23-12-20, 07:40 AM | #1
Peer-To-Peer News - The Week In Review - December 26th, ’20
December 26th, 2020
Pirating Streamed Content to Become Felony
Illegally pirating streaming video could put guilty parties in jail thanks to a new bill. The Protecting Lawful Streaming Act introduced by Sen. Thom Tillis (R-N.C.) was included in the omnibus spending bill of the COVID-19 relief bill that was passed by Congress on Dec. 21.
Under Tillis’ bill, any person who pirates video streams of copyrighted work will have committed a felony and be subject to fines or imprisonment. The previous penalty for pirating streaming content was a misdemeanor.
The bill targets large-scale, criminal, for-profit streaming services, not good faith business disputes or noncommercial activities. Nor does it target individuals who access the pirated streams, knowingly or unknowingly.
Streaming has become increasingly popular in the last few years, particularly in 2020, as the global pandemic has changed viewing habits and people have more time during lockdowns. The new bill puts the pirating of streamed content on the same level as other forms of piracy, including the illegal downloading of copyrighted content.
Co-sponsoring the bill with Tillis are Sens. Patrick Leahy (D-Vt.), Marsha Blackburn (R-Tenn.), Mazie Hirono (D-Hawaii), Catherine Cortez Masto (D-Nev.), John Cornyn (R-Texas), Richard Blumenthal (D-Conn.), Chris Coons (D-Del.), Kelly Loeffler (R-Ga.) and David Perdue (R-Ga.).
NAB President and CEO Gordon Smith issued a statement saying the association strongly supports the passing of the Protecting Lawful Streaming Act and how it is "tailored to deter large-scale copyright piracy while ensuring that legitimate licenses are not subject to potential prosecution."
Ex-Video Store Owner to Serve 5 Years in Prison for Movie Pirating and Mail Fraud
A former Bangor-area video store owner convicted of pirating thousands of movies and selling them illegally online between 2012 and 2018 was sentenced Tuesday to five years in federal prison.
Douglas Gordon, 53, who previously lived in Brewer but now resides in Mattawamkeag, denied at his October 2019 trial in U.S. District Court that he knowingly violated copyright laws and committed mail fraud. Gordon owned Edge Video in Bangor and Brewer, both of which are now closed.
The loss to the owners of the movie copyrights and distribution sales was estimated at $638,000. Gordon was ordered to pay $555 in restitution to people who filed claims stating they had purchased pirated copies from him.
Gordon remains free on $2,500 unsecured bail but was ordered to report to a prison designated by the U.S. Bureau of Prisons on June 23, 2021, so that he might be vaccinated for COVID-19 by then.
In addition to prison time, U.S. District Judge John Woodcock sentenced Gordon to two years of supervised release. Conditions include that he not be self-employed in an enterprise that sells products online or conduct a mail-order business without the approval of his probation officer.
While Gordon said he loved the movies, he refused to pay royalties to the people who produced, wrote and performed in them, Woodcock said in imposing his sentence. The victims expected to receive a quality product that was authorized by law, the judge said.
“I’ve tried to understand the defendant’s viewpoint and how he came to be involved in this scheme, and my conclusion is that the defendant is smart enough and old enough to know better,” Woodcock said. “With all your knowledge about the movie industry, you could have done things the right way.”
Woodcock determined that the recommended sentence under federal guidelines was between nine years and 11 years and three months. Assistant U.S. Attorney Christopher Ruge recommended a sentence in the middle of the guideline range.
Defense attorney Stephen Smith of Augusta urged the judge to impose a sentence of six years and three months, in part because of Gordon’s significant health issues that include multiple strokes, the loss of part of a leg and depression.
Gordon did not address the judge. Smith said Gordon’s conviction would be appealed to the 1st Circuit Court of Appeals in Boston.
After a seven-day trial, jurors concluded that Gordon was familiar with copyright law and knew that he did not have permission to make copies of films and sell them online for between $9.99 and $24.99. They also found that Gordon committed mail fraud because customers expected to receive a DVD similar to ones sold at retail stores and large online sellers through the mail.
Despite being warned by U.S. Homeland Security Investigations in 2015 and in 2017 to cease his illegal activities, Gordon ignored the warnings and continued to unlawfully reproduce and sell tens of thousands of counterfeit copies of copyright-protected motion pictures and mail them to buyers, the prosecution claimed at the trial.
Based on Gordon’s website advertisements, customers testified that they’d expected to receive authorized DVDs with cover art in plastic cases. Instead, they received a paper envelope with nothing more than a burned disc with a laser-etched movie title.
Several of Gordon’s former employees also provided evidence of the counterfeiting operation, including Gordon’s ex-girlfriend, 54-year-old Heidi Pugliese of Bucksport.
She was sentenced last month to five years of probation after pleading guilty in August 2019 to aiding and abetting a mail fraud scheme. Her plea agreement with the U.S. attorney’s office called for her to testify against Gordon.
Gordon faced up to 20 years in federal prison on the mail fraud charges and up to three years on the copyright infringement counts. He also faced fines of up to $250,000 on each count.
Law Enforcement Take Down Three Bulletproof VPN Providers
The three VPN services provided safe haven for cybercriminals to carry out ransomware attacks, web skimming operations, spearphishing, and account takeovers.
Law enforcement agencies from the US, Germany, France, Switzerland, and the Netherlands have seized this week the web domains and server infrastructure of three VPN services that provided a safe haven for cybercriminals to attack their victims.
The three services were active at insorg.org [2014 snapshot], safe-inet.com [2013 snapshot], and safe-inet.net before the domains were seized and replaced with law enforcement banners on Monday.
The services have been active for more than a decade, are believed to be operated by the same individual/group, and have been heavily advertised on both Russian and English-speaking underground cybercrime forums, where they were sold for prices ranging from $1.3/day to $190/year.
According to the US Department of Justice and Europol, the three companies' servers were often used to mask the real identities of ransomware gangs, web skimmer (Magecart) groups, online phishers, and hackers involved in account takeovers, allowing them to operate from behind a proxy network up to five layers deep.
Law enforcement described the three as "bulletproof hosting services," a term typically used to describe web companies that don't take down criminal content, despite repeated requests.
"A bulletproof hoster's activities may include ignoring or fabricating excuses in response to abuse complaints made by their customer's victims; moving their customer accounts and/or data from one IP address, server, or country to another to help them evade detection; and not maintaining logs (so that none are available for review by law enforcement)," the DOJ said today.
Servers were seized this week across five countries where the three VPN providers had hosted content. Europol said it plans to analyze the collected information and start cases to identify and take action against some of the services' users.
The investigation, codenamed "Operation Nova," was coordinated by Europol officials, and led by officers from the German Reutlingen Police Headquarters.
"The investigation carried out by our cybercrime specialists has resulted in such a success thanks to the excellent international cooperation with partners worldwide. The results show that law enforcement authorities are equally as well connected as criminals," said Udo Vogel, Police President of the Reutlingen Police Headquarters.
No charges were announced against the individuals behind the three VPN services.
Taylor Swift’s ‘Evermore’ Arrives at No. 1 on Billboard 200 Albums Chart
Taylor Swift notches her eighth No. 1 album on the Billboard 200 -- and second of 2020 -- as her surprise release Evermore arrives atop the list. Her latest studio album earned 329,000 equivalent album units in the U.S. in the week ending Dec. 17, according to Nielsen Music/MRC Data, marking the fifth-largest week of the year for any album.
Evermore was released on Dec. 11 via Republic Records with little warning, and was only available as a standard digital download album (across traditional digital retailers like iTunes, as well as Swift’s own official webstore) and a standard streaming album. Its CD edition did not arrive in stores until Friday, Dec. 18 (so expect sturdy sales in the album’s second week). Cassette and vinyl LP configurations are due in 2021.
Evermore is the companion set to her earlier surprise No. 1 album, Folklore, which bowed atop the Aug. 8-dated Billboard 200.
The Billboard 200 chart ranks the most popular albums of the week in the U.S. based on multi-metric consumption as measured in equivalent album units. Units comprise album sales, track equivalent albums (TEA) and streaming equivalent albums (SEA). Each unit equals one album sale, or 10 individual tracks sold from an album, or 3,750 ad-supported or 1,250 paid/subscription on-demand official audio and video streams generated by songs from an album. The new Dec. 26-dated chart (where Evermore debuts at No. 1) will be posted in full on Billboard's website on Dec. 22. For all chart news, follow @billboard and @billboardcharts on both Twitter and Instagram.
Of Evermore’s 329,000 equivalent album units earned in the tracking week ending Dec. 17, SEA units comprise nearly 167,000 (equaling 220.49 million on-demand streams of the album’s songs), album sales comprise 154,500 and TEA units comprise a little under 8,000.
Eighth No. 1 Album: Swift continues to rack up No. 1 albums on the Billboard 200, as Evermore nets the superstar her eighth leader. She’s nearing Barbra Streisand’s all-time record among women of 11 leaders. The only other woman with more No. 1 albums than Swift is Madonna, with nine. Among all artists, The Beatles have the most No. 1s, with 19. Among all soloists, Jay-Z leads with 14.
Second No. 1 Album of 2020: Swift is the first woman, and third act, to net a pair of No. 1 albums on the Billboard 200 chart in 2020. Folklore was her first, when the album opened atop the Aug. 8-dated list. Pop group BTS also managed the feat with Be (Dec. 5) and Map of the Soul: 7 (March 7), as did rapper YoungBoy Never Broke Again with Top (Sept. 28) and 38 Baby 2 (May 9).
2020’s Fifth-Largest Week for an Album: With Evermore bowing with 329,000 equivalent album units, it collects the fifth-biggest week of 2020 for any album. It was bested only by the debut weeks of BTS’ Map of the Soul: 7 (422,000; March 7-dated chart), The Weeknd’s After Hours (444,000; April 4), Juice WRLD’s Legends Never Die (497,000; July 25) and Swift’s Folklore (846,000; Aug. 8).
Notably, Evermore’s first-week total units (329,000) and album sales (154,500) are the biggest for any album since merchandise/album bundles and concert ticket/album sale redemption offers both ceased to count towards chart sales as of Oct. 9. It’s also the biggest week for an album since physical albums bundled with a digital album could only be counted as a physical sale upon shipment to the customer (starting on Aug. 7). In the past, Swift’s albums, including Folklore, like many other albums, benefited from merchandise/album bundles and physical/digital combo offers. (Swift has never employed a concert ticket/album sale redemption offer.)
Remarkably, Evermore has the biggest week -- both in equivalent album units and album sales -- for an album that was only available as a digital download album and a streaming album, and without any bundles or physical/digital combo offers in over two years. The last album to post a bigger week with only a digital and streaming album, and no bundles of any sort (and no physical album either) was Drake’s Scorpion, when it debuted with 732,000 units (of which 160,000 were in album sales, all from its download album) on the July 14, 2018-dated chart.
Second-Largest Streaming Week of 2020 for a Non-R&B/Hip-Hop Album: As Evermore collected 167,000 SEA units in its first week, that equaled 220.49 million on-demand streams of the album’s songs — the second-biggest streaming week of 2020 for a non-R&B/hip-hop album. The only loftier week for a non-R&B/hip-hop set was earned by Swift’s Folklore, which arrived with 289.85 million streams of its songs.
Shortest Gap Between New No. 1 Albums by a Woman: Evermore debuts at No. 1 just four months and 18 days after Folklore opened atop the list dated Aug. 8. That’s the shortest gap between new No. 1s on the Billboard 200 chart ever by a woman since the tally became a regularly published weekly chart in March of 1956. Previously, the smallest wait between new No. 1s by a woman was five months and three days between the first weeks at No. 1 for Olivia Newton-John’s If You Love Me Let Me Know (Oct. 12, 1974) and Have You Never Been Mellow (March 15, 1975). Both titles spent one week at No. 1.
The last time an act had a shorter wait between No. 1s before Swift was BTS, when the group waited only a little over three months between Love Yourself: Tear (June 2, 2018) and Love Yourself: Answer (Sept. 8, 2018). Before that, Future landed back-to-back new No. 1s in successive weeks in 2017 (with his self-titled album March 11, 2017 and HNDRXX on March 18, 2017).
At No. 2 on the Billboard 200, Kid Cudi scores his fifth top 10 effort, as Man on the Moon III: The Chosen bows with 144,000 equivalent album units earned. Of that sum, 127,000 comprise SEA units (equaling 167.45 million on-demand streams of the set’s songs), 15,000 comprise album sales and 1,000 comprise TEA units.
Swift’s Folklore flies 11-3 on the Billboard 200 with 133,000 equivalent album units (up 249%), as its album sales ballooned to 106,000 (up 742%). The set’s sales got a huge boost from sale pricing and promotion in Swift’s official webstore of the Folklore vinyl LP (in assorted colored vinyl variants) and a signed CD edition of the album.
With Swift at Nos. 1 and 3, she’s the first woman to have two albums concurrently in the top three dating back to 1963 when Billboard 200’s then-separate mono and stereo LP charts folded back into one overall chart. The last act, overall, to have two albums in the top three at the same time was Future, on the March 18, 2017-dated chart, when HNDRXX debuted at No. 1 and his self-titled album was No. 2.
As Republic Records is the home of both Swift and Kid Cudi, the label lays claim to the entire top three for the second time in 2020. On the Oct. 31-dated chart, Folklore was No. 1, Pop Smoke’s Shoot for the Stars, Aim for the Moon (released via Victor Victor Worldwide/Republic) was No. 2, and 21 Savage and Metro Boomin’s Savage Mode II (released via Boominati/Slaughter Boomin/Republic/Epic) was No. 3. The label last achieved the feat in 2018, and is the only label to have held the top three since Interscope in 2003.
Michael Bublé’s former No. 1 Christmas is steady at No. 4 on the new Billboard 200 with 58,000 equivalent album units (up 6%).
Jack Harlow’s debut studio album Thats What They All Say starts at No. 5 with 51,000 equivalent album units. Of that sum, 48,000 comprise SEA units (equaling 66.21 million on-demand streams of the set’s songs), 2,000 comprise album sales and a little under 1,000 comprise TEA units. The album contains Harlow’s breakout hit “What’s Poppin,” which rose to No. 2 on the Billboard Hot 100 chart dated July 11.
Carrie Underwood’s My Gift dips 5-6 on the Billboard 200 with 47,000 equivalent album units (down 11%), Pop Smoke’s Shoot for the Stars, Aim for the Moon descends 6-7 with 46,000 units (down 4%), Nat King Cole’s The Christmas Song falls 7-8 with 45,000 units (up 8%), Bad Bunny’s El Ultimo Tour del Mundo drops 2-9 with a little over 44,000 units (down 23%) and Mariah Carey’s Merry Christmas is steady at No. 10 with 44,000 units (up 15%).
P2P Mobile File Transfer Apps Open to Attacks, Researchers Find
Shared design flaws discovered in Huawei, LG, and Xiaomi smartphones allowed attackers to hijack file transfer sessions
Security vulnerabilities in the direct file transfer applications of popular smartphone makers allow attackers to send malicious files to mobile devices, a security researcher has found.
In a study of the peer-to-peer (P2P) file-sharing features of Android phones manufactured by Huawei, LG, and Xiaomi, Doyensec application security engineer Lorenzo Stella found shared design flaws that allowed malicious apps to easily hijack transfer sessions.
Access to file-sharing services
Previous research on the WiFi Direct protocol focused on the network architecture, covering the discovery and connection processes and the various frame formats.
“We instead focused on what happens after a local P2P WiFi connection is created between two devices, specifically in the application layer, analyzing file transfer applications featured in many custom Android ROMs shipped by the various vendors,” Stella told The Daily Swig.
Most OEMs use a File Transfer Controller or Client (FTC) and a File Transfer Server (FTS) to establish WiFi connections between devices, manage sessions, and transfer files.
In his research, Stella found that after the P2P WiFi connection is established, its interface will become available to every application that has android.permission.INTERNET.
“Because of this, local apps can interact with the FTS and FTC services spawned by the file sharing applications on the local or remote device clients, opening the door to a multitude of attacks,” Stella wrote in a blog post that details the vulnerabilities.
Hijacking file-sharing sessions
Stella found that after creating a session on SmartShare Beam, the P2P file-sharing feature of LG phones, sending files to the receiving port requires no authentication.
The service also uses a hard-coded receiving port and generates its session IDs from a very small pool of random numbers. This makes it easy for a malicious app to hijack the file transfer session and send a malicious file to the receiving device.
“After a P2P WiFi connection is established (for example, when a user wants to send a file) any other application running on the user’s device is able to use the P2P interface to interfere with the transfer,” Stella said.
“For LG SmartShare Beam we found that no authorization from the end user was required to push a file to the remote or local device.”
[Image caption: Some attacks could be blocked by mutual TLS authentication that uses per-session certificates]
In the blog post, Stella also notes that an attacker can change the name of the sent file or send multiple files in a single transaction.
Huawei’s ‘Share’ service didn’t have the same design flaws but suffered from stability issues. A third-party app can cause the FTS service to crash and launch its own malicious service to hijack file transfer sessions.
“The crashes are undetectable both to the device’s user and to the file recipient. Multiple crash vectors using malformed requests were identified, making the service systemically weak and exploitable,” Stella writes.
Finally, Stella examined Xiaomi’s ‘Mi Share’ feature, which was prone to denial-of-service (DoS) attacks and had weak randomized session numbers.
“The security design of these applications could benefit from several improvements to guard against rogue local apps,” Stella said.
For example, adding mutual TLS authentication using per-session certificates could help to prevent some of the described attacks, Stella notes, provided that the certificates are generated and exchanged via BLE before the P2P network is created and are not renegotiated after the initial connection.
The applications must also avoid unencrypted and unauthenticated traffic.
“This would still not guarantee the stability of the services (i.e. if any DoS is found) but could be effective against rogue applications’ attacks trying to crash the service,” he says.
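To make the design point concrete, here is an added example (not code from Doyensec, the OEMs or the article) that models a file transfer server in two forms: a weak receiver that, like the reported LG design, accepts any push naming an open session, and a hardened receiver that binds every push to a per-session secret via an HMAC over session ID, filename and content hash. The per-session key is a stand-in assumption for the out-of-band exchanged per-session credential; the real apps, ports and wire formats are not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Push:
    """One file push over an established P2P link (constructed model)."""
    session_id: str
    filename: str
    data: bytes
    tag: bytes = b""  # HMAC tag; empty in the weak protocol


class WeakFTS:
    """Accepts any push naming an open session: a rogue local app only needs the ID."""

    def __init__(self) -> None:
        self.sessions: set[str] = set()
        self.received: list[tuple[str, bytes]] = []

    def open_session(self, session_id: str) -> None:
        # Session IDs come from whatever pool the sender uses; nothing else is checked.
        self.sessions.add(session_id)

    def accept(self, push: Push) -> bool:
        if push.session_id not in self.sessions:
            return False
        self.received.append((push.filename, push.data))
        return True


class HardenedFTS:
    """Requires each push to carry an HMAC over session, filename and content hash."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}  # session_id -> per-session key
        self.received: list[tuple[str, bytes]] = []

    def open_session(self) -> tuple[str, bytes]:
        # 128-bit random session ID plus an independent 256-bit per-session key.
        # Assumption: the key reaches the legitimate peer out of band (the
        # article's BLE exchange), never over the shared P2P interface.
        session_id = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self.keys[session_id] = key
        return session_id, key

    @staticmethod
    def tag(key: bytes, session_id: str, filename: str, data: bytes) -> bytes:
        # Binding the filename and content hash into the tag stops a rogue app
        # from renaming or substituting the file while reusing a valid session.
        digest = hashlib.sha256(data).digest()
        msg = session_id.encode() + b"\0" + filename.encode("utf-8") + b"\0" + digest
        return hmac.new(key, msg, hashlib.sha256).digest()

    def accept(self, push: Push) -> bool:
        key = self.keys.get(push.session_id)
        if key is None:
            return False
        expected = self.tag(key, push.session_id, push.filename, push.data)
        if not hmac.compare_digest(expected, push.tag):
            return False  # forged, renamed or altered file
        self.received.append((push.filename, push.data))
        return True


def demo() -> dict[str, bool]:
    """Run both receivers against a legitimate push and two rogue-app pushes."""
    payload = b"constructed sample file contents"

    weak = WeakFTS()
    weak.open_session("42")  # small-pool style ID, as in the reported design
    weak_result = weak.accept(Push("42", "holiday.jpg", payload))  # no credential needed

    hard = HardenedFTS()
    sid, key = hard.open_session()
    legit = Push(sid, "holiday.jpg", payload,
                 HardenedFTS.tag(key, sid, "holiday.jpg", payload))
    # A rogue app sharing the P2P interface may learn the session ID but not the key.
    rogue = Push(sid, "holiday.jpg", b"not the user's file")
    # A valid tag replayed under a different filename is also rejected.
    renamed = Push(sid, "update.apk", payload, legit.tag)

    return {
        "weak_accepts_unauthenticated": weak_result,
        "hardened_accepts_legit": hard.accept(legit),
        "hardened_rejects_rogue": hard.accept(rogue),
        "hardened_rejects_renamed": hard.accept(renamed),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```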
A fragmented landscape
P2P WiFi file transfer has existed for 10 years, but device manufacturers have not yet managed to consolidate their solutions and insist on their own proprietary applications, which makes it difficult to secure them.
“While the core technology has always been there, OEMs still struggle to defend their own P2P sharing flavors,” Stella writes, adding that other mobile file transfer solutions might also be vulnerable to the attacks he found.
China Used 'Mass Surveillance' on Thousands of Americans' Phones, Report Claims
A mobile security expert has accused China of exploiting cellphone networks in the Caribbean to conduct "mass surveillance" on Americans.
Gary Miller, a former vice president of network security at California-based analytics company Mobileum, told The Guardian he had amassed evidence of espionage conducted via "decades-old vulnerabilities" in the global telecommunications system.
While not explicitly mentioned in the report, the claims appear to be centered around Signaling System 7 (SS7), a communications protocol that routes calls and data around the world and has long been known to have inherent security weaknesses.
According to Miller, his analysis of "signals data" from the Caribbean has shown China was using a state-controlled mobile operator to "target, track, and intercept phone communications of U.S. phone subscribers," The Guardian reported.
Miller claimed China appeared to exploit Caribbean operators to conduct surveillance on Americans as they were traveling, alleging that attacks on cell phones between 2018 and 2020 likely affected "tens of thousands" of U.S. mobile users in the region.
"Once you get into the tens of thousands, the attacks qualify as mass surveillance," the mobile researcher said, noting the tactic is "primarily for intelligence collection and not necessarily targeting high-profile targets." Miller continued: "It might be that there are locations of interest, and these occur primarily while people are abroad."
Exigent Media, a media production business founded by Miller, has been contacted for comment about the analysis supplied to The Guardian. A threat report titled Far From Home is currently listed as for sale on the company's website for $229.
A previous analysis paper covering 2018-2019, also titled Far From Home, contained a series of similar espionage claims about SS7, alleging that "mass surveillance attacks" in 2018 were most prevalent by China and Caribbean mobile networks.
The report noted that SS7 is a patchwork system that helps "network operators around the world to communicate with each other for international roaming services." But it warned the system leaves "fingerprints" that are used for tracking or monitoring.
Worries about SS7 vulnerabilities are far from new. Homeland Security said in a 2017 report about the mobile industry that some operators had admitted that SS7 bugs may exist. The agency was "particularly concerned that many foreign vendors appear to be sharing or selling expertise and services that can be used to spy on Americans."
"New laws and authorities may be needed to enable the government to independently assess the national security and other risks associated with SS7," the report said. In the years since, the infrastructure security gaps have largely remained open.
A blog published by security firm Secure Group in 2017 detailed how the 1970s-era SS7 protocol can be exploited to track calls, texts and movements.
It said: "The protocol is ubiquitous and connects practically all networks around the globe. Hacking into SS7 gives attackers the same capabilities as mobile operators and intelligence agencies. And in terms of surveillance, they are considerable."
Security expert Dmitry Fedotov has previously said the only tech needed to conduct such a hack is a computer, the Linux operating system and a software development kit for SS7. "Apart from the computer itself, remaining ingredients are free and publicly available on the Internet," he wrote in a blog on the flaws in January 2019.
A China Unicom spokesperson told The Guardian that it "strongly refutes the allegations that China Unicom has engaged in active surveillance attacks against U.S. mobile phone subscribers using access to international telecommunications networks."
DHS Looking Into Cyber Risk from TCL Smart TVs
The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets.
Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.”
“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”
As reported by The Security Ledger last month, independent researchers John Jackson (@johnjhacking), an application security engineer for Shutterstock, and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets. The first, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set, up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.
The second vulnerability, CVE-2020-28055, would have allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.
Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.
In a statement to The Security Ledger, TCL disputed that account. By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.
While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones. Owners must authorize the company to access cameras and microphones, however, according to a company statement.
The company did not address in its public statements the question of whether prior notification of the update was given to TCL owners or whether TV set owners were given the option to approve the update before it was installed.
Sick Codes, in a phone interview with The Security Ledger, said the company’s ability to push and update code to its deployed sets without owner approval amounted to a back door that could give TCL access to audio and video streams from deployed sets, regardless of the wishes of owners.
“They can update the application and make authorization happen through that. They have full control,” he said.
Such concerns obviously raised alarms within the Department of Homeland Security as well, which has taken steps to ban technology from other Chinese firms from use on federal networks.
In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).
This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.
“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.
The statement is part of escalating tensions between Washington and Beijing. On Friday, Commerce Secretary Wilbur Ross announced export controls on 77 Chinese companies, including the country’s biggest chipmaker, SMIC, and drone maker DJI, that restrict those firms’ access to US technology. The order cites those firms’ alleged ties to China’s military.
TCL did not respond to an email request for comment prior to publication of this story. We will update this story as more information becomes available.
The FBI is Secretly Breaking Into Encrypted Devices. We’re Suing.
We can't let the FBI keep the public in the dark about its ability to gain access to information stored on our personal mobile devices.
Arianna Demas, Felipe Escobedo
The FBI is secretly breaking the encryption that secures our cell phones and laptops from identity thieves, hackers, and abusive governments, and it refuses to even acknowledge that it has information about these efforts — even though some details have been filed publicly in federal court. We’re suing to get some answers.
Between our emails, text messages, location information, social media activity, and more, our cell phones hold almost our entire lives. In recent years, governments have stepped up efforts to gain access to the information on our cell phones and personal computers. The federal government has been pressuring companies to build encryption backdoors that would severely undermine our digital privacy and security, and both federal and state governments have regularly paid third-party vendors to break into people’s encrypted devices.
Now, it appears the FBI has built an in-house capability to break into these devices. Publicly available information indicates that the Electronic Device Analysis Unit (EDAU), a team within the FBI, has acquired or is in the process of acquiring software that allows the government to unlock and decrypt information that is otherwise securely stored on cell phones. Public court records also describe instances where the EDAU appeared capable of accessing encrypted information off of a locked iPhone. And beyond that, the EDAU even sought to hire an electronics engineer whose major responsibilities would include “perform[ing] forensic extractions and advanced data recovery on locked and damaged devices.”
To learn more about the EDAU and its capabilities, we filed a request under the Freedom of Information Act asking that the Department of Justice and the FBI disclose records relating to the EDAU and its technological capabilities for retrieving information from locked electronic devices. The FBI responded in part by issuing what’s known as “Glomar” responses to two of our requests — which means that the agency refuses to even confirm or deny the existence of any records pertaining to the EDAU.
A valid Glomar response is rare, as there are only extremely limited instances where its invocation is appropriate — that is, only where the existence or nonexistence of records is itself exempt under FOIA. The problem with the FBI’s Glomar response is that, as detailed above, we already know records pertaining to the EDAU exist because information about the unit is already public. The fact that all of this information is already publicly known deeply undercuts the FBI’s Glomar theory. The FBI itself has made clear that it is attempting to access and decrypt personal electronic devices, so the claim that it can’t even acknowledge whether these records exist is implausible.
Seeking some much-needed transparency, today we asked a federal court to intervene and order the DOJ and the FBI to turn over all responsive documents pertaining to the EDAU. We’re demanding the government release records concerning any policies applicable to the EDAU, its technological capabilities to unlock or access electronic devices, and its requests for, purchases of, or uses of software that could enable it to bypass encryption.
By invoking the Glomar response, the federal government is sending a clear message: It aims to keep the American public in the dark about its ability to gain access to information stored on our personal mobile devices. But it’s not that the FBI has just shut the door on this information — they’ve shut the door, closed the windows, drawn the shades, and refused to acknowledge whether the house that we’re looking at even exists. It’s imperative that the public gets meaningful access to these records regarding the federal government’s capabilities to access our phones and computers. Our privacy and security are at stake.
New York Suspends Facial Recognition Use in Schools
Chris Mills Rodrigo
New York Gov. Andrew Cuomo (D) signed legislation Tuesday pausing the use of facial recognition technology at K-12 schools in the state for two years.
The moratorium, approved by the state legislature this summer, follows an attempt by a school district in upstate New York to install the controversial technology at its schools.
Lockport City School District installed cameras in 2019 but turned them off after pushback from locals and civil rights groups.
As part of the agreement to sign the bill, the New York state legislature will pass a bill next session to study facial recognition technologies and the concerns about them.
"This legislation requires state education policymakers to take a step back, consult with experts and address privacy issues before determining whether any kind of biometric identifying technology can be brought into New York's schools,” Cuomo said in a statement. “The safety and security of our children is vital to every parent, and whether to use this technology is not a decision to be made lightly."
One of the primary objections to facial recognition in the legislation signed Tuesday is its replication of biases based on race and gender.
The National Institute of Standards and Technology, a federal agency within the Commerce Department, released an expansive study last year that found the majority of facial recognition systems have “demographic differentials” that can worsen their accuracy based on a person’s age, gender or race.
Other critics have raised privacy concerns should the technology become more accurate, potentially expanding the reach of groups like the police and FBI.
France Bans Use of Drones to Police Protests in Paris
France's top administrative court has backed privacy campaigners by imposing a ban on police use of drones for covering public protests in Paris.
The Council of State said Paris police prefect Didier Lallement should halt "without delay" drone surveillance of gatherings on public roads.
The move comes as parliament discusses a contentious security bill that includes police use of drones.
Its main aim is to regulate how people share film or photos of police.
Privacy rights group La Quadrature du Net (LQDN) has argued that the bill's main measures violate freedom of expression and that drones equipped with cameras cannot keep the peace but track individuals instead.
The Council of State ruled there was "serious doubt over the legality" of drones without a prior text authorising and setting out their use. LQDN said the only way the government could legalise drone surveillance now was in providing "impossible proof" that it was absolutely necessary to maintain law and order.
The decision is the second setback in months for Parisian authorities' drone plans. In May, the same court ruled that drones could not be used in the capital to track people in breach of France's strict lockdown rules.
Under article 22 of the security bill currently going through parliament, security forces would be allowed to send images filmed by drone or helicopter to command teams and retain those images for 30 days or more as part of a possible police inquiry.
Protests broke out after the bill passed its first reading in the National Assembly, with most of the anger directed at article 24, which makes it a criminal offence to publish images of on-duty police officers with the intent to harm their "physical or psychological integrity".
Images also emerged of three police kicking and punching Michel Zecler, a black music producer, in Paris. Campaigners argued the new bill would prevent people from exposing police brutality.
President Emmanuel Macron said the images were unacceptable and his ruling party promised to rewrite article 24.
In a separate development, judges on Tuesday ordered the release of the police officers taken into custody over the attack on Mr Zecler, subject to conditions.
Russian Lawmakers Pass Bills That Could Block Social Media Sites — And Stifle Dissent
The lower chamber of Russia's parliament approved a number of bills on Wednesday that restrict online content.
Russian lawmakers have approved a range of new measures that could further stifle dissent and allow tighter restrictions on online content — including blocking websites like YouTube and Twitter.
One bill would allow for the blocking of foreign websites that it says "discriminate" against Russian media. A second law would allow it to levy large fines against companies that don't take down content banned in the country.
A third law would establish jail terms for those convicted of making slanderous comments online or in the media. A person found guilty of slander could face up to two years in jail and be fined up to 1 million rubles (about $13,300), Reuters reports.
The bills were passed by Russia's lower house, the State Duma. If they become law, as expected, they would mean that Russia could block websites like YouTube, Facebook and Twitter that label content produced by Russian state media outlets as being just that. Under the legislation, Russian authorities will be able to block or slow down such sites.
Since August, Twitter has been labeling the accounts of Russian media outlets as being "state-affiliated," angering Russia, Reuters reports. President Vladimir Putin has called for Russia to come up with its own social media platforms to gain greater control.
Kremlin critics, including opposition leader Alexei Navalny, have used Twitter and YouTube to reach millions of Russians, bypassing censorship on state television.
When the draft bill to allow blocking foreign sites was introduced last month, Navalny tweeted: "Great. Let them pass it as soon as possible, the whole country will finally install a VPN" — a tool that can be used to evade government censors.
Human Rights Watch notes that Russian authorities already have a number of ways to restrict online content: "The 2019 'sovereign Internet' law for example, allows the government to use technology to track, filter and reroute Internet traffic, raising concerns over the arbitrary and extrajudicial blocking of legitimate content."
Alexei Makarkin, deputy director of the Center for Political Technologies in Moscow, told Bloomberg that the moves are in anticipation of the incoming Biden administration.
"They are preventively crafting a shield against the support of Russia's opposition from Joe Biden that they expect," he said. "We are ready — that's what they are demonstrating to America now."
NPR's Lucian Kim contributed to this report from Moscow.
Google Says Australian Law on Paying for News is Unworkable
A Google executive said on Friday that a proposed Australian law to make digital platforms pay for news was unworkable and its proposed arbitration model was biased toward media businesses.
Google Australia and New Zealand Managing Director Mel Silva made her first public comments on the details of the proposed legislation since it was introduced to Parliament last week.
The so-called News Media and Digital Platforms Mandatory Bargaining Code would force Google and Facebook to compensate Australian news media for the journalism that they link to.
“It forces Google to pay to show links in an unprecedented intervention that would fundamentally break how search engines work,” Silva said in a statement.
If a platform and a news business couldn’t agree on a price for news after three months of negotiations, a three-member arbitration panel would be appointed to make a binding decision for payment.
Silva said “binding arbitration within the code could be a reasonable backstop — so long as the arbitration model is fair.”
However, the proposed arbitration model was “skewed to the interests of one type of business only,” Silva said, referring to media.
Google said it had provided a better model with Google News Showcase. Google is paying participating publishers to provide paywalled content to News Showcase users through the model that it launched in October.
“By imposing final-offer arbitration with biased criteria, it encourages publishers to go to arbitration rather than reaching an agreement,” Silva said of the government’s model.
Swinburne University media lecturer Belinda Barnet said Google was pushing its own model because it wanted more power in negotiations than media businesses.
“It’s a cynical ploy by Google,” Barnet said. “They tried the misinformation campaign, that didn’t work, and now they’re saying: ‘We can do it better. We’re already doing it better.’”
News Showcase “benefits the major players,” while the Australian government wanted payment for news to be “fair and across the board,” Barnet said.
Details of the draft legislation will be scrutinized by a Senate committee before lawmakers vote on it next year.
Treasurer Josh Frydenberg, who introduced the legislation to Parliament, said in a statement that Google could make a submission to that committee before it releases its finding in February.
Breaches of the code, such as failure to negotiate in good faith, would be punishable by a fine of 10 million Australian dollars ($7.4 million) or the equivalent of 10% of annual turnover in Australia.
After 11 Years, Australia Declares its National Broadband Network is ‘Built and Fully Operational’
Those 35,000 connections that aren’t built? Celebrate the 11.86 million that were, says Minister
Australia has declared its national broadband network (NBN) is “built and fully operational”, ending a saga that stretches back to the mid-2000s.
Minister for communications, cyber safety and the arts Paul Fletcher declared the build complete in a Wednesday statement that admitted 35,000 premises remain unable to connect to the network. But seeing as that number was over 100,000 in August 2020 and over 11.86 million premises have been wired, he’s happy to say the job’s been done.
However, Australian outlet itnews points out that over 230,000 premises can't connect at 25Mbps, the speed deemed to represent "broadband" in Australia.
The minister's statement also pointed out that legislation governing the NBN build requires a declaration the job is done before December 31st.
“New premises are being built all the time,” the minister said. “This means that there will always be a number of premises around Australia that are not yet ‘ready to connect’. The fact that there is a certain number of premises which are not ready to connect is not of itself evidence that the network cannot be treated as ‘built and fully operational’.”
Thus ends a saga that began in the mid-2000s when Australia figured out that ubiquitous broadband access was a good idea. Dominant telco Telstra proposed to build the network and operate as both a wholesaler to rivals and a retailer, but as that arrangement had stifled competition for years the government of the day wasn’t keen on the idea. At the 2007 election the left-of-centre Australian Labor Party swept to power in part due to its plans to build a fast national broadband network.
That promise evolved into a commitment to build a fibre-to-the-premises (FTTP) network. NBN Co, the company charged with building and operating the network, was summoned into existence in April 2009 but struggled to get much done in its early years. By 2013, when a right-of-centre government won power, just over 350,000 premises had been connected.
The new government decided that a FTTP build would be too slow and expensive, despite leaks from within NBN Co purporting to say FTTP costs were falling fast. The new plan called for a “multi-technology mix” that emphasised fibre-to-the-node (FTTN) and use of existing cable TV networks, rather than FTTP everywhere.
Critics of that plan said its promise to deliver universal 25Mbps services was inadequate, would require costly re-builds, and would leave Australia struggling to compete with other nations building faster networks. The plan was said to retard wide adoption of digital services such as telemedicine or videoconferencing.
The government did not heed those critics and brushed them off when the project missed deadlines and build costs expanded. A decision to spend billions on a cable network that turned out not to be capable of delivering broadband services was one of many SNAFUs during the build.
Australia's economy outperformed many better-wired rivals throughout the build period and the likes of Netflix were happy to enter the market during the build. The NBN did not slow adoption of streaming video.
Nor did it cause widespread problems under the stresses of 2020’s work-from-home wave. Australia has Zoomed as thoroughly as any other nation.
Critics now point to wholesale charges that make it hard for retailers to make a profit, and therefore leave Australian broadband prices high by world standards. Others maintain the NBN’s utility will be eroded by 5G networks. Satellite services for remote users remain slow, and wireless services in regional areas are often adequate rather than brilliant. The NBN has also baked in one of the legacy problems in Australian telecoms, with retailers and the wholesale NBN both offering consumers frustratingly little insight about who has responsibility for restoring services after outages.
But the thing is now officially built. This story was filed over an NBN connection rated to 100Mbps and delivering 52Mbps downloads and 14Mbps uploads over WiFi. Which seldom troubles your text-dependent correspondent.
Minister Fletcher also decided that December 23rd was a fine day on which to announce new laws that introduce a scheme that will require digital platforms to take down “seriously harmful” material directed at adults, in addition to strengthening cyber-bullying protections for kids. The scheme proposes 24-hour takedown requirements for digital platforms after notification of harmful content. As Australia heads to the beach, its Competition and Consumer Commission has revealed changes to the nation’s Consumer Data Right Rules that will allow bank customers to allow sharing of their data with other financial institutions as a means of enabling easier purchasing of products from rivals.
Verizon’s Nationwide 5G can be Slower than its LTE Network, Tests Show
PC Magazine has found that the carrier’s Nationwide 5G can be a downgrade
Verizon’s new nationwide 5G network is reportedly slower than its LTE network, to the point that users are apparently better off just disabling 5G entirely unless they’re near a mmWave network. The results come from testing done by PC Magazine’s Sascha Segan, who points to Dynamic Spectrum Sharing, or DSS, as the culprit.
The tech lets carriers run LTE and 5G networks side by side, which is useful if, like Verizon, you don’t yet have enough dedicated 5G spectrum. While the carrier has largely focused on its mmWave network until recently, it also has begun rolling out a mid-band nationwide 5G network, which promises to avoid mmWave’s range issues by using DSS. The only catch is that, with Verizon, it seems like this tech leads to worse performance in most cases for phones running in 5G mode.
The solution, at least for now, is to just turn 5G off if you’re a Verizon customer. If that has you concerned about speeds compared to your T-Mobile customer friends, don’t worry too much: in its nationwide speed test earlier this year, PC Magazine found that T-Mobile’s 5G can often still be slower than Verizon’s LTE, even though it uses dedicated 5G bands. That same nationwide test also revealed that AT&T’s 5G can be slower than its LTE as well — which makes sense, given that it also uses the DSS technology for its 5G network.
The results from PC Magazine were only done in New York City, so if you have a 5G phone on Verizon, it may be worth checking to see if you’re actually getting faster speeds with 5G on. If you’re not, it may be worth turning it off entirely for now. This is also likely just a temporary issue — as Verizon continues to add dedicated 5G spectrum, their speeds are going to improve.
It’s important to note that this doesn’t apply to Verizon’s mmWave technology, which is much faster than anything any other carrier has to offer. However, while mmWave has the speed, it doesn’t have the range, and it can be blocked by trees, buildings, and sometimes even windows. But if you often find that 5G UW logo popping up on your phone, and you need that speed, it may be worth keeping 5G on, even if it could lead to slowdowns when you get outside its range.
US Relief Package Provides $7 Billion for Broadband
And nearly $2 billion to remove Huawei and ZTE equipment
After months of deliberation, congressional leaders reached a $900 billion coronavirus relief deal on Sunday, including billions in funding for broadband internet access.
Congress’ latest relief measure provides $7 billion in funding for broadband connectivity and infrastructure. That figure includes $3.2 billion for a $50-per-month emergency broadband benefit for people who are laid off or furloughed during the pandemic, according to a press release from Sen. Ron Wyden’s (D-OR) office on Sunday.
“Broadband connections are essential for Americans seeking to get new jobs, and to access school, health care and other government services,” Wyden said in a statement Sunday night. “Ensuring working families can stay online will pay massive dividends for kids’ education, helping people find jobs and jump starting the economic recovery next year.”
Axios reported Sunday that the coronavirus relief bill also includes $1.9 billion to remove Huawei and ZTE equipment from US networks. In June, the Federal Communications Commission officially designated Huawei and ZTE as national security threats. In doing so, the FCC banned US companies from purchasing the equipment with government money. Earlier this month, the agency moved to require US telecom companies to “rip and replace” any Huawei or ZTE equipment currently deployed in their networks.
The deal also includes $1 billion in Tribal broadband grants, $250 million toward telehealth, and $65 million for broadband mapping improvements, according to Axios. The US’s broadband maps have been the target of criticism for years. The FCC’s current methodology declares an entire ZIP code as having broadband if just one home in that census block is served.
The $900 billion COVID relief bill includes a new round of direct payments, following the same requirements as the first round of stimulus checks earlier this year. This package provides stimulus checks of up to $600 per person for people earning up to $75,000 a year and another $600 for their children, according to The New York Times.
Trump Calls Relief Bill 'A Disgrace,' Asks For Changes After Bitter Negotiations
President Trump is slamming a $900 billion COVID-19 relief package passed by Congress on Monday after months of bitter negotiations.
In a video released on his Twitter feed Tuesday evening, the president said the bill was a "disgrace" and asked for substantial changes, like increasing payments to individuals from $600 to $2,000, or $4,000 for couples.
The relief package was passed as part of a bill to fund government operations for the rest of the fiscal year, though the president did sign a stopgap measure that extends government funding until Monday.
Trump blasts money appropriated for foreign aid, environmental programs and cultural institutions, calling them "wasteful."
Trump did not expressly threaten to veto the legislation. It was passed by overwhelming majorities in the House and Senate, with enough votes to potentially override a presidential veto if Trump were to carry out that option.
Until next week,
Current Week In Review
Recent WiRs -
December 19th, December 12th, December 5th, November 28th
Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.
"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public." - Hugo Black