P2P-Zone  

Go Back   P2P-Zone > Peer to Peer
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Peer to Peer The 3rd millenium technology!

Reply
 
Thread Tools Search this Thread Display Modes
Old 03-06-15, 07:33 AM   #1
JackSpratts
 
JackSpratts's Avatar
 
Join Date: May 2001
Location: New England
Posts: 10,013
Default Peer-To-Peer News - The Week In Review - June 6th, '15

Since 2002


































"I am the author of the Locker ransomware and I'm very sorry about that [sic] has happened. It was never my intention to release this. I uploaded the database to mega.co.nz containing 'bitcoin address, public key, private key' as CSV. This is a dump of the complete database and most of the keys weren't even used. All distribution of new keys has been stopped." – PasteBin post


"It’s not the end." – Senator Susan Collins, R-Maine


"This is the power of an informed public." – Edward Snowden






































June 6th, 2015




Blocking Pirate Bay Doesn’t Increase Legit Sales, Study Finds
Joel Hruska

Carnegie Mellon researchers have authored a study on how website blocks impact consumer behavior, and whether such actions can be used to reduce content piracy. The group’s findings indicate that website blocking does reduce overall piracy rates — but only if the blocks are comprehensive and target a large number of sites in a short period of time. This is the first study of its kind to rely on measurements of consumer behavior as opposed to aggregate market data, and as such, it should offer a more accurate window into how these bans and restrictions actually impact content consumption.

The team examined data from the UK, where website blocks and bans are common. In November 2011, the High Court ordered British Telecom and five other ISPs to begin blocking access to the Pirate Bay. Later, in 2012-2013, these same ISPs were ordered to block a total of 19 additional infringing websites that provided access to copyrighted video content. It’s not clear if all the sites were torrent search engines, or if the UK also blocked access to illegal streaming sites in these orders.

The purpose of the study was to attempt to answer how effective such bans are at lowering the number of people accessing infringing content. There have always been arguments for and against such actions, with copyright holders claiming that blocking popular websites had at least a moderate impact on total piracy. After the French adopted their anti-piracy “HADOPI” law, digital music sales increased by roughly 25%. The shutdown of MegaUpload was found to increase digital movie revenues by 6-8%. Other studies of consumer behavior and spending, however, found essentially no benefit. Torrent networks are designed to survive the death of any particular search engine — provided that the torrent is still well-seeded and available online, taking down a website like The Pirate Bay has little impact on the availability of the actual content.

Here’s what the researchers found, in aggregate: When the Pirate Bay was blocked, the total drop in piracy was effectively zero. As some have argued, the impacted users simply found other sites to use or, in a few cases, adopted VPNs. There was no mathematical increase to the total number of consumers using paid, legal streaming services as a result of the Pirate Bay going dark in the UK. Data suggests that traffic to other torrent sites increased markedly after TPB went down, which is precisely what you’d expect to happen.

When the 19 blocks are considered in aggregate, though, the consumer consumption patterns shifted. Unlike when TPB was blocked, visits to legal streaming websites did increase thereafter. VPN usage increased again, but the majority of users did not turn to VPNs to bypass the IP lockouts on various websites. The conversion rate to legal services from illegal copyright infringing ones varied depending on how often the end-user had been relying on now-blocked content in the first place.

The lightest users of the blocked sites converted to legal streaming services at a poor rate. If you visited blocked sites 1-2x a month, the conversion rate was just 2.2 to 4.4%. Midrange users, however, tended to convert in higher numbers, up to a maximum of 42.4% conversion rate for those visiting copyright infringing sites up to 24x a month. The exception was the heaviest group of infringers, who only converted over to legal consumption in 14.8% of cases. The more likely consumers were to visit an illegal site before the block, the more likely they were to turn to legal methods of content consumption after the block.

Conclusions

We can draw several tentative conclusions from this data. First, the only copyright enforcement actions that are likely to be effective are those that target multiple sites simultaneously, limiting the total number of alternatives users are aware of. Second, many people will convert to legal streaming from illegal services, though this undoubtedly depends on the quality and type of streaming service available in the host country. This last point shouldn’t be surprising — music piracy and the rise of Napster may have caused fits for the music industry, but the long-term success of digital downloads and the iTunes Music Store also illustrates that it’s perfectly possible to compete with free, provided you offer people a service that they want to buy.

As the battle over content royalties and media consumption shifts from digital downloads to a streaming model, questions of how to convert users to using that model are going to be front and center of the discussion. Netflix and Hulu have thrived in the new economy precisely because they offer US customers large amounts of content at excellent prices. In the grand scheme of things, making websites unavailable (as opposed to pursuing draconian judgments of jail time or enormous fines) is likely a far better policy for converting pirates to paying customers. No, you’ll never catch everyone that way — but once people have subscribed to well-liked services, they’re less likely to return to illicit methods, provided the content remains available and timely. Finally, the research team argues that their data does show evidence that piracy does displace use of legal alternatives, even when those alternatives are low-cost and readily available.
http://www.extremetech.com/computing...es-study-finds





EFF Fights Abuse of Court Orders to Close Sites in the Wake of Grooveshark
Mark Wilson

The EFF (Electronic Freedom Foundation) has involved itself in lots of online battles -- including the fightback against NSA surveillance, and the drive for net neutrality. The latest fight sees the organization joining forces with web performance and security firm CloudFlare in tackling the site blocking activities of the record industry.

The digital rights group is battling record labels which it says are forcing web firms into becoming the "copyright police". The move was prompted by the closure of Grooveshark, a music website run by one of CloudFlare's clients. It re-opens the question of who is ultimately responsible for the content that appears on sites -- those posting it, those hosting it, or any other company involved in the delivery?

When Grooveshark was closed down, it was done so via a sealed court order. EFF feels this is unfair and that courts are handing out retraining orders that are too far-reaching. It hopes that by bringing the matter out into the open, greater transparency will be encouraged. As things stand at the moment, EFF explains, the court orders mean that "service providers of every kind" can be held responsible for taking down a site -- including the likes of CloudFlare.

Attorney Mitch Stoltz said:

Just because you are providing a service to a website doesn't mean you should be roped into policing it. Copyright holders should not be allowed to blanket infrastructure companies with blocking requests, co-opting them into becoming private trademark and copyright police.

The case was brought before a federal court in an emergency hearing this week. U.S. District Court Judge Alison Nathan ruled that the court proceedings would continue to be sealed, something that EFF and legal firm Goodwin Procter oppose. The judge is expected to come to a decision about whether CloudFlare can be held accountable for access to Grooveshark next week. The argument is that a single court order is insufficient to put "legal responsibilities on the entire Internet."
http://betanews.com/2015/05/30/eff-f...f-grooveshark/





Google Demands Movie Studios Comply with Subpoenas
Jonathan Stempel

Google Inc (GOOGL.O) has asked a federal judge to require three major movie studios to comply with subpoenas it believes may help show they conspired with Mississippi Attorney General Jim Hood as he investigated the Internet search company.

In a request made public on Tuesday in Manhattan federal court, Google said Viacom Inc (VIAB.O), Twenty-First Century Fox Inc (FOXA.O) and Comcast Corp's CMSCA.O NBCUniversal "have produced nothing" in response to the March 12 subpoenas, and cannot claim the requested material is irrelevant or privileged.

Google sued Hood, a longtime critic, last Dec. 19 in Mississippi to block his probe of whether it should be held civilly or criminally responsible for encouraging sales of objectionable materials, such as illegal drugs and pornography, through its search engine and YouTube video-sharing website.

As part of that case, the Mountain View, California-based company accused Hood of effectively being a pawn for the Motion Picture Association of America, whose members it said "have spent years pursuing an anti-Google agenda" as the group tries to halt the distribution of pirated videos on the Internet.

Viacom, Twenty-First Century Fox and NBCUniversal are among the MPAA's six members.

The subpoenas issued in connexion with the Mississippi case seek communications with Hood, communications with other state attorneys general about Google and information about studios' campaign donations to Hood and the Democratic Attorneys General Association. Hood is a Democrat.

"Google subpoenaed the studios for information about behind-the-scenes manoeuvring that fomented AG Hood's violations of Google's constitutional and federal rights," the company said in a court filing. "Given the narrow window afforded for discovery in this case, Google can wait no longer."

Nathaniel Brown, a spokesman for Twenty-First Century Fox, declined to comment. Viacom, NBCUniversal and the MPAA did not immediately respond to requests for comment. Hood's office had no immediate comment.

Google's lawsuit against Hood is pending in federal court in Jackson, Mississippi.

Without ruling on the merits, U.S. District Judge Henry Wingate in Jackson on March 27 found a "substantial likelihood" that Hood violated Google's First Amendment rights by regulating the company's speech based on its content, and retaliated for that speech by having issued a 79-page subpoena to Google in October.

The case is Google Inc v. Twenty-First Century Fox Inc et al, U.S. District Court, Southern District of New York, No. 15-mc-00150. The Mississippi case is Google Inc v. Hood, U.S. District Court, Southern District of Mississippi, No. 14-00981.

(Reporting by Jonathan Stempel in New York; Editing by Dan Grebler)
http://uk.reuters.com/article/2015/0...0OI1XQ20150602





Last Remaining Pirate Bay Founder Freed from Jail

Fredrik Neij served two-thirds of 10-month prison sentence for copyright infringement but remains defiant over government action
Samuel Gibbs

Pirate Bay co-founder Fredrik Neij has been released from prison, marking an end to the incarnation of the notorious pirate site’s crew.

Neij was released from prison in Skänninge, Sweden, on 1 June, according to reports, after serving two-thirds of a 10-month prison sentence for his involvement with the Pirate Bay and enabling copyright infringement.

Operating under the alias TiAMO, the Swede was instrumental in the operation of the Pirate Bay and was involved in the 2009 trial that saw him and fellow co-founders Peter Sunde and Gottfrid Svartholm Warg convicted of copyright offences.

The 37-year-old was sentenced in 2012, but fled Sweden for Thailand. He was eventually arrested by Thai authorities in November last year, while attempting to travel between Laos and Thailand, and transferred to Swedish custody.

Sunde was releases from prison in November 2014, after serving five months, while Warg is currently serving a 42-month prison sentence in Denmark for unrelated computer crimes after serving time for his involvement in the Pirate Bay.

Unlike Sunde, who has publicly denounced the Pirate Bay in its current incarnation, Neij plans to appeal the Swedish government’s seizure of the Pirate Bay’s domain name, of which he was the holder.

The piratebay.se domain seizure did little to take the site offline, as it simply switched to a series of new web addresses and continued to operate.

The on-going Dutch case against the Pirate Bay, which continues to facilitate copyright infringement, could end up promoted to the European court of justice in the near future.

The attorney general for the Netherlands stated that European law should be clarified to determine whether the Pirate Bay is breaking the law in its current form, before the local case, brought by anti-piracy group Brein and is now with the Dutch Supreme Court, can proceed.
http://www.theguardian.com/technolog...l-fredrik-neij





Kim Dotcom Gets to Keep his Millions, Cars, and Jet Skis, for Now

New Zealand court rules that US legal theory in civil forfeiture case doesn't apply.
Cyrus Farivar

A New Zealand court has found in favor of Kim Dotcom’s attempt to halt the American government forfeiture of his New Zealand-held assets.

The Wednesday decision by the High Court of New Zealand, Auckland Registry, essentially found that because Dotcom lost the civil forfeiture case by default judgment in March 2015, under an American legal theory known as the "doctrine of fugitive disentitlement," and that New Zealand law did not recognize such a concept, then his assets should not be handed over. In recent months, the American government has tried to work with its New Zealand counterparts to have this forfeiture enforced.

"This is a blow to the [United States government] strategy designed to starve me out," Dotcom, the embattled Megaupload founder, e-mailed Ars early Wednesday morning.

The judgment throws a significant wrench into the civil forfeiture case that United States federal prosecutors brought in July 2014. The New Zealand decision will almost certainly be appealed to the Court of Appeal of New Zealand, and then possibly up to the Supreme Court of New Zealand—a process that could take many months.

In the US civil forfeiture case, which was brought 18 months after the initial criminal charges, prosecutors sought to seize an extensive list of seized assets, including millions of dollars in various seized bank accounts in Hong Kong and New Zealand, multiple cars, four jet skis, the Dotcom mansion, several luxury cars, two 108-inch TVs, three 82-inch TVs, a $10,000 watch, and a photograph by Olaf Mueller worth over $100,000.

Dotcom’s chief global counsel agreed with his client’s assessment: "We are grateful that the New Zealand court ruled in favor of fairness, natural justice, and due process today by stopping US efforts to take Kim Dotcom's New Zealand assets for doing nothing more than opposing extradition to the United States—a country he has never been to," Ira Rothken told Ars by text message early Wednesday morning.

So who's a fugitive, after all?

A federal judge in Virginia presiding over the civil case issued a default judgment back in March, essentially agreeing with the government’s argument on the "doctrine of fugitive disentitlement."

That idea posits that if a defendant has fled the country to evade prosecution, then he or she cannot make a claim to the assets that the government wants to seize under civil forfeiture. But as the Dotcom legal team claims, the US cannot use its legal system to seize assets abroad, nor can Dotcom be considered a fugitive if he has never set foot in the United States.

"Here, the plaintiffs are New Zealand residents who are exercising their right to resist extradition," High Court Judge Rebecca Ellis wrote in the Wednesday decision.

The American civil forfeiture case is related to, but distinct from, the dozen American criminal charges of copyright infringement, racketeering, wire fraud, and money laundering that Dotcom faces. Dotcom has been fighting extradition from his residence in New Zealand since he was arrested at his home in January 2012 and then later released on bail.

In total, American authorities allege that the "Mega Conspiracy… generated more than $175 million in criminal proceeds and caused more than half a billion dollars in harm to copyright owners." For his part, Dotcom has long maintained that Megaupload was no different from any other cloud storage firm, like Google or Dropbox, and that he made good faith efforts to remove infringing content.

The multiple legal cases that Dotcom faces in the United States have largely been put on hold as Dotcom continues to fight extradition in New Zealand—currently scheduled for September 2015, around two months before he would become eligible for New Zealand citizenship.
http://arstechnica.com/tech-policy/2...-skis-for-now/





Tor Connections to Hidden Services Could be Easy to De-Anonymize

It's safer to access Internet websites over Tor than hidden services, researchers said
Lucian Constantin

Identifying users who access Tor hidden services -- websites that are only accessible inside the Tor anonymity network -- is easier than de-anonymizing users who use Tor to access regular Internet websites.

Security researchers Filipo Valsorda and George Tankersley showed Friday at the Hack in the Box security conference in Amsterdam why Tor connections to hidden services are more vulnerable to traffic correlation attacks.

One of Tor's primary goals is to provide anonymity for Internet users. This is achieved by routing their Web traffic through a series of randomly chosen nodes or relays before passing it back onto the public Internet.

The nodes that make up the Tor network are run by volunteers and they can have specialized roles. There are nodes called entry guards that serve as the first hops onto the network and there are also exit relays that pass the traffic back onto the Internet.

Internet servers that receive traffic from Tor users won't see the real IP (Internet Protocol) addresses of those users. What they'll see will be the IP addresses of randomly chosen Tor exit nodes.

The Tor hidden service protocol extends the anonymity protection to servers as well. It makes it impossible for users to see the real IP address of a server that runs a Tor hidden service, like for example, a website.

Hidden services use addresses that end in .onion, a pseudo top-level domain that doesn't exist on the Internet and only resolves inside the Tor network. This anonymity protection for both servers and users makes hidden services attractive to political activists in countries where free speech is not well protected or where Internet surveillance is common, but also to criminals who use such websites to hide their activities from law enforcement.

The infamous online bazaar Silk Road where users sold drugs, arms and other kinds of illegal goods and services, operated as a Tor hidden service. The FBI eventually shut it down and arrested its owner, but other similar marketplaces have taken its place.
The biggest threat to the Tor network, which exists by design, is its vulnerability to traffic confirmation or correlation attacks. This means that if an attacker gains control over many entry and exit relays, they can perform statistical traffic analysis to determine which users visited which websites.

The Tor developers are closely monitoring exit relays and removing bad ones from the network, so it's relatively hard for someone to pull off such an attack. In addition, if an attacker wants to identify Tor users visiting a specific Internet website, they'd have to gain control over a very large number of exit and entry nodes in order to increase their chance of success, since the relays will be different for every connection.

That's not the case with Tor hidden services and in fact attackers could quite easily and with 100 percent reliability take control of all the rendezvous points between Tor users and specific Tor hidden services, at least for a period of time.

Tor hidden services rely on nodes with a special HSDir (hidden service directory) flag to advertise themselves on the Tor network so they can be discovered by users. Every hidden service will select six HSDir nodes to serve as its rendezvous points on a given day. This selection is done from a pool of around 4,000 nodes based on a predictable date-dependent formula.

With this formula both a Tor client and a Tor hidden service should select the same 6 HSDirs on a particular day. However, the researchers found that they could use brute force techniques to generate the keys needed for their own nodes to take up those rendezvous positions for a specific day.

The researchers managed to place their own nodes as the 6 HSDirs for facebookcorewwwi.onion, Facebook's official site on the Tor network, for the whole day on Thursday. They still held 4 of the 6 spots on Friday.

Brute-forcing the key for each node took only 15 minutes on a MacBook Pro and running the Tor relays themselves cost US$62 on Amazon's EC2 service.

New nodes receive the HSDir flag automatically after being up for around five days and attackers could set up nodes to become the HSDirs for a particular hidden service for the next five days with around US$200, the researchers estimated.

This technique will give attackers control over one end of the connection, but in order to perform traffic correlation attacks the attacker would also need to have visibility into the entry point. This can be achieved by someone who can monitor users' traffic before it enters the Tor network.

For example, a government monitoring its Internet users through ISPs could use this attack to perform traffic analysis and determine who visited a dissident site hosted on Tor. A law enforcement agency could do the same with the help of ISPs to identify who is visiting an illegal website that runs as a Tor hidden service.

The goal of the two researchers was to prove that "hidden service users face a greater risk of targeted de-anonymization than normal Tor users," because it's much easier to reliably control all HSDirs for a specific hidden service than to control all Tor exit relays that might be used to access a website.

Runa Sandvik, a security researcher and former Tor developer who was at the conference, agreed that it's technically easier to pull off such an attack than to monitor Tor exit traffic, but pointed out that the Tor Project is aware of the issue and has been working on a fix for some time.

There is a proposal for the next generation of hidden services that will address not only this problem, but also other potential issues, Sandvik said. In the meantime, the Tor developers have tools that can detect relays trying to attack users of Tor hidden services, she said.

A change in Tor that will be implemented soon will make it harder for new nodes to become HSDirs by forcing them to obtain a stable flag first, Valsorda and Tankersley said. This will require nodes to be online for a longer period of time before they can become HSDirs so it will make the attack more expensive, but not technically harder to pull off, they said.

While users can't do much to defend themselves against this, the operators of Tor hidden services do have one option. They could use the attack themselves so that their own nodes will become HSDirs for their own hidden services.

This won't prevent others from trying to take over the rendezvous positions, because the attack is essentially a race condition. However, if this happens, it will be very easy to detect that an attack is going on, the researchers explained.

They released the brute-force tool they created for the attack on Github, as well as a separate HSDir analysis tool that can potentially detect such attacks.
http://www.computerworld.com.au/arti...-de-anonymize/





Canadians are ‘Stealing’ U.S. Netflix Content: Bell
Michael Lewis

Bell Media’s new president has a message for Canadians who hide behind virtual private networks to access video streaming services intended for U.S. subscribers, calling the practice “stealing just like stealing anything else.”

“It takes behavioral change and it is the people — friend to friend, parent to child, coworker to coworker — that set the cultural framework for acceptable and unacceptable behaviour,” Mary Ann Turcke said Wednesday in her first major speech since assuming the post in April.

