concerns that the United States or Europe might block him from traveling through their airspace — his U.S. passport has been revoked — have prevented him from leaving Russia.

Yuri Ushakov, a Kremlin official, told reporters Thursday that the “relatively insignificant case” of Snowden would not harm ties between Russia and the United States. There was no sign that President Obama would cancel a planned trip to Moscow in September, he added.
http://www.washingtonpost.com/world/...7e3_story.html





Lawmakers Who Upheld NSA Phone Spying Received Double the Defense Industry Cash
David Kravets

The numbers tell the story — in votes and dollars. On Wednesday, the House voted 217 to 205 not to rein in the NSA’s phone-spying dragnet. It turns out that those 217 “no” voters received twice as much campaign financing from the defense and intelligence industry as the 205 “yes” voters.

That’s the upshot of a new analysis by MapLight, a Berkeley-based non-profit that performed the inquiry at WIRED’s request. The investigation shows that defense cash was a better predictor of a member’s vote on the Amash amendment than party affiliation. House members who voted to continue the massive phone-call-metadata spy program, on average, raked in 122 percent more money from defense contractors than those who voted to dismantle it.

Overall, political action committees and employees from defense and intelligence firms such as Lockheed Martin, Boeing, United Technologies, Honeywell International, and others ponied up $12.97 million in donations for a two-year period ending December 31, 2012, according to the analysis, which MapLight performed with financing data from OpenSecrets. Lawmakers who voted to continue the NSA dragnet-surveillance program averaged $41,635 from the pot, whereas House members who voted to repeal authority averaged $18,765.

Of the top 10 money getters, only one House member — Rep. Jim Moran (D-Virginia) — voted to end the program.

“How can we trust legislators to vote in the public interest when they are dependent on industry campaign funding to get elected? Our broken money and politics system forces lawmakers into a conflict of interest between lawmakers’ voters and their donors,” said Daniel G. Newman, MapLight’s president and co-founder.

The Guardian newspaper disclosed the phone-metadata spying last month with documents leaked by former NSA contractor Edward Snowden.

The House voted 205-217 Wednesday and defeated an amendment to the roughly $600 billion Department of Defense Appropriations Act of 2014 that would have ended authority for the once-secret spy program the White House insisted was necessary to protect national security.

The amendment was proposed by Rep. Justin Amash (R-Michigan), who received a fraction of the money from the defense industry compared to top earners. For example, Amash got $1,400 — ranking him in the bottom 50 for the two-year period. On the flip side, Rep. Howard McKeon (R-California) scored $526,600 to lead the House in defense contributions. He voted against Amash.

Of the 26 House members who voted and did not receive any defense financing, 16 voted for the Amash amendment.

House Speaker John Boehner (R-Ohio) voted against the measure. He ranked 15th in defense earnings with a $131,000 take. House Minority Leader Nancy Pelosi (D-California) also voted against Amash. Pelosi took in $47,000 from defense firms over the two-year period.

Ninety-four Republicans voted for the amendment as did 111 Democrats.

The Amash amendment was in response to the disclosure of a leaked copy of a top-secret Foreign Intelligence Surveillance Court opinion requiring Verizon Business to provide the National Security Agency the phone numbers of both parties involved in all calls, the international mobile subscriber identity (IMSI) number for mobile callers, calling card numbers used in the call, and the time and duration of the calls.

The government confirmed the authenticity of the leak and last week suggested that many more providers, or “certain telecommunication service providers,” are required to fork over the same type of metadata. The government says it needs all the data to sift out terrorist needles in a haystack. The program began shortly after the 2001 terror attacks.
http://www.wired.com/threatlevel/201...oney-nsa-vote/





Warrantless Cellphone Tracking Is Upheld
Somini Sengupta

In a significant victory for law enforcement, a federal appeals court on Tuesday said that government authorities could extract historical location data directly from telecommunications carriers without a search warrant.

The closely watched case, in the United States Court of Appeals for the Fifth Circuit, is the first ruling that squarely addresses the constitutionality of warrantless searches of historical location data stored by cellphone service providers. Ruling 2 to 1, the court said a warrantless search was “not per se unconstitutional” because location data was “clearly a business record” and therefore not protected by the Fourth Amendment.

The ruling is likely to intensify legislative efforts, already bubbling in Congress and in the states, to consider measures to require warrants based on probable cause to obtain cellphone location data.

The appeals court ruling sharply contrasts with a New Jersey State Supreme Court opinion in mid-July that said the police required a warrant to track a suspect’s whereabouts in real time. That decision relied on the New Jersey Constitution, whereas the ruling Tuesday in the Fifth Circuit was made on the basis of the federal Constitution.

The Supreme Court has yet to weigh in on whether cellphone location data is protected by the Constitution. The case, which was initially brought in Texas, is not expected to go to the Supreme Court because it is “ex parte,” or filed by only one party — in this case, the government.

But the case could renew calls for the highest court to look at the issue, if another federal court rules differently on the same question. And two other federal cases involving this issue are pending.

“The opinion is clear that the government can access cell site records without Fourth Amendment oversight,” said Orin Kerr, a constitutional law scholar at George Washington University Law School who filed an amicus brief in the case.

For now, the ruling sets an important precedent: It allows law enforcement officials in the Fifth Circuit to chronicle the whereabouts of an American with a court order that falls short of a search warrant based on probable cause.

“This decision is a big deal,” said Catherine Crump, a lawyer with the American Civil Liberties Union. “It’s a big deal and a big blow to Americans’ privacy rights.”

The group reviewed records from more than 200 local police departments last year, concluding that the demand for cellphone location data had led some cellphone companies to develop “surveillance fees” to enable police to track suspects.

In reaching its decision on Tuesday, the federal appeals court went on to agree with the government’s contention that consumers knowingly give up their location information to the telecommunications carrier every time they make a call or send a text message on their cellphones.

“That means it is not protected by the Fourth Amendment when the government goes to a third-party service provider and issues something that is not a warrant to demand production of those records,” said Mark Eckenwiler, a former Justice Department lawyer who worked on the case and is now with the Washington law firm Perkins Coie. “On this kind of historical cell site information, this is the first one to address the core constitutional question.”

Historical location data is crucial to law enforcement officials. Mr. Eckenwiler offered the example of drug investigations: A cellphone carrier can establish where a suspect met his supplier and how often he returned to a particular location. Likewise, location data can be vital in establishing people’s habits and preferences, including whether they worship at a church or mosque or whether they are present at a political protest, which is why, civil liberties advocates say, it should be accorded the highest privileges of privacy protection.

The decision could also bear implications for other government efforts to collect vast amounts of so-called metadata, under the argument that it constitutes “business records,” as in the National Security Agency’s collection of Verizon phone records for millions of Americans.

“It provides support for the government’s view that that procedure is constitutional, obtaining Verizon call records, because it holds that records are business records,” said Mr. Kerr, of George Washington University. “It doesn’t make it a slam dunk but it makes a good case for the government to argue that position.”

An important element in Tuesday’s ruling is the court’s presumption of what consumers should know about the way cellphone technology works. “A cell service subscriber, like a telephone user, understands that his cellphone must send a signal to a nearby cell tower in order to wirelessly connect his call,” the court ruled, going on to note that “contractual terms of service and providers’ privacy policies expressly state that a provider uses a subscriber’s location information to route his cellphone calls.”

In any event, the court added, the use of cellphones “is entirely voluntary.”

The ruling also gave a nod to the way in which fast-moving technological advances have challenged age-old laws on privacy. Consumers today may want privacy over location records, the court acknowledged: “But the recourse for these desires is in the market or the political process: in demanding that service providers do away with such records (or anonymize them) or in lobbying elected representatives to enact statutory protections.”

Cellphone privacy measures have been proposed in the Senate and House that would require law enforcement agents to obtain search warrants before prying open location records. Montana recently became the first state to require a warrant for location data. Maine soon followed. California passed a similar measure last year but Gov. Jerry Brown, a Democrat, vetoed it, saying it did not strike what he called the right balance between the demands of civil libertarians and the police.
http://www.nytimes.com/2013/07/31/te...is-upheld.html





FISA Court Judge: No Company Has Ever Challenged Patriot Act Sharing

Also: Court staff helps gov't lawyers make their applications more palatable.
Cyrus Farivar

According to one of the 11 judges who sit on the Foreign Intelligence Surveillance Court (FISC), no corporation ever served with a “business record” court order under the Patriot Act has ever challenged one, even though the law provides them a means to do so.

In other words, when the government asked Verizon to hand over call records and other metadata to the National Security Agency (NSA), the company did so without so much as a peep. Earlier this month, the Electronic Privacy Information Center filed an emergency petition to the Supreme Court to halt the entire metadata sharing program.

In a new 11-page letter published Monday from FISC Presiding Judge Reggie B. Walton to Sen. Patrick Leahy (D-VT), the judge writes, “To date no recipient of a production order has opted to invoke this section of the statute.” (Leahy is set to hold a senatorial hearing on the government surveillance program this week.)

Judge Walton refers specifically to 50 USC § 1861(f)(2)(A)(i), which states:

(i) A person receiving a production order may challenge the legality of that order by filing a petition with the pool established by section 1803 (e)(1) of this title. Not less than 1 year after the date of the issuance of the production order, the recipient of a production order may challenge the nondisclosure order imposed in connection with such production order by filing a petition to modify or set aside such nondisclosure order, consistent with the requirements of subparagraph (C), with the pool established by section 1803 (e)(1) of this title.

“This is not a typical judicial proceeding”

The FISC is one of the United States’ least publicly understood judicial entities. All of its 11 sitting judges, who serve seven-year terms, are appointed by Chief Justice John Roberts of the Supreme Court. Ten of the 11 FISC judges are conservative Republicans.

Established under the Foreign Intelligence Surveillance Act (FISA) of 1978, the court’s mandate (among other things) is to approve special surveillance warrants for the NSA or the FBI against suspected foreign agents. Any of the eleven judges can then approve the warrant. Throughout the court’s history, warrants (and related orders) are approved more than 99 percent of the time.

The court’s decisions, orders, and warrants are supposed to be kept secret for 30 years. But last month, for the first time ever, FISC granted a motion to not block the disclosure of an earlier FISC opinion that declared parts of the NSA’s surveillance under Section 702 of the FISA Amendments Act to be unconstitutional. (The court’s publicly accessible docket is pretty short—in fact, its website didn't even exist until early June 2013.)

At least one member of the 1970s-era Church Committee told Ars that as it exists today, the FISC isn’t doing its job. That committee was a group of senators who convened solely to come up with remedies for the Nixonian abuses of power and intelligence gathering; their remedies included creating FISA and the FISC.

“The glass-half-full is that properly trained and qualified judges are hearing persuasive cases,” former Democrat Senator Gary Hart told Ars last month. “But as a lawyer, this is not a typical judicial proceeding that we're familiar with, because there's no other side. Unlike virtually everything else [in the legal system], it's not adversarial. The judge hears [the government’s case], but there's nobody else to argue the other side. If you're a constitutionalist as I am, that's disturbing.”

If at first you don’t succeed…

But the situation appears even worse than that. In this new letter, the judge also describes what appears to be a fairly cozy relationship between the FISC judge’s staff and government counsel.

Upon the Court’s receipt of a proposed application for an order under FISA, a member of the Court’s legal staff reviews the application and evaluates whether it meets the legal requirements under the statute. As part of this evaluation, a Court attorney will often have one or more telephone conversations with the government to seek additional information and/or raise concerns about the application. A Court attorney then prepares a written analysis of the application for the duty judge, which includes an identification of any weakness, flaws, or other concerns. For example, the attorney may recommend that the judge consider requiring the addition of information to the application; imposing special reporting requirements; or shortening the requested duration of an authorization.

. . .

The annual statistics provided to Congress by the Attorney General pursuant to 50 USC § 1807 and 1862(b)—frequently cited to in press reports as a suggestion that the Court’s approval rate of applications is over 99%—reflect only the number of final applications submitted to and acted on by the Court. These statistics do not reflect the fact that many applications are altered prior to final submission or even withheld from final submission entirely, often after an indication that a judge would not approve them.


In short, it appears that the government only submits applications that it knows will get approved—after having first gotten them modified to meet that approval. But some legal scholars say that if we are to believe that the FISC is acting as a check on the government, this type of back-and-forth isn't necessarily representative of a hand-in-glove relationship.

"One analogy would be an application for a warrant, either search or arrest," Ruthann Robson, a constitutional law professor at the City University of New York, told Ars by e-mail. "There is no opposition in a warrant application, and the judge is supposed to make an independent assessment, which would include raising concerns and could include revising the warrant. Indeed, the FISA process in many ways might be likened to a routine warrant application (and some argue that it should be more like our familiar criminal procedure process, as flawed as that might be). So while you are right that the judge and her/his staff could be seen to be 'helping' the government, it might be possible to read it as meaning the judge should be more skeptical of the government's application. But of course, it is going to depend upon the judge, and also how inured a judge could become, to these applications."

Another law professor agreed, but raised an eyebrow at this level of cooperation.

"Judges (or magistrates) often give the government feedback on warrant requests and the government then makes changes accordingly," wrote Fred Cate, a law professor at Indiana University in an e-mail sent to Ars. "Clerks assist in that process, sometimes by providing behind-the-scenes information to the government about what the judge will want to see. That said, the FISA still represents an unusual amount of cooperation between the requesting agency and the judge and in fact the two staffs work for the same agency, which is unusual."
http://arstechnica.com/tech-policy/2...t-act-sharing/





U.S. Outlines N.S.A.’s Culling of Data for All Domestic Calls
Charlie Savage

The Obama administration on Wednesday released formerly classified documents outlining a once-secret program of the National Security Agency that is collecting records of all domestic phone calls in the United States, as a newly leaked N.S.A. document surfaced showing how the agency spies on Web browsing and other Internet activity abroad.

Together, the new round of disclosures shed even more light on the scope of the United States government’s secret surveillance programs, which have been dragged into public view and debate by leaks from the former N.S.A. contractor Edward J. Snowden.

The Office of the Director of National Intelligence released the newly declassified documents related to the domestic phone logging program at the start of a Senate Judiciary Committee hearing on the topic. Simultaneously, The Guardian published a still-classified 32-page presentation leaked by Mr. Snowden that describes the N.S.A.'s XKeyscore program, which mines Internet browsing information that the agency is apparently vacuuming up at 150 network sites around the world.

The documents released by the government, meanwhile, include an April ruling by the Foreign Intelligence Surveillance Court that supported a secondary order — also leaked by Mr. Snowden — requiring a Verizon subsidiary to turn over all of its customers’ phone logs for a three-month period.

It said the government may access the logs only when an executive branch official determines that there are “facts giving rise to a reasonable, articulable suspicion” that the number searched is associated with terrorism.

The releases also included two formerly classified briefing papers to Congress from 2009 and 2011, when the provision of the Patriot Act that the court relied on to issue that order was up for reauthorization. The papers outlined the bulk collection of “metadata” logging all domestic phone calls and e-mails of Americans and are portrayed as an “early warning system” that allowed the government to quickly see who was linked to a terrorism suspect.

“Both of these programs operate on a very large scale,” the 2011 briefing paper said, followed by something that is redacted, and then: “However, as described below, only a tiny fraction of such records are ever viewed by N.S.A. intelligence analysts.”

Both programs traced back to the surveillance efforts the Bush administration secretly started after the terrorist attacks of Sept. 11, 2001, and which initially operated outside statutory authority or court oversight. The Bush administration later obtained orders from the Foreign Intelligence Surveillance Court to continue them.

The Obama administration has said it shut down the program that collected e-mail “metadata” in 2011, but it is not clear whether such collection has continued under a different program.

The newly disclosed XKeyscore presentation focuses in particular on Internet activities, including chats and Web site browsing activities, as intelligence analysts search for terrorist cells by looking at “anomalous events” like who is using encryption in Iran or “searching the web for suspicious stuff.”

In contrast to the domestic-call tracking program, the example cited in the XKeyscore presentation — which said it had generated intelligence that resulted in the capture of more than 300 terrorists — appeared to be focused on overseas activity.

A map showed 150 network sites around the world at which the N.S.A. is collecting that information; it is not clear whether the governments in those places are aware of the spying.

The volume of data is so vast that most of it is stored for only three days, the presentation said, although “metadata” — information showing log-ins and server activity, but not content — is stored for a month.

Several of the pages on the presentation were redacted by The Guardian.

But the presentation shows that while much of the focus from Mr. Snowden’s revelations so far has been on communications — whether calls or e-mails — that are linked, directly or indirectly, to a known suspect, the N.S.A. is also collecting and searching through massive amounts of Web-browsing activity.

“A large amount of time spent on the Web is performing actions that are anonymous,” the presentation explains, saying that the XKeyscore system can extract and store retrospective activity from “raw unselected bulk traffic.”

One example of how analysts might use the system is to search for whenever someone has started up a “virtual private network” in a particular country of interest; VPNs are encrypted tunnels intended to shield online communications from anyone watching the network. N.S.A. analysts are able to use the system to extract the activity retrospectively from “raw unselected bulk traffic” and then decrypt it to “discover the users.”

It also cited using the system to locate a target who speaks German but is known to be in Pakistan by looking for German-language Internet activity in that country, or to uncover where and by whom a Microsoft Word document was created that had passed through several users’ hands.

Yet another slide said: “My target uses Google Maps to scope target locations — can I use this information to determine his e-mail address? What about the Web searches — do any stand out and look suspicious?”

At the start of Wednesday’s hearing, the chairman of the Senate Judiciary Committee, Senator Patrick J. Leahy, Democrat of Vermont, expressed deep skepticism about the domestic phone records program. He criticized intelligence officials and defenders of the program for misleadingly saying it helped prevent 54 terrorist events, a number that conflates the usefulness of N.S.A. surveillance activities targeted at noncitizens abroad with the usefulness of the database of Americans’ phone calls.

A classified list of “terrorist events” that N.S.A. surveillance helped to prevent, he said, “simply does not reflect dozens or even several terrorist plots” that the domestic call log program “helped thwart or prevent, let alone 54, as some have suggested.”

Citing the “massive privacy implications” of the program, Mr. Leahy said: “If this program is not effective it has to end. So far I’m not convinced by what I’ve seen.”

But Senator Dianne Feinstein, the chairwoman of the Senate Intelligence Committee who is also on the judiciary panel, said that while the program could be changed with greater restrictions and safeguards, it should be preserved because it would place the nation “in jeopardy” to eliminate it.

Robert Litt, the top lawyer in the Office of the Director of National Intelligence, testified that the Obama administration was also “open to re-evaluating this program” to create greater public confidence that it protects privacy while “preserving the essence of the program.”

Last week, the House of Representatives voted narrowly to defeat an amendment to shut down the N.S.A.'s domestic phone record tracking program. The 217-to-205 vote was far closer than expected and came as members of both parties defied their leadership to oppose continuing the domestic call logging program, suggesting that momentum against it was building.

Before Mr. Snowden’s leaks made clear what the government was doing with the Patriot Act program, several senators on the Intelligence Committee had made cryptic warnings that it was interpreting the law in a twisted way to do something alarming and made reference to the 2011 briefing paper. The New York Times filed a lawsuit under the Freedom of Information Act to obtain that document.

The lawsuit contended that the abstract legal analysis outlining what the government believed the Patriot Act meant could not be withheld from the public as properly classified and should be released, even if the passages detailing the program that relied upon that interpretation were redacted.

The Obama administration had argued that it could withhold that document entirely, and in May 2012 a Federal District Court judge, William H. Pauley III, agreed to dismiss the lawsuit after reading the briefing paper, finding that the details of the classified program were “inextricably intertwined” with the rest, so releasing it in redacted form was “neither feasible nor warranted.”

The newly declassified documents about the call logging program do not go into great detail about the legal analysis on which it is based. The court’s order was rooted in a surveillance law that allows the F.B.I. to obtain records that are “relevant” to an investigation.

A key question has been how the judges justified stretching that term to encompass collecting records of all calls. Government officials have explained that a subset of those calls will later turn out to be relevant when analyzing who has links to a suspected terrorist.

By putting them all into a single database, the N.S.A. can preserve the records for later analysis for up to five years; look at circles of callers up to three “hops” removed from the target, even if they are subscribers to different phone companies; and search for patterns that may indicate that a suspect is trying to hide his communications, like cycling through throwaway “burner” phones from different providers.
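The “three hops” analysis described above is a breadth-first walk over a contact graph built from call metadata. The following is an added illustration, not code or data from the article or from any N.S.A. document: the call records, phone numbers and carrier names are constructed, and the burner-phone heuristic (numbers on a different carrier that never called the target but share most of its contacts) is an assumption of this example, not a documented agency method. It shows why a single merged database matters (the chain crosses carriers) and how quickly the record set grows with each hop.

```python
"""Contact chaining over call-record metadata, up to k hops from a seed number.

Added example, not from the article. All records, numbers and carriers below
are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed call-detail records as (caller, callee) pairs.
CALL_RECORDS = [
    ("+15550000001", "+15550000002"),  # seed -> B (hop 1)
    ("+15550000001", "+15550000003"),  # seed -> C (hop 1)
    ("+15550000002", "+15550000004"),  # B -> D    (hop 2)
    ("+15550000003", "+15550000005"),  # C -> E    (hop 2)
    ("+15550000004", "+15550000006"),  # D -> F    (hop 3)
    ("+15550000005", "+15550000007"),  # E -> G    (hop 3)
    ("+15550000006", "+15550000008"),  # F -> H    (hop 4, beyond a 3-hop query)
    ("+15550000009", "+15550000002"),  # X -> B: X shares the seed's contacts
    ("+15550000009", "+15550000003"),  # X -> C    but never calls the seed
    ("+15550000010", "+15550000011"),  # unrelated traffic
]

# Constructed subscriber-to-carrier map; the chain deliberately crosses carriers.
CARRIER = {
    "+15550000001": "CarrierA", "+15550000002": "CarrierB", "+15550000003": "CarrierC",
    "+15550000004": "CarrierB", "+15550000005": "CarrierC", "+15550000006": "CarrierB",
    "+15550000007": "CarrierC", "+15550000008": "CarrierA", "+15550000009": "CarrierB",
    "+15550000010": "CarrierC", "+15550000011": "CarrierC",
}
SEED = "+15550000001"


def build_graph(records):
    """Undirected contact graph: number -> set of numbers it has called or been called by."""
    graph = defaultdict(set)
    for caller, callee in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(graph, seed, max_hops):
    """Breadth-first walk from seed; returns {number: hop at which it was first reached}.
    Expansion stops at max_hops, the analytic limit the article describes as three."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        number = queue.popleft()
        if hops[number] >= max_hops:
            continue
        for contact in graph.get(number, ()):
            if contact not in hops:
                hops[contact] = hops[number] + 1
                queue.append(contact)
    return hops


def hop_sizes(hops):
    """How many numbers sit at each hop distance (hop 0 is the seed itself)."""
    sizes = defaultdict(int)
    for h in hops.values():
        sizes[h] += 1
    return dict(sorted(sizes.items()))


def carriers_in_chain(hops, carrier_of):
    """Distinct carriers touched by the chain; a per-carrier query could not follow it."""
    return sorted({carrier_of[n] for n in hops})


def burner_candidates(graph, carrier_of, seed, min_jaccard=0.5):
    """Heuristic assumed for this example, not a documented method: numbers that never
    called the seed, are on a different carrier, and share most of the seed's contacts
    (Jaccard overlap >= min_jaccard). A rotated throwaway phone tends to look like this."""
    seed_contacts = graph.get(seed, set())
    candidates = []
    for number, contacts in graph.items():
        if number == seed or number in seed_contacts:
            continue
        if carrier_of.get(number) == carrier_of.get(seed):
            continue
        union = seed_contacts | contacts
        if not union:
            continue
        jaccard = len(seed_contacts & contacts) / len(union)
        if jaccard >= min_jaccard:
            candidates.append((number, round(jaccard, 2)))
    return sorted(candidates, key=lambda c: -c[1])


GRAPH = build_graph(CALL_RECORDS)

if __name__ == "__main__":
    chain = contact_chain(GRAPH, SEED, 3)
    print("numbers per hop:", hop_sizes(chain))
    print("carriers crossed:", carriers_in_chain(chain, CARRIER))
    print("possible burner rotation:", burner_candidates(GRAPH, CARRIER, SEED))
```

Even on this toy graph, a 3-hop query returns eight of eleven numbers, spanning all three carriers; on real call graphs, where a single busy number has hundreds of contacts, each hop multiplies the record set, which is the practical content of the "relevance" argument the officials make below.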

Mr. Leahy asked whether by the same legal logic, the government could not obtain “virtually all available commercial data” like a comprehensive database of all Americans’ credit card records, Web site visits, medical records, or firearms. As an example, he asked whether the government would be justified in collecting records of all purchases in case someone was buying precursors to a bomb.

James Cole, the deputy attorney general, emphasized that the court had found the phone logs all to be relevant, and so lawfully collectable only “in the context of the restrictions and in the context of what it is you’re looking for.” Other kinds of records in a different context might not meet those same criteria, he said.

“We’re not collecting all their phone records so that we can wander through them,” Mr. Cole said. “The phone records are being done to look at the connections. If somebody’s buying things that could be used to make bombs, of course we would like to know that. But we may not need to do it in this fashion.”

Senator Charles Grassley of Iowa, the ranking Republican on the panel, also expressed skepticism about that theory. He asked how the calling records of innocent Americans could be considered relevant.

Mr. Litt explained: “It’s a well-accepted concept that if you need to get a large group of records in order to find a smaller group of records that actually provides the information you need to move forward, that the larger group of records can be relevant.”

But Mr. Grassley pressed on, asking whether there was any legal precedent to support such a broad conception of “relevance.”

Mr. Cole replied that judges on the Foreign Intelligence Surveillance Court had now signed off on the program 34 times because the orders have to be renewed every three months, and each was such a precedent.

“The legal precedent comes from the history of all the orders that have been issued,” he said.

David E. Sanger contributed reporting.
http://www.nytimes.com/2013/08/01/us...veillance.html





XKeyscore: NSA Tool Collects 'Nearly Everything a User Does On the Internet'

• XKeyscore gives 'widest-reaching' collection of online data
• NSA analysts require no prior authorization for searches
• Sweeps up emails, social media activity and browsing history
• NSA's XKeyscore program – read one of the presentations

Glenn Greenwald

A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.

The NSA boasts in training materials that the program, called XKeyscore, is its "widest-reaching" system for developing intelligence from the internet.

The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs. They come as senior intelligence officials testify to the Senate judiciary committee on Wednesday, releasing classified documents in response to the Guardian's earlier stories on bulk collection of phone records and Fisa surveillance court oversight.

The files shed light on one of Snowden's most controversial statements, made in his first video interview published by the Guardian on June 10.

"I, sitting at my desk," said Snowden, could "wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email".

US officials vehemently denied this specific claim. Mike Rogers, the Republican chairman of the House intelligence committee, said of Snowden's assertion: "He's lying. It's impossible for him to do what he was saying he could do."

But training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.

XKeyscore, the documents boast, is the NSA's "widest reaching" system developing intelligence from computer networks – what the agency calls Digital Network Intelligence (DNI). One presentation claims the program covers "nearly everything a typical user does on the internet", including the content of emails, websites visited and searches, as well as their metadata.

Analysts can also use XKeyscore and other NSA systems to obtain ongoing "real-time" interception of an individual's internet activity.

Under US law, the NSA is required to obtain an individualized Fisa warrant only if the target of their surveillance is a 'US person', though no such warrant is required for intercepting the communications of Americans with foreign targets. But XKeyscore provides the technological capability, if not the legal authority, to target even US persons for extensive electronic surveillance without a warrant provided that some identifying information, such as their email or IP address, is known to the analyst.

One training slide illustrates the digital activity constantly being collected by XKeyscore and the analyst's ability to query the databases at any time.

The purpose of XKeyscore is to allow analysts to search the metadata as well as the content of emails and other internet activity, such as browser history, even when there is no known email account (a "selector" in NSA parlance) associated with the individual being targeted.

Analysts can also search by name, telephone number, IP address, keywords, the language in which the internet activity was conducted or the type of browser used.

One document notes that this is because "strong selection [search by email address] itself gives us only a very limited capability" because "a large amount of time spent on the web is performing actions that are anonymous."

The NSA documents assert that by 2008, 300 terrorists had been captured using intelligence from XKeyscore.

Analysts are warned that searching the full database for content will yield too many results to sift through. Instead they are advised to use the metadata also stored in the databases to narrow down what to review.

A slide entitled "plug-ins" in a December 2012 document describes the various fields of information that can be searched. It includes "every email address seen in a session by both username and domain", "every phone number seen in a session (eg address book entries or signature block)" and user activity – "the webmail and chat activity to include username, buddylist, machine specific cookies etc".

Email monitoring

In a second Guardian interview in June, Snowden elaborated on his statement about being able to read any individual's email if he had their email address. He said the claim was based in part on the email search capabilities of XKeyscore, which Snowden says he was authorized to use while working as a Booz Allen contractor for the NSA.

One top-secret document describes how the program "searches within bodies of emails, webpages and documents", including the "To, From, CC, BCC lines" and the "'Contact Us' pages on websites".

To search for emails, an analyst using XKS enters the individual's email address into a simple online search form, along with the "justification" for the search and the time period for which the emails are sought.

The analyst then selects which of those returned emails they want to read by opening them in NSA reading software.

The system is similar to the way in which NSA analysts generally can intercept the communications of anyone they select, including, as one NSA document put it, "communications that transit the United States and communications that terminate in the United States".

One document, a top secret 2010 guide describing the training received by NSA analysts for general surveillance under the Fisa Amendments Act of 2008, explains that analysts can begin surveillance on anyone by clicking a few simple pull-down menus designed to provide both legal and targeting justifications. Once options on the pull-down menus are selected, their target is marked for electronic surveillance and the analyst is able to review the content of their communications.

Beyond emails, the XKeyscore system allows analysts to monitor a virtually unlimited array of other internet activities, including those within social media.

An NSA tool called DNI Presenter, used to read the content of stored emails, also enables an analyst using XKeyscore to read the content of Facebook chats or private messages.

An analyst can monitor such Facebook chats by entering the Facebook user name and a date range into a simple search screen.

Analysts can search for internet browsing activities using a wide range of information, including search terms entered by the user or the websites viewed.

As one slide indicates, the ability to search HTTP activity by keyword permits the analyst access to what the NSA calls "nearly everything a typical user does on the internet".

The XKeyscore program also allows an analyst to learn the IP addresses of every person who visits any website the analyst specifies.

The quantity of communications accessible through programs such as XKeyscore is staggeringly large. One NSA report from 2007 estimated that there were 850bn "call events" collected and stored in the NSA databases, and close to 150bn internet records. Each day, the document says, 1-2bn records were added.

William Binney, a former NSA mathematician, said last year that the agency had "assembled on the order of 20tn transactions about US citizens with other US citizens", an estimate, he said, that "only was involving phone calls and emails". A 2010 Washington Post article reported that "every day, collection systems at the [NSA] intercept and store 1.7bn emails, phone calls and other type of communications."

The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours."

To solve this problem, the NSA has created a multi-tiered system that allows analysts to store "interesting" content in other databases, such as one named Pinwale which can store material for up to five years.

It is the databases of XKeyscore, one document shows, that now contain the greatest amount of communications data collected by the NSA.

In 2012, there were at least 41 billion total records collected and stored in XKeyscore for a single 30-day period.

Legal v technical restrictions

While the Fisa Amendments Act of 2008 requires an individualized warrant for the targeting of US persons, NSA analysts are permitted to intercept the communications of such individuals without a warrant if they are in contact with one of the NSA's foreign targets.

The ACLU's deputy legal director, Jameel Jaffer, told the Guardian last month that national security officials expressly said that a primary purpose of the new law was to enable them to collect large amounts of Americans' communications without individualized warrants.

"The government doesn't need to 'target' Americans in order to collect huge volumes of their communications," said Jaffer. "The government inevitably sweeps up the communications of many Americans" when targeting foreign nationals for surveillance.

An example is provided by one XKeyscore document showing an NSA target in Tehran communicating with people in Frankfurt, Amsterdam and New York.

In recent years, the NSA has attempted to segregate exclusively domestic US communications in separate databases. But even NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications.

Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.

Some searches conducted by NSA analysts are periodically reviewed by their supervisors within the NSA. "It's very rare to be questioned on our searches," Snowden told the Guardian in June, "and even when we are, it's usually along the lines of: 'let's bulk up the justification'."

In a letter this week to senator Ron Wyden, director of national intelligence James Clapper acknowledged that NSA analysts have exceeded even legal limits as interpreted by the NSA in domestic surveillance.

Acknowledging what he called "a number of compliance problems", Clapper attributed them to "human error" or "highly sophisticated technology issues" rather than "bad faith".

However, Wyden said on the Senate floor on Tuesday: "These violations are more serious than those stated by the intelligence community, and are troubling."

In a statement to the Guardian, the NSA said: "NSA's activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests.

"XKeyscore is used as a part of NSA's lawful foreign signals intelligence collection system.

"Allegations of widespread, unchecked analyst access to NSA collection data are simply not true. Access to XKeyscore, as well as all of NSA's analytic tools, is limited to only those personnel who require access for their assigned tasks … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring."

"Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.

"These types of programs allow us to collect the information that enables us to perform our missions successfully – to defend the nation and to protect US and allied troops abroad."
http://www.theguardian.com/world/201...am-online-data





Google 'Pressure Cookers' and 'Backpacks,' Get a Visit from the Cops
Philip Bump

Michele Catalano was looking for information online about pressure cookers. Her husband, in the same time frame, was Googling backpacks. Wednesday morning, six men from a joint terrorism task force showed up at their house to see if they were terrorists. Which prompts the question: How'd the government know what they were Googling?

Catalano (who is a professional writer) describes the tension of that visit.

[T]hey were peppering my husband with questions. Where is he from? Where are his parents from? They asked about me, where was I, where do I work, where do my parents live. Do you have any bombs, they asked. Do you own a pressure cooker? My husband said no, but we have a rice cooker. Can you make a bomb with that? My husband said no, my wife uses it to make quinoa. What the hell is quinoa, they asked. ...

Have you ever looked up how to make a pressure cooker bomb? My husband, ever the oppositional kind, asked them if they themselves weren’t curious as to how a pressure cooker bomb works, if they ever looked it up. Two of them admitted they did.


The men identified themselves as members of the "joint terrorism task force." The composition of such task forces depends on the region of the country, but, as we outlined after the Boston bombings, includes a variety of federal agencies. Among those agencies: the FBI and Homeland Security.

Update 1:45 p.m.: In a conversation with The Atlantic Wire, FBI spokesperson Peter Donald confirmed The Guardian's report that the FBI was not involved in the visit itself. Asked if the FBI was involved in providing information that led to the visit, Donald replied that he could not answer the question at this point, as he didn't know.

We asked if the Suffolk and Nassau police, which The Guardian reported were the authorities that effected the visit, are part of the government's regional Joint Terrorism Task Force. They are, he replied, representing two of the 52 agencies that participate. He said that local police are often deputized federal marshals for that purpose — but that the JTTF "did not visit the residence." He later clarified: "Any officers, agents, or other representatives of the JTTF did not visit that location."

We are awaiting a response from Suffolk County police and the Department of Homeland Security which operates an investigatory fusion center in the region. A representative of the Nassau County police denied the department's involvement in the visit.

Ever since details of the NSA's surveillance infrastructure were leaked by Edward Snowden, the agency has been insistent on the boundaries of the information it collects. It is not, by law, allowed to spy on Americans — although there are exceptions of which it takes advantage. Its PRISM program, under which it collects internet content, does not include information from Americans unless those Americans are connected to terror suspects by no more than two other people. It collects metadata on phone calls made by Americans, but reportedly stopped collecting metadata on Americans' internet use in 2011. So how, then, would the government know what Catalano and her husband were searching for?

It's possible that one of the two of them is tangentially linked to a foreign terror suspect, allowing the government to review their internet activity. After all, that "no more than two other people" ends up covering millions of people. Or perhaps the NSA, as part of its routine collection of as much internet traffic as it can, automatically flags things like Google searches for "pressure cooker" and "backpack" and passes on anything it finds to the FBI.

Or maybe it was something else. On Wednesday, The Guardian reported on XKeyscore, a program eerily similar to Facebook search that could clearly allow an analyst to run a search that picked out people who'd done searches for those items from the same location. How those searches got into the government's database is a question worth asking; how the information got back out seems apparent.

It is also possible that there were other factors that prompted the government's interest in Catalano and her husband. He travels to Asia, she notes in her article. Who knows. Which is largely Catalano's point.

They mentioned that they do this about 100 times a week. And that 99 of those visits turn out to be nothing. I don’t know what happens on the other 1% of visits and I’m not sure I want to know what my neighbors are up to.

One hundred times a week, groups of six armed men drive to houses in three black SUVs, conducting consented-if-casual searches of the property perhaps in part because of things people looked up online.

But the NSA doesn't collect data on Americans, so this certainly won't happen to you.
http://www.theatlanticwire.com/natio...earches/67864/





NSA Director Heckled At Conference As He Asks For Security Community's Understanding
Andy Greenberg

When NSA Director Keith Alexander appeared at the Las Vegas security conference Black Hat Wednesday morning, he hoped to mend the NSA’s reputation in the eyes of thousands of the conference’s hackers and security professionals. It didn’t go exactly as planned.

Alexander was about a half hour into his talk when a 30-year-old security consultant named Jon McCoy shouted “Freedom!”

“Exactly,” responded Alexander. “We stand for freedom.”

“Bullshit!” McCoy shouted.

“Not bad,” Alexander said, as applause broke out in the crowd. “But I think what you’re saying is that in these cases, what’s the distinction, where’s the discussion and what tools do we have to stop this.”

“No, I’m saying I don’t trust you!” shouted McCoy.

“You lied to Congress. Why would people believe you’re not lying to us right now?” another voice in the crowd added.

“I haven’t lied to Congress,” Alexander responded, visibly tensing. “I do think it’s important for us to have this discussion. Because in my opinion, what you believe is what’s written in the press without looking at the facts. This is the greatest technical center of gravity in the world. I ask that you all look at those facts.”

Alexander’s talk had begun with a plea for the hacker and security researcher community to reconsider the NSA’s role in the wake of a still-unfolding scandal revealed by the classified leaks of former Booz Allen contractor Edward Snowden. “Their reputation has been tarnished,” he said, speaking of his NSA staff. “But you can help us articulate the facts properly. I will answer every question to the fullest extent possible, and I promise you the truth: What I know, what we’re doing, and what I cannot tell you because we don’t want to jeopardize the future of our defense.”

Alexander’s talk focused on the oversight placed on the NSA by Congress and the Foreign Intelligence Surveillance Court, which must approve the NSA’s surveillance in any case where it might target Americans. The FISC, which hears the NSA’s arguments without any opposing counsel, has been accused of offering negligible oversight of the Agency’s work. The FISC stated in April that it had received 1,789 applications for electronic surveillance in 2012, of which 1,748 were approved without changes and only one was withdrawn.

“I’ve heard the court is a rubber stamp. I’m on the other end of that table, against that table of judges that don’t take any—I’m trying to think of a word here—from even a four-star general. They want to make sure what we’re doing comports with the constitution and the law,” Alexander said. “I can tell you from the wire brushings I’ve received, they are not a rubber stamp.”

Alexander also cited a Congressional inquiry into the NSA that found no evidence that it had engaged in any illegal use of its spying powers. But the NSA has come under continued Congressional scrutiny, including in a hearing Wednesday morning in which the Senate Judiciary committee grilled members of the intelligence community, including NSA deputy director John Inglis, over the mass collection of Americans’ cell phone records. Also Wednesday morning, the Guardian published new documents leaked by Edward Snowden revealing yet another NSA program known as XKeyScore, a tool that allows the broad search of millions of individuals’ emails and browsing history.

In his Black Hat talk, the four-star general presented a timeline of terrorist attacks around the world, from the 1993 World Trade Center bombing to the Boston Marathon attack. He told the story of Najibullah Zazi, a terrorist accused of plotting an attack on the New York subway whose plot was foiled by the NSA’s surveillance, particularly the PRISM program that allows the NSA access to user data from Google, Microsoft, Apple, Skype, Facebook and other tech firms.

Alexander also noted the 6,000 NSA cryptologists who have deployed to Afghanistan and Iraq, 20 of whom were killed in the line of duty according to Alexander. “Think about people willing to go forward to Iraq and Afghanistan, to make sure our soldiers, airmen and marines get the intelligence they need,” he said. “I believe these are the most noble people we have in this country.”

“We get all these allegations of what [NSA staff] could be doing,” Alexander added. “But when people check what the NSA is doing, they’ve found zero times that’s happened. And that’s no bullshit. Those are the facts.” The crowd responded to that line with loud applause, as Alexander asked the press not to quote his swearing, noting his 15 grandchildren.

“The whole reason I came here was to ask you to help you to help us make it better,” said the general. “And if you disagree with what we’re doing, you should help us twice as much.”

“Read the constitution!” shouted McCoy in one last heckle.

“I have. So should you,” responded Alexander to another round of applause.

After the talk, I found McCoy in the crowd and asked him about his not-so-friendly debate with the general. “His speech was pretty canned,” said McCoy. “It’s anything you can see on Fox News any day. We’re in danger, we have to get rid of your freedom to keep you safe.”

“Everyone’s thinking this, but no one’s saying it public, so everyone thinks they’re alone,” he said. “Ninety-eight percent of society has issues with this…But no one speaks up.”
http://www.forbes.com/sites/andygree...understanding/





Momentum Builds Against N.S.A. Surveillance
Jonathan Weisman

The movement to crack down on government surveillance started with an odd couple from Michigan, Representatives Justin Amash, a young libertarian Republican known even to his friends as “chief wing nut,” and John Conyers Jr., an elder of the liberal left in his 25th House term.

But what began on the political fringes only a week ago has built a momentum that even critics say may be unstoppable, drawing support from Republican and Democratic leaders, attracting moderates in both parties and pulling in some of the most respected voices on national security in the House.

The rapidly shifting politics were reflected clearly in the House on Wednesday, when a plan to defund the National Security Agency’s telephone data collection program fell just seven votes short of passage. Now, after initially signaling that they were comfortable with the scope of the N.S.A.’s collection of Americans’ phone and Internet activities, but not their content, revealed last month by Edward J. Snowden, lawmakers are showing an increasing willingness to use legislation to curb those actions.

Representatives Jim Sensenbrenner, Republican of Wisconsin, and Zoe Lofgren, Democrat of California, have begun work on legislation in the House Judiciary Committee to significantly rein in N.S.A. telephone surveillance. Mr. Sensenbrenner said on Friday that he would have a bill ready when Congress returned from its August recess that would restrict phone surveillance to only those named as targets of a federal terrorism investigation, make significant changes to the secret court that oversees such programs and give businesses like Microsoft and Google permission to reveal their dealings before that court.

“There is a growing sense that things have really gone a-kilter here,” Ms. Lofgren said.

The sudden reconsideration of post-Sept. 11 counterterrorism policy has taken much of Washington by surprise. As the revelations by Mr. Snowden, a former N.S.A. contractor, were gaining attention in the news media, the White House and leaders in both parties stood united behind the programs he had unmasked. They were focused mostly on bringing the leaker to justice.

Backers of sweeping surveillance powers now say they recognize that changes are likely, and they are taking steps to make sure they maintain control over the extent of any revisions. Leaders of the Senate Intelligence Committee met on Wednesday as the House deliberated to try to find accommodations to growing public misgivings about the programs, said the committee’s chairwoman, Senator Dianne Feinstein, Democrat of California.

Senator Mark Udall, a Colorado Democrat and longtime critic of the N.S.A. surveillance programs, said he had taken part in serious meetings to discuss changes.

Senator Saxby Chambliss of Georgia, the ranking Republican on the panel, said, “We’re talking through it right now.” He added, “There are a lot of ideas on the table, and it’s pretty obvious that we’ve got some uneasy folks.”

Representative Mike Rogers, a Michigan Republican and the chairman of the House Intelligence Committee, has assured House colleagues that an intelligence policy bill he plans to draft in mid-September will include new privacy safeguards.

Aides familiar with his efforts said the House Intelligence Committee was focusing on more transparency for the secret Foreign Intelligence Surveillance Court, which oversees data gathering, including possibly declassifying that court’s orders, and changes to the way the surveillance data is stored. The legislation may order such data to be held by the telecommunications companies that produce them or by an independent entity, not the government.

Lawmakers say their votes to restrain the N.S.A. reflect a gut-level concern among voters about personal privacy.

“I represent a very reasonable district in suburban Philadelphia, and my constituents are expressing a growing concern on the sweeping amounts of data that the government is compiling,” said Representative Michael G. Fitzpatrick, a moderate Republican who represents one of the few true swing districts left in the House and who voted on Wednesday to limit N.S.A. surveillance.

Votes from the likes of Mr. Fitzpatrick were not initially anticipated when Republican leaders chided reporters for their interest in legislation that they said would go nowhere. As the House slowly worked its way on Wednesday toward an evening vote to curb government surveillance, even proponents of the legislation jokingly predicted that only the “wing nuts” — the libertarians of the right, the most ardent liberals on the left — would support the measure.

Then Mr. Sensenbrenner, a Republican veteran and one of the primary authors of the post-Sept. 11 Patriot Act, stepped to a microphone on the House floor. Never, he said, did he intend to allow the wholesale vacuuming up of domestic phone records, nor did his legislation envision that data dragnets would go beyond specific targets of terrorism investigations.

“The time has come to stop it, and the way we stop it is to approve this amendment,” Mr. Sensenbrenner said.

He had not intended to speak, and when he did, he did not say much, just seven brief sentences.

“I was able to say what needed to be said in a minute,” he said Friday.

Lawmakers from both parties said the brief speech was a pivotal moment. When the tally was final, the effort to end the N.S.A.’s programs had fallen short, 205 to 217. Supporters included Republican leaders like Representative Cathy McMorris Rodgers of Washington and Democratic leaders like Representative James E. Clyburn of South Carolina. Republican moderates like Mr. Fitzpatrick and Blue Dog Democrats like Representative Kurt Schrader of Oregon joined with respected voices on national security matters like Mr. Sensenbrenner and Ms. Lofgren.

Besides Ms. McMorris Rodgers, Representative Lynn Jenkins of Kansas, another member of the Republican leadership, voted yes. On the Democratic side, the chairman of the House Democratic Caucus, Representative Xavier Becerra of California, and his vice chairman, Representative Joseph Crowley of New York, broke with the top two Democrats, Representatives Nancy Pelosi of California and Steny H. Hoyer of Maryland, who pressed hard for no votes.

On Friday, Ms. Pelosi, the House minority leader and a veteran of the Intelligence Committee, and Mr. Hoyer dashed off a letter to the president warning that even those Democrats who had stayed with him on the issue on Wednesday would be seeking changes.

That letter included the signature of Mr. Conyers, who is rallying an increasingly unified Democratic caucus to his side, as well as 61 House Democrats who voted no on Wednesday but are now publicly signaling their discontent.

“Although some of us voted for and others against the amendment, we all agree that there are lingering questions and concerns about the current” data collection program, the letter stated.

Representative Reid Ribble of Wisconsin, a Republican who voted for the curbs and predicted that changes to the N.S.A. surveillance programs were now unstoppable, said: “This was in many respects a vote intended to send a message. The vote was just too strong.”

Ms. Lofgren said the White House and Democratic and Republican leaders had not come to grips with what she called “a grave sense of betrayal” that greeted Mr. Snowden’s revelations. Since the Bush administration, lawmakers had been repeatedly assured that such indiscriminate collection of data did not exist, and that when targeting was unspecific, it was aimed at people abroad.

The movement against the N.S.A. began with the fringes of each party. Mr. Amash of Michigan began pressing for an amendment on the annual military spending bill aimed at the N.S.A. Leaders of the Intelligence Committee argued strenuously that such an amendment was not relevant to military spending and should be ruled out of order.

But Mr. Amash, an acolyte of Ron Paul, a libertarian former congressman, persisted and rallied support.

Mr. Sensenbrenner and Ms. Lofgren said they were willing to work with the House and Senate intelligence panels to overhaul the surveillance programs, but indicated that they did not believe those panels were ready to go far enough.

“I would just hope the Intelligence Committees will not stick their heads in the sand on this,” Mr. Sensenbrenner said.
http://www.nytimes.com/2013/07/29/us...veillance.html





Is China Wiring Africa for Surveillance?
Meghan Neal

Some in the US have long suspected that China's massive telecom company Huawei is developing tools for the Chinese government to commit cyber-espionage around the world. Now that Huawei's getting serious about its expansion into Africa, eyebrows are being raised again.

In 2012, a House committee labeled Huawei a national security threat, and the US government has accused the firm of nefarious surveillance practices many times in the last several years. That includes accusing it of helping the Iranian government monitor its citizens and quash dissent, and having ties to the Taliban. Each time the company has denied the allegations, and government investigations consistently fail to turn up any hard evidence.

But now Huawei has invested billions of dollars in Africa over the last two decades, providing affordable cell phones, internet access, and telecommunications networks to the continent. Over the last few months Huawei has closed major deals in Africa to get more areas on the grid. The company says it's bridging the digital divide, but others suspect it's wiring the continent for surveillance.

The loudest concerned party is former NSA and CIA head Michael Hayden, who has repeatedly raised warning flags about Huawei's suspected espionage. "The Chinese see themselves in a global economic competition with the United States, and they see real advantages of at least having the possibility of exploiting African networks in the future," he told Foreign Policy yesterday.

At this point, Huawei supplies back-end telecommunications equipment—wi-fi routers, mobile networks, communications hardware—to a third of the world. The thinking goes that if you build the infrastructure, you can easily build backdoors to get in and ascertain information. And not only is China laying the brick, so to speak. In many cases it's also running the networks for the African governments. If the allegations are true that Huawei provides a direct line to Beijing, it's about to have a huge peep hole into Africa.

"Even if there aren't any backdoors, which is a large hypothesis, just the Chinese state having access to the architecture of your system is a tremendous advantage for the Chinese should they want to engage in any electronic surveillance, any electronic eavesdropping," Hayden told FT.

Earlier this month, Hayden again accused Huawei of spying at the Chinese government's behest, saying he had the evidence to back it up, but the company fired back, calling the allegations "tired, unsubstantiated, and defamatory."

Hmm, government backdoor access to data through communications technology. Where would the NSA get an idea like that? It could be tempting to assume that 40 years in the CIA and NSA is making Hayden see spies around every corner, but whether or not Huawei is involved, the Chinese government has been named the world leader in cyber-espionage.

Evidence or no, the suspicions are strong enough that regulators continue to block Huawei from entering the US market, despite the manufacturer's best efforts to break in.
http://motherboard.vice.com/blog/is-...r-surveillance





Germany Nixes Surveillance Pact With US, Britain
Frank Jordans

Germany canceled a Cold War-era surveillance pact with the United States and Britain on Friday in response to revelations by National Security Agency leaker Edward Snowden about those countries' alleged electronic eavesdropping operations.

Chancellor Angela Merkel had raised the issue of alleged National Security Agency spying with President Barack Obama when he visited Berlin in June. But with weeks to go before national elections, opposition parties had demanded clarity about the extent to which her government knew of the intelligence gathering operations directed at Germany and German citizens.

Government officials have insisted that U.S. and British intelligence were never given permission to break Germany's strict privacy laws. But they conceded that an agreement dating back to the late 1960s gave the U.S., Britain and France the right to request German authorities to conduct surveillance operations within Germany to protect their troops stationed there.

"The cancellation of the administrative agreements, which we have pushed for in recent weeks, is a necessary and proper consequence of the recent debate about protecting personal privacy," Germany's Foreign Minister Guido Westerwelle said in a statement.

A German official, speaking on condition of anonymity, said the cancellation would have no practical consequences.

He said the move was largely symbolic since the agreement had not been invoked since the end of the Cold War and would have no impact on current intelligence cooperation between Germany and its NATO allies. The official, who spoke on condition of anonymity because he wasn't authorized to publicly discuss the issue, said Germany was currently in talks with France to cancel its part of the agreement as well.

In March 2011, two U.S. Air Force members were killed and two others wounded when a gunman from Kosovo fired on a military bus at Frankfurt International Airport. The gunman told police he was motivated by anger over the U.S.-led wars in Iraq and Afghanistan.

A spokeswoman for the U.S. embassy in Berlin, Ruth Bennett, confirmed that the agreement had been canceled but declined to comment further on the issue. Officials at the United Kingdom's embassy in Berlin couldn't immediately be reached for comment.
http://news.yahoo.com/germany-nixes-...113557159.html





FBI Pressures Internet Providers to Install Surveillance Software

CNET has learned the FBI has developed custom "port reader" software to intercept Internet metadata in real time. And, in some cases, it wants to force Internet providers to use the software.
Declan McCullagh

The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies' internal networks to facilitate surveillance efforts.

FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI's legal position during these discussions is that the software's real-time interception of metadata is authorized under the Patriot Act.

Attempts by the FBI to install what it internally refers to as "port reader" software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the "harvesting program."

Carriers are "extra-cautious" and are resisting installation of the FBI's port reader software, an industry participant in the discussions said, in part because of the privacy and security risks of unknown surveillance technology operating on a sensitive internal network.

It's "an interception device by definition," said the industry participant, who spoke on condition of anonymity because court proceedings are sealed. "If magistrates knew more, they would approve less." It's unclear whether any carriers have installed port readers, and at least one is actively opposing the installation.

In a statement from a spokesman, the FBI said it has the legal authority to use alternate methods to collect Internet metadata, including source and destination IP addresses: "In circumstances where a provider is unable to comply with a court order utilizing its own technical solution(s), law enforcement may offer to provide technical assistance to meet the obligation of the court order."

AT&T, T-Mobile, Verizon, Comcast, and Sprint declined to comment. A government source familiar with the port reader software said it is not used on an industry-wide basis, and only in situations where carriers' own wiretap compliance technology is insufficient to provide agents with what they are seeking.

For criminal investigations, police are generally required to obtain a wiretap order from a judge to intercept the contents of real-time communication streams, including e-mail bodies, Facebook messages, or streaming video. Similar procedures exist for intelligence investigations under the Foreign Intelligence Surveillance Act, which has received intense scrutiny after Edward Snowden's disclosures about the National Security Agency's PRISM database.

There's a significant exception to both sets of laws: large quantities of metadata can be intercepted in real time through a so-called pen register and trap and trace order with minimal judicial review or oversight. That metadata includes IP addresses, e-mail addresses, identities of Facebook correspondents, Web sites visited, and possibly Internet search terms as well.

"The statute hasn't caught up with the realities of electronic communication," says Colleen Boothby, a partner at the Washington, D.C. firm of Levine, Blaszak, Block & Boothby who represents technology companies and industry associations. Judges are not always in a position, Boothby said, to understand how technology has outpaced the law.

Judges have concluded in the past that they have virtually no ability to deny pen register and trap and trace requests. "The court under the Act seemingly provides nothing more than a rubber stamp," wrote a federal magistrate judge in Florida, referring to the pen register law. A federal appeals court has ruled that the "judicial role in approving use of trap and trace devices is ministerial in nature."

A little-noticed section of the Patriot Act that added one word -- "process" -- to existing law authorized the FBI to implant its own surveillance technology on carriers' networks. It was in part an effort to put the bureau's Carnivore device, which also had a pen register mode, on a firmer legal footing.

A 2003 compliance guide prepared by the U.S. Internet Service Provider Association reported that the Patriot Act's revisions permitted "law enforcement agencies to use software instead of physical mechanisms to collect relevant pen register" information.

Even though the Patriot Act would authorize the FBI to deploy port reader software with a pen register order, the legal boundaries between permissible metadata and impermissible content remain fuzzy.

"Can you get things like packet size or other information that falls somewhere in the grey area between traditional pen register and content?" says Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center. "How does the judge know what the box is actually doing? How does the service provider know? How does anyone except the technician know what's going on?"

An industry source said the FBI wants providers to use their existing CALEA compliance hardware to route the targeted customer's communications through the port reader software. The software discards the content data and extracts the metadata, which is then provided to the bureau. (The 1994 Communications Assistance for Law Enforcement Act, or CALEA, requires that communication providers adopt standard practices to comply with lawful intercepts.)

Whether the FBI believes its port reader software should be able to capture Subject: lines, URLs that can reveal search terms, Facebook "likes" and Google+ "+1s," and so on remains ambiguous, and the bureau declined to elaborate this week. The Justice Department's 2009 manual (PDF) requires "prior consultation" with the Computer Crime and Intellectual Property Section before prosecutors use a pen register to "collect all or part of a URL."

"The last time I had to ask anybody that, they refused to answer," says Paul Rosenzweig, a former Homeland Security official and founder of Red Branch Consulting, referring to Subject: lines. "They liked creative ambiguity."

Some metadata may, however, not be legally accessible through a pen register. Federal law says law enforcement may acquire only "dialing, routing, addressing, or signaling information" without obtaining a wiretap. That clearly covers, for instance, the Internet Protocol address of a Web site that a targeted user is visiting. The industry-created CALEA standard also permits law enforcement to acquire timestamp information and other data.

But the FBI has configured its port reader to intercept all metadata -- including packet size, port label, and IPv6 flow data -- which exceeds what the law permits, according to one industry source.

In 2007, the FBI, the Justice Department, and the Drug Enforcement Administration asked the Federal Communications Commission for an "expedited rulemaking" process to expand what wireless providers are required to do under CALEA.

The agencies said they wanted companies to be required to provide more information about Internet packets, including the "field identifying the next level protocol used in the data portion of the Internet datagram," which could reveal what applications a customer is using. The FCC never ruled on the law enforcement request.
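To make the metadata/content boundary the article keeps circling concrete, here is an added example, written for this page and not the FBI's "port reader", a carrier's CALEA compliance code, or anything from CNET's sources. It is a minimal IPv4/IPv6 plus TCP/UDP header parser over packets constructed inline. It returns the plainly statutory "addressing" fields (IP addresses and ports) separately from the grey-area fields the article names (packet size, the IPv6 flow label, and the IP header's next-level-protocol field), and it never returns the payload, only a count of the bytes it discarded. The grouping of fields into "addressing" versus "grey_area" is this example's own reading of the article, not a legal determination, and IPv6 extension headers are deliberately out of scope.

```python
"""Constructed example: a header-only "pen register view" of IP packets.

Not the FBI's port reader or any carrier's CALEA code. It shows the
split the CNET article describes: addressing fields (src/dst IP, ports)
versus grey-area header fields (packet size, IPv6 flow label, next-level
protocol) versus payload, which is content and is discarded here.
"""
import socket
import struct

TCP, UDP = 6, 17


def parse_packet(raw: bytes) -> dict:
    """Return addressing and grey-area header fields; drop the payload."""
    version = raw[0] >> 4
    if version == 4:
        ihl = (raw[0] & 0x0F) * 4                # header length in bytes
        total_len = struct.unpack_from("!H", raw, 2)[0]
        proto = raw[9]                           # next-level protocol field
        src = socket.inet_ntop(socket.AF_INET, raw[12:16])
        dst = socket.inet_ntop(socket.AF_INET, raw[16:20])
        flow_label = None
        l4 = ihl
    elif version == 6:
        vtf, payload_len, proto = struct.unpack_from("!IHB", raw, 0)
        flow_label = vtf & 0xFFFFF               # low 20 bits of word 0
        src = socket.inet_ntop(socket.AF_INET6, raw[8:24])
        dst = socket.inet_ntop(socket.AF_INET6, raw[24:40])
        total_len = 40 + payload_len
        l4 = 40                                  # no extension-header walking
    else:
        raise ValueError("not an IPv4/IPv6 packet")

    sport, dport = struct.unpack_from("!HH", raw, l4)
    if proto == TCP:
        hdr_len = (raw[l4 + 12] >> 4) * 4        # TCP data offset
    elif proto == UDP:
        hdr_len = 8
    else:
        raise ValueError("only TCP/UDP directly after the IP header are handled")

    payload = raw[l4 + hdr_len:total_len]        # content: never returned
    return {
        "addressing": {"src_ip": src, "dst_ip": dst,
                       "src_port": sport, "dst_port": dport},
        "grey_area": {"packet_size": total_len,
                      "ip_protocol_field": proto,
                      "ipv6_flow_label": flow_label},
        "content_bytes_discarded": len(payload),
    }


# --- constructed sample packets (checksums left at zero on purpose) ---
def build_ipv4_tcp(src, dst, sport, dport, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, TCP, 0,
                     socket.inet_pton(socket.AF_INET, src),
                     socket.inet_pton(socket.AF_INET, dst))
    return ip + tcp


def build_ipv6_udp(src, dst, sport, dport, payload: bytes, flow_label: int) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!IHBB16s16s", (6 << 28) | (flow_label & 0xFFFFF),
                     len(udp), UDP, 64,
                     socket.inet_pton(socket.AF_INET6, src),
                     socket.inet_pton(socket.AF_INET6, dst))
    return ip + udp


# The URL with a search term is exactly the kind of thing the article says
# sits beyond "dialing, routing, addressing, or signaling" information.
HTTP_REQUEST = b"GET /search?q=private HTTP/1.1\r\nHost: example.com\r\n\r\n"
DNS_LIKE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
SAMPLE_V4_TCP = build_ipv4_tcp("10.0.0.5", "93.184.216.34", 51234, 80, HTTP_REQUEST)
SAMPLE_V6_UDP = build_ipv6_udp("2001:db8::1", "2001:db8::53", 40000, 53,
                               DNS_LIKE, flow_label=0xABCDE)

if __name__ == "__main__":
    for pkt in (SAMPLE_V4_TCP, SAMPLE_V6_UDP):
        print(parse_packet(pkt))
```

The point of the split is auditability: anyone placed between the CALEA tap and the investigator can see from the returned record which fields were taken, and the payload (Subject: lines, URLs, search terms) never leaves the function, which is the property Butler and Fakhoury say nobody outside the technician can currently verify for the real box.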

Because it's relatively easy to secure a pen register and trap and trace order -- they only require a law enforcement officer to certify the results will likely be "relevant" to an investigation -- they're becoming more common. The Justice Department conducted 1,661 such intercepts in 2011, up from only 922 a year earlier.

That less privacy-protective standard is no accident. A U.S. Senate report accompanying the pen register and trap and trace law said its authors did "not envision an independent judicial review of whether the application meets the relevance standard." Rather, the report said, judges are only permitted to "review the completeness" of the paperwork.

Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation and a former federal public defender, said he's concerned about port reader software doing more than the carriers know. "The bigger fear is that the boxes are secretly storing something," he said, "or that they're doing more than just simply allowing traffic to sift through and pulling out the routing information."

"For the Feds to try to push the envelope is to be expected," Fakhoury said. "But that doesn't change the fact that we have laws in place to govern this behavior for a good reason."
http://news.cnet.com/8301-13578_3-57...ance-software/





FBI Taps Hacker Tactics to Spy on Suspects

Law-enforcement officials expand use of tools such as spyware as people under investigation 'go dark,' evading wiretaps
Jennifer Valentino-Devries, Danny Yadron

Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.

Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.

People familiar with the Federal Bureau of Investigation's programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can't be wiretapped like a phone, is called "going dark" among law enforcement.

A spokeswoman for the FBI declined to comment.

The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.'s Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment.

The bureau typically uses hacking in cases involving organized crime, child pornography or counterterrorism, a former U.S. official said. It is loath to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique, the person said.

The FBI has been developing hacking tools for more than a decade, but rarely discloses its techniques publicly in legal cases.

Earlier this year, a federal warrant application in a Texas identity-theft case sought to use software to extract files and covertly take photos using a computer's camera, according to court documents. The judge denied the application, saying, among other things, that he wanted more information on how data collected from the computer would be minimized to remove information on innocent people.

Since at least 2005, the FBI has been using "web bugs" that can gather a computer's Internet address, lists of programs running and other data, according to documents disclosed in 2011. The FBI used that type of tool in 2007 to trace a person who was eventually convicted of emailing bomb threats in Washington state, for example.

The FBI "hires people who have hacking skill, and they purchase tools that are capable of doing these things," said a former official in the agency's cyber division. The tools are used when other surveillance methods won't work: "When you do, it's because you don't have any other choice," the official said.

Surveillance technologies are coming under increased scrutiny after disclosures about data collection by the National Security Agency. The NSA gathers bulk data on millions of Americans, but former U.S. officials say law-enforcement hacking is targeted at very specific cases and used sparingly.

Still, civil-liberties advocates say there should be clear legal guidelines to ensure hacking tools aren't misused. "People should understand that local cops are going to be hacking into surveillance targets," said Christopher Soghoian, principal technologist at the American Civil Liberties Union. "We should have a debate about that."

Mr. Soghoian, who is presenting on the topic Friday at the DefCon hacking conference in Las Vegas, said information about the practice is slipping out as a small industry has emerged to sell hacking tools to law enforcement. He has found posts and resumes on social networks in which people discuss their work at private companies helping the FBI with surveillance.

A search warrant would be required to get content such as files from a suspect's computer, said Mark Eckenwiler, a senior counsel at Perkins Coie LLP who until December was the Justice Department's primary authority on federal criminal surveillance law. Continuing surveillance would necessitate an even stricter standard, the kind used to grant wiretaps.

But if the software gathers only communications-routing "metadata"—like Internet protocol addresses or the "to" and "from" lines in emails—a court order under a lower standard might suffice if the program is delivered remotely, such as through an Internet link, he said. That is because nobody is physically touching the suspect's property, he added.

An official at the Justice Department said it determines what legal authority to seek for such surveillance "on a case-by-case basis." But the official added that the department's approach is exemplified by the 2007 Washington bomb-threat case, in which the government sought a warrant even though no agents touched the computer and the spyware gathered only metadata.

In 2001, the FBI faced criticism from civil-liberties advocates for declining to disclose how it installed a program to record the keystrokes on the computer of mobster Nicodemo Scarfo Jr. to capture a password he was using to encrypt a document. He was eventually convicted.

A group at the FBI called the Remote Operations Unit takes a leading role in the bureau's hacking efforts, according to former officials.

Officers often install surveillance tools on computers remotely, using a document or link that loads software when the person clicks or views it. In some cases, the government has secretly gained physical access to suspects' machines and installed malicious software using a thumb drive, a former U.S. official said.

The bureau has controls to ensure only "relevant data" are scooped up, the person said. A screening team goes through all of the data pulled from the hack to determine what is relevant, then hands off that material to the case team and stops working on the case.

The FBI employs a number of hackers who write custom surveillance software, and also buys software from the private sector, former U.S. officials said.

Italian company HackingTeam SRL opened a sales office in Annapolis, Md., more than a year ago to target North and South America. HackingTeam provides software that can extract information from phones and computers and send it back to a monitoring system. The company declined to disclose its clients or say whether any are in the U.S.

U.K.-based Gamma International offers computer exploits, which take advantage of holes in software to deliver spying tools, according to people familiar with the company. Gamma has marketed "0 day exploits"—meaning that the software maker doesn't yet know about the security hole—for software including Microsoft Corp.'s Internet Explorer, those people said. Gamma, which has marketed its products in the U.S., didn't respond to requests for comment, nor did Microsoft.
http://online.wsj.com/article_email/...TEwNDEyWj.html





The Surveillance-Free Day (Part I)
Kevin Roose

At 6 a.m. on Friday, I wake up, fumble for my alarm, and roll out of bed. As I walk to the kitchen to brew coffee, I think to myself: I am a cipher. I exist nowhere. My enemies could not find me, even if they tried. These thoughts come to me not because I fell asleep watching The Bourne Identity or took too much NyQuil before bed, but because I’m psyching myself up for a very difficult assignment.

For the next 24 hours, I’m going to try to live completely surveillance-free. I will foil Chinese hackers and the NSA with encrypted texts and VPN tunnels. I will find ways to buy things online without giving away any personal information and communicate via smartphone without producing metadata. Also, I will wear a funny-looking hat with small lightbulbs in it that will protect me from being caught on camera. With expert help and a spy’s toolkit, I will attempt to stick to my normal routine for an entire day, but without leaving behind a trail of data for the government – or anyone else – to collect.

I got this idea a few weeks ago, when some friends and I were talking about what Edward Snowden’s leaks concerning the NSA’s PRISM program meant for the future of privacy. Now that we know that the government can access our phone records and snoop on our e-mails, our Facebook messages, and our Google searches, will any digital interactions ever feel private again? Is it even worth thinking about life outside the panopticon?

Years ago, people who asked these questions might have been written off as tinfoil-hat nutters. But now, even normal people have reasons to be paranoid. If you're an investigative journalist, a corporate executive working on a sensitive deal, a member of a targeted ethnicity, religious group, or political faction, or merely a citizen who puts a high value on privacy, you're probably already worried about the extent to which you're being snooped on. In a recent poll, roughly half of Americans said that the NSA’s data-collection efforts violated their rights. And as technologies like Google Glass become widespread, the pool of interactions that aren't captured and catalogued — by private companies, the government, or both — will shrink even more.

Last week, after a proposal to defund the PRISM program narrowly failed in the House of Representatives, I decided to test the borders of the surveillance state, by trying to leave it for a day. Several friends pointed out that I could simply go camping in the woods without my gadgets, or become Amish. But my goal is to make my surveillance-free day a relatively normal one. I don't want to wear disguises, change my name, and live on the lam, as Evan Ratliff did for his 2009 Wired story. I want to get online, check e-mail and Twitter, use a smartphone, eat meals at restaurants, buy things at stores, and take public transportation, just like I would on any other day. I want to see if it’s possible to maintain some semblance of personal privacy without time-warping to 1950 (or 1650).

I begin my project by shutting off all the technology in my house that automatically collects or sends out data about me. It’s a horrifyingly long list. I can’t use my Jawbone Up band, which wakes me up, tracks my sleep, and counts the number of steps I take every day. I have to switch my iPhone to airplane mode, turn my iPad and my Kindle off completely, and unplug my Xbox, since it's connected to my home wi-fi network. Just to be safe, I also cover the cameras on my laptop, desktop, and cell phone with snippets of electrical tape, since savvy hackers can gain control of them remotely.

So, after my morning coffee, I start surveillance-proofing my biggest problem spots: my laptop and cell phone. Every day, these two devices transmit millions of data points about me — where I am, who I’m talking to, what I’m shopping for, which animated gifs I’m looking at — to an armada of private-sector companies and third-party marketers. Usually, I accept these leaks as the cost of living a digital life. But today, I’m going to try to tighten the information spigot.

Hundreds of programs and apps have sprung up in the last few years to help people keep their data out of unwanted hands, and when I was planning my surveillance-free day, I enlisted the help of two cyber-security experts to help me sort through them all: Jon Callas and Gary Miliefsky. Jon is a professional cryptographer and the co-founder of a company called Silent Circle, which makes a suite of software that allows you to send and receive encrypted calls and texts. Gary is the executive producer of Cyber Defense Magazine, and the founder of a company called SnoopWall, which makes a suite of apps that prevent cyber-spying and eavesdropping.

The first thing both Jon and Gary told me is that if my goal was complete anonymity and totally untraceable communication, I was certain to fail. They suggested I set my sights lower — shrinking my surveillance footprint, instead of eliminating it.

“Are you going to be completely invisible from the U.S. government?” Gary said. “Never. But you can make it painful for them to find you.”

On their advice, I download Wickr, an app that allows you to send and receive encrypted texts and photos that self-destruct after minutes or hours of viewing. (It’s basically Snapchat on steroids.) I also sign up for a site called HideMyAss. It’s a private VPN service that is popular with the anti-surveillance crowd, since it allows you to camouflage your web activity by sending it through a network of thousands of proxy servers scattered around the world. I'm in the Bay Area, but with HideMyAss, I can make it look like I’m logging on from Brazil or Bangladesh.

While signing up for HideMyAss, I run into my first glitch of the day. Since credit cards are a privacy no-no, I was going to use cash and a Visa gift card (which I bought with cash at my local 7-11) to pay for things. But HideMyAss won’t accept a Visa gift card unless I register it with a real name and address — which sort of defeats the point. I’m feeling hopeless, until I spot a “Pay By Bitcoin” option on HideMyAss’s payment page. Bitcoins are, in many ways, the ultimate underground currency. They’re even better than Visa gift cards, since they don’t involve a credit card company or a bank at all, and since they exist only as untraceable strings of letters and numbers.

Luckily, I have a little left over in my Bitcoin wallet from my adventures with the crypto-currency earlier this year. So I click over to Coinbase and send about $50 worth of Bitcoins over to HideMyAss for a six-month subscription, the shortest I could buy. Once I log in, HideMyAss connects me to a server in a city of my choosing (I pick Reykjavik, Iceland), shows me a little green box telling me my connection is now secure, and asks me how often I want to switch servers. I set it for 30 minutes — meaning that in half an hour, my virtual life will pack its bags in Reykjavik and head to some other exotic locale. My online identity will be putting dozens of stamps on its passport today, even if I never leave my dining room table.

Next, I sign up for Hushmail, a Vancouver-based service that provides free encrypted e-mail accounts. Gmail is obviously a no-go for the day – Google being a particularly aggressive data-collector and PRISM target – and Hushmail, though not perfectly safe (it has forked over user data to the Canadian government in the past), is miles ahead. So I set up a vacation auto-reply on my Gmail account:

Hi, I'm trying to spend today entirely free of surveillance. Since Google is known to be part of the PRISM program, I will be using more secure web services to communicate for the next 24 hours. If you need to reach me today, please contact me through my secure email account ([redacted]@hushmail.com) or on Wickr (secure texting app) at username: [redacted].

Once I’ve gotten HideMyAss and Hushmail running, I download Tor, a secure browser that is beloved by the hacker community. Tor (short for The Onion Router) works by shuttling your requests through a network of servers all around the world, and decrypting and re-encrypting data multiple times during transmission. It’s not a perfectly secure network, but it does a fairly good job of keeping its users anonymous – which is why it’s reportedly the browser of choice for cyber-criminals and online drug dealers.

While Google, Facebook, and Instagram are off limits, I carve out an exception for Twitter — sending direct messages over a secure connection, and posting public updates with no geotags — since the company isn't part of the PRISM program and is known for fighting hard to maintain its users’ privacy in court. And I allow myself to log into my work e-mail remotely, since I think (hope?) my employer would never give me up to the feds.

Then there's the question of what to do with my iPhone. It's got all kinds of geolocation functions enabled (to tell me where my nearest Uber car, Seamless delivery restaurant, or ATM is), and it’s on a Verizon Wireless plan, which means that its metadata is being delivered to the NSA on a silver platter. To minimize my digital traces today, I’ll keep it on airplane mode and will only be using it for Wickr messages when I’m on a public wi-fi network — meaning that location services and cellular data functions will never come on. For all other things, I’ll use a burner phone – a Samsung Galaxy that was sent to me a few weeks ago as a tester unit, and isn’t registered under my name or connected to any of my existing accounts.

To avoid the risk of unwanted transmission, I decide to put both phones in a so-called “Faraday cage,” a conductive metal enclosure that will block out any radio or cellular signals. A video I found online claimed that metal cocktail shakers make the best Faraday cages, but my cocktail shaker isn’t big enough to hold two phones, so I wrap them in aluminum foil instead.

In all, I’m doing what most security experts would consider a half-assed job. I could protect myself much better with CIA-grade technology, and my plan is full of holes (for one thing, I don’t have a burner laptop). But the modern surveillance state is so pervasive that there are always going to be weaknesses in any amateur plan.

My favorite anti-surveillance hack of the day has nothing to do with either my phone or my laptop, though. It’s a red baseball hat that I outfitted with infrared LEDs, and wired to a pair of 9-volt batteries, following instructions I found online. Most surveillance cameras operate on the infrared spectrum. And to the naked eye, my hat's LEDs will look like nothing. But on infrared cameras, they'll drown my face and render me unrecognizable. I'll just appear as a ball of light.

Both Jon and Gary pointed out one of the central paradoxes of my day – that, by downloading Tor and HideMyAss, by paying for software in Bitcoin, wrapping my phones in foil, and by turning my head into a giant glowing orb, I’m effectively asking to be put on a terrorist watch list. It’s the digital equivalent of hanging a big “I’M SKETCHY” sign around my neck. And as I browse through my morning news sites, using my Icelandic internet connection and my Tor browser, I can’t shake the feeling that black helicopters are already circling overhead.

Still, I have to keep going. I’ve got a full day ahead of me – some writing at my local coffee shop, an afternoon of meetings in San Francisco, an errand or two in the city, and drinks at a friend’s house after work. And somehow, I’ve got to do all of this while staying below the government’s radar.

And so, after finishing my breakfast, I get dressed, put some extra foil and batteries in my bag, don my anti-surveillance hat, and head out into the wide, watching world.
http://nymag.com/daily/intelligencer...ay-part-i.html





Crypton Open Source Project to Thwart Online Surveillance
Adrian Bridgwater

Online (Dropbox-style) storage company Spideroak has detailed news of its Crypton open source data security project.

Crypton's "unique" approach comes from its ability to let web application developers apply encryption controls in the browser itself, i.e. before the application data is sent to a remote server for storage or related processing, where malware could otherwise spread more widely over unencrypted data.

With these controls, Spideroak is suggesting that web developers will also be able to circumvent and thwart online surveillance channels.

Crypton's ABOUT pages describe it as a framework for building cryptographically secure cloud applications: such applications offer meaningful privacy assurance to end users because the servers running the application cannot read the data created and stored by the applications, says its development team.

According to the https://crypton.io/ team, "To our knowledge there is no existing framework that handles all the encryption, database storage, and private user to user communication needed to build a zero knowledge cloud application."

Its developers say that other cloud applications have been created that involve cryptography, but not in a "generalised & reusable form" that everyday developers could easily use to build a wide range of new apps.

NOTE: The name Crypton is a derivative of 'cryptography' and 'photon'. Cryptography is defined as the elements necessary to create a cypher. Photon is an elementary particle of light.

"We can now start a true dialogue around privacy online as Crypton makes it possible for anyone to build 'zero-knowledge' cloud-based applications," said Ethan Oberman, CEO and Co-Founder of SpiderOak. "Most companies out there aren't making money by mining through your uploaded content; rather, they are providing a service and charging a monthly or yearly fee. Through Crypton, these companies can now give privacy back to their user base and further protect themselves against potential liabilities and/or outside attacks."
http://www.computerweekly.com/blogs/...veillance.html

Until next week,

- js.

Current Week In Review
Recent WiRs -

July 27th, July 20th, July 13th, July 6th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black