posted 13 days ago on techdirt
Last month I noted how longtime domain registrar Tucows had decided to try and kick-start stagnant broadband competition by buying a small Virginia ISP by the name of Blue Ridge InternetWorks (BRI). Operating under the Ting brand name, the company said the goal was to bring a "shockingly human experience and fair, honest pricing" to a fixed-line residential broadband market all too often dominated by just one or two giant, apathetic players. Ting promised to offer 1 Gbps speeds at a sub-$100 price point, while at the same time promising to respect net neutrality.

Fast forward a month and Tucows/Ting have announced that the company has struck another deal, this time to operate a municipal broadband network being built in Westminster, Maryland. Westminster began construction on the network last October with plans to serve roughly 9,000 homes and 500 businesses. I've confirmed with Ting that unlike many initiatives (including Google Fiber, which initially paid lip service to the idea then backtracked), this effort will be an open network, meaning additional ISPs will be able to come in and compete with Ting over the city-owned infrastructure. In a blog post, Ting notes that like a growing number of U.S. communities, Westminster simply got tired of waiting for better services from a regional duopoly with no incentive to improve. Westminster's city council president put it this way:

"We want to blow this thing up, and we want disruptive services at disruptive pricing," Robert Wack, Westminster's city council president, told me. "We've got Comcast and its usual suite of services, Verizon DSL, with its patchy service areas, and dish and satellite services. Nobody is happy with any of it, and none of it has the capacity we need to take this city into the future."

Again, if the United States broadband market is going to evolve beyond stale monopolies and duopolies, it's certainly not going to be a product of Congress or the incumbent ISPs politicians are beholden to -- it's going to have to happen from the roots up, a handful of towns at a time. Regardless of the small scale of such efforts, as we've seen with Google Fiber, these builds at least open up a dialogue about the lack of competitive options, and inspire cities to demand more than the slow, over-priced, and badly supported services we've grown accustomed to. The first step in allowing that to happen is to start eliminating the miserable, protectionist laws written and lobbied for by incumbent ISPs in nearly two dozen states nationwide. Under the pretense of concern for the taxpayer, ISPs like Comcast, AT&T, CenturyLink and Time Warner Cable have been allowed to write laws that either restrict or outright ban community broadband improvements (or in some cases even public/private partnerships), even in neighborhoods these companies refuse to upgrade. Ting joins Westminster as part of a slow-but-growing movement to stop whining and actually do something about it.

posted 13 days ago on techdirt
Chicago is a big city -- big enough to contain two universities diametrically opposed on the issue of free speech. The University of Chicago recently updated its free speech policy to, you know, actually protect free speech, unlike many universities who feel protecting free speech means protecting every student's feelings. On the other end, we have Chicago State University, which has abused both its administrative powers and IP rights to shut down free speech. A couple of years back, CSU issued a cease-and-desist order against a critical blog, claiming its trademarks were being infringed by the inclusion of the university's name and logo. Of course, no such infringement was occurring because trademarks protect use in commerce, not criticism.

But this sort of free speech-muting activity is fairly common at CSU. At one point, it instituted a policy forbidding anyone but the school's "authorized media representatives" from speaking to the press. It also said prior approval would be needed for everything from social media posts to opinion pieces. It also retaliated against its own school newspaper for publishing critical articles, ultimately resulting in a lawsuit in which the school paid out $200,000 in legal fees. In the midst of all of this, the school also played hardball on FOIA requests, refusing them for clearly spurious reasons and firing one of its attorneys for having the unmitigated gall to compile responsive documents.

Now, it's in court again, having its motives and legal maneuverings criticized by the presiding judge. Here's what's been happening since we last covered CSU's actions against the bloggers at the CSU Faculty Voice Blog.

CSU has engaged in a campaign of intimidation against both professors, starting with a letter demanding that Beverly take down the CSU Faculty Voice blog based on several dubious claims of trademark infringement. Since Beverly refused, CSU has steadily escalated its efforts, including initiating disciplinary hearings against Beverly for holding a class in an unauthorized location when he had the students in his public management seminar attend a Faculty Senate hearing to address censorship on campus. Bionaz was also charged with "cyber-bullying" for comments made to a CSU administrator in a face-to-face conversation.

The presiding federal judge, Joan Gottschall, doesn't discuss all of these incidents in her decision to toss the school's motion to dismiss [pdf link], but she does address the cease-and-desist letter, which was nominally about trademark infringement, but was really about telling two bloggers to shut up. She establishes the allegations first:

According to the plaintiffs, the defendants collectively attempted to chill their First Amendment right to free speech by sending a cease and desist letter demanding that they shut down the blog. In that letter, in addition to assertions about the use of CSU's trademarks, Cage states that "the lack of civility and professionalism expressed on the blog violates the University's values and policies requiring civility and professionalism." The plaintiffs stress that this letter is dated one business day after a post appeared on the blog contending that a senior CSU administrator (Angela Henderson, CSU's Interim Provost and Senior Vice President for Academic Affairs) had partially falsified her resume. The plaintiffs allege that they fear discipline under the Computer Usage Policy for publishing the CSU Faculty Voice, even though the blog is not hosted on CSU's servers. They also allege that the Computer Usage Policy is improperly vague and overbroad. Finally, they allege that they fear discipline under CSU's Cyberbullying Policy.