“It has to become socially unacceptable to admit that you are VPNing into U.S. Netflix — like throwing garbage out your car window – you just don’t do it.”

Turcke, formerly Bell’s group president of media sales for local TV and radio, cited her 15-year-old daughter’s discovery of the additional movie and TV content of U.S. Netflix versus the Canadian version while on a ski vacation stateside.

The teenager was able to log onto the U.S. Web streaming service when back home using a U.S.-based VPN to mask her address.

While residing in something of a legal grey zone according to experts, VPNing runs contrary to the California-based giant’s terms of use and Netflix has threatened a crackdown.

“She was told she was stealing.” Turcke said. “Suffice to say there is no more VPNing.”

With an estimated one third of Netflix Canada customers accessing content meant for U.S. subscribers, she said “we need to personalize the fact that content is produced by real people, and that stealing it affects their livelihoods.”

Broadcasters including Bell Media’s CTV English-language network need the support of government and the federal regulator, she said, noting that the latter plans a summit in the fall to contemplate “illegal discoverability.” In the end, she said, “I believe it is on us.”

Not only does society not scold anyone for stealing content, Turcke added, but we feature “how to” articles in our national newspapers — educating the masses on how to get around copyright law.

“Discoverability does not mean, at least not to me, watching whatever you want for free,” Turcke said.

Speaking at the Canadian Telecom Summit in Toronto, she said distinctions between traditional TV and online streaming rights and between national borders are blurring.

As such, she said understanding the “rights ecosystem” is critical to create an environment where Canadians can discover content on a wide variety of platforms.

Turcke is expected to bring a new tone to Bell Media, a unit of Montreal-based BCE, after former president Kevin Crull departed suddenly in April amid reports that he meddled in the editorial coverage of a story involving CTV and the federal broadcast regulator.
http://www.thestar.com/business/tech...tent-bell.html





The Bizarre Process We Use To Approve Exemptions To The Digital Milliennium Copyright Act

Every three years, the doors to allowing legal circumvention of digital locks open up. Briefly.
Glenn Fleishman

So you bought a game, and you play it all the time with people around the world. Three months later, the maker shuts down the network. You can still play in single-player mode against the computer-generated players, and other people can bring their consoles over for LAN parties. But the rest of the world is lost to you.

Worse, some people have resuscitated multiplayer access for your game with a bunch of hacks—but what they’re doing is illegal in America. If you install their patches and you're in the U.S., you’re violating the law, too.

The Electronic Frontier Foundation (EFF) wants to change that, along with a host of other related copyright quirks. It has a window for change this year, as it and everyone else does every three years in a circus organized as part of the 1998 Digital Millennium Copyright Act (DMCA), specifically Section 1201. (And more precisely, 17 U.S.C. 1201(a)(1)(C).)

Section 1201 covers anti-circumvention. It's among the most-hated provisions of the DMCA, an overarching law designed by and for big media entities and software publishers to criminalize piracy in the digital age. The DMCA in general assumes any kind of copying or modification infringes on the owner's copyright, even though U.S. law carves out a number of exceptions, including fair-use provisions for criticism and certain forms of noncommercial use.

The DMCA doesn't require proof of infringement; it stands alone. And Section 1201 is one of its key weapons. It makes circumvention of digital rights management (DRM)—also known as copy protection—a criminal offense and actionable in a civil trial. Creating, distributing, or using a tool to get around DRM for whatever reason can land you in the pokey and subject to vast fines and judgments. The tool could be as simple as instructions for placing a piece of tape over an optical scanner that looks for a hole to shine light into. A workaround could involve holding down the Shift key. You can be fined up to $500,000 and imprisoned for up to five years for an initial offense and double that for subsequent ones, and pay out bottomless sums in a lawsuit. (Every copy of every piece of media involved can be counted as a separate violation.)

Media and software creators have a legitimate interest in preventing the easy duplication of their work. But the DMCA digs deep in its reach. Many people interact constantly with not just media and conventional consumer electronics and software relating to it, but also other pieces of technology, ranging from coffee makers to medical devices to farm machinery. Everything that incorporates software—which, these days, is almost everything—is affected by the DMCA.

In the past, companies have sued or legally threatened people and organizations making replacement Lexmark printer cartridges, discussing how to work around Apple's FairPlay DRM to use iPods with other software and operating systems, and releasing research into SunnComm's CD copy-protection technology. (Keurig notably incorporated DRM into its Keurig 2.0 coffeemakers, which could be circumvented with a clip (distributed for a while by a competitor), though it hasn't sued anybody.) While the suits have failed and the threats have proven to be empty, they have a chilling effect.

There is a loophole, though. The Librarian of Congress, a job that combines honorary and practical purposes, has a key to unlock the DMCA every three years. That time is once again nigh.

Anti-Anti-Circumvention

On May 20 and 21 in Los Angeles, the Copyright Office, which is organized under the Library of Congress, held hearings to talk about the current slate of 27 categories that are up for review under Section 1201.

That part of the DMCA requires a triennial process by the Librarian of Congress to review whether anti-circumvention provisions "adversely affect" users of copyrighted material. The list of adverse effects is long. Do DRM and similar techniques prevent "the availability for use of works for nonprofit archival, preservation, and educational purposes"? Is there an impact on "criticism, comment, news reporting, teaching, scholarship, or research"? The law doesn't explain how to conduct this process, and the one developed favors DMCA enforcement backers.

The Librarian has opted to require one or more "champions" or proponents of a carefully defined category, like "Audiovisual works – educational uses – colleges and universities," to file a brief. His office also opens the floor to rebuttals from opponents. Further, the Librarian sunsets every exemption every three years—something not required by the law, and which requires champions to arise again to launch a new defense. The office also doesn't propose its own examples of circumvention that should be permitted, even though the law permits it to do so.

The sunsetting factor led to the embarrassing matter last July of Congress and the president agreeing—unanimously, in the case of the House—to legalize phone jailbreaking with the Unlocking Consumer Choice and Wireless Competition Act, when the relevant Section 1201 exemption had expired. This exemption let people unlock their phones when carriers wouldn't. A related problem is the triennial cycle isn't followed rigorously, leading to gaps between expiration and new exemptions being processed. (Technically, jailbreaking allows full access to an OS's capabilities, while unlocking is a subcategory. However, devices typically need to be jailbroken in order to be unlocked without the cooperation of a carrier.)

For this round of exemptions, old favorites are back, such as unlocking and jailbreaking phones and tablets, vehicle software modification, and many academic exceptions. New in this round is "Abandoned software – video games requiring server communication," a new brief from the EFF. Led by law student Kendra Albert, the EFF's exemption request doesn't encompass games with central worlds, like Second Life or League of Legends. Rather, it relates to multiplayer games that use matchmaking services to connect users across the Internet.

These services are almost always hardwired into a game, and once a company decides to shut down its servers, sometimes within a year of launching a game, Internet play is unavailable. Many companies also contract to third-party services to handle this matchmaking, and one, GameSpy, shuttered abruptly in 2014, leaving hundreds of games temporarily or permanently abandoned. An arcade console called DJMAX Technika (versions 2 and 3) became unusable following its makers' turning off servers as well.

Albert advocates both on behalf of players and archivists and researchers. She notes networked gameplay is both a fundamental part of many games' experience as sold to paying customers, and that researchers and historians cannot properly examine a game as a historical or functional work without having access to key capabilities. Some groups offer hacks and servers to bypass these limits without the permission of the original game developers. Albert notes, "Many of the groups that are in the best position to archive or run servers are not ones who want to take on a lot of litigation risk."

While giving new life and academic purpose to old games that had this function abandoned would seem a reasonable goal, the trade group for the industry's largest firms, the Electronic Software Association (ESA), opposes the exemption. The ESA maintains, among many rebutting arguments, that to hack its members' games to use new matchmaking would require overriding fundamental protections against piracy both in its software and, in the case of gaming systems, the consoles or handhelds. (An ESA spokesperson initially said the ESA would offer comment, and then didn't respond.)

It notes further that many games offer local networked play after Internet matchmaking is no longer available, which should allow gamers and researchers to avail themselves of these multiplayer modes. And its members might choose to reboot a game later, though the EFF's proposal would require independent matchmakers shut down if that happened.

Let A Thousand Voices Blossom

Another new twist in this go-round involves participation. While the Copyright Office doesn't require legal briefs, and one submission was from one "Blinky X," the submission process is not as ideal as, say, the FCC's for encouraging and managing submissions from the adversely affected users mentioned in the DMCA. The Copyright Office required a filer to download a Word document and select one of 27 unlabeled categories (shown on the site but not in the document), and then upload it.

Kyle Wiens, the head of iFixIt, a firm that documents the innards of electronic devices and sells tools and parts to repair and augment them, filed statements in several categories, and appeared on multiple panels at the hearings in Los Angeles. He advocates a "right to repair" for both cost and environmental reasons—keeping owners from being dependent on manufacturers for sometimes pricey fixes and keeping equipment out of landfills or electronics recycling programs.

In the case of the triennial exemption review, Wiens tried to "repair" the submission process. iFixIt created a streamlined form to collect comments and then file on behalf of consumers. It received 40,000 comments, and created a script to convert these to the appropriate Word format and upload at a rate of one per second, avoiding causing problems by overloading the Library of Congress's servers. Or so Wiens thought. iFixIt instead accidentally brought down the LoC's email system. Every uploaded comment was being emailed, and apparently the system couldn't handle that relatively small number of messages.

"One of the most backwards, technologically poor government agencies is in charge of the future of innovation in the U.S.," Wiens says. The Library of Congress decides "what technology is all right for modifying and what is not." The irony doesn't escape him. The office agreed to accept a bulk submission from him for each category as combined comments. It's unknown how the scale of those comments will affect proceedings, which should result in decisions in a few months. (The library is a technological mess, with the General Accounting Office noting in a report, "The library does not have the leadership needed to address these IT management weaknesses.")

The Madhouse Approach

The Los Angeles hearing was a bit of a madhouse, Wiens said, with a panel of five (four from the Copyright Office) running the process, and asking questions, including interrupting during what were supposed to be three-minute opening statements by each participating party.

Wiens said he was able to surprise opposing attorneys in a hearing on games consoles by citing the scale of console devices gone bad, such as the Xbox 360 and its "red ring of death", a hardware problem that appeared over time and affected from 25 to 50 percent of units sold. Wiens says that "the iFixit red ring of death manual has been used millions of times," and argues that being able to bypass a chip-based anti-circumvention module was necessary to keep otherwise working consoles from the trash.

"You have prioritized IP law to such an extent, it is limiting how long these products last, and there are environmental consequences to that, and you have to face those," he adds.

The hearing helped clarify the stance of companies and organizations that oppose exemptions. An attorney for General Motors let slip, "It is our position the software in the vehicle is licensed by the owner of the vehicle." John Deere made a similar statement in its filings. (Tesla Motors, however, did not.) That is, even though you bought the car, you don't own the right to modify how it runs, because the software license prohibits it and the DMCA enforces that prohibition.

This triennial process is probably the worst thing that the companies that helped create the legislation could have wished for, because of the news coverage and consumer awareness that results. As more physical things become unrepairable and unmodifiable, even when software support is discontinued by a maker or the maker goes out of business, more people will face the choice between violating a law and getting what they believe they paid for. Congress is apparently not exempt from realizing that as well.

Section 1201's chief flaw isn't what it encodes. Rather, it's that it threatens to make pirates of us all.
https://www.fastcompany.com/3046659/...-copyright-act





Leaked TISA Documents Reveal Privacy Threat
Emma Woollacott

Under the draft provisions of the latest trade deal to be leaked by Wikileaks, countries could be barred from trying to control where their citizens’ personal data is held or whether it’s accessible from outside the country.

Wikileaks has released 17 documents relating to the Trade in Services Agreement (TISA), currently under negotiation between the US, the European Union and 23 other nations. These negotiating texts are supposed to remain secret for five years after TISA is finalized and brought into force.

The deal, which has been under discussion behind closed doors since early 2013, is intended to remove barriers to trade in services. It’s a sort of companion piece to the Transatlantic Trade and Investment Partnership (TTIP) and the Trans-Pacific Partnership (TPP), which cover trade in goods – but potentially far bigger, with Wikileaks claiming that ‘services’ now account for nearly 80 per cent of the US and EU economies.

Like TTIP and TPP, TISA could be sped through Congress using Trade Promotion Authority (TPA), also known as fast-track authority, which has been passed by the US Senate and may be taken up in the House this month. Under TPA, Congress is barred from making amendments to the trade deals, and most simply give yes-or-no approval.

And the contents of TISA make interesting reading, particularly for anybody concerned about privacy. Under the draft agreement, the EU would be barred from requiring the personal data of its citizens to be held within European borders, an idea currently under discussion in Germany.

“No Party may require a service supplier, as a condition for supplying a service or investing in its territory, to: (a) use computing facilities located in the Party’s territory,” the leaked draft stipulates.
http://www.forbes.com/sites/emmawool...rivacy-threat/





Comcast’s Failed TWC Merger May Blow Up in its Face… Again

Comcast Time Warner Cable Merger Failure
Brad Reed

Comcast’s decision to try to merge with Time Warner Cable last year might go down as one of the biggest strategic blunders of the decade. Not only was Comcast forced to embarrassingly withdraw its bid for the cable company but it also opened itself up to investigations about whether it’s actually lived up to promises it made to get its last mega-merger with NBCUniversal approved by regulators.

The New York Post’s sources say that regulators are “sitting on a ton of potential evidence” that Comcast has failed to live up to the conditions it agreed to as part of the deal to merge with NBC in 2011. Among other things, regulators have evidence that Comcast meddled in business decisions regarding Hulu, which would go against its promises to completely stay out of how Hulu is being run. Comcast also apparently “tied linear programming negotiations with digital deals — forcing programmers to sell to Comcast digital rights to their content on the same or better terms than they sold it to other online video distributors — when they promised not to.”

One of the major reasons that regulators were so skeptical of the proposed Comcast-TWC merger was they were concerned about Comcast not abiding by agreements it made with the government in previous mergers. There’s no guarantee that charges will be brought against Comcast, although one of the Post’s sources claims that regulators are “asking themselves if they can create a separate proceeding or whether they need a new complaint to allow [the evidence] to be introduced.”

All told, this is just another reason for Comcast to be kicking itself for trying to merge with TWC in the first place.
https://bgr.com/2015/05/30/comcast-t...erger-failure/





What's New on Netflix: Advertisements
Jason Koebler

Netflix is experimenting with advertisements that run both before and after users watch a video. It's unclear whether or not the company will eventually push ads to everyone.

For now, the company is primarily experimenting with the HBO model of pitching its own original programming to viewers. The company is only showing trailers for shows like Orange Is the New Black and House of Cards—it has not attempted to sell third party ads, and the company told me that, for the moment, only specific users in specific markets are seeing ads. Update: An additional spokesperson for Netflix tells me the company will not sell third party ads: "We do not and will not be adding third-party ads," he said.

The news was originally reported by Cord Cutters News, and was confirmed to Motherboard by Netflix.

"We are running a test to show some of our original programming," a Netflix spokesperson told me. "As with any Netflix product test, this may never come to all our members."

Various Twitter users have tweeted their frustration with the ads, but without knowing how widespread they are, it's impossible to tell actual sentiment.

It's worth noting that, though Netflix hasn't had any ads so far, it has the potential to deliver much more targeted ads (which can be sold for higher rates) than a standard cable company. Netflix has a detailed history of every show you've ever watched, meaning it can infer your interests and so on.

If Netflix does indeed move to an ad model, it would add handsomely to its profits (assuming users don’t jump ship)—some analysts have said the company will inevitably need to run ads to remain profitable. It’d also be a serious flip-flop for the company, whose top executives have repeatedly said there are no plans to introduce advertisements to the service.

"Internet TV is divorced of the need of advertising revenue because we can develop direct relationships with the consumer," Netflix chief product officer Neil Hunt said last year. Marketers "need to find a different place to advertise,” he added.
http://motherboard.vice.com/read/net...advertisements





Global Newspaper Readership Falls More than 25% in Four Years

ZenithOptimedia report finds print remains popular in UK as internet boosts media consumption worldwide
Mark Sweney

The average amount of time spent reading newspapers fell more than 25% globally from 2010 to 2014 – but the popularity of newsprint has proved resilient in the UK with just a 3% decline over the same period.

The amount of time spent reading newspapers across the world averaged 16.3 minutes per reader a day last year, down 25.6% from the 21.9 minutes daily average in 2010.

By 2017 the global average will be just 14.1 minutes a day, a 35% fall from 2010 levels, according to a new report by on media consumption by ZenithOptimedia.

However, it seems the UK remains a relative nation of newspaper lovers, with just a 3% decline in average reading time per day from 19.2 minutes to 18.6 minutes from 2010 to 2014.

The report shows that average minutes per day spent reading newspapers actually bucked the global trend in 2013 and 2014, showing 3.4% and 3.3% growth respectively.

By 2017 the average time a newspaper reader will spend browsing will be 18.2 minutes a day, a fall of just 5.4%.

On the face of it the figures make for grim reading, but the report points out that the internet is the big winner of the change in consumer media consumption.

This means that newspaper websites are benefiting from the rise in PC and mobile internet usage.

“Although print is declining publishers have never been read by more people,” said Jonathan Barnard, head of forecasting at ZenithOptimedia. “The growth of devices has been at the forefront of this shift from traditional paper-based consumption to mobile, tablet and desktop consumption.”

In the UK, the increase in use of the internet has been dramatic, with the average minutes per day spent online rising 55% from 82 minutes to 2 hours and 7 minutes between 2010 and 2014.

By 2017 the average British internet user will spend almost three hours a day online (176.8 minutes), a 115% increase over 2010 levels.

The internet-savvy UK is some way ahead of global trends with the average number of minutes spent online per day at 1 hour 49 minutes in 2014, an 84% increase over 2010 levels.

By 2017, the global average minutes per day will be two hours 25 minutes (144.8 minutes), a 143% increase over 2010 levels.

The report estimates that almost 20 million smartphone users in the UK access news on their phone, and nearly 19 million people own tablets.

Media regulator Ofcom estimates that just over half of UK households own a tablet.

“As publishers find more ways to extend their content into everyday life, consumers are also learning to consume their content in a personal and flexible way which has led to increased readership and increased engagement,” the report finds.

While this is also true for magazine publishers, the report shows dramatic declines in the readership of printed publications.

In the UK, between 2010 and 2017 the average number of minutes per day a reader will spend with a magazine will have declined 58% to just two minutes. Globally, the average minutes per day reading will fall 29% to 7.3 minutes over the same time period.
http://www.theguardian.com/media/201...ia-consumption





Slashdot Burying Stories About Slashdot Media Owned SourceForge
Dan Luu

If you’ve followed any tech news aggregator in the past week, you’ve probably seen the story about how SourceForge is taking over admin accounts for existing projects and injecting adware in installers for packages like GIMP. For anyone not following the story, SourceForge has a long history of adware laden installers, but they used to be opt-in. It appears that the process is now mandatory for many projects.

People have been wary of SourceForge ever since they added a feature to allow projects to opt-in to adware bundling, but you could at least claim that projects are doing it by choice. But now that SourceForge is clearly being malicious, they’ve wiped out all of the user trust that was built up over sixteen years of operating. No clueful person is going to ever download something from SourceForge again. If search engines start penalizing SourceForge for distributing adware, they won’t even get traffic from people who haven’t seen this story, wiping out basically all of their value.

Whenever I hear about a story like this, I’m amazed at how quickly it’s possible to destroy user trust, and how much easier it is to destroy a brand than to create one. In that vein, it’s funny to see Slashdot (which is owned by the same company as SourceForge) also attempting to destroy their own brand. They’re the only major tech news aggregator which hasn’t had a story on this, and that’s because they’ve buried every story that someone submits. This has prompted people to start submitting comments about this on other stories.

