[url=www.theregister.co.uk/2015/08/17/tracking_supercookies_spreading/?mt=1440279981387]Anti-privacy unkillable super-cookies spreading around the world – study[/url] | The Register
Makes me glad I use an aged mostly-dumb phone, though I agree with the ending of the piece that doing *anything* on one's phone/webdevice without being tracked is likely going to become increasingly difficult, not just because telcos have a neverending appetite for all our potentially monetizable data, but because governments do, as well. On the government side of things (insofar as it differs from the corporate side), one sees continual encroachments on privacy in forms like 'trackable money' - paired with a continual push to make untrackable cash transactions either more difficult or outright illegal, on the pretext of 'keeping us safe' and 'fighting drug trafficking'. Various Euro countries now ban cash purchases in amounts above a mere few hundred Euros (and the limits keep getting lower), and in the US, in addition to the longstanding 'banks must report all cash transactions of $10000 or more to the government' rule, we now have the fun and profitable-for-law-enforcement sport of civil forfeiture, in which guilt is presumed and victims are forced to go to Kafkaesque (and very time-consuming and expensive) lengths to 'prove their innocence' for carrying amounts which are often quite a bit smaller. Ain't Freedom™ grand? |
[QUOTE=ewmayer;408633][url=www.theregister.co.uk/2015/08/17/tracking_supercookies_spreading/?mt=1440279981387]Anti-privacy unkillable super-cookies spreading around the world – study[/url] | The Register
Makes me glad I use an aged mostly-dumb phone, though I agree with the ending of the piece that doing *anything* on one's phone/webdevice without being tracked is likely going to become increasingly difficult, not just because telcos have a neverending appetite for all our potentially monetizable data, but because governments do, as well. On the government side of things (insofar as it differs from the corporate side), one sees continual encroachments on privacy in forms like 'trackable money' - paired with a continual push to make untrackable cash transactions either more difficult or outright illegal, on the pretext of 'keeping us safe' and 'fighting drug trafficking'. Various Euro countries now ban cash purchases in amounts above a mere few hundred Euros (and the limits keep getting lower), and in the US, in addition to the longstanding 'banks must report all cash transactions of $10000 or more to the government' rule, we now have the fun and profitable-for-law-enforcement sport of civil forfeiture, in which guilt is presumed and victims are forced to go to Kafkaesque (and very time-consuming and expensive) lengths to 'prove their innocence' for carrying amounts which are often quite a bit smaller. Ain't Freedom™ grand?[/QUOTE] Don't forget bank transactions under $10,000 may be considered "structured" to avoid obligatory reporting and are also verboten. [URL="http://www.forbes.com/sites/stephendunn/2014/04/19/bank-deposits-structuring-and-asset-forfeitures/"]Bank Deposits, Structuring, and Asset Forfeitures[/URL] |
[url]http://www.smh.com.au/business/world-business/no-safe-harbour-transatlantic-data-pact-struck-down-by-eus-highest-court-20151006-gk2x3b.html[/url]
And by way of a free bonus, contains a "law firm of former US AG Eric 'Place' Holder sighting!" With an attorney making a strikingly similar argument as fmr Holder underboss Lanny Breuer's [i]60 Minutes[/i] admission that pursuit of so-called justice vis-a-vis corporate 'persons' must ever be tempered by considerations of possible detrimental effects of said pursuit on corporate share prices, no less. |
[URL="http://www.wired.com/2015/10/cisa-cybersecurity-information-sharing-act-passes-senate-vote-with-privacy-flaws/"]CISA Security Bill Passes Senate With Privacy Flaws Unfixed[/URL]
[QUOTE]But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy. “The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,” says Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.” The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans’ personal information. “Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter,” says Robyn Greene, policy counsel for the Open Technology Institute. “That’s a dangerous road to go down.”[/QUOTE] |
Over 100 license plate reader cameras found online, exposed and unsecured
How public safety agencies responded to [URL="http://arstechnica.com/tech-policy/2015/10/lprs-exposed-how-public-safety-agencies-responded-to-major-vulnerabilities-in-vehicle-surveillance-tech/"]major vulnerabilities in vehicle surveillance tech[/URL]
I guess it's not just private individuals with WiFi who neglect such basic security needs as passwords. |
Judge confused as to why prosecutors still want iPhone unlocked
Defendant pleads guilty. [URL="http://arstechnica.com/tech-policy/2015/10/feds-apple-must-still-unlock-iphone-5s-even-after-defendant-pled-guilty/"]Prosecutors still trying to force Apple to comply with decrypt order.[/URL]
[QUOTE]Federal prosecutors said they will [URL="https://www.documentcloud.org/documents/2499122-123111281825.html"]continue[/URL] their attempt to compel Apple to unlock a seized iPhone 5S running iOS 7 even after the defendant in the relevant felony drug case [URL="https://www.documentcloud.org/documents/2499370-jun-feng-guilty-plea.html"]pleaded guilty[/URL]. On Thursday, defendant Jun Feng [URL="https://www.documentcloud.org/documents/2499370-jun-feng-guilty-plea.html"]pleaded guilty[/URL] to one count of conspiracy to distribute and possess with intent to distribute methamphetamine. Feng was originally charged with three counts of possessing and distributing methamphetamine. As part of the government's effort to convict Feng, the feds wanted Apple to unlock a seized iPhone 5S belonging to Feng—but Apple [URL="http://arstechnica.com/tech-policy/2015/10/feds-since-apple-can-unlock-iphone-5s-running-ios-7-it-should/"]objected[/URL]. On Friday, [URL="https://www.nyed.uscourts.gov/content/magistrate-judge-james-orenstein"]United States Magistrate Judge James Orenstein[/URL] said in a court filing that he is confused why prosecutors are still trying to compel the tech giant:[INDENT]In light of the fact that the defendant against whom evidence from the subject telephone was to be used has pleaded guilty, I respectfully direct the government to explain why the application is not moot. To the extent the response requires the disclosure of information occurring before a grand jury, the government may file its response under seal, along with a redacted version suitable for public access. [/INDENT][/QUOTE][QUOTE]If Feng's phone had iOS 8 or later installed—as 90 percent of iPhones do—this entire issue would likely be moot. 
Apple now enables full encryption by default, and the company [URL="http://arstechnica.com/apple/2014/09/apple-expands-data-encryption-under-ios-8-making-handover-to-cops-moot/"]specifically said the move happened[/URL] "so it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."[/QUOTE] |
[url]http://arstechnica.com/security/2015/11/own-a-vizio-smart-tv-its-watching-you/[/url]
[QUOTE]The tracking—which Vizio calls “Smart Interactivity”—is turned on by default for the more than 10 million Smart TVs that the company has sold. Customers who want to escape it have to opt-out.[/QUOTE] |
[QUOTE=Xyzzy;415637][URL]http://arstechnica.com/security/2015/11/own-a-vizio-smart-tv-its-watching-you/[/URL][/QUOTE][URL]http://arstechnica.com/security/2015/11/man-in-the-middle-attack-on-vizio-tvs-coughs-up-owners-viewing-habits/[/URL]
[QUOTE]Today's lesson comes courtesy of a smart TV from Vizio that was subjected to a man-in-the-middle attack because it couldn't be bothered to validate the HTTPS certificates of servers it connected to.[/QUOTE] |
[url=http://theantimedia.org/snowden-vindicated-as-judge-shuts-down-nsa-bulk-spying-in-epic-smackdown/]Snowden Vindicated as Judge Shuts Down NSA Bulk Spying in Epic Smackdown[/url] | The AntiMedia
Good news, but headline too optimistic: Ordering a shutdown is not the same as effecting one. How can it be confirmed whether NSA is complying? |
[QUOTE=ewmayer;415876][URL="http://theantimedia.org/snowden-vindicated-as-judge-shuts-down-nsa-bulk-spying-in-epic-smackdown/"]Snowden Vindicated as Judge Shuts Down NSA Bulk Spying in Epic Smackdown[/URL] | The AntiMedia
Good news, but headline too optimistic: Ordering a shutdown is not the same as effecting one. [B]How can it be confirmed whether NSA is complying?[/B][/QUOTE] It can't be verified. The NSA farts in the general direction of said judge, and waves their private parts at his aunties. |
[url=http://tinyurl.com/qjqbtfr]That was quick[/url]:
[quote]A federal appeals court has granted a stay that will allow a controversial NSA telephone surveillance program to continue through its planned end on Nov 29. The D.C. Circuit Court of Appeals issued the order Monday afternoon without offering any explanation beyond saying that the government had “satisfied the requirements for a stay pending appeal.” U.S. District Court Judge Richard Leon issued an injunction last week ordering NSA to stop collecting the telephone data of California lawyer J.J. Little and his legal practice. The judge had previously found the anti-terrorism phone-records program appeared to violate the Constitution by collecting metadata on calls of people not suspected of any crime.[/quote] |
[url]http://arstechnica.com/tech-policy/2015/11/the-national-security-letter-spy-tool-has-been-uncloaked-and-its-bad/[/url]
[QUOTE]For the first time, as part of a First Amendment lawsuit, a federal judge ordered the release of what the FBI was seeking from a small ISP as part of an NSL.[/QUOTE] |
[url=arstechnica.com/tech-policy/2015/11/the-national-security-letter-spy-tool-has-been-uncloaked-and-its-bad/]The National Security Letter spy tool has been uncloaked, and it’s bad[/url] | Ars Technica
[quote]For the first time, as part of a First Amendment lawsuit, a federal judge ordered the release of what the FBI was seeking from a small ISP as part of an NSL. Among other things, the FBI was demanding a target's complete Web browsing history, IP addresses of everyone a person has corresponded with, and records of all online purchases, according to a court document unveiled Monday. All that's required is an agent's signature denoting that the information is relevant to an investigation. ... The NSL got a major boost in the wake of the 2001 terror attacks, as it became part of the USA Patriot Act. Between 2003 and 2005, the FBI issued 143,074 NSLs according to a Justice Department inspector general report. Jameel Jaffer, the American Civil Liberties Union deputy legal director, said that "the FBI has imposed effectively permanent gag orders on tens of thousands of NSL recipients... This kind of secrecy prevents the public from learning how the government’s surveillance authorities are used, distorts public debate, shields policymakers from accountability for their decisions, and insulates surveillance powers from judicial review."[/quote] |
I was looking for another Walt Handelsman animation about the NSA, but this turned up first:
[YOUTUBE]fA5Tdi43KAo[/YOUTUBE] Ah! Got it! This one is from mid-2006. This is a slightly glitchy conversion, at least so it seems to me. [YOUTUBE]3knYQaK1yDc[/YOUTUBE] |
Latest on the UK court case involving GCHQ (the British NSA) and Privacy International:
[URL]https://privacyinternational.org/node/681[/URL] If you don't have the time (or inclination) to sift through all the evidence, I recommend Ross Anderson's submission: [URL]https://privacyinternational.org/sites/default/files/Anderson_IPT_Expert_Report_2015_Final.pdf[/URL] |
[url]http://www.reuters.com/article/2015/12/03/us-new-york-crime-cannibal-idUSKBN0TM20820151203[/url]
[QUOTE]The appeals court also vacated Valle's conviction for using the database, finding that federal law does not prohibit individuals from accessing a computer they are normally authorized to use, even if they do so for an improper purpose.[/QUOTE] |
Oh, look, how conveeeeeeeeeeeeniently timed!
[url=http://www.mercurynews.com/crime-courts/ci_29212953/san-bernardino-shooting-terror-investigators-cant-view-nsa]San Bernardino shooting: Terror investigators can't view NSA phone records - San Jose Mercury News[/url] [quote]WASHINGTON — The U.S. government’s ability to review and analyze five years’ worth of telephone records for the married couple blamed in the deadly shootings in California lapsed just four days earlier when the National Security Agency’s controversial mass surveillance program was formally shut down. Under a court order, those historical calling records at the NSA are now off-limits to agents running the FBI terrorism investigation even with a warrant. Instead, under the new USA Freedom Act, authorities were able to obtain roughly two years’ worth of calling records directly from the phone companies of the married couple blamed in the attack. The period covered the entire time that the wife, Tashfeen Malik, lived in the United States … from July 2014. Under the new law, passed in June, investigators still can look for links in phone records, but they must obtain a targeted warrant to get them directly from phone companies.[/quote] That's right - "we were just about to finally get around to analyzing years' and years' worth of incriminating phone calls involving these two, but y'all made us stop, you terrorism-loving bastards!" Given how many such terror plots the NSA has been shown to have broken up via their precrime initiatives, that is a very credible spin on the story. /sarc When it comes to getting da peeps to surrender what little is left of their constitutional rights, one must never let a crisis or tragedy go to waste. Suitably scathing demolition-in-detail of the above article [url=https://www.emptywheel.net/2015/12/06/why-the-aps-call-record-article-is-so-stupid/]available here[/url]. |
Guess what was sneaked into the just-passed omnibus budget bill in DC?
[url]http://www.theguardian.com/us-news/2015/dec/16/congress-cybersecurity-information-sharing-cisa-spending-bill[/url] An NC reader answers: "CISA. The zombie bill that would not die. They’ve been trying for close to four years now to get this turd passed." I'm pretty sure there are several other nasty surprises in this latest bipartisan - echoing Nancy Pelosi - "We have to pass this bill to see what's in it" effort. |
A small victory perhaps:
[QUOTE=American Friends Service Committee]Congress just passed a bill funding the government for the coming year. We're excited to report that the bill does not include language that would hinder the resettlement of Syrian and Iraqi refugees in the U.S.[/QUOTE] |
[QUOTE=ewmayer;419618]Guess what was sneaked into the just-passed omnibus budget bill in DC?
[url]http://www.theguardian.com/us-news/2015/dec/16/congress-cybersecurity-information-sharing-cisa-spending-bill[/url] An NC reader answers: "CISA. The zombie bill that would not die. They’ve been trying for close to four years now to get this turd passed." I'm pretty sure there are several other nasty surprises in this latest bipartisan - echoing Nancy Pelosi - "We have to pass this bill to see what's in it" effort.[/QUOTE]CISA includes a nasty provision: [QUOTE]Cisa would create a system for corporate informants willing to share their customers’ data with the Department of Homeland Security, which would then pass the information to other federal agencies, defined in the final text as the departments of commerce, defense (which oversees the CIA), energy, justice (the FBI), the treasury (which oversees the IRS), and the office of the director of national intelligence (which oversees the NSA). In return, companies participating would be shielded from regulatory action related to the information they passed along and any Freedom of Information Act requests filed by the public to determine exactly what kind of user information was being handed over to the government.[/QUOTE] Jacob |
The 2015 European Digital Rights awards (both negative and positive):
[URL]https://edri.org/edri-awards-2015/[/URL] |
o [url=theantimedia.org/china-just-launched-the-most-frightening-game-ever-and-soon-it-will-be-mandatory/]China Just Launched the Most Frightening Game Ever — and Soon It Will Be Mandatory[/url] | The AntiMedia
[quote]As if further proof were needed Orwell’s dystopia is now upon us, China has now gamified obedience to the State. Though that is every bit as creepily terrifying as it sounds, citizens may still choose whether or not they wish to opt-in — that is, until the program becomes compulsory in 2020. “Going under the innocuous name of ‘Sesame Credit,’ China has created a score for how good a citizen you are,” explains Extra Credits’ [url=https://www.youtube.com/watch?v=lHcTKWiZ8sI&feature=youtu.be&app=desktop]video about the program[/url]. “The owners of China’s largest social networks have partnered with the government to create something akin to the U.S. credit score — but, instead of measuring how regularly you pay your bills, it measures how obediently you follow the party line.”[/quote] Prediction: Western "democratic" governments will very soon - insofar as they are not already doing this sort of thing "informally" - be going down this route, but with an even more subtle twist: Instead of any appearance of mandatoriness, people not allowing their life data to be continually vacuumed up via social media (and thereby dutifully fed to the government domestic-spying hydra) will simply find themselves evermore shut out of the emerging Big Data-run economy. Want to work in the aboveground economy? Gotta have a Facefvck account, your employer's corporate spying app installed on your smartphone and be trackably online 24/7. One can already see many aspects of the future wired-totalitarian state apparatus busily establishing itself in the form of things like "social foo" and apps that start out as "convenient and fun things to do" and quickly become mandatory - employers and HR using social accounts to vet prospective hires and track employees, schools embracing "online learning" which of course needs the kid to sign up for some BigDataCorp's panopticon, and governments relentlessly pushing toward the abolition of physical currency. |
At the start of what promises to be another year of government encroachment on civil liberties, it is useful to recall the [url=https://www.eff.org/about/history]history of the EFF[/url]. Note that the precedent set in their first big case has effectively been abrogated by mass warrantless e-mail surveillance by NSA and similar organizations overseas:
[i] The [1990] Steve Jackson Games case turned out to be an extremely important one in the development of a proper legal framework for cyberspace. For the first time, a court held that electronic mail deserves at least as much protection as telephone calls. We take for granted today that law enforcement must have a warrant that particularly describes all electronic mail messages before seizing and reading them. [/i] Also, I had been unaware of crypto guru Dan Bernstein's central role in their second major case, that related to exportation of crypto technologies. And related: [url=http://theantimedia.org/15-news-stories-from-2015-you-should-have-heard-about-but-probably-didnt/]15 News Stories From 2015 You Should Have Heard About But Probably Didn't[/url] | The AntiMedia.org |
[QUOTE=ewmayer;421017]Also, I had been unaware of crypto guru Dan Bernstein's central role in their second major case, that related to exportation of crypto technologies.[/QUOTE]I was a minor participant in the trenches during the First Crypto Wars. In particular, I played a small rôle in the Bernstein case. I sent an American lawyer unambiguous proof that I (and by extension, anyone else in the UK) had access to the source code of PEM with its symmetric and asymmetric cryptographic protection for email.
The same lawyer gratefully received a one-line C program I wrote which implemented an OTP. It took him quite a time to persuade the State Department to rule that it wasn't export-controlled crypto code despite implementing an unbreakable cryptosystem. Lots of other fun things happened 20-25 years ago. By fun, I mean politically embarrassing for certain US officials. UK officials too, for that matter. Some of us old warriors are still active but it's good to see the next generation also getting involved. |
o [url=http://www.reuters.com/article/us-spying-juniper-idUSKBN0UN07520160109]Juniper Networks will drop code tied to National Security Agency[/url] | Reuters
Even though its revision-control system surely must tell the complete "when, who and (allegedly) why" story here, we are expected to swallow some pathetic line about "Juniper said it was continuing to investigate." o [url=http://www.nextgov.com/big-data/2016/01/70-percent-global-internet-traffic-goes-through-northern-virginia/124976/]Up to 70 Percent of Global Internet Traffic Goes Through Northern Virginia[/url] | Nextgov Thankfully that is nowhere near the extended US SIGINT 'campus' the article refers to as the heart of "spook country" ... oh, wait ... Note that Amazon Web Services gets a prominent treatment. |
I wouldn't assume that the NSA has not hacked revision control systems as a way to inject code... |
The court of appeal in London has ruled that the UK Terrorism Act is not compatible with the European convention on human rights.
The appeal was brought by David Miranda (Glenn Greenwald's partner) after he was detained in transit at London's Heathrow Airport in 2013. Press article: [URL]http://www.theguardian.com/world/2016/jan/19/terrorism-act-incompatible-with-human-rights-court-rules-in-david-miranda-case[/URL] |
[QUOTE=Nick;423012]The court of appeal in London has ruled that the UK Terrorism Act is not compatible with the European convention on human rights.
The appeal was brought by David Miranda (Glenn Greenwald's partner) after he was detained in transit at London's Heathrow Airport in 2013. Press article: [URL]http://www.theguardian.com/world/2016/jan/19/terrorism-act-incompatible-with-human-rights-court-rules-in-david-miranda-case[/URL][/QUOTE] Thanks for the link. So a bunch of High Lords deem that Miranda's 'detention was lawful' even though the law under which it was made is itself unlawful. Lord Kafka will be pleased to hear of this. |
[QUOTE=ewmayer;423156]So a bunch of High Lords deem that Miranda's 'detention was lawful' even though the law under which it was made is itself unlawful. Lord Kafka will be pleased to hear of this.[/QUOTE]The unlawful law was supposed to only be used to catch terrorists (whatever that means), but as usual function creep takes over and the laws get used where they are most convenient. Original intents be damned, it is all about using the laws to intimidate and suppress whatever puts "them" (the spooks/politicians/cops/etc.) in danger of being exposed and/or curtailed. |
[B] US lawmakers delay bill on European data privacy deal [/B]
[QUOTE]The Judicial Redress Act would allow EU citizens to sue over data privacy in the US but is likely to miss a January deadline for completion[/QUOTE]If this is not resolved, any company transferring personal data from the EU to the US after 1 February could face fines for doing so. Press article: [URL]http://www.theguardian.com/world/2016/jan/20/data-privacy-deal-us-eu[/URL] |
[URL="http://www.digitaltrends.com/social-media/sarcasm-detector-twitter/"]Researchers develop sarcasm detector for Twitter and that's no joke[/URL]
[QUOTE]Part of detecting sarcasm included individual tweets, account details from the user’s profile, past tweets and content, and any details regarding the tweeter’s audience that may be available. Surprisingly, this test resulted in an 85 percent accuracy level – 10 percent higher than the sarcasm detected when analyzing just the tweet alone.[/QUOTE] [QUOTE]According to those researching the sarcasm detector, some of the most common indicators in an author’s profile include the terms, [B]sarcasm, chemistry, atheist, and humor[/B]. Which you may want to consider adding to your profile so that even if your friends don’t get you, computers will.[/QUOTE] |
[URL="http://motherboard.vice.com/en_uk/read/judge-in-fbi-hacking-case-is-unclear-on-how-fbi-hacking-works"]Judge in FBI Hacking Case Is Unclear on How FBI Hacking Works[/URL]
[QUOTE]“I suppose there is somebody sitting in a cubicle somewhere with a keyboard doing this stuff. I don't know that. It may be they seed the clouds, and the clouds rain information."[/QUOTE] [QUOTE]Another exchange showed how it can be difficult for judges to conceptualise where data obtained from malware is sourced from, and where it goes. “Do the FBI experts have any way to look at the NIT information other than going to the server?” Judge Bryan asked. “Your Honor, they don't go to the server,” Colin Fieman, a federal public defender who is representing Michaud, replied. “Where do they go? How do they get the information?” “They get it from Mr. Michaud's computer.” “They don't have his computer.” “That's what the NIT is for,” Fieman explained.[/QUOTE] |
Support Our Snoops … Protest Against Encryption (Comic)
[url]https://recode.net/2016/01/20/support-our-snoops-protest-against-encryption-comic/[/url]
NOBUS is not possible. And even if it was possible who would you trust to be the "Us"? No one is beyond reproach. |
The NSA’s SKYNET program may be killing thousands of innocent people
The story is in regard to surveillance in Pakistan. The faulty technique used to "identify terrorists" is more broadly applicable.
[URL="http://arstechnica.co.uk/security/2016/02/the-nsas-skynet-program-may-be-killing-thousands-of-innocent-people/"][SIZE=2]"Ridiculously optimistic" machine learning algorithm is "completely bullshit," says expert.[/SIZE][/URL] [QUOTE]In 2014, the former director of both the CIA and NSA proclaimed that "we kill people based on metadata." Now, a new examination of previously published Snowden documents suggests that many of those people may have been innocent. Last year, The Intercept published [URL="https://theintercept.com/document/2015/05/08/skynet-courier/"]documents[/URL] detailing the NSA's [URL="https://theintercept.com/document/2015/05/08/skynet-applying-advanced-cloud-based-behavior-analytics/"]SKYNET[/URL] programme. According to the documents, SKYNET engages in mass surveillance of Pakistan's mobile phone network, and then uses a machine learning algorithm on the cellular network metadata of 55 million people to try and rate each person's likelihood of being a terrorist. Patrick Ball—a data scientist and the executive director at the [URL="https://hrdag.org/"]Human Rights Data Analysis Group[/URL]—who has previously given expert testimony before war crimes tribunals, described the NSA's methods as "ridiculously optimistic" and "completely bullshit." A flaw in how the NSA trains SKYNET's machine learning algorithm to analyse cellular metadata, [URL="https://hrdag.org/people/patrick-ball-phd/"]Ball[/URL] told Ars, makes the results scientifically unsound. [/QUOTE] |
[QUOTE=kladner;426568]The story is in regard to surveillance in Pakistan. The faulty technique used to "identify terrorists" is more broadly applicable.
[URL="http://arstechnica.co.uk/security/2016/02/the-nsas-skynet-program-may-be-killing-thousands-of-innocent-people/"][SIZE=2]"Ridiculously optimistic" machine learning algorithm is "completely bullshit," says expert.[/SIZE][/URL][/QUOTE] A.k.a. field testing of experimental tech intended to be deployed more broadly (including at home) in the future. Ya can't make an omelet without breaking a few eggs - or in this case pink-misting a few Pakistani wedding parties - right? Far-away conflict zones - and no risk of running out of those, just create new ones as needed - make for ideal beta-testing laboratories, just as is often done with experimental vaccines in Africa. ------------------------------------ [url=timshorrock.com/?p=2354]Cryptome’s searing critique of Snowden Inc.[/url] | TimShorrock.com [quote]Cryptome raises serious questions that nobody else on the left or in the media want to talk about, including how Omidyar has created a business from Snowden’s cache; what exactly Snowden may have been doing while he was working for the CIA prior to his time at NSA (and what else he may have been doing at NSA itself); and why Snowden and The Intercept continue to proselytize for Tor, the anonymization tool, despite its massive funding from the U.S. government, the Pentagon and the national security state. ... Cryptome’s critique, as expressed in the interview, is not new. Ever since Greenwald first wrote about Snowden’s documents in The Guardian in 2013, the organization has been keeping careful track of the glacial pace of the documents’ release and The Intercept’s almost-total control over the cache. Their latest tally, posted this week, is 6,318 pages of what The Guardian first reported as 58,000 files. 
From the start, Young and Natsios made it clear that they strongly disapprove of the fact that this cache has not been made widely available to the public and posted for all to see – as they have done with the tens of thousands of intelligence files they have released since the late 1990s (and as Daniel Ellsberg did with the Pentagon Papers).[/quote] This strikes me as roughly equal parts valid concerns and internecine shitfight, but interested in other readers' opinions on it. |
[QUOTE=ewmayer;426578]This strikes me as roughly equal parts valid concerns and internecine shitfight, but interested in other readers' opinions on it.[/QUOTE]
Language such as "proselytize for Tor" does not sound objective to me. In my conversations with the late Caspar Bowden, Roger Dingledine and others on the Tor project, I always found them knowledgeable and sincere. |
Why Tim Cook is right to call court-ordered iPhone hack a “backdoor”
[URL="http://arstechnica.com/tech-policy/2016/02/why-tim-cook-is-right-to-call-court-ordered-iphone-hack-a-backdoor/"]Another spook attempt[/URL] to be able to snoop on millions more. Who could possibly believe that they would use this court-ordered hack [U]only once[/U]?
[QUOTE]The order requires Apple to create a customized version of iOS that will run only on the iPhone 5C belonging to Syed Rizwan Farook. Along with his wife, Tashfeen Malik, Farook went on a deadly shooting rampage in San Bernardino. The FBI understandably wants access to the data stored on Farook's phone so investigators have a better idea of the events leading up to the deadly attack and whether the husband-and-wife team received support from unknown people. But so far investigators have been unable to unlock the device. Security measures Apple built into the iPhone limit the number of guesses they can make, and there's also concern too many guesses could cause the phone to automatically destroy the data it stores. The special iOS version the court ordered would work around these restrictions. It would remove normal iOS functions Apple created to intentionally increase the amount of time it takes to repeatedly enter passcodes, and it would allow an unlimited number of guesses to be made without destroying any data. The Apple-produced software must also allow the FBI to submit PIN code guesses through the phone's physical device port or through Bluetooth or Wi-Fi connections, a requirement that would allow investigators to use speedy computer scripts rather than manually enter each PIN candidate. Based on the wording of the order, the customized iOS version probably wouldn't be directly installed on the phone, but rather loaded into the phone's memory, in much the way OSes can be booted from a USB drive. Because of requirements that iPhone software be digitally signed using valid Apple signing keys, Apple is the only company capable of installing the custom OS on Farook's phone without going through the extremely risky process of jailbreaking it. In essence, the order requires Apple to create software that bypasses all of these key security features it built into the iPhone. [B][SIZE=3]Aye, there's the rub [/SIZE][/B] [/QUOTE] |
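The quoted order turns on two device-side protections: an escalating delay after each failed passcode and an optional erase-after-N-failures setting. As an added illustration (not from the article, Apple, or this thread), the Python model below runs the same exhaustive 4-digit PIN search against those protections and against a build with them stripped out; the delay schedule and the 10-failure wipe threshold are assumptions, not Apple's real values.

```python
from dataclasses import dataclass


def assumed_delay_seconds(failures: int) -> int:
    """Escalating lockout after each failed guess.

    Constructed schedule for illustration only; the page does not give the
    real firmware values. The first four failures cost nothing, later ones
    cost progressively longer waits, capped at one hour per attempt.
    """
    if failures < 5:
        return 0
    return {5: 60, 6: 300, 7: 900, 8: 900}.get(failures, 3600)


@dataclass
class PasscodeGate:
    """Device-side guess counter with optional throttling and auto-wipe.

    throttle=False and wipe_enabled=False model the court-ordered build the
    article describes (no delays, unlimited guesses).
    """
    throttle: bool = True
    wipe_enabled: bool = True
    wipe_after: int = 10          # assumed "erase data after 10 failures" setting
    failures: int = 0
    wiped: bool = False
    waited_seconds: int = 0       # cumulative simulated lockout time

    def attempt(self, guess: str, correct: str) -> bool:
        """Return True on a correct guess; update counters on a wrong one."""
        if self.wiped:
            raise RuntimeError("data already erased; no further attempts possible")
        if guess == correct:
            self.failures = 0
            return True
        self.failures += 1
        if self.throttle:
            self.waited_seconds += assumed_delay_seconds(self.failures)
        if self.wipe_enabled and self.failures >= self.wipe_after:
            self.wiped = True
        return False


def exhaustive_search(gate: PasscodeGate, correct: str, digits: int = 4):
    """Try every numeric PIN in order, stopping on success or on a wipe.

    Returns (pin_found_or_None, attempts_made, gate).
    """
    attempts = 0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        attempts += 1
        if gate.attempt(guess, correct):
            return guess, attempts, gate
        if gate.wiped:
            return None, attempts, gate
    return None, attempts, gate


def compare_policies(correct: str = "7391", digits: int = 4):
    """Run the same search against the shipped protections and the weakened build.

    The PIN "7391" is a constructed sample value.
    """
    protected = exhaustive_search(PasscodeGate(), correct, digits)
    weakened = exhaustive_search(
        PasscodeGate(throttle=False, wipe_enabled=False), correct, digits)
    return protected, weakened


if __name__ == "__main__":
    (p_pin, p_tries, p_gate), (w_pin, w_tries, w_gate) = compare_policies()
    print(f"protected: found={p_pin} attempts={p_tries} wiped={p_gate.wiped} "
          f"lockout={p_gate.waited_seconds}s")
    print(f"weakened:  found={w_pin} attempts={w_tries} wiped={w_gate.wiped} "
          f"lockout={w_gate.waited_seconds}s")
```

With the protections on, the search is stopped by the wipe after ten guesses and has already accumulated hours of lockout; with them off, the whole 4-digit space is walkable in one sitting, which is the point of Cook's "backdoor" label.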
McAfee offers to crack iPhone for free
Ars Technica just posted a story that they will crack the iPhone for free in 3 weeks or less using their staff of hackers using social media. The author thought McAfee was full of it. [URL="http://arstechnica.com/staff/2016/02/mcafee-will-break-iphone-crypto-for-fbi-in-3-weeks-or-eat-shoe-on-live-tv/"]http://arstechnica.com/staff/2016/02/mcafee-will-break-iphone-crypto-for-fbi-in-3-weeks-or-eat-shoe-on-live-tv/[/URL]
|
[QUOTE=tServo;426844]Ars Technica just posted a story that they will crack the iPhone for free in 3 weeks or less using their staff of hackers using social media. The author thought McAfee was full of it. [URL]http://arstechnica.com/staff/2016/02/mcafee-will-break-iphone-crypto-for-fbi-in-3-weeks-or-eat-shoe-on-live-tv/[/URL][/QUOTE]
Haha, that is a good one. Actually, I read it to the end, and even googled "soylent farts" :blush: |
[url]http://daringfireball.net/linked/2016/02/18/nyt-china-apple[/url]
|
[QUOTE=xilman;426929][url]http://daringfireball.net/linked/2016/02/18/nyt-china-apple[/url][/QUOTE]Either an intentionally smart move on NYT's part, or a dumb mistake. By deleting it they bring it to everyone's attention. Once it is published, you can't un-publish it; this is the Internet, it never forgets.
|
It's possible that removing that part will allow the rest of the article to be read from Internet connections in China.
|
[QUOTE=retina;426930]Either an intentionally smart move on NYT's part, or a dumb mistake. By deleting it they bring it to everyone's attention. Once it is published, you can't un-publish it; this is the Internet, it never forgets.[/QUOTE]
NYT..cough cough..Judith Miller....aluminium tubes |
[URL="http://gizmodo.com/justice-department-forcing-apple-to-unlock-about-12-oth-1760749507"]Justice Department Forcing Apple to Unlock 'About 12 Other iPhones' Says WSJ[/URL][QUOTE]The unlocking of the San Bernardino iPhone may just be the tip of the iceberg. According to the Wall Street Journal, the Justice Department is currently trying to have Apple extract data from “about a dozen” iPhones around the country.
According to “people familiar with the matter,” the authorities are looking to extract data from these other phones in much the same way as the San Bernardino case. In each example, prosecutors have attempted to use the All Writs Act to force Apple to bypass the device’s passcode in order to extract data. While the Journal hasn’t learned any exact details about the cases, it claims “they don’t involve terrorism charges,” according to its sources. Other than that, details remain scant.[/QUOTE] |
A woman parked her car in Amsterdam and paid using her mobile phone, but mistyped her car registration number. She was subsequently fined, but fought her case all the way up to the (Dutch) Supreme Court - and won. The court ruled today that the law only allows a fine to be imposed if someone parks a car without paying.
Judgment (in Dutch): [URL]http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:HR:2016:316[/URL] |
Found this on Twitter.
[url]https://pbs.twimg.com/media/Cb2muR8WIAA36hp.jpg[/url] The joke went down well at the security meeting today. |
[QUOTE=xilman;427495]Found this on Twitter.
[URL]https://pbs.twimg.com/media/Cb2muR8WIAA36hp.jpg[/URL] The joke went down well at the security meeting today.[/QUOTE] Yeah. That is a good one, right down to changing Siri into HAL. |
There was this rickroll suggestion:
[URL="http://www.slate.com/blogs/future_tense/2016/02/23/this_comic_perfectly_captures_the_element_of_absurdity_in_apple_s_standoff.html"]The Essence of Apple’s Standoff With the FBI, in One Comic[/URL] |
Am I missing a thread on the "Apple vs FBI" issue? I would have expected a poll or at least a number of people arguing one side or the other.
|
[QUOTE=rogue;427533]Am I missing a thread on the "Apple vs FBI" issue? I would have expected a poll or at least a number of people arguing one side or the other.[/QUOTE]
I suspect most folks around here consider this existing thread to be just fine for the current Apple vs USgov discussion, we can consider a separate thread if the volume gets frickin' huge, but that seems unlikely. |
[QUOTE=rogue;427533]Am I missing a thread on the "Apple vs FBI" issue? I would have expected a poll or at least a number of people arguing one side or the other.[/QUOTE]I don't care about the outcome actually. The important point is that if one uses a short passcode then they are essentially relying upon the goodwill of Apple to not allow others access to their data. And any security that relies upon the actions (or non-actions) of others is not the sort of security that I want to use.
[size=1]Use a long and strong passcode then you'll be good.[/size] |
The ramifications are significant both ways. I am highly concerned about the "slippery slope" that will happen if Apple loses.
Can the government force companies to make back doors into their operating systems? Can they outlaw OSes that don't have back doors? Even without a subpoena, we know that the government will use those back doors. The government can't be punished for doing things that are illegal, can it? Normally one or two people might be fired, but they probably won't go to jail. In any case, it doesn't mean that the law or behaviors will change. Even if the government would have to get a subpoena, they also own all the cards WRT whom they call a terrorist. To me this is far worse than the idea of the government taking away all of our guns (which we know will never happen). On the other hand I recall one case where a child pornographer had many GB of encrypted child pornography on a computer and the government was trying to force that person to decrypt it so that they could try to determine who the victims were and to track down other child pornographers. The defendant (who was already convicted) refused, pleading the fifth. I don't recall what happened in that case. What scares me is that if there is a back door, then we know that it will eventually become public, because we know our government is not great at keeping secrets. I can understand Microsoft's opinion on this issue, since Windows already has so many security issues with its OS they have little to lose. Forcing the competition to become as insecure as their own is a good thing for them. I would err on the side of saying "No" to the government for the simple reason that they have other means to get much of the information they are looking for: interviewing (re water-boarding), etc. And for those of you afraid of "underground" organizations taking advantage of my position, they already exist and there are more of them than any of us know about. |
[URL="https://bgr.com/2016/02/23/fbi-vs-apple-iphone-mdm-software/"]FBI battle over locked iPhone could have been avoided with a $4 piece of software[/URL]
[quote]. . . “The county government that owned the iPhone in a high-profile legal battle between Apple Inc. and the Justice Department paid for but never installed a feature that would have allowed the FBI to easily and immediately unlock the phone…,” the report reads in part. “The service costs $4 per month per phone.” . . .[/quote]I heard that if the Justice Department had just asked politely and quietly for Apple's assistance, Apple might've cooperated ... [I]just as it has 70 times in the past, without publicity[/I]. But noooo..., this time the government had to be heavy-handed, invoking a 19th-century law to try to force Apple to cooperate in a particular way that would make other devices' encryption vulnerable. |
[QUOTE=ch4;427624][URL="https://bgr.com/2016/02/23/fbi-vs-apple-iphone-mdm-software/"]FBI battle over locked iPhone could have been avoided with a $4 piece of software[/URL]
I heard that if the Justice Department had just asked politely and quietly for Apple's assistance, Apple might've cooperated ... [I]just as it has 70 times in the past, without publicity[/I]. But noooo..., this time the government had to be heavy-handed, invoking a 19th-century law to try to force Apple to cooperate in a particular way that would make other devices' encryption vulnerable.[/QUOTE] But they [I]want[/I] to do it this way. They want to attack privacy provisions. That this is a high profile case is exactly what they want because if it was something smaller, people would be saying "WTF are you doing destroying rights over a two bit case?" |
A view from Oz (as in down-under-stan, not emerald-city-stan) - my only quibble is with the "has gone" tense, and the hero-worship w.r.to Apple which only recently decided to get out of bed with the NSA, probably less on principle than because it had suddenly become bad for business (OK, I admit that's 2 quibbles):
[url=https://medium.com/@jamesallworth/the-u-s-has-gone-f-ing-mad-52e525f76447#.wvrcvlb9k]The U.S. has Gone F&*%ing Mad[/url] — Medium |
Folks,
I just stumbled across an [I]ars technica[/I] article that made me realize that I hadn't been using enough imagination to envision what the government might have in mind. [B]This is much, much worse than I had previously imagined.[/B] [QUOTE=only_human;427642]< snip > They want to attack privacy provisions.[/QUOTE] That's what I had been thinking, too ... until I read this [I]ars technica[/I] article. No, the target is much bigger than mere privacy provisions. [quote=only_human]But they [I]want[/I] to do it this way.[/quote] Yes, but "this way" (as described in the [I]ars technica[/I] article) is much more sinister than what _I_ had previously envisioned. _I_ had been thinking only in terms of the FBI's trying to force Apple to give them software that was a more general encryption-breaker, that could be used on a wider variety of devices than only the particular type of iPhone in this case. But, as the article explains, what the government is after is something that doesn't merely decrypt, but renders all Apple software on any device vulnerable not just to have its encryption broken, but to allow the government to change [U]any software it wants to change in any way it wants to[/U]. How? By subverting the software update capability. [quote]That this is a high profile case is exactly what they want because if it was something smaller, people would be saying "WTF are you doing destroying rights over a two bit case?"[/quote]Exactly. Very, very few of the general public will understand how dangerous this is. Think: [B]Suppose the government could force Apple to give it a way to fool any software that had an update capability into accepting the government's own updates to that software.[/B] That doesn't just let the government decrypt stuff, but [B]lets the government install [U]any software[/U] it wants[/B] onto a device with automatically-updatable software. So why does it endanger NON-Apple devices? 
Because if it can force Apple to allow this, [I]it can force any other company to allow it to subvert [U]that other company[/U]'s auto-updatable software[/I], via malicious updates. That's why Apple cannot afford to give in. It's not just Apple's future at stake!! - - - This may have started to look a bit like mad ravings, so it's time for me to direct your attention to the explanatory article: (Forgive me for quoting almost the entire article. [U]This is very important.[/U]) = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = [URL]http://arstechnica.com/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/[/URL] [B]Most software already has a “golden key” backdoor: the system update[/B] Software updates are just another term for cryptographic single-points-of-failure. [quote]. . . ... here is a sad joke that happens to describe the reality we presently live in: [quote][INDENT]Q: What does almost every piece of software with an update mechanism, including every popular operating system, have in common? A: Secure golden keys, cryptographic single-points-of-failure which can be used to enable total system compromise via targeted malicious software updates. [/INDENT][/quote]I'll define those terms: By "malicious software update," I mean that someone tricks your computer into installing an inauthentic version of some software which causes your computer to do things you don't want it to do. A "targeted malicious software update" means that only the attacker's intended target(s) will receive the update, which greatly decreases the likelihood of anyone ever noticing it. To perform a targeted malicious software update, an attacker needs two things: (1) to be in a position to supply the update and (2) to be able to convince the victim's existing software that the malicious update is authentic. 
Finally, by "total system compromise" I mean that the attacker obtains all of the authority held by the program they're impersonating an update to. In the case of an operating system, this means that the attacker can subvert any application on that computer and obtain any encryption keys or other unencrypted data that the application has access to. A backdoored encryption system which allows attackers to decrypt arbitrary data that their targets have encrypted is a significantly different kind of capability than a backdoor which allows attackers to run arbitrary software on their targets' computers. I think many informed people discussing [I]The Washington Post'[/I]s request for a "secure golden key" assumed they were talking about the former type of backdoor, though it isn't clear to me if the editorial's authors actually understand the difference. From an attacker perspective, each capability has some advantages. The former allows for passively-collected encrypted communications and other surreptitiously obtained encrypted data to be decrypted. The latter can only be used when the necessary conditions exist for an active attack to be executed, but when those conditions exist it allows for much more than mere access to already-obtained-but-encrypted data. Any data on the device can be exfiltrated, including encryption keys and new data which can be collected from attached microphones, cameras, or other peripherals. Many software projects have only begun attempting to verify the authenticity of their updates in recent years. But even among projects that have been trying to do it for decades, most still have single points of devastating failure. This problem exists in almost every update system in wide use today. Even my favorite operating system, Debian, has this problem. 
If you use Debian or a Debian derivative like Ubuntu, you can see how many single points of failure you have in your update authenticity mechanism with this command: sudo apt-key list | grep pub | wc -l For the computer I'm writing this on, the answer is nine. When I run the apt-get update command, anyone with any one of those nine keys who is sitting between me and any of the webservers I retrieve updates from could send me malicious software and I will run it as root. How did we get here? How did so many well-meaning people build so many fragile systems with so many obvious single points of failure? I believe it was a combination of naivety and hubris.[/quote] Sorta like Y2k ... but this is more sinister. [quote]They probably thought they would be able to keep the keys safe against realistic attacks, and they didn't consider the possibility that their governments would actually compel them to use their keys to sign malicious updates. Fortunately, there is some good news. The FBI is presently demonstrating that this was never a good assumption, which finally means that the people who have been saying for a long time that we need to remove these single points of failure can't be dismissed as unreasonably paranoid anymore. I won't write much about the specifics of the FBI/Apple situation, because there are already plenty of [URL="https://arstechnica.com/series/apples-encryption-battle/"]in-depth accounts[/URL] of the many details of the case. The important thing to understand is that the FBI is demanding that Apple provide them with a signed software update which will disable an iPhone feature which deletes data after a certain number of failed attempts at guessing the PIN (which, along with a per-device secret, is the seed from which the encryption key is derived). On iPhones with relatively short PINs, this effectively "breaks" the encryption because a small key space can be quickly searched. (On my Debian system, such a feature doesn't even exist. 
If someone has my encrypted hard drive, they can freely attempt to brute-force my disk passphrase—but hopefully most people's disk crypto passphrases on computers with keyboards are stronger than a short PIN. If an attacker can convince my computer to run arbitrary code while the disk is decrypted, the key can be exfiltrated and the strength of the passphrase becomes irrelevant.) So when Apple says the FBI is trying to "force us to build a backdoor into our products," what they are really saying is that the FBI is trying to force them to use a backdoor which already exists in their products. (The fact that the FBI is also asking them to write new software is not as relevant, because they could pay somebody else to do that. The thing that Apple can provide which nobody else can is the signature.) Is it reasonable to describe these single points of failure as backdoors? I think many people might argue that industry-standard systems for ensuring software update authenticity do not qualify as backdoors, perhaps because their existence is not secret or hidden in any way. But in the present Apple case where they are themselves using the word "backdoor," abusing their cryptographic single point of failure is precisely what the FBI is demanding. Apple might prevail in their current conflict with the FBI, but the fact that they could also lose means they may have already lost to someone else. Imagine if some other murderous criminal organization wanted to access data on a PIN-encrypted iPhone. What if they, like the FBI has now done, found some people who understand how the technology works and figured out who needs to be coerced to make it possible? Having access to a "secure golden key" could be quite dangerous if sufficiently motivated people decide that they want access to it. I'm optimistic that the demands the FBI is making to Apple will serve as a wakeup call to many of the people responsible for widely-used software distribution infrastructures. 
I expect that in the not-too-distant future, for many applications at least, attackers wishing to perform targeted malicious updates will be unable to do so without compromising a multitude of keys held by many people in many different legal jurisdictions. There are a number of promising projects which could help achieve that goal, including the DeDiS [URL="https://github.com/dedis/cothority"]Cothority[/URL] and the Docker project's [URL="https://github.com/docker/notary"]Notary[/URL]. Being free of single points of failure should be a basic requirement for any new software distribution mechanisms deployed today.[/quote]"Being free of single points of failure should be a basic requirement for any new software distribution mechanisms deployed today." |
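As an added example (not from the article, this post, or any of the projects it names) of the k-of-n update verification the quoted article calls for: a Go sketch in which a client accepts a signed manifest only when enough distinct trusted keys verify it, shown with a 1-of-3 policy beside a 2-of-3 one. Signer names, the package name and the payloads are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one key holder in the release pipeline (constructed names below).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub, priv: priv}
}

// Manifest names one update and commits to its payload by SHA-256.
type Manifest struct {
	Package, Version string
	Digest           [32]byte
}

// Bytes is the canonical byte string that gets signed.
func (m Manifest) Bytes() []byte {
	return append([]byte(m.Package+"\x00"+m.Version+"\x00"), m.Digest[:]...)
}

type Signature struct {
	Signer string
	Sig    []byte
}

func (s Signer) Sign(m Manifest) Signature {
	return Signature{Signer: s.Name, Sig: ed25519.Sign(s.priv, m.Bytes())}
}

// Policy is the client's trust root. Threshold 1 is the single point of failure the
// article describes; a 2-of-3 threshold means one coerced or stolen key is not enough.
type Policy struct {
	Trusted   map[string]ed25519.PublicKey
	Threshold int
}

// Accept reports whether the update may be installed.
func (p Policy) Accept(m Manifest, payload []byte, sigs []Signature) bool {
	if sha256.Sum256(payload) != m.Digest || p.Threshold < 1 {
		return false // payload does not match the signed manifest, or no policy
	}
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := p.Trusted[s.Signer]
		if !ok || seen[s.Signer] { // untrusted key, or the same key presented twice
			continue
		}
		if ed25519.Verify(pub, m.Bytes(), s.Sig) {
			seen[s.Signer] = true
		}
	}
	return len(seen) >= p.Threshold
}

// Outcome records what each policy decides for each constructed update.
type Outcome struct {
	LegitAccepted        bool // benign update, all three signatures, 2-of-3
	SingleKeyCompromised bool // malicious update, one coerced key, 1-of-3
	ThresholdCompromised bool // malicious update, one coerced key, 2-of-3
	DuplicateCounted     bool // one coerced key signing twice, 2-of-3
}

func RunScenario() Outcome {
	alice, bob, carol := NewSigner("alice"), NewSigner("bob"), NewSigner("carol")
	trusted := map[string]ed25519.PublicKey{"alice": alice.Pub, "bob": bob.Pub, "carol": carol.Pub}
	single := Policy{Trusted: trusted, Threshold: 1}
	multi := Policy{Trusted: trusted, Threshold: 2}
	benign := []byte("constructed sample payload: routine bug fixes")
	good := Manifest{Package: "os-update", Version: "9.0.1", Digest: sha256.Sum256(benign)}
	goodSigs := []Signature{alice.Sign(good), bob.Sign(good), carol.Sign(good)}
	// Only alice's key was obtained (by theft or compulsion); bob and carol never signed.
	malicious := []byte("constructed sample payload: retry limit and auto-wipe disabled")
	bad := Manifest{Package: "os-update", Version: "9.0.2", Digest: sha256.Sum256(malicious)}
	oneKey := []Signature{alice.Sign(bad)}
	twice := []Signature{alice.Sign(bad), alice.Sign(bad)}
	return Outcome{
		LegitAccepted:        multi.Accept(good, benign, goodSigs),
		SingleKeyCompromised: single.Accept(bad, malicious, oneKey),
		ThresholdCompromised: multi.Accept(bad, malicious, oneKey),
		DuplicateCounted:     multi.Accept(bad, malicious, twice),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The same malicious manifest that the 1-of-3 client installs is rejected by the 2-of-3 client, and presenting the one coerced key's signature twice does not help, which is the property the article wants from Notary-style multi-key distribution.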
More on Apple v FBI
[URL="https://theintercept.com/2016/03/08/snowden-fbi-claim-that-only-apple-can-unlock-phone-is-bullshit/"]Snowden: FBI Claim That Only Apple Can Unlock Phone Is “Bullshit”[/URL]
-The Intercept [QUOTE]NSA whistleblower Edward Snowden says the FBI’s ostensibly last-ditch attempt to unlock San Bernardino shooter Syed Rizwan Farook’s iPhone is a sham. The FBI last month persuaded a federal judge that the only way to get into the phone was to make Apple write code to undermine its own security protocols. Apple is refusing to comply. “The FBI says Apple has the ‘exclusive technical means’” to unlock the phone, Snowden said during a [URL="http://www.commoncause.org/video/events/blueprint-2016/conversation-on-surveillance-democracy-civil-society.html?referrer=https://t.co/M97e2h0xRU"]discussion[/URL] at Common Cause’s Blueprint for Democracy conference. “Respectfully, that’s bullshit,” he said, over a video link from Moscow. [/QUOTE]The link below is cited in the article above. [URL="https://www.aclu.org/blog/free-future/one-fbis-major-claims-iphone-case-fraudulent"]One of the FBI’s Major Claims in the iPhone Case Is Fraudulent [/URL] -ACLU blog [QUOTE]In the FBI’s court order requesting Apple's assistance in unlocking the work iPhone 5c used by the San Bernardino shooter, the bureau's first and most urgent demand is that Apple disable the iPhone's “auto-erase” security feature. This feature (which is not enabled by default on most iPhones) protects user data on a device from would-be snoops by wiping the phone after 10 failed passcode attempts. This protects you and me from thieves trying to guess our passcodes and access our data for identity theft, for example. But the truth is that even if this feature is enabled on the device in question, the FBI doesn't need to worry about it, because they can already bypass it by backing up part of the phone (called the “Effaceable Storage”) before attempting to guess the passcode. I'll go into the technical details (which the FBI surely already knows) below. [/QUOTE] |
[URL="https://www.techdirt.com/articles/20160315/15505433916/apples-response-to-doj-your-filing-is-full-blatantly-misleading-claims-outright-falsehoods.shtml"]Apple's Response To DOJ: Your Filing Is Full Of Blatantly Misleading Claims And Outright Falsehoods[/URL]
[QUOTE]In fact, in a footnote, Apple goes even further in not just blasting the DOJ's suggestion that Congress didn't really consider a legislative proposal to update CALEA to suck in requirements for internet communications companies, but also highlighting the infamous quote from top intelligence community lawyer Robert Litt about how [B]they'd just wait for the next terrorist attack[/B] and get the law passed in their favor at that point.[/QUOTE] [QUOTE]The filing is basically Apple, over and over again, saying, "uh, what the DOJ said was wrong, clueless, technically ignorant, or purposely misleading." Hell, they even attack the DOJ's claim that the All Writs Act was used back in 1807 to force Aaron Burr's secretary to decrypt one of Burr's cipher-protected letters. Apple points out that the DOJ is lying.[/QUOTE] |
Fun links from the article linked above.
Fallout: [url]https://www.techdirt.com/articles/20160314/16561133907/white-house-begins-to-realize-it-may-have-made-huge-mistake-going-after-apple-over-iphone-encryption.shtml[/url] John Oliver: [url]https://www.techdirt.com/articles/20160314/08023233897/john-oliver-explains-why-you-should-side-with-apple-over-fbi-better-than-most-journalists.shtml[/url] Lindsey Graham(!): [url]https://www.techdirt.com/articles/20160314/09144433899/senator-lindsey-graham-finally-talks-to-tech-experts-switches-side-fbi-v-apple-fight.shtml[/url] |
In-depth piece on the profit-motivated side of our headlong societal rush towards universal surveillance by Shoshana Zuboff of the [i]Frankfurter Allgemeine Zeitung[/i]:
[url=www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-zuboff-secrets-of-surveillance-capitalism-14103616.html]The Secrets of Surveillance Capitalism[/url] : [i]Governmental control is nothing compared to what Google is up to. The company is creating a wholly new genus of capitalism, a systemic coherent new logic of accumulation we should call surveillance capitalism. Is there nothing we can do?[/i] [quote]The very idea of a functional, effective, affordable product as a sufficient basis for economic exchange is dying. The sports apparel company Under Armour is reinventing its products as wearable technologies. The CEO wants to be like Google. He says, “If it all sounds eerily like those ads that, because of your browsing history, follow you around the Internet, that’s exactly the point–except Under Armour is tracking real behavior and the data is more specific… making people better athletes makes them need more of our gear.” The examples of this new logic are endless, from smart vodka bottles to Internet-enabled rectal thermometers and quite literally everything in between. A Goldman Sachs report calls it a “gold rush,” a race to “vast amounts of data.”[/quote] Came across a seemingly-unrelated article on Biotech cos. "mining for gold in the personal microbiome" that same day, and it quickly dawned on me that these things are not unrelated at all ... with respect to the issue of “Great. Big Pharma IP in my gut biome. What could go wrong?” — Just think, by combining this research with the kind of miniaturization embodied in the “smart internet-connected rectal thermometer” described above, a pharma corp could actually discover a novel and useful microbe in your gut and patent it before you ever knew about it. Market efficiency there, my friends! Then they could turn around and sue you, the host of said microbe, under the in-final-secret-negotiations TPP/TTIP's ISDS dispute resolution [a.k.a. 
'corporate-captured kangaroo court'] provision for patent infringement, requesting the court that you pay a hefty fine and undergo a course of personal-biome-nuking antibiosis … using the same PharmaCorp's incredibly expensive antibiotics, of course, and at your own expense. But hey, the cost of the drugs will help you reach your ACA-caused colossal insurance deductible for the year. Man, big-data-enhanced free-market capitalism is so awesome. |
[QUOTE=retina;427542]I don't care about the outcome actually. The important point is that if one uses a short passcode then they are essentially relying upon the goodwill of Apple to not allow others access to their data. And any security that relies upon the actions (or non-actions) of others is not the sort of security that I want to use.[/QUOTE]I have changed my mind on this. I hope that Apple [u]lose[/u] this case, and that they are forced to help in creating the demanded software.
My reasons are three-fold (in no particular order):[list][*]It will showcase the existing weaknesses of the digital devices people use and highlight the dangers of storing everything without regard for who may gain access in the future.[*]It will encourage engineers designing devices to make them unreachable to anyone without the passcode, regardless of what software is runnable, and with all desired timeouts and lockouts remaining active and effective. I'm sure most companies would not like to be in Apple's position and they will try to find a way to avoid it in the future.[*]It will send a signal to people using their digital devices (the users) that they cannot rely upon the stated goodwill and good intentions of companies to keep them secure, because other parties can coerce the companies to act in ways that may harm them.[/list] |
My old, decidedly non-smart 'candybar' cellphone played a nasty trick on me over the weekend. Not being married (and thus not subject to e-leash laws) I only turn it on once per day to check messages and make a needed call or two; everyone who knows me well enough to possibly need to reach me in emergency fashion knows alternate means of doing so. I have no landline - ditched that ~10 years ago, as soon as CA passed a law requiring mobile carriers to allow people to transfer an existing number to a mobile phone.
Until ~6 months ago I used the phone sans the optional 4-digit lock code, but then 'with enhanced security in mind' (i.e. cops stealing info off your phone and such) I began to use that feature. No problems until this past weekend, when the phone suddenly decided the lock code I'd been using - it needs a lot of menus to change, no possible chance of 'butt-dialing' a random new one - is no good. Local Verizon store was little help - bottom line, whatever possible options I may have for getting it unlocked there will take at least as much time as manually running through all 10^4 possibilities (statistically one will need on average 1/2 as many ... my thumbs are hoping to get lucky). Using breaks here and there and TV commercial breaks to merrily click away ... 400 down so far, as many as 9600 to go. Needless to say, given how lightly I use the unit (i.e. few personal data on it, just contact numbers and names), once I'm back I shall be disabling this particular security feature. |
[QUOTE=ewmayer;429761]Until ~6 months ago I used the phone sans the optional 4-digit lock code, but then 'with enhanced security in mind' (i.e. cops stealing info off your phone and such) I began to use that feature. No problems until this past weekend, when the phone suddenly decided the lock code I'd been using - it needs a lot of menus to change, no possible chance of 'butt-dialing' a random new one - is no good. Local Verizon store was little help - bottom line, whatever possible options I may have for getting it unlocked there will take at least as much time as manually running through all 10^4 possibilities (statistically one will need on average 1/2 as many ... my thumbs are hoping to get lucky). Using breaks here and there and TV commercial breaks to merrily click away ... 400 down so far, as many as 9600 to go. Needless to say, given how lightly I use the unit (i.e. few personal data on it, just contact numbers and names), once I'm back I shall be disabling this particular security feature.[/QUOTE]So your phone software is :poop:. If it was bug free then no doubt you wouldn't have this problem. And is the passcode used to encrypt the data or is it just a simple software gate that is useless if someone scans the flash storage directly?
However why not just wipe the whole thing and restore from backup? If you don't have any backups then what would you have done if you had had it stolen, or lost it, or accidentally dropped it into molten lava? If the data are important enough to spend time going through up to 10000 PIN trials then they should also be important enough to spend 2 minutes backing it up occasionally. I guess hindsight is a wonderful thing. |
[QUOTE=retina;429721]and highlight the dangers of storing everything without regard for who may gain access in the future.[/QUOTE]
With the amount of intimate photos and personal details put on facebook marked as public or friends of friends, I seriously doubt people are going to care about storing it safely. |
[QUOTE=0PolarBearsHere;429764]With the amount of intimate photos and personal details put on facebook marked as public or friends of friends, I seriously doubt people are going to care about storing it safely.[/QUOTE]I think there is more to it than simple photos people choose to make public. These pocket computers can do much more. For starters they can contain private messages/pictures/whatevers that people don't want to put on [strike]vanitybook[/strike] [strike]egobook[/strike] facebook. They can contain stored passwords for banking, CC numbers, health information, etc. If people care about these things then they should inform themselves about just what they are getting into when they decide to put everything in there.
|
[QUOTE=ewmayer;429761]My old, decidedly non-smart 'candybar' cellphone played a nasty trick on me over the weekend...[/QUOTE]
Here in Europe, the 4 digit PIN people type into a non-smart mobile phone does not protect access to the physical phone but access to the SIM (smart card) inside it with the crypto keys for the network connection. Thus, what is protected by the PIN is the subscriber's account with the phone company. |
I am back in ... yesterday I decided to try to be smart about things and try all possible single-bit-flips applied to the old PIN, assuming each digit stored as a hex char, i.e. in the binary range 0000-1001. No joy, so continued my brute-force enumeration, and got thru the first 1000 possibles (0000-0999) last night. Was just now settling in for another during-TV-ads evening session, and hit it on the 4th try. The new lock code, 1003, turns out to match the last 4 digits of my phone #, which is
[1] Annoying, in that it points to a software bug of some kind - I never have occasion to enter my own number, and have never used it as a basis for a PIN. [2] Relieving, in that it is at the lower end of the "how many tries needed on average" scale. One final annoyance - it seems on this model phone, once you PIN-protect access, you can only *change* your PIN, not unselect the PIN protection option. Shy of wiping the entire memory, that is. |
[QUOTE=ewmayer;429931]The new lock code, 1003, turns out to match the last 4 digits of my phone #, [/QUOTE]
I guess the question now is, is the last four digits of your phone number a secondary pin that the telco uses? Anyone you know that uses the same phone and provider that you could test with? |
[QUOTE=Nick;429775]Here in Europe, the 4 digit PIN people type into a non-smart mobile phone does not protect access to the physical phone but access to the SIM (smart card) inside it with the crypto keys for the network connection. Thus, what is protected by the PIN is the subscriber's account with the phone company.[/QUOTE]
Same in Australia. It's the SIM pin, with PUK and PUK2 codes if you do it wrong too many times. |
[QUOTE=0PolarBearsHere;429934]I guess the question now is, is the last four digits of your phone number a secondary pin that the telco uses? Anyone you know that uses the same phone and provider that you could test with?[/QUOTE]
Same provider, yes. Same phone, doubtful - mine is over 10 years old, no one I know uses one anywhere near that age. But I will poke around online to see if I can find anything about my carrier using last-4-digits as a secondary PIN - an interesting possibility, thanks for noting it. |
[QUOTE=ewmayer;429943]Same provider, yes. Same phone, doubtful - mine is over 10 years old, no one I know uses one anywhere near that age. But I will poke around online to see if I can find anything about my carrier using last-4-digits as a secondary PIN - an interesting possibility, thanks for noting it.[/QUOTE]You could test this yourself. Change the PIN to something else and see if 1003 still works.
|
[QUOTE=retina;429944]You could test this yourself. Change the PIN to something else and see if 1003 still works.[/QUOTE]
Yes, but devising that kind of experimental scheme would require > 2 functioning brain cells to think of. :) Tried it - no go, only the new code works. So last-4-digits appears to be some kind of default-on-glitch reset. All my other data appear intact, no clue what kind of glitch may have occurred. Oh, and I misspoke about being permanently forced to use a lock code once one enables said option - the menu I assumed was asking me for a new code is in fact simply re-asking the user to re-enter the current code in order to access this (and similar) security-settings-change menus. Sensible - I turn-on/unlock my phone, lose it while it's still on and unlocked, someone finding it shouldn't be able to change said settings so as to lock me out of my own phone. (That privilege is reserved, as noted, for the handset-manufacturer/software-coders and possibly some select subset of 'other interested parties' which shall remain nameless, but which frequently go by 3-letter initialisms here in the US.) |
I had sent e-mail to Kyocera (handset mfr) on Monday - heard back from them today:
[quote]Thank you for contacting Kyocera Communications Inc. This email message is in regard to your inquiry. We are sorry for the trouble and appreciate the opportunity to assist you. Since this device has long since been discontinued, our tools to troubleshoot this device are no longer available. However, for these old phones there is a service code for resetting to default settings. You have to dial ##786# and then the phone will ask for a 6-digit MSL code; this code is usually 000000, but if it is not, your service provider can easily provide it to you.[/quote] I thanked them, noted I had in the meantime brute-force-cracked my new PIN, but that the above might well prove handy in future. |
In the usual grandiose fashion, the Russian law-makers attempt to up even the Obama administration. The law project No. 1039149-6 includes this proposal in Article 7 (Google-translated):
[QUOTE="http://asozd.duma.gov.ru/main.nsf/%28Spravka%29?OpenAgent&RN=1039149-6"][B]Carriers[/B] are required to keep the territory of the Russian Federation [B]for three years[/B] of information about the facts of reception, [B]transmission, delivery and (or) [COLOR=DarkRed]voice[/COLOR] information processing and text messages, including their contents, as well as [COLOR=DarkRed]images, sounds[/COLOR], or other user messages communication services and provide[/B] the authorized state bodies, engaged in the operational-search activity or the security of the Russian Federation, the said information, user information and communication services on services rendered communications and other information necessary to perform their tasks of these authorities, in the cases established by federal laws.[/QUOTE] Where are they going to store that much information remains a mystery (as most of those lawmakers cannot be concerned with such pesky little details, nor perhaps even estimate them). |
GCHQ has joined Twitter:
[URL]https://www.gchq.gov.uk/news-article/hello-world-gchq-has-officially-joined-twitter[/URL] |
[QUOTE=Nick;403819]It's that time of year again, the venue this time is Telfs-Buchen (Austria) and the new participants are:
[URL]http://www.bilderbergmeetings.org/participants2015.html[/URL] [/QUOTE] This year's Bilderberg group meeting will begin shortly in Dresden. If you want a list of people in North America and Europe who are currently in power but not necessarily in the spotlight, click here: [URL]http://www.bilderbergmeetings.org/participants.html[/URL] Background: [URL]https://en.wikipedia.org/wiki/Bilderberg_Group[/URL] |
[QUOTE=Batalov;432364]In the usual grandiose fashion, the Russian law-makers attempt to up even the Obama administration. The law project No. 1039149-6 includes this proposal in Article 7 (Google-translated):
Where are they going to store that much information remains a mystery (as most of those lawmakers cannot be concerned with such pesky little details, nor perhaps even estimate them).[/QUOTE] Looks bad [URL="http://www.washingtontimes.com/news/2016/jun/23/russia-weighs-strict-new-surveillance-measures-pen/"]Russia weighs strict new surveillance measures, penalties for protesters[/URL] A brief skim elsewhere suggested the only change coming might be removing a provision that could illegally strip a person's citizenship. PS Here's something I mentioned elsewhere about Google's evil stance in favor of the TPP: [QUOTE]In their defense, this is a pretty important point to me "The TPP requires the 12 participating countries to allow cross-border transfers of information and prohibits them from requiring local storage of data." From what I've heard elsewhere, article seven of a law possibly about to be implemented in Russia is requiring carriers to store data for three years: Законопроект № 1039149-6 [/QUOTE] |
What is your name?
What is your quest? [URL="http://www.bbc.co.uk/news/technology-36650857"]What is your Facebook ID?[/URL] |
[QUOTE=xilman;437228][URL="http://www.bbc.co.uk/news/technology-36650857"]What is your Facebook ID?[/URL][/QUOTE]
I wonder how many eyebrows would be raised by "I don't remember; haven't used it in years. I can give you my MersenneForum ID."? |
[QUOTE=chalsall;437230]I wonder how many eyebrows would be raised by "I don't remember; haven't used it in years. I can give you my MersenneForum ID."?[/QUOTE]
Facebook: I didn't inhale, and I didn't like it. I would have to ask Firefox about the ID or password, if even it remembers at this distance. I used my account for a week or two, then inactivated it, which is one step removed from outright cancellation. |
Ha! I guess I am the oddest here, with "never had and never will have a fb account" (lowercase is intentional).
|
[QUOTE=LaurV;437317]Ha! I guess I am the oddest here, with "never had and never will have a fb account" (lowercase is intentional).[/QUOTE]
I created a Facebook account but never used it. My Twitter account was used merely once to say something snarky about Sarah Palin. My twitter name is one character long. Really. |
[QUOTE=only_human;437318]My twitter name is one character long. Really.[/QUOTE]
Whoa! I guess you can sell it for a lot of money then? hehe... For other sites and online games where I used to be active in my youth (:razz:) all good and short names were taken, and [STRIKE]people[/STRIKE]nerds would pay real money to get one. I usually ended up with 8-10 letter names, even longer when the sites wouldn't accept numbers and would title-case automatically, etc (common practice to avoid names like biGRuNner or c23x%_#Pq, only small letters allowed and the first is automatically capitalized). |
[QUOTE=LaurV;437326]Whoa! I guess you can sell it for a lot of money then? hehe...
For other sites and online games where I used to be active in my youth (:razz:) all good and short names were taken, and [STRIKE]people[/STRIKE]nerds would pay real money to get one. I usually ended up with 8-10 letter names, even longer when the sites wouldn't accept numbers and would title-case automatically, etc (common practice to avoid names like biGRuNner or c23x%_#Pq, only small letters allowed and the first is automatically capitalized).[/QUOTE] I think if I actually use the account actively it may get shut down because the particular single character can't be typed on most systems. It is the highest value in a seven-bit ASCII table, 127[SUB]10[/SUB]. |
[url]https://theintercept.com/2016/06/28/he-was-a-hacker-for-the-nsa-and-he-was-willing-to-talk-i-was-willing-to-listen/[/url]
[url]http://www.csoonline.com/article/3090502/security/big-brother-is-listening-as-well-as-watching.html[/url] [url]https://motherboard.vice.com/read/uk-police-accessed-civilian-data[/url] |
Robert X. Cringely (a well-known pseudonym) has a 2-part series on Big Data:
[url=www.cringely.com/2016/07/05/thinking-big-data-part-one/]I, Cringely Thinking about Big Data[/url] - Part One
[url=www.cringely.com/2016/07/07/15306/]I, Cringely Thinking about Big Data[/url] - Part Two

Part 2 - with which my one major quibble is no mention of the government's key early role in supporting startup-phase Google - has a hilarious snip illustrating the craziness of the DotCom bubble - did the folks throwing this pile of money around not contain even one person with an engineering background who understood the most basic rudiments of signal processing, by which I mean "orders of magnitude too many bytes for the datapipe"?

[quote]The result of all this irrational exuberance was a renaissance of ideas, most of which couldn’t possibly work at the time. Broadcast.com, for example, purported to send TV over dial-up Internet connections to huge audiences. [i]It didn’t actually work[/i], yet Yahoo still bought Broadcast.com for $5.7 billion in 1999 making Mark Cuban the billionaire he is today.[/quote]

And many people are still naive about how things work - e.g. 'Chris', who asks

[quote]Are you saying Amazon is tracking every mouse click on sites that are hosted on AWS? I’m pretty certain this is not correct. The AWS Customer Agreement states: “We will not access or use Your Content except as necessary to maintain or provide the Service Offerings, or as necessary to comply with the law or a binding order of a governmental body.”[/quote]

Let's add a smidge of text highlighting in order to help Chris out:

[quote]Are you saying Amazon is tracking every mouse click on sites that are hosted on AWS? I’m pretty certain this is not correct. The AWS Customer Agreement states: “We will not access or use Your Content [u]except as necessary to maintain or provide the Service Offerings[/u], or as necessary to comply with the law or a binding order of a governmental body.”[/quote]

A.k.a. "Amazon is tracking every mouse click on sites that are hosted on AWS." |
Catalog of spy equipment on offer to police
[url]https://theintercept.com/2016/09/01/leaked-catalogue-reveals-a-vast-array-of-military-spy-gear-offered-to-u-s-police/[/url]
Not just spying, but jamming and DoS against particular handsets. [QUOTE]A confidential, 120-page [URL="https://www.documentcloud.org/documents/3038285-2014-Cobham-TCS-Catalog.html"]catalogue[/URL] of spy equipment, originating from British defense firm Cobham and circulated to U.S. law enforcement, touts gear that can intercept wireless calls and text messages, locate people via their mobile phones, and jam cellular communications in a particular area. The catalogue was obtained by The Intercept as part of a large trove of documents originating within the Florida Department of Law Enforcement, where spokesperson Molly Best confirmed Cobham wares have been purchased but did not provide further information. The document provides a rare look at the wide range of electronic surveillance tactics used by police and militaries in the U.S. and abroad, offering equipment ranging from black boxes that can monitor an entire town’s cellular signals to microphones hidden in lighters and cameras hidden in trashcans. Markings date it to 2014.[/QUOTE] |
[url=https://theintercept.com/2016/09/06/nsa-menwith-hill-targeted-killing-surveillance/]The NSA’s British Base at the Heart of U.S. Targeted Killing[/url] | The Intercept
[url=fivethirtyeight.com/features/internet-tracking-has-moved-beyond-cookies/]Internet Tracking Has Moved Beyond Cookies[/url] | FiveThirtyEight -- The EFF Panopticlick tool linked there is nifty. |
Greenwald on Washington Post on Snowden
The main drift here, is that the Post got a Pulitzer for some of Snowden's info dump, but they call for his hide all the same. Another point is that Snowden did not [U]publicize[/U] anything. The Post, NYT, The Guardian, and The Intercept made those choices.
[url=https://theintercept.com/2016/09/18/washpost-makes-history-first-paper-to-call-for-prosecution-of-its-own-source-after-accepting-pulitzer/]WashPost Makes History: First Paper to Call for Prosecution of Its Own Source (After Accepting Pulitzer)[/url] | The Intercept [QUOTE]Three of the four media outlets that received and published large numbers of secret NSA documents provided by Edward Snowden — The Guardian, the New York Times, and The Intercept –– have called for the U.S. government to allow the NSA whistleblower to return to the U.S. with no charges. That’s the normal course for a news organization, which owes its sources duties of protection, and which — by virtue of accepting the source’s materials and then publishing them — implicitly declares the source’s information to be in the public interest. But not the Washington Post. In the face of a growing ACLU and Amnesty-led campaign to secure a pardon for Snowden, timed to this weekend’s release of the Oliver Stone biopic “Snowden,” the Post editorial page today not only argued in opposition to a pardon, but explicitly demanded that Snowden — the paper’s own source — stand trial on espionage charges or, as a “second-best solution,” accept “a measure of criminal responsibility for his excesses and the U.S. government offers a measure of leniency.” In doing so, the Washington Post has achieved an ignominious feat in U.S. media history: the first-ever paper to explicitly editorialize for the criminal prosecution of its own source — one on whose back the paper won and eagerly accepted a Pulitzer Prize for Public Service. But even more staggering than this act of journalistic treachery against the paper’s own source are the claims made to justify it.[/QUOTE] |
[url=http://www.nakedcapitalism.com/2016/09/louis-proyect-snowden.html]Film review: Snowden[/url] | Louis Proyect, naked capitalism
|
[QUOTE]Last fiddled with by ewmayer on 2016-09-18 at 22:23 Reason: added missing link[/QUOTE]
Oops. Thanks! :smile: |
[url=https://theconversation.com/feds-we-can-read-all-your-email-and-youll-never-know-65620]Feds: We can read all your email, and you’ll never know[/url] | The Conversation ... Good [url=http://www.nakedcapitalism.com/2016/09/links-92316.html#comment-2673832]reader comment[/url] on this one:
[quote]From Clark Cunningham’s article “Feds: we can read all your email” — [i] “To get these [secret email] warrants in the first place, the feds are using the Electronic Communications Privacy Act, passed in 1986.” [/i] Rich, huh — a so-called “communications privacy” act destroyed communications privacy, just as the “Bank Secrecy Act” of 1970 destroyed bank secrecy, and the “Foreign” Intelligence Surveillance Act was amended to retroactively legalize bulk domestic wiretapping. Equally rich are the judicial fiddles described by Cunningham, in which plaintiffs are denied standing to sue for govt theft of their emails because they can’t prove they were subjected to secret warrants. This Catch-22 rationale was perfected in earlier litigation over NSA bulk surveillance of phone calls. Orwellian statute names and terms such as the Nazi-inspired “Homeland Security” constitute a kind of malicious wink from our overlords. It’s like a sadistic tormentor inquiring rhetorically, “What am I doing to you, huh? What am I doing to you?” That this extra-constitutional government has become wholly illegitimate goes without saying.[/quote] And on the "privacy invasions by commercial interests" front, we [url=http://motherboard.vice.com/read/apple-deleting-the-iphones-audio-jack-is-good-news-for-marketing-companies]have Apple[/url]: [quote]The reason for the celebration is Bluetooth beacons, a “proximity marketing” technology that’s been pushed by the ad-tech industry for years. The beacons come from tiny Bluetooth Low-Energy (BTLE) transmitters that have already been planted inside many retail stores, airports, and museums, which send signals to nearby mobile devices. If your device has Bluetooth enabled and comes in range of a beacon (say, in a clothing store) any apps you’ve installed that are listening for Bluetooth beacons can determine exactly where you are, target you with ads, or record your real-world shopping habits, among other things. 
And now that Apple has gotten rid of the iPhone’s headphone jack, marketers are anticipating that a whole lot of people will soon be leaving their Bluetooth enabled, effectively “opting in” to the beacons’ tracking.[/quote] But Apple CEO Tim Cook is like, all "progressive" and "gay activist" and stuff, so any criticism marks one as a bigot! |
There are many reasons that Apple is on my Evil List. Start with tax dodging.
There's plenty more. Not all of it is directly from Apple. As a PC person in a Mac world (graphics) I dealt with plenty of Mac chauvinists who thought the danged things were totally stable. This was in the days of the Power PC chips. It was also common to stop and wonder if one should reboot before starting work on a, say, 200 MB tif file. Question was, "Will a memory leak kill me before I save?" The same kind of thing applied when considering transmitting said file across a 10 base network. Better be sure everything was right before committing the time involved. EDIT: If they were totally stable, why did the "Dead Mac" icon and sound even exist? |
o [url=https://pando.com/2016/12/21/norman-bates-20-starwood-and-wynn-are-excited-put-camera-and-microphone-your-hotel-room/9ab671d8583160e09c2559978472273b66ee8d17/]Norman Bates 2.0: Starwood and Wynn are excited to hide a camera and microphone in your hotel room[/url] | Pando.com
o [url=www.politico.eu/pro/ecjs-uk-ruling-will-impact-telecoms-internet-companies/]Politico: Europe's top court guts key parts of UK spy law[/url] : [i]Snooper’s Charter decision could still affect Britain after Brexit[/i] |
"Want to read the whole article? Become a Pando member."
Yuck. Added to banlist. |
[QUOTE=LaurV;449842]"Want to read the whole article? Become a Pando member."
Yuck. Added to banlist.[/QUOTE] The article must've been 24-hour unlocked when I viewed it, because I am not a member. Reloaded just now and see the same as you. |
[url=foreignpolicy.com/2017/03/20/the-multibillion-dollar-u-s-spy-agency-you-havent-heard-of-trump/]The Multibillion-Dollar U.S. Spy Agency You Haven’t Heard of[/url] | Foreign Policy
I suspect such surveillance has already been ongoing to a much greater extent than the article claims. To throw out just one obvious stratagem, there are already millions of private and local-government data feeds operational, from traffic cams to police cell-tower-hijacking to security cams of all stripes. Tapping into those would be a ready-made way to surveil the citizenry without any telltale instruments like drones circling overhead. Think Room 641A, but now in a distributed local-feed fashion. |