She then refuses to cut the university any slack when it tries to have it both ways.

In contrast, the defendants contend that the reference to civility in the cease and desist letter does not show that CSU threatened the plaintiffs with legal action based on the Computer Usage or Cyberbullying Policies. The court disagrees... The references to civility do not appear to be related to the claims of trademark infringement raised elsewhere in the cease and desist letter. It is eminently reasonable to read the letter as a demand to shut down the CSU Faculty Voice blog based on its alleged failure to meet CSU on-line civility standards.

As the judge notes, the school's civility standards (and cyberbullying policy) are broadly written, and it can be "reasonably inferred" that CSU would seek to use these policies against the blog, even though it isn't hosted on CSU servers. She points out that the policies apply to "electronic communications" and "prohibit any communication which tends to embarrass or humiliate any member of the community." Likewise, the Computer Usage Policy says it "includes web sites and blogs hosted on the university's server," rather than specifically restricting CSU's area of control solely to the contents of its servers. And, on top of it all, the school did actually threaten to use these policies against the bloggers.

It is not explicitly limited to Internet websites and blog posts hosted on CSU's server. That is a possible interpretation of the policy but the court cannot make findings of fact at this stage of the proceedings. Similarly, the Cyberbullying Policy is not limited to communications made using CSU's computer equipment. Thus, the allegation that the blog is hosted on a non-CSU server does not negate the inference that the defendants were threatening the plaintiffs based on the Computer Usage and Cyberbullying Policies. [...] [The court] declines to ignore the fact that a letter ostensibly about alleged trademark violations contains assertions about the tone and content of the CSU Faculty Voice blog.

And, once again, the university tries to drag IP rights back into this, even though the plaintiffs aren't even interested in this small part of CSU's actions. (Because criticism is not commerce and the trademark claims wouldn't stick.) And again, the judge kicks this particular crutch out from underneath the school.

With respect to redressability, the defendants argue that if the court rules in the plaintiffs' favor, it "would have no impact on the trademark issues about which [p]laintiffs complain in this lawsuit." (Dkt. 49 at Page ID# 356). The plaintiffs, however, referred to the defendants' assertions about trademark infringement to provide context for their claims. They do not seek any relief regarding trademark claims, such as a declaratory judgment finding that their use of CSU's marks was proper. Instead, they seek relief based on a variety of First Amendment theories. The defendants' arguments about redressability are, therefore, unconvincing.

CSU's motion to dismiss has been denied, and the next time it appears in court, it will be facing the bloggers' motion for a preliminary injunction. So far, the judge seems unimpressed with the school's arguments. When your attempts to bully someone into silence fail, you often find yourself trying to explain your actions to a federal judge. And CSU is trying oh so hard to make it look like it never did any of the things it did. The future of this case doesn't look promising for CSU, but at least it's had previous experience in writing checks out to wronged parties.

posted 13 days ago on techdirt
Sprint today shocked everyone with an announcement that the company has decided to throw its support behind Title II-based net neutrality rules, shifting the Title II momentum needle just that much further. In a letter from Sprint's CTO Stephen Bye to FCC chairman Tom Wheeler (pdf, spotted at GigaOM), Sprint argues that it's fine with Title II, provided the rules allow for sensible network management. To hear Sprint tell it, sensible neutrality rules using Title II and forbearance will also have no impact on its investment strategy, despite plenty of industry hand-wringing on this front:

"So long as the FCC continues to allow wireless carriers to manage our networks and differentiate our products, Sprint will continue to invest in data networks regardless of whether they are regulated by Title II, Section 706, or some other light touch regulatory regime."

AT&T, Comcast and Verizon have repeatedly tried to claim that Title II-based rules will kill industry investment, even though they've been quietly telling investors Title II really isn't a big deal. As the recent $45 billion spectrum auction and wireless investment (wireless voice falls under Title II) make clear, Title II has never really been an impediment to wireless or wireline investment. Smaller ISPs like Sonic.net have similarly noted that Title II-based neutrality rules are only going to be a problem for companies engaged in bad behavior.

Since the announcement makes Sprint the only major wireless carrier supporting Title II, it's sure to piss off the company's friends at the CTIA. The CTIA was of course thrilled when the FCC's original neutrality rules somehow failed to cover wireless networks. Since then, the group has been breathlessly proclaiming that neutrality rules shouldn't apply to wireless because the wireless industry is a hyper-competitive, unique snowflake (never mind that the sector isn't particularly price competitive and wireless is where most of the worst anti-competitive abuses currently reside).