I find this to be pretty incredible. How is it possible that someone, somewhere, thinks that censoring SourceForge’s adware bundling on Slashdot is a net positive for Slashdot Media, the holding company that owns Slashdot and SourceForge? A quick search on either Google or Google News shows that the story has already made it to a number of major tech publications, making the value of suppressing the story nearly zero in the best case. And in the worst case, this censorship will create another Digg moment1, where readers stop trusting the moderators and move on to sites that aren’t as heavily censored. There’s basically no upside here and a substantial downside risk.

I can see why DHI, the holding company that owns Slashdot Media, would want to do something. Their last earnings report indicated that Slashdot Media isn’t doing well, and the last thing they need is bad publicity driving people away from Slashdot:

Corporate & Other segment revenues decreased 6% to $4.5 million for the quarter ended March 31, 2015, reflecting a decline in certain revenue streams at Slashdot Media.

Compare that to their post-acquisition revenue from Q4 2012, which is the first quarter after DHI purchased Slashdot Media:

Revenues totaled $52.7 … including $4.7 million from the Slashdot Media acquisition

“Corporate & Other” seems to encompass more than just Slashdot Media. And despite that, as well as milking SourceForge for all of the short-term revenue they can get, all of “Corporate & Other” is doing worse than Slashdot Media alone in 20122. Their original stated plan for SourceForge and Slashdot was “to keep them pretty much the same as they are [because we] are very sensitive to not disrupting how users use them …”, but it didn’t take long for them realize that wasn’t working; here’s a snippet from their 2013 earnings report:

advertising revenue has declined over the past year and there is no improvement expected in the future financial performance of Slashdot Media’s underlying advertising business. Therefore, $7.2 million of intangible assets and $6.3 million of goodwill related to Slashdot Media were reduced to zero.

I believe it was shortly afterwards that SourceForge started experimenting with adware/malware bundlers for projects that opted in, which somehow led us to where we are today.

I can understand the desire to do something to help Slashdot Media, but it’s hard to see how permanently damaging Slashdot’s reputation is going to help. As far as I can tell, they’ve fallen back to this classic syllogism: “We must do something. This is something. We must do this.”

___________

1. Ironically, if you follow the link, you’ll see that Slashdot’s founder, CmdrTaco, is against “content getting removed for being critical of sponsors”. It’s not that Slashdot wasn’t biased back then; Slashdot used to be notorious for their pro-Linux pro-open source anti-MS anti-commercial bias. If you read through the comments in that link, you’ll see that a lot of people lost their voting abilities after upvoting a viewpoint that runs against Slashdot’s inherent bias. But it’s Slashdot’s bias that makes the omission of this story so remarkable. This is exactly the kind of thing Slashdot readers and moderators normally make hay about. But CmdrTaco has been gone for years, as has the old Slashdot.↩

2. If you want to compare YoY results, Slashdot Media pulled in $4M in Q1 2013.↩

http://danluu.com/slashdot-sourceforge/





Apple Macs Vulnerable to EFI Zero-Day

Attackers can insert EFI rootkits from userland.
Juha Saarinen

A new vulnerability in Apple Mac computers could be used to remotely inject persistent rootkit malware into users' computers, providing attackers with full-system level control, a security researcher has discovered.

The exact cause for the zero-day vulnerability, which is yet to be named, has not been fully identified.

It appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer.

Memory areas are normally locked as read-only to protect them.

However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.

The researcher who discovered the flaw, Pedro Vilaça, said the vulnerability can be used to remotely plant rootkits or persistent malware that is invisible to the operating system in the writeable flash memory, by using for instance the Safari web browser.

"A remote exploit could simply deliver a payload that will either wait or test if a previous sleep existed and machine is vulnerable, or force a sleep and wait for a wakeup to resume its work," Vilaça told iTnews.

"After the BIOS protections are unlocked it can simply overwrite the BIOS firmware with something that contains an EFI rootkit and that's it."

Some extra steps may be required to achieve superuser privilege escalation to load kernel modules, but that's not particularly complicated to do, Vilaça said.

"The attack is more or less targeted because it requires a firmware specific for each Mac model due to bios differences between models," he told iTnews.

"This isn't also very complex to deal with since an offensive payload could just download the right version for the target. Just a matter of resources to create backdoored firmwares to the targeted Macs."

Being able to plant malware at the operating system level makes the flaw easier to exploit than the Thunderstrike vulnerability that was patched in January this year.

Thunderstrike required the use of the Thunderbolt interface to inject rootkits into the EFI at boot up time, a complicated attack vector in comparison.

Vilaça believes Apple is aware of the issue - his testing shows the flaw is not found in the firmware of Macs made after mid 2014. He did not disclose the flaw to Apple.

Testing by iTnews showed that a 2013 MacBook Pro and iMac from the same year appeared to be vulnerable, but not a 2015 MacBook Air or MacBook.

iTnews has asked Apple for comment on the zero-day discovery.
http://www.itnews.com.au/News/404657...-zero-day.aspx





Ransomware Creator Apologizes for 'Sleeper' Attack, Releases Decryption Keys

Criminal with a soft spot relents on successful Locker ransomware campaign and offers free decryption for victims. Refunds don't appear to be coming, however.
Colin Neagle

Last week, a new strain of ransomware called Locker was activated after having been sitting silently on infected PCs. Security firm KnowBe4 called Locker a "sleeper" campaign that, when the malware's creator "woke it up," encrypted the infected devices' files and charged roughly $24 in exchange for the decryption keys.

This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today. Locker's creator released this message in a PasteBin post:

"I am the author of the Locker ransomware and I'm very sorry about that [sic] has happened. It was never my intention to release this. I uploaded the database to mega.co.nz containing 'bitcoin address, public key, private key' as CSV. This is a dump of the complete database and most of the keys weren't even used. All distribution of new keys has been stopped."

The malware creator also said that an automatic decryption process for all devices that were affected by Locker will begin June 2nd. However, the post did not mention anything about providing a refund to victims who paid the 0.1 bitcoin (equal to $22.88 at the time this was posted and $24 around the time Locker was activated) required for the decryption keys since last week.

Sjouwerman says the data released does not appear to be malicious after brief analysis, and that "it does contain a large quantity of RSA keys and Bitcoin addresses." And he warned for those interested to only open these files "at your own risk until further analyses are performed." Those infected, though, could potentially find decryption keys for their devices in files hosted at this Mega.co page. It might be safer, however, to wait and see if the automated decryption process actually occurs tomorrow.

Last week, KnowBe4 said hundreds of PC users worldwide had reported falling victim to Locker within the first few days of its activation. Sjouwerman says the design of the sleeper-style campaign suggests "months-long, careful planning," and doubts the claims that it was released as a mistake.

Speculating as to why the malware's creator would suddenly put an end what could have been a successful scam, Sjouwerman suggests he or she may have become concerned about attracting unwanted attention from either law enforcement or organized crime. Many ransomware campaigns have origins in organized criminal outfits, often in Eastern Europe, Sjouwerman says.

"What we can assume is that he is a talented coder but not an experienced cybercriminal, because a foul-up like this would never have happened with professional Eastern European organized cybercrime," Sjouwerman says. "He may have worked as a developer for one of these gangs and decided to start his own outfit, which backfired."

Ransomware has been massively successful over the past few years, with even law enforcement agencies finding that they have to pay the ransom when their files are encrypted. Previous successful strains of ransomware have been foiled in the past – just over a year ago, security researchers found the database containing decryption keys for those infected by the infamous CryptoLocker, and created an online tool that distributed them.

However, this may be the first time a ransomware campaign was put to an end on account of the attacker's remorse.
http://www.networkworld.com/article/...tion-keys.html





New SOHO Router Security Audit Uncovers Over 60 Flaws in 22 Models
Lucian Constantin

In yet another testament of the awful state of home router security, a group of security researchers uncovered more than 60 vulnerabilities in 22 router models from different vendors, most of which were distributed by ISPs to customers.

The researchers performed the manual security review in preparation for their master’s thesis in IT security at Universidad Europea de Madrid in Spain. They published details about the vulnerabilities they found Sunday on the Full Disclosure security mailing list.

The flaws, most of which affect more than one router model, could allow attackers to bypass authentication on the devices; inject rogue code into their Web-based management interfaces; trick users into executing rogue actions on their routers when visiting compromised websites; read and write information on USB storage devices attached to the affected routers; reboot the devices, and more.

The vulnerable models listed by the researchers were: Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; Sagem LiveBox Pro 2 SP and Fast 1201; Huawei HG553 and HG556a; Amper Xavi 7968, 7968+ and ASL-26555; D-Link DSL-2750B and DIR-600; Belkin F5D7632-4; Linksys WRT54GL; Astoria ARV7510; Netgear CG3100D and Zyxel P 660HW-B1A.

Some of the vulnerable Observa Telecom, Comtrend, ZyXEL and Amper models were distributed to customers by the Spanish ISP Telefonica. Vodafone also distributed one of the vulnerable Observa Telecom models, as well as the Huawei and Astoria ones.

The Sagem models were distributed by Orange, the Spanish ISP Jazztel distributed one of the Comtrend models and Ono, a Vodafone subsidiary in Spain, distributed the Netgear model.

Even though the group’s research focused on routers that were given by ISPs to customers in Spain, some of the same models were likely distributed by ISPs in other countries as well.

Past research has shown that the security of ISP-provided routers is often worse than that of off-the-shelf ones. Many such devices are configured for remote administration to allow ISPs to remotely update their settings or troubleshoot connection problems. This exposes the routers’ management interfaces along with any vulnerabilities in them to the Internet, increasing the risk of exploitation.

Even though ISPs have the ability to remotely update the firmware on the routers they distribute to customers, they often don’t and in some cases the users can’t do it either because they only have restricted access on the devices.

On the Observa Telecom RTA01N router, the Spanish research group found a hidden administrative account called admin with a hard-coded password that can be accessed via the Web-based management interface or via Telnet. Similar undocumented “backdoor” accounts have been found in other ISP-supplied routers in the past and were likely intended for remote support.

Twelve of the tested routers were vulnerable to cross-site request forgery (CSRF) attacks and in some cases it was possible to change their Domain Name System (DNS) configuration using the technique.

CSRF attacks use specifically crafted code inserted into malicious or compromised websites to force visitors’ browsers to execute unauthorized actions on a different website. If the visitors are already authenticated on the targeted website, the action will be executed with their privileges.

The target website can also be a router’s Web-based management interface that’s only accessible over the local area network, in which case the user’s browser allows the attacker to bridge the Internet and the LAN.

Security researchers recently uncovered a large-scale CSRF attack that targets over 40 router models and is designed to replace their primary DNS servers with a server controlled by hackers. Once that’s done, the attackers can spoof any websites that users behind those routers try to access and can snoop on their Internet traffic.

Another serious flaw discovered by the Spanish researchers allows unauthenticated, external attackers to view, modify or delete files on USB storage devices connected to the Observa Telecom VH4032N, Huawei HG553, Huawei HG556a and Astoria ARV7510 routers. A similar vulnerability was identified in the past on popular Asus routers.

While some people could have claimed in the past that routers are not a target for attackers, that’s no longer the case. There have been numerous large-scale attacks over the past several years that specifically targeted routers and other embedded devices: It’s time for users to view their routers as more than magical boxes that give them Internet access.
http://www.itworld.com/article/29302...22-models.html





Disconnect.Me Files Antitrust Case Against Google In Europe Over Banned Anti-Malware Android App
Ingrid Lunden

As the European Commission turns the heat up on Google over allegations that the company has abused its dominant market position in areas like search and mobile to create an anticompetitive environment for other online businesses, another small startup has joined the chorus of those crying foul.

sideload-mobile-phone3Disconnect Inc. — a B Corporation startup co-founded by ex-Googlers to build software to help Internet users block ads and other third-party services that tracks them or potentially releases malware — has filed an antitrust complaint against Google, claiming the Android giant is abusing its market position by banning Disconnect’s latest Android app, Disconnect Mobile, from the Google Play store.

“Disconnect charges Google with abusing its dominant market position by banning Disconnect’s app, a revolutionary technology that protects users from invisible tracking and malvertising, malware served through advertisements,” Disconnect.me said in a statement.

Unsurprisingly, Google thinks otherwise. The Android giant has issued a response to the complaint, calling the the claims “baseless” and explaining that there is a specific clause in its Google Play apps policy that Disconnect Mobile violates. In short, whatever Disconnect claims to do in protecting from malware, it also prevents apps from making money legitimately.

“This reported claim is baseless,” the company says in a statement provided to TechCrunch. “Our Google Play policies (specifically clause 4.4) have long prohibited apps that interfere with other apps (such as by altering their functionality, or removing their way of making money). We apply this policy uniformly — and Android developers strongly support it. All apps must comply with these policies and there’s over 200 privacy apps available in Google Play that do.”

Disconnect Mobile, a freemium app (the premium version is $5/month or $50/year) that has been built for both iOS and Android, says it is specifically designed to protect against malware sites, identity theft by way of malicious tracking, and “malvertising threats” that are disguised as ads. The company claims that it’s not anti-advertising.

“We don’t oppose advertising and understand ad revenue is critically important to many Internet companies, publishers and developers,” Disconnect co- founder and CEO Casey Oppenheim says. “But users have the right to protect themselves from invisible tracking and malware, both of which put sensitive personal information at risk. Advertising doesn’t have to violate user privacy and security.” It cites specific studies that highlight the risk of undisclosed tracking in Android apps as one justification for its app.

Disconnect started back in 2010 as a side project specifically as a Facebook ad-blocker when co-founder Brian Kennish was still at Google.

Since then it has gone on to raise funding — $4.1 million (modest by Silicon Valley standards) from investors like Highland Capital and CRV — and pick up over 10 million users of its various desktop extensions and mobile apps. (In the process, the two ex-Googler co-founders, Kennish and Austin Chau, have moved on to other projects but remain “friends” with the company, says Oppenheim, who is an ex-lawyer and longtime privacy and social justice advocate.)

Google blocking Disconnect Mobile is not news in itself.

The app was twice banned when it was posted to Google Play last year. After Google threatened to remove its developer account altogether over the matter — Disconnect currently still offers two other Android apps via Google Play — Disconnect decided to take a different approach when it launched a modified version in November 2014.

Disconnect Mobile for Android is now offered as a sideloaded option through its own site, as well as in partnership with others. In Europe, it has distribution agreements with Deutsche Telekom as well as a preinstall deal with Blackphone.

But it’s likely that Disconnect Mobile hasn’t made up for the exposure Disconnect believes it would have had were it offered on Google Play directly, especially when compared to its downloads on iOS, Oppenheim says. (There, Disconnect Mobile might sit alongside hundreds of other security and privacy apps, but Google Play exposure still trumps the startup’s other distribution channels.)

Oppenheim says Disconnect is not releasing the full complaint to the public just yet, so we don’t know how many downloads it has seen of its Android app through the sideloading and preinstall deals.

Other details, such as what kind of compensation its demanding, are also not entirely clear, either.

“We want what the lawyers call ‘equal treatment,'” Oppenheim tells me in answer to a question about whether his company is seeking damages. “We want Android users to be able to get our products quickly and easily through the Play Store and we want to be fully supported by Google, just like other apps in the Store.”

Today, Disconnect is seizing the opportunity of filing a complaint in Europe at the same time as the wider EC-led investigation. But while it’s quick to cite studies from the U.S. Senate that highlight the hazards of online advertising with regards to data privacy and security, Disconnect Inc. is not filing any complaints in the U.S. or any other market for now.

Time, and the potential outcome of this complaint — which could either be combined with existing antitrust complaints from other parties like the FairSearch.org consortium and Yelp; or treated separately since it specifically concerns ad tracking technology; or rejected altogether — will determine if Disconnect engages further with Google on the regulatory front.
http://techcrunch.com/2015/06/02/dis...e-android-app/





Breach in a Federal Computer System Exposes Personnel Data
David E. Sanger and Julie Hirschfeld Davis

The Obama administration on Thursday announced what appeared to be one of the largest breaches of federal employees’ data, involving at least four million current and former government workers, in an intrusion that federal officials say apparently originated in China.

The personal data was held by the Office of Personnel Management, which handles government security clearances and federal employee records. The breach was detected in April, the office said, but it appears to have begun at least late last year.

The breach is the third major foreign intrusion into an important federal computer system in the past year.

Last year, the White House and the State Department found that their email systems had been compromised in an attack that has been widely attributed to Russian hackers. In that case, some of President Obama’s unclassified emails were apparently obtained by the intruders.

And last summer, the personnel office announced an intrusion in which hackers appeared to target the files on tens of thousands of employees who had applied for top-secret security clearance.

In that case, the objective seemed clear: The security clearances could help identify covert agents, scientists and others with data of intense interest to foreign governments. That breach appeared to involve Chinese hackers.

But the breadth of the latest attack was so much greater that the objective seemed less clear. It also came before the personnel office had fully put in place a series of new security procedures that restricted remote access for administrators of the network and reviewed all connections to the outside world through the Internet.

In acting too late, the personnel agency was not alone: The National Security Agency was also beginning to put in place new network precautions after its most sensitive information was taken by Edward J. Snowden.

The target in the latest breach appeared to be Social Security numbers and other “personal identifying information.” That led the personnel office to tell current and former federal employees that they could request free credit reports to make sure that their identities had not been stolen.

It is unclear whether the breach was related to commercial gain or espionage.

The personnel agency said it was working with cybersecurity specialists from the Department of Homeland Security and the Federal Bureau of Investigation to assess the impact of the breach.

“Protecting our federal employee data from malicious cyberincidents is of the highest priority at O.P.M.,” Katherine Archuleta, the agency’s director, said in a statement. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”
http://www.nytimes.com/2015/06/05/us...nnel-data.html





Facebook Threat Conviction Thrown Out by U.S. Supreme Court
Greg Stohr

The U.S. Supreme Court buttressed speech protections on the Internet, throwing out the conviction of a man who used graphic language on Facebook to suggest he might kill his wife, kindergarten students and an FBI agent.

The case marks the first time the high court has ruled on the rights of people when they post on social media. It tested how the federal threat statute applies in a world of online communications, with their potential to reach thousands of people instantly and to be misunderstood.

A lower court had said prosecutors needed to show only that a reasonable person would view Anthony Elonis’s statements as a threat. Writing for the court, Chief Justice John Roberts said prosecutors need to prove more than that -- at least that Elonis’s comments were reckless and perhaps that he meant for his words to be taken as a threat.

“Federal criminal law generally does not turn solely on the results of an act without considering the defendant’s mental state,” Roberts wrote.

Elonis, who cites the rapper Eminem as an inspiration, said his posts were therapeutic rap lyrics and weren’t intended as threats. One post said, “I’m not gonna rest until your body is a mess, soaked in blood and dying from all the little cuts.” Another envisioned his wife’s “head on a stick.”

The justices didn’t decide whether Elonis’s First Amendment rights were violated, instead interpreting the federal threat statute in a way that averted potential constitutional problems.

Six Justices

Six justices joined the entirety of Roberts’s opinion. Justice Clarence Thomas dissented, voting to uphold Elonis’s conviction.

Justice Samuel Alito wrote separately and said he would have set aside the conviction. At the same time, Alito said he would have given prosecutors a new chance to convince a lower court that Elonis’s conduct was so reckless that the conviction should be reinstated.

Alito faulted the majority for not saying whether it would be enough for prosecutors to show that Elonis’s conduct was reckless.

“This court’s disposition of this case is certain to cause confusion and serious problems,” Alito wrote.

Roberts said the court didn’t reach that issue because no federal appeals court had considered it first.

‘Heinous’ Shooting

Elonis, now 31, made the posts on his public Facebook page in 2010, after his wife left him and took their two children with her, and after he lost his job at an amusement park in Allentown, Pennsylvania.

Among the posts was one that said there were “enough elementary schools in a 10-mile radius to initiate the most heinous school shooting ever imagined.” He added, “And hell hath no fury like a crazy man in a kindergarten class.”

The Obama administration, defending the prosecution, contended that someone can be charged under a federal law so long as a reasonable person would view the statement as a threat.

A Philadelphia-based federal appeals court upheld the conviction. Elonis served more than three years in prison.

The case is Elonis v. United States, 13-983.
http://www.bloomberg.com/news/articl...-supreme-court





New Facebook Feature Shows Actual Respect for Your Privacy
Klint Finley

Facebook just took another surprising step towards securing your communications online.

The social network is rolling out enable users to use the encryption standard OpenPGP to protect e-mail notifications sent by the company, and to share their public encryption keys with their friends or with the public. The feature is being rolled out to users starting today, according to an announcement on the company’s security blog.

PGP, short for “Pretty Good Privacy,” is a way of scrambling emails or other chunks of text in such a way that, in theory, only the intended recepient can read. To use PGP, you create a pair of keys — essentially long stings of letters and numbers used to encrypt and decrypt a message. One is a public key that you can share with everyone, and a private key that you keep a closely guarded secret. People can then use the public key to create a message that can only be deciphered using your private key. That way, even if someone is able to intercept your email, they can’t read the encrypted messages.

'They’re acting as kind of a trend leader to drag other big platforms into this world.' Eleanor Saitta, Security Researcher

Incorporating PGP into Facebook could help protect activists who use the service for political organizing, though it won’t protect all Facebook communcations.

Facebook can use PGP to encrypt emails it sends you, such as new message notifications from other users or password reset requests. But messages sent from you to other Facebook users through Facebook itself will remain unencrypted. That means that if someone gains access to your Facebook account—or Facebook is forced to hand your account over to law enforcement—those messages will be readable. Still, if someone only has access to your email account, and not to your private encryption key or Facebook account, they won’t be able to reset your password or read private notifications sent to you from Facebook.

Shoring Up Security

This is the latest attempt by Facebook to shore up its security and privacy credentials. Earlier this year Facebook announced that it will help fund the development of GnuPGP, an open source implementation of the OpenPGP standard. The company began encrypting all of its web traffic in 2013, making it harder for crooks and spies to eavesdrop on communications, and last year it added support for the anonymity tool Tor. Also, WhatsApp, the messaging company Facebook acquired last year, incorporated an encryption system from Open Whisper Systems into the Android version of its app last year.

Meanwhile, Google and Yahoo have been developing a PGP based encryption system for web mail called End-to-End which could help bring PGP to a much wider audience.

Not Going Away

Despite its limitations, privacy advocates are hailing the new Facebook feature as an important step towards improving security online.

“There are things that Facebook does that we don’t want,” says security researcher Eleanor Saitta, who was initially skeptical of Google’s End-to-End efforts. “The advertising business requires that they collect more data than we want. However, their security team wants to work with [the privacy community] and they can make a real difference.”

Although it’s tempting to say that people with serious security concerns simply shouldn’t use Facebook, Saitta says that’s not a practical response. “They [Facebook] have a billion and a half users and they’re not going away,” she says. “Facebook, even if it’s not going to be an organization platform, will always be an outreach platform. It will be a place where people go to do political work, and letting people secure the accounts they use to do that political work is really important.”

Most important for now may be getting more people using PGP and improving the ecosystem of tools that support the standard. “They’re acting as kind of a trend leader to drag other big platforms into this world,” she says. Even if only a thousandth of a percent of Facebook’s users end up using it, she points out, that’s still 15,000 people.

And by adopting these tools, Facebook is making it harder to for criminals to steal your credentials or read your messages. And that’s a good thing, Saitta says, because they improves the overall security of Facebook.

“Things like Tor and PGP are not just useful for high-risk users,” she says. “They actually build a better internet for everyone.”
http://www.wired.com/2015/06/new-fac...spect-privacy/





Sharing Data, but Not Happily
Natasha Singer

Should consumers be able to control how companies collect and use their personal data?

At a dinner honoring privacy advocates this week in Washington, Timothy D. Cook, the chief executive of Apple, gave a speech in which he endorsed this simple idea. Yet his argument leveled a direct challenge to the premise behind much of the Internet industry — the proposition that people blithely cede their digital bread crumbs to companies in exchange for free or reduced-priced services subsidized by advertising.

“You might like these so-called free services,” Mr. Cook said during the event held by EPIC, a nonprofit research center. “But we don’t think they’re worth having your email or your search history or now even your family photos data-mined and sold off for God knows what advertising purpose.”

Now a study from the Annenberg School for Communication at the University of Pennsylvania has come to a similar conclusion: Many Americans do not think the trade-off of their data for personalized services, giveaways or discounts is a fair deal either. The findings are likely to fuel the debate among tech executives and federal regulators over whether companies should give consumers more control over the information collected about them.

In the survey, which is scheduled to be made public on Friday, 55 percent of respondents disagreed or strongly disagreed that “it’s O.K. if a store where I shop uses information it has about me to create a picture of me that improves the services they provide for me.”

About seven in 10 people also disagreed that it was fair for a store to monitor their online activities in exchange for free Wi-Fi while at the store. And 91 percent of respondents disagreed that it was fair for companies to collect information about them without their knowledge in exchange for a discount.

“Companies are saying that people give up their data because they understand they are getting something for those data,” said Joseph Turow, a professor at Penn’s Annenberg School for Communication and the lead author of the study. “But what is really going on is a sense of resignation. Americans feel that they have no control over what companies do with their information or how they collect it.”

The report on consumers’ attitudes to commercial surveillance comes at a pivotal moment for online marketers and advertisers. Companies are scrambling to develop new techniques to influence people who increasingly use mobile devices to shop, bank and socialize. Yet, even as millions of people embrace these data-driven services, many are mistrustful of the kinds of inferences that companies might make based on information gathered about them.

Some marketing companies, for instance, segment individuals into clusters like “low-income elders” or “small town, shallow pockets” or categorize them by waistband size.

The potential risk of inferior treatment is one reason that an increasing number of Internet users are downloading Ghostery, a free plug-in that allows consumers to see and control online tracking by data brokers, advertising networks and other third parties.

Consumers will share information with sites they trust because they want to get personalized ads and content, said Scott Meyer, Ghostery’s chief executive. “But they will turn off the tracking technology if they are looking up painkillers for their mother because they don’t want the Internet to think they are addicted to opiates.”

The conflicted feelings are hardly a new phenomenon. An article published 15 years ago in InformationWeek carried the headline: “Privacy Paradox: Consumers Want Control — and Coupons.”

But the Penn survey concluded that many people are now resigned to having little say over how companies use and interpret their information.

Among people who took part in the survey, 84 percent strongly or somewhat agreed that they wanted to have control over what marketers could learn about them; at the same time, 65 percent agreed that they had come to accept that they had little control over it. The randomized telephone survey of 1,506 adult American Internet users, conducted by Princeton Survey Research Associates International in February and March, has a margin of error of plus or minus 2.9 percent.

Although he did not take the survey, Jeff Allen, a manager at a school yearbook company in the Atlanta area, is one of the reconciled.

Mr. Allen said he regularly used Uber, the ride-hailing app, on business trips, fully cognizant that the service’s drivers needed to know his whereabouts to pick him up.

Yet he said he was troubled last week after he learned that Uber was updating its privacy policy to explicitly allow the company to record the location of customers’ devices even when they were not actively using the app.

“I think it’s none of their business where I am up until the moment when I elect to use their service,” Mr. Allen said. Nevertheless, he said he planned to continue using Uber, at least for the moment, because he found it more convenient than taxis.

“Data is being collected on you all the time,” Mr. Allen observed. “You either don’t have a clue about it, or you’re resigned to the fact that this is the way it is in 2015.”

Companies that are more transparent about why they collect certain customer details and how they use them may find it easier to maintain customer trust. Certainly, millions of people have signed up for store loyalty cards and frequent-flier programs that offer deals or upgrades based on consumers’ purchases. And for the many people who relish personalized services, the idea that Amazon, Facebook, Google Maps or Pandora may remember and learn from their preferences represents an advantage, not a problem.

“People are always willing to trade privacy and information when they see the direct value of sharing that information,” said Mike Zaneis, the chief counsel for the Interactive Advertising Bureau, an industry group in Washington.

But the Penn researchers found that many consumers may not fully comprehend the data-mining practices that occur when they use sites and apps. For instance, 58 percent of survey respondents wrongly believed that when a website had a privacy policy, it meant that the site would not share their information without their permission.

The more concrete situations the survey described, the more likely people were to reject deals. For instance, 43 percent of respondents said they would accept a discount if the supermarket where they shopped kept detailed records of their purchases. But only 19 percent said they would accept discounts if the supermarket could use their purchasing history to make assumptions about their race or ethnicity.

Fatemeh Khatibloo, an analyst at Forrester Research, describes consumers’ experience with sophisticated data-mining systems as “frog-in-the-caldron syndrome.”

“You start off by putting the frog in tepid water,” Ms. Khatibloo said, “and then you raise the temperature so the frog doesn’t realize it’s cooking.”

Like Mr. Cook of Apple, she contends that companies that offer consumers more control over and insight into how their information is used may differentiate themselves from their competitors.

But many companies behave more like Uber.

The company’s new privacy policy, scheduled to take effect on July 15, says that if customers permit the Uber app to connect to location data, the app may collect the precise locations of their devices whether the app is running in the foreground or the background. Whether or not customers turn on that permission, the app still may deduce their general location based on other signals from their devices.

And, if consumers use the ride-hailing app on or after that date, the company will conclude that they have read and agreed to the terms, Uber said in a recent email to customers.

In other words, Uber customers may resign themselves to having their data extracted — or forgo the service altogether.
http://www.nytimes.com/2015/06/05/te...ort-finds.html





U.S. Surveillance in Place Since 9/11 Is Sharply Limited
Jennifer Steinhauer and Jonathan Weisman

In a significant scaling back of national security policy formed after the Sept. 11, 2001, terrorist attacks, the Senate on Tuesday approved legislation curtailing the federal government’s sweeping surveillance of American phone records, and President Obama signed the measure hours later.

The passage of the bill — achieved over the fierce opposition of the Senate majority leader — will allow the government to restart surveillance operations, but with new restrictions.

The legislation signaled a cultural turning point for the nation, almost 14 years after the Sept. 11 attacks heralded the construction of a powerful national security apparatus. The shift against the security state began with the revelation by Edward J. Snowden, a former National Security Agency contractor, about the bulk collection of phone records. The backlash was aided by the growth of interconnected communication networks run by companies that have felt manhandled by government prying.

The storage of those records now shifts to the phone companies, and the government must petition a special federal court for permission to search them.

Even with the congressional action, the government will continue to maintain robust surveillance power, an authority highlighted by Senator Rand Paul, Republican of Kentucky, whose opposition to the phone records program forced it to be shut down at 12:01 a.m. Monday. Mr. Paul and other critics of the legislation said the government’s reach into individuals’ lives remained too intrusive.

The bill cleared the Senate 67 to 32 after a fierce floor fight; at least four of the opponents voted no because they felt the bill did not go far enough.

Mr. Obama was quick to praise passage of the legislation and to scold those who opposed it.

“After a needless delay and inexcusable lapse in important national security authorities, my administration will work expeditiously to ensure our national security professionals again have the full set of vital tools they need to continue protecting the country,” Mr. Obama said. “Just as important, enactment of this legislation will strengthen civil liberty safeguards and provide greater public confidence in these programs.”

The Senate’s longest-serving member, Patrick J. Leahy, the seven-term Democrat of Vermont, said the legislation, which he co-sponsored, represented “the most significant surveillance reform in decades.”

The fight for the changes was led largely by Democrats and a new generation of Republicans in the House and the Senate who were elected a decade after the terrorist attacks. Even as threats have multiplied since then, privacy concerns, stoked by reports of widespread computer security breaches at private companies, have shifted public opinion.

“National security and privacy are not mutually exclusive,” said Senator James Lankford, Republican of Oklahoma, a freshman who like several other younger Republicans voted against the senior senator from his state. “They can both be accomplished through responsible intelligence gathering and careful respect for the freedoms of law-abiding Americans.”

Tuesday’s vote was a rebuke to Senator Mitch McConnell, Republican of Kentucky and the majority leader, who, until the end in a bitter floor speech, maintained the bill was a dangerous diminishment of national security. Lawmakers in both parties beat back amendments — one by one — that he insisted were necessary to blunt some of the bill’s controls on government spying.

Mr. McConnell blasted his fellow senators — and by association Speaker John A. Boehner, who heartily endorsed the measure — as taking “one more tool away from those who defend our country every day.”

“This is a significant weakening of the tools that were put in place in the wake of 9/11 to protect the country,” he said. “I think Congress is misreading the public mood if they think Americans are concerned about the privacy implications.”

But even scores of senators who loathed the actions of Mr. Snowden voted for the legislation.

The legislation’s goals are twofold: to rein in aspects of the government’s data collection authority and to crack open the workings of the secret national security court that oversees it. After six months, the phone companies, not the N.S.A., will hold the bulk phone records — logs of calls placed from one number to another, and the time and the duration of those contacts, but not the content of what was said. A new kind of court order will permit the government to swiftly analyze them.

The Foreign Intelligence Surveillance Court, for the first time, will be required to declassify some of its most significant decisions, and outside voices will be allowed to argue for privacy rights before the court in certain cases.

The battle over the legislation, the USA Freedom Act, made for unusual alliances. Mr. Boehner joined forces with Mr. Obama, the bipartisan leadership of the House Judiciary Committee, and a bipartisan coalition of senators against Mr. McConnell and his Intelligence Committee chairman, Senator Richard Burr, Republican of North Carolina.

Mr. McConnell made a series of miscalculations, stretching back to last year, when he filibustered a similar surveillance overhaul measure. Last month, after Republicans blocked consideration of the Freedom Act, Mr. McConnell sent the Senate on a weeklong Memorial Day recess, pushing Washington up against a June 1 deadline, when surveillance authority would lapse.

That empowered Mr. Paul, who promised supporters of his presidential campaign that he would single-handedly ensure that surveillance authority lapsed, a promise on which he delivered. When Mr. McConnell then argued in favor of amending the Freedom Act, senators in both parties — even some who supported him — said any changes would only extend the surveillance blackout and risk the country’s security.

Mr. McConnell dragged senators back for an unusual Sunday session, only to end up with the very bill he tried to kill.

“This should have been planned on over a week ago,” said Senator Bill Nelson, Democrat of Florida, who had backed Mr. McConnell’s efforts but found his timing untenable.

In a heated meeting of House Republicans on Tuesday morning, one of the architects of the post-Sept. 11 USA Patriot Act, Representative Jim Sensenbrenner of Wisconsin, angrily told Senator John Barrasso of Wyoming, an emissary from the Senate leadership, to deliver a message to his colleagues: Any change to the House bill would be flatly rejected.

About a dozen Republican senators — most of them recent House members — took the warning to heart, joined Democrats and voted down all of Mr. McConnell’s proposed changes.

As the debate over the bulk phone records program unfolded, supporters and opponents both trotted out worst case scenarios to make their argument. Opponents warned that the government could root through the records to learn who was calling psychiatrists and political groups, while supporters said ending it would lead to terrorist attacks on the United States.

Neither of those warnings was supported by how the program had performed in its nearly 14 years of existence. Repeated studies found no evidence of intentional abuse for personal or political gain, but also found no evidence that it had ever thwarted a terrorist attack.

Still, the debaters on each side also made other points. Opponents said that the mere collection of Americans’ calling records by the government was a privacy violation and that it risked being abused in the future. Supporters said it had helped flesh out investigations in other ways, and could still prove to be crucial in the future.

Senator Mike Lee, a Utah Republican, and Senator Leahy made it clear after passage that curtailing the phone sweeps might be only the beginning. The two are collaborating on legislation to undo a provision in the Electronic Communications Privacy Act of 1986 that allows the government to read the contents of email over six months old. House members and senators from both parties are already eyeing a section of the Foreign Intelligence Surveillance Act that they say has also been abused by the government.

But opponents of the law said they imagined further fights going forward for their positions, too. Senator Susan Collins, Republican of Maine, said she and others would continue to seek reforms and oversight.

“It’s not the end,” she said.

Charlie Savage contributed reporting.
http://www.nytimes.com/2015/06/03/us...own-looms.html





Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border
Charlie Savage, Julia Angwin, Jeff Larson and Henrik Moltke

Without public notice or debate, the Obama administration has expanded the National Security Agency’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking, according to classified N.S.A. documents.

In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware, the documents show.

The Justice Department allowed the agency to monitor only addresses and “cybersignatures” — patterns associated with computer intrusions — that it could tie to foreign governments. But the documents also note that the N.S.A. sought permission to target hackers even when it could not establish any links to foreign powers.

The disclosures, based on documents provided by Edward J. Snowden, the former N.S.A. contractor, and shared with The New York Times and ProPublica, come at a time of unprecedented cyberattacks on American financial institutions, businesses and government agencies, but also of greater scrutiny of secret legal justifications for broader government surveillance.

As the threat of malicious hacking has grown, the National Security Agency and the Federal Bureau of Investigation have secretly expanded their surveillance of Internet communications flowing to and from the United States, documents provided by the former intelligence contractor Edward J. Snowden show.

While the Senate passed legislation this week limiting some of the N.S.A.’s authority, it involved provisions in the U.S.A. Patriot Act and did not apply to the warrantless wiretapping program.

Government officials defended the N.S.A.’s monitoring of suspected hackers as necessary to shield Americans from the increasingly aggressive activities of foreign governments. But critics say it raises difficult trade-offs that should be subject to public debate.

The N.S.A.’s activities run “smack into law enforcement land,” said Jonathan Mayer, a cybersecurity scholar at Stanford Law School who has researched privacy issues and who reviewed several of the documents. “That’s a major policy decision about how to structure cybersecurity in the U.S. and not a conversation that has been had in public.”

It is not clear what standards the agency is using to select targets. It can be hard to know for sure who is behind a particular intrusion — a foreign government or a criminal gang — and the N.S.A. is supposed to focus on foreign intelligence, not law enforcement.

The government can also gather significant volumes of Americans’ information — anything from private emails to trade secrets and business dealings — through Internet surveillance because monitoring the data flowing to a hacker involves copying that information as the hacker steals it.

One internal N.S.A. document notes that agency surveillance activities through “hacker signatures pull in a lot.”

Brian Hale, the spokesman for the Office of the Director of National Intelligence, said, “It should come as no surprise that the U.S. government gathers intelligence on foreign powers that attempt to penetrate U.S. networks and steal the private information of U.S. citizens and companies.” He added that “targeting overseas individuals engaging in hostile cyberactivities on behalf of a foreign power is a lawful foreign intelligence purpose.”

The effort is the latest known expansion of the N.S.A.’s warrantless surveillance program, which allows the government to intercept Americans’ cross-border communications if the target is a foreigner abroad. While the N.S.A. has long searched for specific email addresses and phone numbers of foreign intelligence targets, the Obama administration three years ago started allowing the agency to search its communications streams for less-identifying Internet protocol addresses or strings of harmful computer code.

The surveillance activity traces to changes that began after the Sept. 11 terrorist attacks. The government tore down a so-called wall that prevented intelligence and criminal investigators from sharing information about suspected spies and terrorists. The barrier had been erected to protect Americans’ rights because intelligence investigations use lower legal standards than criminal inquiries, but policy makers decided it was too much of an obstacle to terrorism investigations.

The N.S.A. also started the warrantless wiretapping program, which caused an outcry when it was disclosed in 2005. In 2008, under the FISA Amendments Act, Congress legalized the surveillance program so long as the agency targeted only noncitizens abroad. A year later, the new Obama administration began crafting a new cybersecurity policy — including weighing whether the Internet had made the distinction between a spy and a criminal obsolete.

“Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the N.S.A.’s internal files.

About that time, the documents show, the N.S.A. — whose mission includes protecting military and intelligence networks against intruders — proposed using the warrantless surveillance program for cybersecurity purposes. The agency received “guidance on targeting using the signatures” from the Foreign Intelligence Surveillance Court, according to an internal newsletter.

In May and July 2012, according to an internal timeline, the Justice Department granted its secret approval for the searches of cybersignatures and Internet addresses. The Justice Department tied that authority to a pre-existing approval by the secret surveillance court permitting the government to use the program to monitor foreign governments.

That limit meant the N.S.A. had to have some evidence for believing that the hackers were working for a specific foreign power. That rule, the N.S.A. soon complained, left a “huge collection gap against cyberthreats to the nation” because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.

Edward Snowden went from unknown intelligence contractor to international celebrity-in-exile in June 2013. Today he is on a worldwide speaking tour, making his virtual rounds from Texas to Stockholm. By Erica Berenstein on Publish Date May 29, 2015. Photo by Frederick Florin/Agence France-Presse

So the N.S.A., in 2012, began pressing to go back to the surveillance court and seek permission to use the program explicitly for cybersecurity purposes. That way, it could monitor international communications for any “malicious cyberactivity,” even if it did not yet know who was behind the attack.

The newsletter described the further expansion as one of “highest priorities” of the N.S.A. director, Gen. Keith B. Alexander. However, a former senior intelligence official said that the government never asked the court to grant that authority.

Meanwhile, the F.B.I. in 2011 had obtained a new kind of wiretap order from the secret surveillance court for cybersecurity investigations, permitting it to target Internet data flowing to or from specific Internet addresses linked to certain governments.
To carry out the orders, the F.B.I. negotiated in 2012 to use the N.S.A.’s system for monitoring Internet traffic crossing “chokepoints operated by U.S. providers through which international communications enter and leave the United States,” according to a 2012 N.S.A. document. The N.S.A. would send the intercepted traffic to the bureau’s “cyberdata repository” in Quantico, Virginia.

The disclosure that the N.S.A. and the F.B.I. have expanded their cybersurveillance adds a dimension to a recurring debate over the post-Sept. 11 expansion of government spying powers: Information about Americans sometimes gets swept up incidentally when foreigners are targeted, and prosecutors can use that information in criminal cases.

Citing the potential for a copy of data “exfiltrated” by a hacker to contain “so much” information about Americans, one N.S.A. lawyer suggested keeping the stolen data out of the agency’s regular repository for information collected by surveillance so that analysts working on unrelated issues could not query it, a 2010 training document showed. But it is not clear whether the agency or the F.B.I. has imposed any additional limits on the data of hacking victims.

In a response to questions for this article, the F.B.I. pointed to its existing procedures for protecting victims’ data acquired during investigations, but also said it continually reviewed its policies “to adapt to these changing threats while protecting civil liberties and the interests of victims of cybercrimes.”

None of these actions or proposals had been disclosed to the public. As recently as February, when President Obama spoke about cybersecurity at an event at Stanford University, he lauded the importance of transparency but did not mention this change.

“The technology so often outstrips whatever rules and structures and standards have been put in place, which means that government has to be constantly self-critical and we have to be able to have an open debate about it,” Mr. Obama said.

Julia Angwin and Jeff Larson report for ProPublica.
http://www.nytimes.com/2015/06/05/us...us-border.html





You Can Be Prosecuted for Clearing Your Browser History
Juliana DeVries

Khairullozhon Matanov is a 24-year-old former cab driver from Quincy, Massachusetts. The night of the Boston Marathon bombings, he ate dinner with Tamerlan and Dhzokhar Tsarnaev at a kebob restaurant in Somerville. Four days later Matanov saw photographs of his friends listed as suspects in the bombings on the CNN and FBI websites. Later that day he went to the local police. He told them that he knew the Tsarnaev brothers and that they'd had dinner together that week, but he lied about whose idea it was to have dinner, lied about when exactly he had looked at the Tsarnaevs' photos on the Internet, lied about whether Tamerlan lived with his wife and daughter, and lied about when he and Tamerlan had last prayed together. Matanov likely lied to distance himself from the brothers or to cover up his own jihadist sympathies—or maybe he was just confused.

Then Matanov went home and cleared his Internet browser history.

Matanov continued to live in Quincy for over a year after the bombings. During this time the FBI tracked him with a drone-like surveillance plane that made loops around Quincy, disturbing residents. The feds finally arrested and indicted him in May 2014. They never alleged that Matanov was involved in the bombings or that he knew about them beforehand, but they charged him with four counts of obstruction of justice. There were three counts for making false statements based on the aforementioned lies and—remarkably—one count for destroying "any record, document or tangible object" with intent to obstruct a federal investigation. This last charge was for deleting videos on his computer that may have demonstrated his own terrorist sympathies and for clearing his browser history.

Matanov faced the possibility of decades in prison—twenty years for the records-destruction charge alone.

Federal prosecutors charged Matanov for destroying records under the Sarbanes-Oxley Act, a law enacted by Congress in the wake of the Enron scandal. The law was, in part, intended to prohibit corporations under federal investigation from shredding incriminating documents. But since Sarbanes-Oxley was passed in 2002 federal prosecutors have applied the law to a wider range of activities. A police officer in Colorado who falsified a report to cover up a brutality case was convicted under the act, as was a woman in Illinois who destroyed her boyfriend's child pornography.

Prosecutors are able to apply the law broadly because they do not have to show that the person deleting evidence knew there was an investigation underway. In other words, a person could theoretically be charged under Sarbanes-Oxley for deleting her dealer's number from her phone even if she were unaware that the feds were getting a search warrant to find her marijuana. The application of the law to digital data has been particularly far-reaching because this type of information is so easy to delete. Deleting digital data can inadvertently occur in normal computer use, and often does.

In 2010 David Kernell, a University of Tennessee student, was convicted under Sarbanes-Oxley after he deleted digital records that showed he had obtained access to Sarah Palin's Yahoo e-mail account. Using publicly available information, Kernell answered security questions that allowed him to reset Palin's Yahoo password to "popcorn." He downloaded information from Palin's account, including photographs, and posted the new password online. He then deleted digital information that may have made it easier for federal investigators to find him. Like Matanov, he cleared the cache on his Internet browser. He also uninstalled Firefox, ran a disk defragmentation program to reorganize and clean up his hard drive, and deleted a series of images that he had downloaded from the account. For entering Palin's e-mail, he was eventually convicted of misdemeanor unlawfully obtaining information from a protected computer and felony destruction of records under Sarbanes-Oxley. In January 2012, the US Court of Appeals for the Sixth Circuit found that Kernell's awareness of a potential investigation into his conduct was enough to uphold the felony charge.

At the time Kernell took steps to clean his computer, he does not appear to have known that there was any investigation into his conduct. Regardless, the government felt that they were entitled to that data, and the court agreed that Kernell was legally required to have preserved it.

Hanni Fakhoury, a senior staff attorney at the Electronic Frontier Foundation, says the feds' broad interpretation of Sarbanes-Oxley in the digital age is part of a wider trend: federal agents' feeling "entitled" to digital data.

Fakhoury compares the broad application of Sarbanes-Oxley in the digital realm to the federal government's resistance to cellphone companies that want to sell encrypted phones that would prevent law enforcement from being able to access users' data. When the new encrypted iPhone came out, FBI Director James Comey told reporters that he didn't understand why companies would "market something expressly to allow people to place themselves beyond the law."

"At its core," Fakhoury says, "what the government is saying is, ‘We have to create a mechanism that allows everybody's [cellphone] data to be open for inspection on the off-chance that one day in the future, for whatever random circumstance, we need to see that data.'"

Similarly, Fakhoury says the government's underlying theory in cases like Kernell's is, "Don't even think about deleting anything that may be harmful to you, because we may come after you at some point in the future for some unforeseen reason and we want to be able to have access to that data. And if we don't have access to that data, we're going to slap an obstruction charge that has as 20-year maximum on you."

As more and more data are stored online, the government wants and believes it deserves access to that data for policing purposes. But Fakhoury disagrees.

"The idea that you have to create a record of where you've gone or open all your cupboards all the time and leave your front door unlocked and available for law enforcement inspection at any time is not the country we have established for ourselves more than 200 years ago."

This past February the Supreme Court somewhat narrowed the scope of Sarbanes-Oxley in the case of Yates v. United States. The feds had charged a commercial fishing captain under the same record-destruction law for throwing a batch of undersized fish overboard after a federal agent had instructed him not to. The Court ruled that applying Sarbanes-Oxley to the dumping of fish was too far afield from the law's original corporate-crime purpose. Another Tsarnaev associate, Azamat Tazhayakov, who helped throw Tsarnaev's backpack full of fireworks into a dumpster, may see his conviction overturned because of the Yates decision.

But it appears that, at least for now, cases like Matanov's and Kernell's are still fair game. The Supreme Court did not answer the pressing question of how broadly federal prosecutors are allowed to use Sarbanes-Oxley in the digital age. Can you be prosecuted for deleting a potentially incriminating tweet? For uninstalling Firefox? For clearing your browser history? How much of their digital data should citizens have to preserve in case law enforcement wants to take a look?

In March, Matanov pleaded guilty to all four counts of obstruction of justice. When he entered his plea, he told Judge William G. Young that he maintains his innocence but fears a decades-long sentence were he to go to trial. His plea agreement with prosecutors calls for a 30-month sentence—still a harsh punishment for little more than deleting videos and clearing his browser history. Matanov's sentencing hearing is scheduled for June.

"The whole case is mystery," Matanov has said. The "FBI is trying to destroy my life."
http://m.thenation.com/article/20859...rowser-history





FBI Behind Mysterious Surveillance Aircraft Over US Cities
Jack Gillum, Eileen Sullivan and Eric Tucker

The FBI is operating a small air force with scores of low-flying planes across the country carrying video and, at times, cellphone surveillance technology - all hidden behind fictitious companies that are fronts for the government, The Associated Press has learned.

The planes' surveillance equipment is generally used without a judge's approval, and the FBI said the flights are used for specific, ongoing investigations. In a recent 30-day period, the agency flew above more than 30 cities in 11 states across the country, an AP review found.

Aerial surveillance represents a changing frontier for law enforcement, providing what the government maintains is an important tool in criminal, terrorism or intelligence probes. But the program raises questions about whether there should be updated policies protecting civil liberties as new technologies pose intrusive opportunities for government spying.

U.S. law enforcement officials confirmed for the first time the wide-scale use of the aircraft, which the AP traced to at least 13 fake companies, such as FVX Research, KQM Aviation, NBR Aviation and PXW Services. Even basic aspects of the program are withheld from the public in censored versions of official reports from the Justice Department's inspector general.

"The FBI's aviation program is not secret," spokesman Christopher Allen said in a statement. "Specific aircraft and their capabilities are protected for operational security purposes." Allen added that the FBI's planes "are not equipped, designed or used for bulk collection activities or mass surveillance."

But the planes can capture video of unrelated criminal activity on the ground that could be handed over for prosecutions.

Some of the aircraft can also be equipped with technology that can identify thousands of people below through the cellphones they carry, even if they're not making a call or in public. Officials said that practice, which mimics cell towers and gets phones to reveal basic subscriber information, is rare.

Details confirmed by the FBI track closely with published reports since at least 2003 that a government surveillance program might be behind suspicious-looking planes slowly circling neighborhoods. The AP traced at least 50 aircraft back to the FBI, and identified more than 100 flights since late April orbiting both major cities and rural areas.

One of the planes, photographed in flight last week by the AP in northern Virginia, bristled with unusual antennas under its fuselage and a camera on its left side. A federal budget document from 2010 mentioned at least 115 planes, including 90 Cessna aircraft, in the FBI's surveillance fleet.

The FBI also occasionally helps local police with aerial support, such as during the recent disturbance in Baltimore that followed the death of 25-year-old Freddie Gray, who sustained grievous injuries while in police custody. Those types of requests are reviewed by senior FBI officials.

The surveillance flights comply with agency rules, an FBI spokesman said. Those rules, which are heavily redacted in publicly available documents, limit the types of equipment the agency can use, as well as the justifications and duration of the surveillance.

Details about the flights come as the Justice Department seeks to navigate privacy concerns arising from aerial surveillance by unmanned aircrafts, or drones. President Barack Obama has said he welcomes a debate on government surveillance, and has called for more transparency about spying in the wake of disclosures about classified programs.

"These are not your grandparents' surveillance aircraft," said Jay Stanley, a senior policy analyst with the American Civil Liberties Union, calling the flights significant "if the federal government is maintaining a fleet of aircraft whose purpose is to circle over American cities, especially with the technology we know can be attached to those aircraft."

During the past few weeks, the AP tracked planes from the FBI's fleet on more than 100 flights over at least 11 states plus the District of Columbia, most with Cessna 182T Skylane aircraft. These included parts of Houston, Phoenix, Seattle, Chicago, Boston, Minneapolis and Southern California.

Evolving technology can record higher-quality video from long distances, even at night, and can capture certain identifying information from cellphones using a device known as a "cell-site simulator" - or Stingray, to use one of the product's brand names. These can trick pinpointed cellphones into revealing identification numbers of subscribers, including those not suspected of a crime.

Officials say cellphone surveillance is rare, although the AP found in recent weeks FBI flights orbiting large, enclosed buildings for extended periods where aerial photography would be less effective than electronic signals collection. Those included above Ronald Reagan Washington National Airport and the Mall of America in Bloomington, Minnesota.

After The Washington Post revealed flights by two planes circling over Baltimore in early May, the AP began analyzing detailed flight data and aircraft-ownership registrations that shared similar addresses and flight patterns. That review found some FBI missions circled above at least 40,000 residents during a single flight over Anaheim, California, in late May, according to Census data and records provided by the website FlightRadar24.com.

Most flight patterns occurred in counter-clockwise orbits up to several miles wide and roughly one mile above the ground at slow speeds. A 2003 newsletter from the company FLIR Systems Inc., which makes camera technology such as seen on the planes, described flying slowly in left-handed patterns.

"Aircraft surveillance has become an indispensable intelligence collection and investigative technique which serves as a force multiplier to the ground teams," the FBI said in 2009 when it asked Congress for $5.1 million for the program.

Recently, independent journalists and websites have cited companies traced to post office boxes in Virginia, including one shared with the Justice Department. The AP analyzed similar data since early May, while also drawing upon aircraft registration documents, business records and interviews with U.S. officials to understand the scope of the operations.

The FBI asked the AP not to disclose the names of the fake companies it uncovered, saying that would saddle taxpayers with the expense of creating new cover companies to shield the government's involvement, and could endanger the planes and integrity of the surveillance missions. The AP declined the FBI's request because the companies' names - as well as common addresses linked to the Justice Department - are listed on public documents and in government databases.

At least 13 front companies that AP identified being actively used by the FBI are registered to post office boxes in Bristow, Virginia, which is near a regional airport used for private and charter flights. Only one of them appears in state business records.

Included on most aircraft registrations is a mysterious name, Robert Lindley. He is listed as chief executive and has at least three distinct signatures among the companies. Two documents include a signature for Robert Taylor, which is strikingly similar to one of Lindley's three handwriting patterns.

The FBI would not say whether Lindley is a U.S. government employee. The AP unsuccessfully tried to reach Lindley at phone numbers registered to people of the same name in the Washington area since Monday.

Law enforcement officials said Justice Department lawyers approved the decision to create fictitious companies to protect the flights' operational security and that the Federal Aviation Administration was aware of the practice. One of the Lindley-headed companies shares a post office box openly used by the Justice Department.

Such elusive practices have endured for decades. A 1990 report by the then-General Accounting Office noted that, in July 1988, the FBI had moved its "headquarters-operated" aircraft into a company that wasn't publicly linked to the bureau.

The FBI does not generally obtain warrants to record video from its planes of people moving outside in the open, but it also said that under a new policy it has recently begun obtaining court orders to use cell-site simulators. The Obama administration had until recently been directing local authorities through secret agreements not to reveal their own use of the devices, even encouraging prosecutors to drop cases rather than disclose the technology's use in open court.

A Justice Department memo last month also expressly barred its component law enforcement agencies from using unmanned drones "solely for the purpose of monitoring activities protected by the First Amendment" and said they are to be used only in connection with authorized investigations and activities. A department spokeswoman said the policy applied only to unmanned aircraft systems rather than piloted airplanes.

---

Associated Press writers Sean Murphy in Oklahoma City; Joan Lowy and Ted Bridis in Washington; Randall Chase in Wilmington, Delaware; and news researchers Monika Mathur in Washington and Rhonda Shafner in New York contributed to this report.

---

View documents: http://apne.ws/1HEyP0t
http://hosted.ap.org/dynamic/stories...LATE =DEFAULT





FBI Official: Companies Should Help Us ‘Prevent Encryption Above All Else’
Andrea Peterson

The debate over encryption erupted on Capitol Hill again Wednesday, with an FBI official testifying that law enforcement's challenge is working with tech companies "to build technological solutions to prevent encryption above all else."

At first glance the comment from Michael B. Steinbach, assistant director in the FBI's Counterterrorism Division, might appear to go further than FBI Director James B. Comey. Encryption, a technology widely used to secure digital information by scrambling data so only authorized users can decode it, is "a good thing," Comey has said, even if he wants the government to have the ability get around it.

But Steinbach's testimony also suggests he meant that companies shouldn't put their customers' access to encryption ahead of national security concerns -- rather than saying the government's top priority should be preventing the use of the technology that secures basically everything people do online.

"Privacy, above all other things, including safety and freedom from terrorism, is not where we want to go," Steinbach said. He also disputed the "back door" term used by experts to describe such built-in access points. "We're not looking at going through a back door or being nefarious," he argued, saying that the agency wants to be able to access content after going through a judicial process.

But many technical experts believe that building intentional vulnerabilities into the systems that people around the world rely on reduces the overall security of the entire digital system, even if done to comply with legal requirements.

The policy fight over encryption has been going on since the 1990s -- when it resulted in policies that are still causing security problems for Internet users around the world, even though the policies have since been changed. But the debate regained steam after revelations about National Security Agency spying from former government contractor Edward Snowden.

In the wake of those reports, tech companies -- most notably Apple with its iPhone -- have expanded how they protect users with encryption, in some cases automatically rolling out a more robust form of encryption called end-to-end. End-to-end protections mean that only the sender and the recipient can unlock communications -- so tech companies can't provide access to law enforcement even if served with a legitimate court order.

This prompted a backlash from some law enforcement officials, who warn that encryption can allow criminals and terrorists to "go dark" -- making it harder for the government to track them. Leaders such as Comey have argued that Congress should make tech companies build in ways for law enforcement to access secured content from their products.

It's this argument Steinbach made in the hearing:

So, when a company, a communications company or a ISP or social media company elects to build in its software encryption, end-to-end encryption, and leaves no ability for even the company to access that, we don't have the means by which to see the content. When we intercept it, we intercept encrypted communications.

So that's the challenge: working with those companies to build technological solutions to prevent encryption above all else.

Many encryption experts say building in such technical solutions would fundamentally undermine the security of the technology because there's no guarantee hackers couldn't use the same "back door."

But government officials are still examining their options. Earlier this year, National Security Agency chief Adm. Michael Rogers floated an idea that would involve splitting up the keys to decode encryption to provide more oversight and make an access point harder for hackers to exploit.

A recent report from the United Nations Office of the High Commissioner for Human Rights recommended governments avoid mandating back doors along with other policies that could weaken encryption because it would weaken the security many around the world depend on to exercise freedom of expression.

Last month, a group of tech companies, civil society groups and academics sent a letter to President Obama urging him to oppose efforts force companies to build in ways for law enforcement to access products and services protected by encryption.

And despite testimony like Steinbach's, opponents of back doors seem to be making inroads on the hill: Earlier this week, the House approved two amendments about the issue to an appropriations bill. The first, from Reps. Zoe Lofgren (D-Calif.) and Ted Poe (R-Tex.), would bar the government from forcing a company to alter its security measures to spy on users -- unless it is already required to comply with an existing wiretap law.

Another, from Rep. Thomas Massie (R-Ky.), would stop funds provided to the agency that sets cryptographic standards from being used to consult with the NSA unless it strengthens, rather than weakens, information security.
http://www.washingtonpost.com/blogs/...bove-all-else/





NSA Surveillance: How Librarians Have Been on the Front Line to Protect Privacy

‘Librarians were the original search engine’ and long before Edward Snowden, thousands campaigned against the government violating privacy rights
Dan Roberts

In the hours before US senators voted to take on the might of the National Security Agency this week, their inboxes were deluged with more than 2,200 supportive emails from a most unlikely group of revolutionaries: America’s librarians.

Their contribution to the passage of the USA Freedom Act may not have been as dramatic as the revelations of Edward Snowden, but this mild-mannered wing of the privacy lobby has been stridently campaigning against government surveillance since long before the NSA whistleblower shot to fame.

The first politician to discover the danger of underestimating what happens when you have thousands of librarians on your case was attorney general John Ashcroft who, in 2003, accused the American Library Association of “baseless hysteria” and ridiculed their protests against the Patriot Act.

US libraries were once protected from blanket requests for records of what their patrons were reading or viewing online, but the legislation rushed through after after 9/11 threatened to wreck this tradition of confidentiality in ways that presaged later discoveries of bulk telephone and internet record collection.

In 2005, four librarians from Connecticut also successfully fought a FBI request to use national security letters to seize reading records and hard-drives, forcing the government to drop the case and back off.

“When people were asked ‘who do you trust, some librarian, or the attorney general?’, they said ‘I trust my librarian’,” recalls Emily Sheketoff, head of the ALA’s Washington office.

“You can throw the attorney general up against us and we beat him because we are the ones spending every morning doing story time with your toddlers and we are the ones – when you have been given a devastating health report – who help you find information on what this means,” she adds. “There is this close, close relationship with people and their library.”

Such boosterism might be dismissed as civic nostalgia in the age of Google, but the evolution of libraries from print depositories to digital gateways has put the ALA in the rare position of being one of the few large lobby groups in Washington representing consumers of information rather than producers.

“Librarians were the original search engine,” claims ALA government relations head Adam Eisgrau.

“As advocates [for consumers in digital copyright disputes] we were not just on the barricades, we helped erect the barricades.”

There is no doubt that the risks to personal liberty from having one’s library card or community internet terminal confiscated are small scale compared with the collection of hundreds of millions of phone records or domestic internet surveillance exposed by Snowden.

Yet it is the library’s traditional, and dare one say humdrum, place in American life that perhaps gave the ALA such outsize lobbying clout when it came to making broader arguments about the importance of privacy.

“Because we have this history and it’s our core value, there was no question we were going to be at the forefront,” argues Sheketoff.

“We are able to have the influence we have not because we contribute one dime to anybody’s campaign but because we have the grassroots: we have librarians and library supporters in every congressional district who call and contact their member of Congress.”

And when librarians fought to protect, for example, the identity of a reader who had scrawled notes in the margin of a biography of Osama bin Laden they weren’t just making arguments about consumer confidentiality.

“The reason we feel this is so important is we feel there is a direct tie to democracy: unless people feel free to investigate and read, and now, look at websites, so they can see for themselves what is going on, they cannot truly be a good citizen and they cannot oversee the government,” adds Sheketoff.

Or as Eisgrau puts it: “Freedom of thought is an absolute prerequisite to the freedom of speech, and freedom of inquiry is an absolute prerequisite to freedom of thought.”

From other trade groups, such claims might sound pompous, but the thousands of ALA members who have lobbied Congress or picketed speeches by security hawks like Ashcroft are neither easily roused nor easily dismissed.

“I say this with the greatest affection about our grassroots, but they are a little unusual in that there are some organisations where people read an alert and lunge for their phones or their keyboards,” adds Eisgrau. “Librarians are not lungers. And this is a strength; they want to know what it is they are advocating about.”

It is, acknowledges the ALA, the paradox that explains this stereotypically meek profession’s surprisingly kick-ass reputation on civil liberties.

“We are fearsome defenders of our patrons,” says Sheketoff. “But we are fearful of government overstep.”
http://www.theguardian.com/world/201...arians-privacy





The Agency

From a nondescript office building in St. Petersburg, Russia, an army of well-paid “trolls” has tried to wreak havoc all around the Internet — and in real-life American communities.
Adrian Chen

Around 8:30 a.m. on Sept. 11 last year, Duval Arthur, director of the Office of Homeland Security and Emergency Preparedness for St. Mary Parish, Louisiana, got a call from a resident who had just received a disturbing text message. “Toxic fume hazard warning in this area until 1:30 PM,” the message read. “Take Shelter. Check Local Media and columbiachemical.com.”

St. Mary Parish is home to many processing plants for chemicals and natural gas, and keeping track of dangerous accidents at those plants is Arthur’s job. But he hadn’t heard of any chemical release that morning. In fact, he hadn’t even heard of Columbia Chemical. St. Mary Parish had a Columbian Chemicals plant, which made carbon black, a petroleum product used in rubber and plastics. But he’d heard nothing from them that morning, either. Soon, two other residents called and reported the same text message. Arthur was worried: Had one of his employees sent out an alert without telling him?

If Arthur had checked Twitter, he might have become much more worried. Hundreds of Twitter accounts were documenting a disaster right down the road. “A powerful explosion heard from miles away happened at a chemical plant in Centerville, Louisiana #ColumbianChemicals,” a man named Jon Merritt tweeted. The #ColumbianChemicals hashtag was full of eyewitness accounts of the horror in Centerville. @AnnRussela shared an image of flames engulfing the plant. @Ksarah12 posted a video of surveillance footage from a local gas station, capturing the flash of the explosion. Others shared a video in which thick black smoke rose in the distance.

Dozens of journalists, media outlets and politicians, from Louisiana to New York City, found their Twitter accounts inundated with messages about the disaster. “Heather, I’m sure that the explosion at the #ColumbianChemicals is really dangerous. Louisiana is really screwed now,” a user named @EricTraPPP tweeted at the New Orleans Times-Picayune reporter Heather Nolan. Another posted a screenshot of CNN’s home page, showing that the story had already made national news. ISIS had claimed credit for the attack, according to one YouTube video; in it, a man showed his TV screen, tuned to an Arabic news channel, on which masked ISIS fighters delivered a speech next to looping footage of an explosion. A woman named Anna McClaren (@zpokodon9) tweeted at Karl Rove: “Karl, Is this really ISIS who is responsible for #ColumbianChemicals? Tell @Obama that we should bomb Iraq!” But anyone who took the trouble to check CNN.com would have found no news of a spectacular Sept. 11 attack by ISIS. It was all fake: the screenshot, the videos, the photographs.

In St. Mary Parish, Duval Arthur quickly made a few calls and found that none of his employees had sent the alert. He called Columbian Chemicals, which reported no problems at the plant. Roughly two hours after the first text message was sent, the company put out a news release, explaining that reports of an explosion were false. When I called Arthur a few months later, he dismissed the incident as a tasteless prank, timed to the anniversary of the attacks of Sept. 11, 2001. “Personally I think it’s just a real sad, sick sense of humor,” he told me. “It was just someone who just liked scaring the daylights out of people.” Authorities, he said, had tried to trace the numbers that the text messages had come from, but with no luck. (The F.B.I. told me the investigation was still open.)

The Columbian Chemicals hoax was not some simple prank by a bored sadist. It was a highly coordinated disinformation campaign, involving dozens of fake accounts that posted hundreds of tweets for hours, targeting a list of figures precisely chosen to generate maximum attention. The perpetrators didn’t just doctor screenshots from CNN; they also created fully functional clones of the websites of Louisiana TV stations and newspapers. The YouTube video of the man watching TV had been tailor-made for the project. A Wikipedia page was even created for the Columbian Chemicals disaster, which cited the fake YouTube video. As the virtual assault unfolded, it was complemented by text messages to actual residents in St. Mary Parish. It must have taken a team of programmers and content producers to pull off.

And the hoax was just one in a wave of similar attacks during the second half of last year. On Dec. 13, two months after a handful of Ebola cases in the United States touched off a minor media panic, many of the same Twitter accounts used to spread the Columbian Chemicals hoax began to post about an outbreak of Ebola in Atlanta. The campaign followed the same pattern of fake news reports and videos, this time under the hashtag #EbolaInAtlanta, which briefly trended in Atlanta. Again, the attention to detail was remarkable, suggesting a tremendous amount of effort. A YouTube video showed a team of hazmat-suited medical workers transporting a victim from the airport. Beyoncé’s recent single “7/11” played in the background, an apparent attempt to establish the video’s contemporaneity. A truck in the parking lot sported the logo of the Hartsfield-Jackson Atlanta International Airport.

On the same day as the Ebola hoax, a totally different group of accounts began spreading a rumor that an unarmed black woman had been shot to death by police. They all used the hashtag #shockingmurderinatlanta. Here again, the hoax seemed designed to piggyback on real public anxiety; that summer and fall were marked by protests over the shooting of Michael Brown in Ferguson, Mo. In this case, a blurry video purports to show the shooting, as an onlooker narrates. Watching it, I thought I recognized the voice — it sounded the same as the man watching TV in the Columbian Chemicals video, the one in which ISIS supposedly claims responsibility. The accent was unmistakable, if unplaceable, and in both videos he was making a very strained attempt to sound American. Somehow the result was vaguely Australian.

Who was behind all of this? When I stumbled on it last fall, I had an idea. I was already investigating a shadowy organization in St. Petersburg, Russia, that spreads false information on the Internet. It has gone by a few names, but I will refer to it by its best known: the Internet Research Agency. The agency had become known for employing hundreds of Russians to post pro-Kremlin propaganda online under fake identities, including on Twitter, in order to create the illusion of a massive army of supporters; it has often been called a “troll farm.” The more I investigated this group, the more links I discovered between it and the hoaxes. In April, I went to St. Petersburg to learn more about the agency and its brand of information warfare, which it has aggressively deployed against political opponents at home, Russia’s perceived enemies abroad and, more recently, me.

Seven months after the Columbian Chemicals hoax, I was in a dim restaurant in St. Petersburg, peering out the window at an office building at 55 Savushkina Street, the last known home of the Internet Research Agency. It sits in St. Petersburg’s northwestern Primorsky District, a quiet neighborhood of ugly Soviet apartment buildings and equally ugly new office complexes. Among the latter is 55 Savushkina; from the front, its perfect gray symmetry, framed by the rectangular pillars that flank its entrance, suggests the grim impenetrability of a medieval fortress. Behind the glass doors, a pair of metal turnstiles stand guard at the top of a short flight of stairs in the lobby. At 9 o’clock on this Friday night in April, except for the stairwell and the lobby, the building was entirely dark.

This puzzled my dining companion, a former agency employee named Ludmila Savchuk. She shook her head as she lifted the heavy floral curtain to take another look. It was a traditional Russian restaurant, with a dining room done up like a parlor from the early 1900s, complete with bentwood chairs and a vintage globe that showed Alaska as part of Russia. Savchuk’s 5-year-old son sat next to her, slurping down a bowl of ukha, a traditional fish soup. For two and a half months, Savchuk told me, she had worked 12-hour shifts in the building, always beginning at 9 a.m. and finishing at 9 p.m., at which point she and her co-workers would eagerly stream out the door at once. “At 9 p.m. sharp, there should be a crowd of people walking outside the building,” she said. “Nine p.m. sharp.” One Russian newspaper put the number of employees at 400, with a budget of at least 20 million rubles (roughly $400,000) a month. During her time in the organization, there were many departments, creating content for every popular social network: LiveJournal, which remains popular in Russia; VKontakte, Russia’s homegrown version of Facebook; Facebook; Twitter; Instagram; and the comment sections of Russian news outlets. One employee estimated the operation filled 40 rooms.

Every day at the Internet Research Agency was essentially the same, Savchuk told me. The first thing employees did upon arriving at their desks was to switch on an Internet proxy service, which hid their I.P. addresses from the places they posted; those digital addresses can sometimes be used to reveal the real identity of the poster. Savchuk would be given a list of the opinions she was responsible for promulgating that day. Workers received a constant stream of “technical tasks” — point-by-point exegeses of the themes they were to address, all pegged to the latest news. Ukraine was always a major topic, because of the civil war there between Russian-backed separatists and the Ukrainian Army; Savchuk and her co-workers would post comments that disparaged the Ukrainian president, Petro Poroshenko, and highlighted Ukrainian Army atrocities. Russian domestic affairs were also a major topic. Last year, after a financial crisis hit Russia and the ruble collapsed, the professional trolls left optimistic posts about the pace of recovery. Savchuk also says that in March, after the opposition leader Boris Nemtsov was murdered, she and her entire team were moved to the department that left comments on the websites of Russian news outlets and ordered to suggest that the opposition itself had set up the murder.

Savchuk told me she shared an office with about a half-dozen teammates. It was smaller than most, because she worked in the elite Special Projects department. While other workers churned out blandly pro-Kremlin comments, her department created appealing online characters who were supposed to stand out from the horde. Savchuk posed as three of these creations, running a blog for each one on LiveJournal. One alter ego was a fortuneteller named Cantadora. The spirit world offered Cantadora insight into relationships, weight loss, feng shui — and, occasionally, geopolitics. Energies she discerned in the universe invariably showed that its arc bent toward Russia. She foretold glory for Vladimir Putin, defeat for Barack Obama and Petro Poroshenko. The point was to weave propaganda seamlessly into what appeared to be the nonpolitical musings of an everyday person.

In fact, she was a troll. The word “troll” was popularized in the early 1990s to denounce the people who derailed conversation on Usenet discussion lists with interminable flame wars, or spammed chat rooms with streams of disgusting photos, choking users with a cloud of filth. As the Internet has grown, the problem posed by trolls has grown more salient even as their tactics have remained remarkably constant. Today an ISIS supporter might adopt a pseudonym to harass a critical journalist on Twitter, or a right-wing agitator in the United States might smear demonstrations against police brutality by posing as a thieving, violent protester. Any major conflict is accompanied by a raging online battle between trolls on both sides.

As Savchuk and other former employees describe it, the Internet Research Agency had industrialized the art of trolling. Management was obsessed with statistics — page views, number of posts, a blog’s place on LiveJournal’s traffic charts — and team leaders compelled hard work through a system of bonuses and fines. “It was a very strong corporate feeling,” Savchuk says. Her schedule gave her two 12-hour days in a row, followed by two days off. Over those two shifts she had to meet a quota of five political posts, 10 nonpolitical posts and 150 to 200 comments on other workers’ posts. The grueling schedule wore her down. She began to feel queasy, she said, posting vitriol about opposition leaders of whom she had no actual opinion, or writing nasty words about Ukrainians when some of her closest acquaintances, including her own ex-husband, were Ukrainian.

Employees were mostly in their 20s but were drawn from a broad cross-section of Russian society. It seemed as if the agency’s task was so large that it would hire almost anyone who responded to the many ads it posted on job boards, no matter how undereducated or politically ignorant they were. Posts teemed with logical and grammatical errors. “They were so stupid,” says Marat Burkhardt, who worked for two months in the department of forums, posting 135 comments a day on little-read message boards about remote Russian towns. “You see these people with a lot of tattoos. They’re so cool, like they’re from New York; very hip clothing, very hip tattoos, like they’re from Williamsburg. But they are stupid.” In office conversation, they used gay slurs to refer to Petro Poroshenko and called Barack Obama a monkey. Management tried to rectify their ignorance with grammar classes. Others had “politology” classes to outline the proper Russian point of view on current events.

Yet the exact point of their work was left unclear to them. The handful of employees I spoke with did not even know the name of the company’s chief executive. They had signed a nondisclosure agreement but no official contract. Salaries were surprisingly high for the work; Savchuk’s was 41,000 rubles a month ($777), or as much as a tenured university professor earns. “I can’t say they clearly explain to you what your purpose there is,” Savchuk says. “But they created such an atmosphere that people would understand they were doing something important and secretive and very highly paid. And that they won’t be able to find a job like this anywhere else.”

Savchuk is 34, but her taste in clothes runs toward the teenage: The night of our dinner she wore a plaid dress and a billowing neon yellow jacket, and her head was swaddled in a fuzzy hood with animal ears. She credits her innocent appearance for allowing her to infiltrate the Internet Research Agency without raising alarms. While employed there, she copied dozens of documents to her personal email account and also plied her co-workers for information. She made a clandestine video of the office. In February, she leaked it all to a reporter for Moi Raion, a local newspaper known for its independent reporting. The documents, together with her story, offered the most detailed look yet into the daily life of a pro-Kremlin troll. Though she quit the agency the day the exposé was published, she was continuing her surveillance from the outside. She brought a camera to our dinner in hopes of documenting the changing of the shifts, which she planned to post to the VKontakte page of Information Peace, the group she founded to fight the agency. Her ultimate goal is to shut it down entirely, believing that its information warfare is contributing to an increasingly dark atmosphere in Russia. “Information peace is the start of real peace,” she says.

But at 10 minutes after 9 p.m., still no crowd had entered or left 55 Savushkina. Finally, around 9:30, a group of five young people approached the building and walked inside. Savchuk perked up, grabbed the camera and began to film the scene. Now more started filtering in, each of them stopping at the guard desk to check in. I counted at least 30 in all. Savchuk told me with pride that she believed the agency had changed its schedule to confound journalists, who began to stake out the place after her exposé.

Savchuk is accustomed to antagonizing powerful people. She has been a longtime environmental activist in the town of Pushkin, the suburb of St. Petersburg where she lives; her main cause before the troll farm was saving forests and parks from being paved over by well-connected developers. Last year she even ran for a seat on her municipal council as an independent, which in Russia requires a level of optimism bordering on delusion. On Election Day, she told me, state employees — health care workers, teachers, law enforcement, etc. — came to the polls wielding lists of candidates they had been “encouraged” to vote for, all of them associated with United Russia, the governing party of Vladimir Putin. (She lost her race.) Savchuk has filed a lawsuit against the Internet Research Agency for violating labor rights laws, citing the lack of official contracts. She has enlisted the help of a well-known human rights lawyer named Ivan Pavlov, who has spent years fighting for transparency laws in Russia; he took on Savchuk’s case in hopes that it would force the agency to answer questions about its business on the record.

Several Russian media outlets have claimed that the agency is funded by Evgeny Prigozhin, an oligarch restaurateur called “the Kremlin’s chef” in the independent press for his lucrative government contracts and his close relationship with Putin. When a reporter from the opposition paper Novaya Gazeta infiltrated the agency posing as a job seeker, she discovered that one of the team leaders was an employee of Prigozhin’s Concord holding company. (The reporter was familiar with her because the woman was famous among journalists for having been deployed by Prigozhin to spy on Novaya Gazeta.) The suspicion around Prigozhin was bolstered when emails leaked by hackers showed an accountant at Concord approving payments to the agency. If the speculation is accurate, it would not be the first time that Prigozhin has used his enormous wealth to fund quixotic schemes against his enemies: According to Novaya Gazeta, a documentary he backed, which later ran on the Kremlin-controlled NTV, claimed that the protesters who participated in the enormous anti-Putin demonstrations of 2011 were paid agents provocateurs, some of them bribed by United States government officials, who fed them cookies. “I think of him as Dr. Evil,” says Andrei Soshnikov, the reporter at Moi Raion to whom Savchuk leaked her documents. (My calls to Concord went unreturned.)

Savchuk’s revelations about the agency have fascinated Russia not because they are shocking but because they confirm what everyone has long suspected: The Russian Internet is awash in trolls. “This troll business becomes more popular year by year,” says Platon Mamatov, who says that he ran his own troll farm in the Ural Mountains from 2008 to 2013. During that time he employed from 20 to 40 people, mostly students and young mothers, to carry out online tasks for Kremlin contacts and local and regional authorities from Putin’s United Russia party. Mamatov says there are scores of operations like his around the country, working for government authorities at every level. Because the industry is secretive, with its funds funneled through a maze of innocuous-sounding contracts and shell businesses, it is difficult to estimate exactly how many people are at work trolling today. But Mamatov claims “there are thousands — I’m not sure about how many, but yes, really, thousands.”

The boom in pro-Kremlin trolling can be traced to the antigovernment protests of 2011, when tens of thousands of people took to the streets after evidence of fraud in the recent Parliamentary election emerged. The protests were organized largely over Facebook and Twitter and spearheaded by leaders, like the anticorruption crusader Alexei Navalny, who used LiveJournal blogs to mobilize support. The following year, when Vyascheslav Volodin, the new deputy head of Putin’s administration and architect of his domestic policy, came into office, one of his main tasks was to rein in the Internet. Volodin, a lawyer who studied engineering in college, approached the problem as if it were a design flaw in a heating system. Forbes Russia reported that Volodin installed in his office a custom-designed computer terminal loaded with a system called Prism, which monitored public sentiment online using 60 million sources. According to the website of its manufacturer, Prism “actively tracks the social media activities that result in increased social tension, disorderly conduct, protest sentiments and extremism.” Or, as Forbes put it, “Prism sees social media as a battlefield.”

The battle was conducted on multiple fronts. Laws were passed requiring bloggers to register with the state. A blacklist allowed the government to censor websites without a court order. Internet platforms like VKontakte and Yandex were brought under the control of Kremlin allies. Putin gave ideological cover to the crackdown by calling the entire Internet a “C.I.A. project,” one that Russia needed to be protected from. Restrictions online were paired with a new wave of digital propaganda. The government consulted with the same public relations firms that worked with major corporate brands on social-media strategy. It began paying fashion and fitness bloggers to place pro-Kremlin material among innocuous posts about shoes and diets, according to Yelizaveta Surnacheva, a journalist with the magazine Kommersant Vlast. Surnacheva told me over Skype that the government was even trying to place propaganda with popular gay bloggers — a surprising choice given the notorious new law against “gay propaganda,” which fines anyone who promotes homosexuality to minors.

All of this has contributed to a dawning sense, among the Russian journalists and activists I spoke with, that the Internet is no longer a natural medium for political opposition. “The myth that the Internet is controlled by the opposition is very, very old,” says Leonid Volkov, a liberal politician and campaign manager to Alexei Navalny. “It’s not true since at least three years.” Part of this is simple demographics: The Internet audience has expanded from its early adopters, who were more likely to be well-educated liberal intelligentsia, to the whole of Russia, which overwhelmingly supports Putin. Also, by working every day to spread Kremlin propaganda, the paid trolls have made it impossible for the normal Internet user to separate truth from fiction.

“The point is to spoil it, to create the atmosphere of hate, to make it so stinky that normal people won’t want to touch it,” Volkov said, when we met in the office of Navalny’s Anti-Corruption Foundation. “You have to remember the Internet population of Russia is just over 50 percent. The rest are yet to join, and when they join it’s very important what is their first impression.” The Internet still remains the one medium where the opposition can reliably get its message out. But their message is now surrounded by so much garbage from trolls that readers can become resistant before the message even gets to them. During the protests, a favorite tactic of the opposition was making anti-Putin hashtags trend on Twitter. Today, waves of trolls and bots regularly promote pro-Putin hashtags. What once was an exhilarating act of popular defiance now feels empty. “It kind of discredited the idea of political hashtags,” says Ilya Klishin, the web editor for the independent television station TV Rain who, in 2011, created the Facebook page for the antigovernment protests.

Russia’s information war might be thought of as the biggest trolling operation in history, and its target is nothing less than the utility of the Internet as a democratic space. In the midst of such a war, the Runet (as the Russian Internet is often called) can be an unpleasant place for anyone caught in the crossfire. Soon after I met Leonid Volkov, he wrote a post on his Facebook wall about our interview, saying that he had spoken with someone from The New York Times. A former pro-Kremlin blogger later warned me about this. Kremlin allies, he explained, monitored Volkov’s page, and now they would be on guard. “That was not smart,” he said.

The chain that links the Columbian Chemicals hoax to the Internet Research Agency begins with an act of digital subterfuge perpetrated by its online enemies. Last summer, a group called Anonymous International — believed to be unaffiliated with the well-known hacktivist group Anonymous — published a cache of hundreds of emails said to have been stolen from employees at the agency. It was just one hack in a long series that Anonymous International had carried out against the Kremlin in recent months. The group leaked embarrassing photos of Putin allies and incriminating emails among officials. It claimed to have hacked into Prime Minister Dmitri Medvedev’s phone, and reportedly hacked his Twitter account, tweeting: “I’m resigning. I am ashamed of this government’s actions. Forgive me.”

The emails indicated that the Internet Research Agency had begun to troll in English. One document outlined a project called “World Translation”; the problem, it explained, was that the foreign Internet was biased four to one against Russia, and the project aimed to change the ratio. Another email contained a spreadsheet that listed some of the troll accounts the agency was using on the English-language web. After BuzzFeed reported on the leak, I used the spreadsheet to start mapping the network of accounts on Facebook and Twitter, trying to draw connections.

One account was called “I Am Ass.” Ass had a Twitter account, an Instagram account, multiple Facebook accounts and his own website. In his avatars, Ass was depicted as a pair of cartoon buttocks with an ugly, smirking face. He filled his social-media presences with links to news articles, along with his own commentary. Ass had a puerile sense of humor and only a rudimentary grasp of the English language. He also really hated Barack Obama. Ass denounced Obama in posts strewn with all-caps rants and scatological puns. One characteristic post linked to a news article about an ISIS massacre in Iraq, which Ass shared on Facebook with the comment: “I’m scared and farting! ISIS is a monster awakened by Obama when he unleashed this disastrous Iraq war!”

Despite his unpleasant disposition, Ass had a half-dozen or so fans who regularly liked and commented on his posts. These fans shared some unusual characteristics. Their Facebook accounts had all been created in the summer of 2014. They all appeared to be well-dressed young men and women who lived in large American cities, yet they seemed to have no real-life friends. Instead, they spent their free time leaving anti-Obama comments on the Facebook posts of American media outlets like CNN, Politico and Fox News. Their main Facebook interactions, especially those of the women, appeared to be with strangers who commented on their physical appearance. The women were all very attractive — so attractive, indeed, that a search revealed that some of their profile photos had been stolen from models and actors. It became clear that the vast majority of Ass’s fans were not real people. They were also trolls.

I friended as many of the trolls on Facebook as I could and began to observe their ways. Most of the content they shared was drawn from a network of other pages that, like Ass’s, were clearly meant to produce entertaining and shareable social-media content. There was the patriotic Spread Your Wings, which described itself as “a community for everyone whose heart is with America.” Spread Your Wings posted photos of American flags and memes about how great it was to be an American, but the patriotism rang hollow once you tried to parse the frequent criticisms of Obama, an incoherent mishmash of liberal and conservative attacks that no actual American would espouse. There was also Art Gone Conscious, which posted bad art and then tenuously connected it to Obama’s policy failures, and the self-explanatory Celebrities Against Obama. The posts churned out every day by this network of pages were commented on and shared by the same group of trolls, a virtual Potemkin village of disaffected Americans.

After following the accounts for a few weeks, I saw a strange notification on Facebook. One account, which claimed to be a woman from Seattle named Polly Turner, RSVPed to a real-life event. It was a talk in New York City to commemorate the opening of an art exhibit called Material Evidence. I was vaguely aware of Material Evidence, thanks to eye-catching advertisements that had appeared in subway stations and on the sides of buses throughout New York City: a black-and-white photo of masked men in camouflage, overlaid with the slogan “Syria, Ukraine … Who’s Next?” Material Evidence’s website described it as a traveling exhibition that would reveal “the full truth” about the civil war in Syria, as well as about 2014’s Euromaidan revolution in Ukraine, through a combination of “unique footage, artefacts, video.” I clicked on the Material Evidence talk and saw that a number of other trolls had been invited, including my old friend I Am Ass.

Walking into Material Evidence, mounted last September in the cavernous ArtBeam gallery in Chelsea, was like walking into a real-life version of the hall of mirrors I’d stumbled into on Facebook. A sign at the front declared that the show did not “support a specific political goal,” but the message became clear as soon as I began to browse the images. Large, well-composed photos testified to the barbarity of the Syrian rebels, bent on slaughtering handsome Syrian soldiers and innocent civilians alike. A grim panorama showed a gymnasium supposedly used by rebels to torture prisoners. There was a heroic, sunlit portrait of a Syrian Army officer. A room hidden behind a curtain displayed gory photos of rebel-caused civilian causalities, “provided by the Syrian ministry of defense.”

Then there were the pictures from the Ukrainian revolution, which focused almost exclusively on the Right Sector, a small group of violent, right-wing, anti-Russian protesters with a fondness for black balaclavas. Russian authorities have seized upon Right Sector to paint the entire revolution, backed by a huge swath of Ukrainian society, as orchestrated by neo-fascist thugs. The show’s decision to juxtapose the rebellions in Syria and Ukraine was never clearly explained, perhaps because the only connection possible was that both targeted leaders supported by Russia.

On the floor in front of many of the photos sat the actual items that appeared in them, displayed under glass cases. How, exactly, did organizers procure the very same battered motorcycle helmet that a Ukrainian protester wore in a photo while brawling with riot police? Who had fronted the money to purchase a mangled white van, supposedly used by Syrian rebels in a botched suicide bombing, and transport it to New York City? Few answers were forthcoming from Benjamin Hiller, the Berlin-based German-American photojournalist who was put forth as the curator of Material Evidence. He sat at a table in the front of the gallery, a heavyset bearded man dressed entirely in black. He told me that the show had been organized by an independent collective of European, Russian and Syrian war photographers who were fed up with the one-sided view of conflicts presented by Western media. He said they simply wanted to show the “other side.” Hiller claimed that the funds to rent the space, take out the ads, transport the material and create a $40,000 grant advertised on the Material Evidence website had been raised through “crowdfunding.” (Hiller has since left the organization and says that because of the show’s “misinformations” and “nonjournalistic approach,” he “does not want to be affiliated anymore with the project.”)

When I got home, I searched Twitter for signs of a campaign. Sure enough, dozens of accounts had been spamming rave reviews under the hashtag #MaterialEvidence. I clicked on one, a young woman in aviator sunglasses calling herself Zoe Foreman. (I later discovered her avatar had been stolen.) Most of her tweets were unremarkable song lyrics and inspirational quotes. But on Sept. 11 of last year, she spent hours spamming politicians and journalists about a horrific chemical plant explosion in St. Mary Parish, La. The source field on Twitter showed that the tweets Zoe Foreman — and the majority of other trolls — sent about #ColumbianChemicals were posted using a tool called Masss Post, which is associated with a nonworking page on the domain Add1.ru. According to online records, Add1.ru was originally registered in January 2009 by Mikhail Burchik, whose email address remained connected to the domain until 2012. Documents leaked by Anonymous International listed a Mikhail Burchik as the executive director of the Internet Research Agency.

In early February, I called Burchik, a young tech entrepreneur in St. Petersburg, to ask him about the hoax and its connection to the Internet Research Agency. In an article for the newspaper Süddeutsche Zeitung, the German journalist Julian Hans had claimed that Burchik confirmed the authenticity of the leaked documents. But when I called Burchik, he denied working at the Internet Research Agency. “I have heard of it, but I don’t work in this organization,” he said. Burchik said he had never heard of the Masss Post app; he had no specific memory of the Add1.ru domain, he said, but he noted that he had bought and sold many domains and didn’t remember them all. Burchik suggested that perhaps a different Mikhail Burchik was the agency’s executive director. But the email address used by the Mikhail Burchik in the leak matched the address listed at that time on the website of the Mikhail Burchik I spoke with.

In St. Petersburg, I finally had a chance to compare notes with Andrei Soshnikov, the young investigative journalist at Moi Raion to whom Ludmila Savchuk leaked her documents. Soshnikov is an indefatigable reporter: During one investigation, he had gone so far as to create a 3-D computer model of a roadway in order to calculate how much asphalt had been stolen during its construction. He was one of the first journalists to expose the Internet Research Agency when he went undercover and got a job there in 2013. Since then, he had followed the agency’s Russian trolls as obsessively as I had been tracking their English counterparts.

I showed Soshnikov a YouTube video posted on Facebook by one of the trolls. The video was a slick animated infographic about the faults of the United States Secret Service. What had caught my attention was the narrator. He sounded just like the voice from the videos spread during the Columbian Chemicals and Atlanta shooting hoaxes: a man trying desperately to sound American but coming off as Australian instead.

Soshnikov instantly recognized the style of the animation. It was made, he said, by an outfit called Infosurfing, which posts pro-Kremlin infographics on Instagram and VKontakte. Soshnikov showed me how he used a service called Yomapic, which maps the locations of social-media users, to determine that photos posted to Infosurfing’s Instagram account came from 55 Savushkina. He had been monitoring all of the content posted from 55 Savushkina for weeks and had assembled a huge database of troll content.

He brought up Infosurfing’s YouTube channel, and as we scrolled down, I noticed several videos in the same style as the Secret Service animation. In fact, Infosurfing had posted the exact same video on its own account — except instead of the unfortunate Australian voice-over, it was narrated in Russian. It was the most tantalizing connection yet: It seemed as if the man in the hoax videos had worked for an outfit connected to the same building that housed the Internet Research Agency.

Still, no one had heard of any department that might have orchestrated the hoax. The English-language trolling team was an elite and secretive group. Marat Burkhardt, who worked in the forums department, was asked to try out for an English-language team but didn’t get the job. The only person I spoke with who worked in the English department was a woman named Katarina Aistova. A former hotel receptionist, she told me she joined the Internet Research Agency when it was in a previous, smaller office. I found her through the Anonymous International leak, which included emails she had sent to her bosses, reporting on the pro-Putin comments she left on sites like The Blaze and Politico. One of her assignments had been to write an essay from the point of view of an average American woman. “I live in such developed society, so that people have practically ceased to walk on foot,” she wrote. When I emailed Aistova, she wasn’t eager to talk. She told me she had been harassed by critics of the Internet Research Agency after her email appeared in the leak; some men had even come to her door. She would meet me for an interview, but only if she could bring her brother for protection. I agreed, and we met at an out-of-the-way Chinese restaurant.

Aistova and her brother made an unusual pair. She was a short young woman with midlength brown hair, dressed all in black: sweater, leggings, big wedge boots. She insisted on paying for my coffee. “You are a Russian guest,” she said. He, by contrast, was a hulking skinhead with arms full of Nazi-themed tattoos, most prominent among them a five-inch swastika on his left biceps. “My brother, he looks like a strongman,” Aistova said, giggling. He wore a black T-shirt emblazoned with the skull-and-crossbones insignia of the SS Totenkopf division, which administered the Nazi concentration camps. I asked him what his T-shirt meant. “Totenkopf,” he grunted. During the interview he sat across the table from Aistova and me, smiling silently behind his sunglasses.

Aistova said that she worked for the Internet Research Agency for a month and a half. The majority of her work was translating news articles from English to Russian. The news articles covered everything from Ukraine to traffic accidents. On a few occasions, her bosses asked her to leave comments on American news sites about Russia, but she said that they never told her what to say. She loves Russia, she told me. She truly believes that Putin is just trying to help the people of Eastern Ukraine, and that his actions are being unfairly spun by the Western media. “I was like, Hey, you guys, you are saying these bad things about Putin, but people are suffering.”

But she claimed to harbor no ill will toward the United States. She wants to visit New York City, she said, and see the locations from “Breakfast at Tiffany’s,” one of her favorite films. “I don’t feel aggressive toward America. We’re the same people, we just speak different languages,” she said. After the interview, we shook hands outside the restaurant. “You seem like a journalist who will tell the truth,” she said. “I wish you luck on your story.”

On my last morning in St. Petersburg, I returned to 55 Savushkina. The clouds had lifted after a miserable week of snow and howling wind. At a few minutes before 10, my translator and I positioned ourselves on the sidewalk in front of the entrance, hoping to catch some of the trolls as they began the day shift. This was not a very well thought out strategy. Any employees arriving so close to the start of their shift didn’t have time to talk to a journalist even if they wanted to. A large van lurched to a halt in front of us and deposited a half-dozen young people, who hurried in the door before we had the chance to approach them. A bus stopped halfway down the block, and another gaggle of workers emerged. They waved off my translator’s inquiries with annoyed grunts or stone-faced silence. A young man smoking a cigarette said he didn’t work inside the building. He finished his cigarette and promptly went inside the building.

At 10 a.m. sharp, the flow of workers stopped. I decided we might as well try walking inside. I had read of other journalists who tried to enter the building, only to be kicked out immediately, so I entered with some trepidation. Two men in suits guarded the turnstiles. My translator and I approached a receptionist behind a desk and asked if we could speak with someone from Internet Research. (It dropped the “Agency” on moving to 55 Savushkina.) She informed us that Internet Research was no longer a tenant. “A couple of months ago, we had to say goodbye, because it was giving the entire building a bad reputation,” she said, matter-of-factly.

She pointed to a board that displayed a makeshift directory of the building’s current occupants. The names were printed out on small scraps of paper, and none of them were Internet Research. But I did recognize one: “FAN,” or Federal News Agency. I had read some news articles claiming that FAN was part of a network of pro-Kremlin news sites run out of 55 Savushkina, also funded by Evgeny Prigozhin. Former Internet Research Agency employees I had spoken to said they believed FAN was another wing of the same operation, under a different name. I asked to speak to someone from FAN. To my surprise, the receptionist picked up the phone, spoke into it for a few seconds and then informed us that Evgeny Zubarev, the editor in chief of FAN, would be right out to meet us.

Zubarev, who looked to be in his 50s, had close-cropped salt-and-pepper hair and a weary face. He greeted me with a handshake and invited me into his office. We made our way through the turnstiles and signed in with the guards, then took a brief walk down a long hallway to FAN’s two-room office on the first floor. It was unusually quiet for an online news operation that, according to Zubarev, had a staff of 40 people. The newsroom was equipped for a sizable team, with about a dozen identical black desktop computers sitting on identical brown laminate desks, but only two young reporters sat at them. The shades were drawn and the furniture looked just barely unpacked.

As we sat at Zubarev’s desk, I told him about the articles I’d read accusing FAN of being a Kremlin propaganda outfit. He shook his head in indignation. He turned to his computer and brought up FAN’s website, pointing to the masthead and the certificate number that showed FAN was an officially registered Russian mass-media organization. “FAN is a news agency,” he declared. It had stringers and reporters in Ukraine, and in many former Soviet states; they did original reporting, sometimes at great personal risk. Zubarev himself was a veteran journalist who covered the annexation of Crimea for the Russian news agency Rosbalt before joining FAN. But ever since reports linked him to the Internet Research Agency, he had faced questions about his integrity.

“We understand being in this building may discredit us, but we can’t afford to move at the moment,” Zubarev said with a sigh. “So we have to face the situation where reporters like you, Mr. Chen, come in here and ask us questions every day.”

Zubarev said he believed that he and FAN were victims of a smear campaign. I asked him who would do such a thing.

“Listen, that’s my position, not a confirmed fact,” he said. “It’s possible that there are some business interests, I don’t know. Maybe it’s an attack on our investors.” But when I asked who those investors were, he declined to comment. “I can’t discuss the identities of investors,” he said. “That’s in my contract.”

I left St. Petersburg on April 28. One day later, FAN published an article with the headline “What Does a New York Times Journalist Have in Common With a Nazi From St. Petersburg?” The story detailed a mysterious meeting in St. Petersburg between a New York Times journalist — me — and a neo-Nazi. Its lead image was a photo of a skinhead giving an enthusiastic Nazi salute. But it was not just any skinhead. It was the skinhead whom Katarina Aistova brought to our meeting and introduced to me as her brother. As I learned from reading the article, Aistova’s “brother” was in fact a notorious neo-Nazi named Alexei Maximov.

The article explained that Maximov, who goes by the nickname Fly, is a member of Totenkopf, a prominent skinhead group in St. Petersburg. He reportedly served nine years in prison for stabbing a man to death. Just a month before I met him, Maximov again made headlines when, during an investigation into beatings of immigrants around St. Petersburg, the police found weaponry and Nazi paraphernalia in his apartment.

The story made no mention of Katarina Aistova or the Internet Research Agency. Instead, the article claimed I met with Maximov because I wanted his help in creating a provocation against Russia. Maximov told FAN that I requested to meet him because I was “very keenly interested in sentiment among Russian nationalists.” He continued: “He evidently needed stories about how the murderous Kremlin regime persecutes free Russian people. It’s not the first time I’ve come across such requests on the part of Western journalists, but I’m not going to help them with this. Many want to see in Russian nationalists a ‘fifth column,’ which will function on orders from the West and sweep away the Kremlin.” Apparently I was trying to foment a mini-Euromaidan, right there in St. Petersburg.

The article was illustrated with photos of my meeting with Aistova and Maximov. One photo appears to have been shot surreptitiously through the restaurant window while we sat and talked. The point of view is such that Aistova is barely visible; indeed, at first glance, I seem to be having a friendly chat with a skinhead over a cup of coffee. Another photo, this one taken outside the restaurant, somehow makes me look deep in conversation with Maximov, even though I distinctly recall that Aistova was standing between us.

I had to admire the brazenness of the scheme. I remembered how, at the restaurant, Aistova had sat next to me so I had to twist around to talk to her, while Maximov sat silently across from us. Apparently they had arranged themselves so it could appear, from the right perspective, that I was meeting Maximov alone. I emailed Aistova to ask her to explain what happened. She responded only: “I would also like you to explain yourself and the situation!!” (A few weeks later, when I tried calling her by phone, she pretended I had the wrong number.)

Over the course of a few days, the sensational story circulated among a network of small pro-Kremlin blogs. In fact, the FAN story itself had been aggregated from another pro-Kremlin news site called People’s News, which Andrei Soshnikov, the Moi Raion journalist, has reported also operates out of 55 Savushkina. As it spread, it mutated to become even more alarming. One website suggested I was working for the C.I.A.; another, the National Security Agency. A YouTube channel called Russia Today — not the well-known state television channel but a knockoff — posted a slick video about the meeting, set to a pounding dubstep soundtrack. Disconcertingly, it included a photo of me leaving my hotel. The video currently has more than 60,000 views. Many of those views were a result of a familiar pattern of social-media promotion: Dozens of trolls on Twitter began tweeting links to the video using the hashtag #ВербовкаНацистов — “Recruitment of Nazis.” The hashtag trended on Russian Twitter.

After recovering from the initial shock, I began to track the campaign against me. I had practice, after all, from my months spent on the trail of the Internet Research Agency. I Googled the various Russian spellings of my name every hour to catch the latest posts as soon as they surfaced on LiveJournal and VKontakte. I searched Twitter for the URL of the YouTube video to catch every post.

A few days later, Soshnikov chatted with me on Skype. “Did you see an article about you on FAN?” he asked. “They know you are going to publish a loud article, so they are trying to make you look stupid in front of the Russian audience.”

I explained the setup, and as I did I began to feel a nagging paranoia. The more I explained, the more absurd my own words seemed — the more they seemed like exactly the sort of elaborate alibi a C.I.A. agent might concoct once his cover was blown. The trolls had done the only thing they knew how to do, but this time they had done it well. They had gotten into my head.
http://www.nytimes.com/2015/06/07/ma...he-agency.html





Exclusive: Inside Washington's Quest to Bring Down Edward Snowden
Jason Leopold

A bipartisan group of Washington lawmakers solicited details from Pentagon officials that they could use to "damage" former NSA contractor Edward Snowden's "credibility in the press and the court of public opinion."

That's according to declassified government documents obtained exclusively by VICE News in response to a long-running Freedom of Information Act (FOIA) lawsuit. The lawmakers' requests for information were made in December 2013 and again in February 2014, following classified briefings top officials at the Defense Intelligence Agency (DIA) held for oversight committees in the House and Senate about a DIA assessment of the alleged damage to national security caused by Snowden's leak of top-secret documents to journalists Glenn Greenwald, Barton Gellman, and Laura Poitras.

The documents contain the most detailed information to date about the DIA's yearlong discussions with Congress about Snowden's leaks and the costs of the Pentagon's efforts to allay the damage. But the 35 pages of documents do not contain any concrete examples of damage to national security because DIA redacted those details.

The documents, however, do contain a startling claim revealed here for the first time: Snowden took "over 900,000" Department of Defense (DoD) files — more documents than he downloaded from the NSA about the agency's surveillance programs, according to an undated two-page DIA report that was prepared for the head of a task force that assessed the damage caused by Snowden's leaks in advance of the official briefing the Senate Intelligence Committee. The report references a chart that provides a "breakdown" of the "data sets" Snowden took and the "locations from where they were copied." However, the DIA withheld the information on national security grounds.

In a separate February 6, 2014 summary of a congressional briefing DIA officials held for House Appropriations Subcommittee on Defense staffers, it's not made explicitly clear how much information Snowden took from the DoD. The summary, which included included a "short overview of the timeline of the disclosures by Edward Snowden," said committee staffers "appeared surprised and concerned at the extent of the Department of Defense information that was potentially compromised by Edward Snowden."

"Many of the [staffers] were interested in Edward Snowden's background, motivations and tactics. Those questions were deferred to [redacted] for future briefings," according to the congressional summary.

The document goes on to say that committee staffers were told Snowden downloaded military files that "could negatively impact future military operations." The House Appropriations Subcommittee on Defense was regularly briefed by DIA because it was funding the agency's work to mitigate the damage from the Snowden leaks.

VICE News has not been able to identify any Snowden-related stories published over the past two years that were based on files the DIA said Snowden downloaded from DoD.

In a statement last year, Snowden denied DoD and intelligence officials' claims he deliberately downloaded military files. "They rely on a baseless premise, which is that I was after military information," Snowden said.

After the DIA completed a damage assessment report about how Snowden apparently compromised US counterterrorism operations and threatened national security on December 18, 2013, leaks from the classified report immediately started to surface in the media. They were sourced to members of Congress and unnamed officials who cast Snowden as a "traitor."

On December 18, the Washington Post's Walter Pincus published a column, citing anonymous sources, that contained details from the Snowden damage assessment. Three days earlier, 60 Minutes had broadcast a report that was widely condemned as overly sympathetic to the NSA. Foreign Policy and Bloomberg published news stories on January 9, 2014, three days after the damage assessment report was turned over to six congressional oversight committees. Both of those reports quoted a statement from Republican congressional leaders who cited the DIA's classified damage assessment report and asserted that Snowden's leaks endangered the lives of US military personnel.

As the weeks passed, according to the DIA documents, more members of Congress were eager to publicly discredit Snowden.

"Members from both sides (Reps. Richard Nugent, Austin Scott, Henry "Hank" Johnson, Jr. and Susan Davis) repeatedly pressed the [DIA] briefers for information from the [Snowden damage] report to be made releasable to the public," states a February 6, 2014 DIA summary prepared for then-DIA director Lieutenant General Michael Flynn and deputy director David Shedd about a briefing on the Snowden leaks for members of the House Armed Services Subcommittee on Emerging Threats and Capabilities.

"[Redacted] explained the restrictions were to [redacted] but the members appeared unmoved by this argument. Overall, HASC [House Armed Services Committee] members were both appreciative of the report and expressed repeatedly that this information needed to be shared with the American public."

The DIA documents obtained by VICE News were released exactly two years after the Guardian published its first report from the cache of documents leaked by Snowden, and during the same week that some of the same lawmakers who sought to discredit Snowden passed a bill that ended the NSA's bulk collection of domestic phone records and Internet metadata — the very program revealed in the first Guardian report. The legislative change is the first time since 9/11 that both houses of Congress have agreed to place a limit on the government's surveillance powers.

* * *

The DIA documents also resolve the thorny question about the genesis of the claim that Snowden downloaded 1.7 million files. For more than a year, the allegation has been cited as fact in numerous news reports but never directly attributed to a named government official.

In a report published on the Intercept in May 2014, Greenwald excoriated journalists for "repeatedly affirming the inflammatory evidence-free claim that Snowden took 1.7 million documents," a number which he said "always has been pure fabrication."

Now, the DIA documents make clear that the accusation came from a list of unclassified Defense Department talking points sent to Congress on January 8, 2014, a day before Foreign Policy and Bloomberg published their reports that contained the same DIA talking points.

"A former NSA contractor downloaded nearly 1.7 million files from Intelligence Community (IC) systems. This is the single greatest quantitative potential compromise of secrets in US history," states the first of five Defense Department talking points.

The other talking points, which do not offer insight into the specific damage Snowden is said to have caused, say:

Much of the information compromised [by Snowden] has the potential to gravely impact the National Security of the United States, to include the Department of Defense [DoD] and its capabilities.

While most of the reporting to date in the press has centered on NSA's acquisition of foreign intelligence to protect the lives of our citizens and allies, the files cover sensitive topics well beyond the NSA collection. Disclosure of this information in the press and to adversaries has the potential to put Defense personnel in harm's way and jeopardize the success of DoD operations.

These unauthorized disclosures have tipped off our adversaries to intelligence sources and methods and negatively impacted our Allies who partner with us to fight terrorism, cyber crimes, human and narcotics trafficking, and the proliferation of weapons of mass destruction. Such international cooperation involving the pooling of information, technology, and expertise is critical to preserve our security and that of our allies.

Snowden is identified by name on some pages of the documents and as a "Person of Interest" or "POI" on other pages due to the government's criminal case against him. During one classified briefing the damage assessment task force officials held for members of the House Intelligence Committee on Intelligence, lawmakers asked why Snowden, "who claims publicly to be seeking to reform NSA… acquired so many DoD files unrelated to NSA activities."

"[Redacted] explained that [Snowden] appeared to have acquired all files he could reach" was the answer. House Intelligence Committee chairman Mike Rogers and Congressman Adam Schiff "raised the issue that most documents were DoD related — which [redacted] confirmed — and both the congressmen stated they believed this simple fact was both unclassified… and was important for changing the narrative" about Snowden, states an undated summary of the House Intelligence Committee briefing the DIA prepared for Flynn and Shedd.

The summary went on to say that much of the briefing was spent on "Q&A with topics including the cost of mitigation, the risk to soldiers on the ground, defense vulnerabilities as a result of the compromise, and the scope of data secured by the Person of Interest."

The DIA summary noted that then-House Armed Services Committee chairman Buck McKeon and then-chairman of the Intelligence, Emerging Threats, and Capabilities subcommittee, Representative Mac Thornberry, held a press conference after the DIA briefing in which they referred to Snowden as a "traitor" and "not a whistleblower."

* * *

The DIA documents contain new revelations about the make-up of the so-called Information Review Task Force (IRTF) charged with assessing the damage from the Snowden leaks that specifically pertain to military files he downloaded. (Earlier this year, the DIA turned over to VICE News 151 pages of its Snowden damage assessments that were completely redacted.)

According to the documents, "on any given day," between 200 and 250 people from DoD "triage, analyze, and assess DoD impacts related to the Snowden compromise." Summaries of the briefings the DIA held for Congress also reference a previously unknown entity: the Joint Staff Mitigation Oversight Task Force (MOTF), which was entrusted with, among other things, assessing the financial costs of "mitigation efforts" resulting from the Snowden leaks in quarterly reports. The NSA has its own Snowden task force that also assessed the alleged damage to national security his leaks about the agency's surveillance programs caused.

At a House Armed Services Committee hearing last year, Army General Martin Dempsey, the chairman of the Joint Chiefs of Staff, said the mitigation task force "will need to function for about two years ... and I suspect it could cost billions of dollars to overcome the loss of security that has been imposed on us."

The Department of Defense said it first learned that Snowden took documents containing Department of Defense information on July 10, 2013, about a month after Snowden disclosed that he was the source of the leaks about the NSA's controversial surveillance programs.

In response, Flynn, the DIA director, "directed the standup of a DoD Task Force to tackle the compromise," states the two-page DIA task force report that was prepared for an official gearing up to brief the Senate Intelligence Committee on the task force's work. "Rather than start from scratch, key members of the task force that assessed the WikiLeaks compromise in 2010 were again brought together to form the nucleus of the 'Information Review Task Force-2. Led by DIA, and working in coordination with the Office of the National Counterintelligence Executive and our Intelligence Community partners, the IRTF-2 includes representations from the military services, the combatant commands, and Joint Chiefs of Staff.'"

The WikiLeaks reference pertains to leaks of hundreds of thousands of government documents to the transparency organization by Chelsea Manning, who was convicted on espionage charges in 2013 and sentenced to 35 years in prison.

Although the DIA released a copy of its second damage assessment report to me last year — albeit a redacted version that did not contain any specific details to support the conclusion that Snowden caused "grave damage" to national security — members of the House Intelligence Committee said the report was "excellent and timely."

The documents reveal that the DIA also completed an even earlier version of a damage assessment report, which congressional staffers said was "one of the most well-read documents by Members in recent years." It's unknown when that task force report was released. Neither the DIA nor spokespeople for lawmakers who were briefed about the Snowden damage reports would comment for this story.

* * *

The DIA's briefings for Congress continued through last September, according to the documents, which reveal that House and Senate Armed Services Committee members were frustrated that the DIA did not share another damage assessment report with the committee that the DIA completed months earlier.

At one briefing that month, Thornberry said "this was a briefing he did not want to miss as it has been a long time since he received an update on what information was compromised and the impact to US national security."

"He also mentioned that it was hard to think of something that has happened in the world that is more deserving of a response and that can affect future funding" of the DIA, according to the DIA's congressional briefing summary.

But another DIA congressional briefing summary, dated September 9, 2014 and sent to DIA deputy director David Shedd, said DIA officials were also "warned" by committee staffers that lawmakers "would be frustrated" if the so-called Joint Staff Mitigation Oversight Task Force "could not show progress and provide specific examples of steps taken to mitigate damage done to capabilities, plans, and partnerships by the [Snowden] breach."

A Senate Armed Services Committee staffer "commented that he felt the [Mitigation Oversight Task Force] briefers were trying to lower expectations."

The Senate staffer "recommended focusing less on process and more on mitigation efforts and anticipated costs" of reining in the damage, says the document, which summarized a briefing the DIA and Mitigation task force members held for House and Senate Armed Services Committee staffers.

Ultimately, the lawmakers' efforts to use the information provided to Congress by DIA briefers to discredit Snowden didn't work, according to Snowden's attorney, Ben Wizner of the ACLU.

"Once again, we see that the intelligence community leaked classified information [last year] in order to excoriate Edward Snowden for leaking classified information," Wizner told VICE News. "The difference is that Snowden provided information [to] journalists to inform the public about the government's actions, and the government leaked information in order to misinform the public about his."
https://news.vice.com/article/exclus...edward-snowden





The World Says No to Surveillance
Edward J. Snowden

TWO years ago today, three journalists and I worked nervously in a Hong Kong hotel room, waiting to see how the world would react to the revelation that the National Security Agency had been making records of nearly every phone call in the United States. In the days that followed, those journalists and others published documents revealing that democratic governments had been monitoring the private activities of ordinary citizens who had done nothing wrong.

Within days, the United States government responded by bringing charges against me under World War I-era espionage laws. The journalists were advised by lawyers that they risked arrest or subpoena if they returned to the United States. Politicians raced to condemn our efforts as un-American, even treasonous.

Privately, there were moments when I worried that we might have put our privileged lives at risk for nothing — that the public would react with indifference, or practiced cynicism, to the revelations.

Never have I been so grateful to have been so wrong.

Two years on, the difference is profound. In a single month, the N.S.A.’s invasive call-tracking program was declared unlawful by the courts and disowned by Congress. After a White House-appointed oversight board investigation found that this program had not stopped a single terrorist attack, even the president who once defended its propriety and criticized its disclosure has now ordered it terminated.

This is the power of an informed public.

Ending the mass surveillance of private phone calls under the Patriot Act is a historic victory for the rights of every citizen, but it is only the latest product of a change in global awareness. Since 2013, institutions across Europe have ruled similar laws and operations illegal and imposed new restrictions on future activities. The United Nations declared mass surveillance an unambiguous violation of human rights. In Latin America, the efforts of citizens in Brazil led to the Marco Civil, an Internet Bill of Rights. Recognizing the critical role of informed citizens in correcting the excesses of government, the Council of Europe called for new laws to protect whistle-blowers.

Beyond the frontiers of law, progress has come even more quickly. Technologists have worked tirelessly to re-engineer the security of the devices that surround us, along with the language of the Internet itself. Secret flaws in critical infrastructure that had been exploited by governments to facilitate mass surveillance have been detected and corrected. Basic technical safeguards such as encryption — once considered esoteric and unnecessary — are now enabled by default in the products of pioneering companies like Apple, ensuring that even if your phone is stolen, your private life remains private. Such structural technological changes can ensure access to basic privacies beyond borders, insulating ordinary citizens from the arbitrary passage of anti-privacy laws, such as those now descending upon Russia.

Though we have come a long way, the right to privacy — the foundation of the freedoms enshrined in the United States Bill of Rights — remains under threat. Some of the world’s most popular online services have been enlisted as partners in the N.S.A.’s mass surveillance programs, and technology companies are being pressured by governments around the world to work against their customers rather than for them. Billions of cellphone location records are still being intercepted without regard for the guilt or innocence of those affected. We have learned that our government intentionally weakens the fundamental security of the Internet with “back doors” that transform private lives into open books. Metadata revealing the personal associations and interests of ordinary Internet users is still being intercepted and monitored on a scale unprecedented in history: As you read this online, the United States government makes a note.

Spymasters in Australia, Canada and France have exploited recent tragedies to seek intrusive new powers despite evidence such programs would not have prevented attacks. Prime Minister David Cameron of Britain recently mused, “Do we want to allow a means of communication between people which we cannot read?” He soon found his answer, proclaiming that “for too long, we have been a passively tolerant society, saying to our citizens: As long as you obey the law, we will leave you alone.”

At the turning of the millennium, few imagined that citizens of developed democracies would soon be required to defend the concept of an open society against their own leaders.

Yet the balance of power is beginning to shift. We are witnessing the emergence of a post-terror generation, one that rejects a worldview defined by a singular tragedy. For the first time since the attacks of Sept. 11, 2001, we see the outline of a politics that turns away from reaction and fear in favor of resilience and reason. With each court victory, with every change in the law, we demonstrate facts are more convincing than fear. As a society, we rediscover that the value of a right is not in what it hides, but in what it protects.
http://www.nytimes.com/2015/06/05/op...veillance.html

















Until next week,

- js.



















Current Week In Review





Recent WiRs -

May 30th, May 23rd, May 16th, May 9th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
JackSpratts is offline   Reply With Quote
Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Peer-To-Peer News - The Week In Review - July 16th, '11 JackSpratts Peer to Peer 0 13-07-11 06:43 AM
Peer-To-Peer News - The Week In Review - July 9th, '11 JackSpratts Peer to Peer 0 06-07-11 05:36 AM
Peer-To-Peer News - The Week In Review - January 30th, '10 JackSpratts Peer to Peer 0 27-01-10 07:49 AM
Peer-To-Peer News - The Week In Review - January 16th, '10 JackSpratts Peer to Peer 0 13-01-10 09:02 AM
Peer-To-Peer News - The Week In Review - December 5th, '09 JackSpratts Peer to Peer 0 02-12-09 08:32 AM






All times are GMT -6. The time now is 06:47 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© www.p2p-zone.com - Napsterites - 2000 - 2024 (Contact grm1@iinet.net.au for all admin enquiries)