In addition to being good for consumers, Sprint's announcement is an incredibly clever marketing move. By publicly supporting Title II, Sprint has thrown a spotlight directly on T-Mobile's failure to support net neutrality. While T-Mobile has earned an often-justified reputation over the last year for being a fierce consumer advocate, the company has opposed Title II and shown through its Music Freedom program that it may not even understand what net neutrality is. Sprint's support for Title II by proxy demands that T-Mobile and snarky CEO John Legere walk the talk.

Of course we'll still have to see well-constructed rules crafted after a lot more bickering over what "differentiated products" and "fast lanes" actually are. The rules will then have to run the endless gauntlet of ISP lawsuits and emerge intact on the other end, then remain intact should there be a party change impacting FCC leadership. Still, judging from recent comments, there's every indication that FCC boss Tom Wheeler is going to shrug off concerns about his lobbyist past and actually do something good for consumers here, something that was unfathomable to most just one year ago. That's big, however you slice it.

posted 14 days ago on techdirt
Just because something offends a person (or someone is offended on behalf of someone else -- more on that in a moment) doesn't mean it's illegal. And just because you're eating a meal in full uniform doesn't mean you can use your law enforcement powers to magically turn non-criminal acts into criminal ones. (via Legal Juice)

Tye Trujillo was arrested at IHOP, 3546 E. Main St. in Farmington [New Mexico], by three Farmington police officers after allegedly saying the word "F---" several times shortly before midnight on June 11, 2013, according to an arrest report. The officers -- Dennis Ronk, Albert Boognl and Tamara Smith -- were eating dinner at the restaurant in full uniform when the offensive language was used, the report states. Trujillo, 32, was at the restaurant with several friends. A family with three small children were seated near them, the report states. According to the report, Ronk approached the men and told them that if they said the word one more time, he would arrest them. Trujillo allegedly used the word again and Ronk followed through on his threat, the report states. Trujillo was cited for disorderly conduct and was found guilty of violating city code in Farmington Municipal Court on April 10.

Not noted in the coverage of the story, but included in the complaint [pdf link], is this bit of information that indicates the officer wasn't personally offended, but was acting on behalf of someone he assumed to be offended. From the arrest report:

I noticed a young couple sitting at a table directly behind the male subject's and there was a family of three small children (approximately 3 to 8 years of age) and two adults sitting near my location.

Officer Ronk tried to gather more incriminating evidence to back up his "you must be offended" arrest, but the person he took offense on behalf of provided no help.

After placing Plaintiff into cuffs, Officer Ronk contacted a family, which included young children, who was also patronizing the restaurant at this time and sitting near Plaintiff's table. One of the female adults at the table told Officer Ronk that she could hear the males using the "f word" but she kept the children busy and did not wish to provide information or get involved in the matter.

And why would she? Presumably she knew that loud swearing in public is something that happens from time to time and, at worst, reflects negatively on the person doing it, but is not actually a criminal act. Officer Ronk painted himself into a corner by issuing a "direct order" (no, really -- that's what it says in the arrest report) to Trujillo to stop saying "Fuck" and backing it up with the threat of an arrest. Trujillo called his bluff, leaving him no choice but to follow through.

Of course, the charges didn't stick. The judge acquitted the plaintiff of the charges because saying the word "fuck" in a public space -- even a public space containing children "approximately 3 to 8 years of age" -- does not rise to the level of "disorderly conduct." The Farmington city code states that disorderly conduct (in terms of speech) must be: "...obscene, indecent, profane challenging or other words which are inherently likely to provoke an immediate violent reaction in an average person." Seeing as the mother's immediate reaction was to distract her children rather than punch Trujillo in his foul mouth, it stands to reason that the "average person" would not be "provoked into an immediate violent reaction" by the indiscriminate use of profanity. (On the other hand, directed profanities can provoke "immediate violent reactions" in some police officers, so be aware of that when combining the two.)

Because Officer Ronk couldn't resist the urge to make a public space "safe" for someone else's kids, the City of Farmington will likely be handing over a settlement to Trujillo in the near future. And once it does, constituents will be left holding the tab for a very expensive "fuck" they neither asked for nor enjoyed.

posted 14 days ago on techdirt
Everyone from FBI Director James Comey to UK Prime Minister David Cameron is calling for an end to encryption. The FBI is afraid it won't be able to catch criminals if it can't immediately access content and communications. David Cameron is afraid it will be nothing but constant terrorist attacks from here on out if authorities don't have access to "every means of communication." Considering many of these voices decrying encryption presumably have access to top secret briefings and documents otherwise unseen by the general public, it's rather surprising they've ignored previous advice from intelligence officials to the contrary.

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough. [...] The document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the "best defence" for computer users to protect private data.

This document comes from The Guardian's stash of Snowden leaks. What it says runs completely contrary to the panicked assertions of officials. It even runs contrary to the NSA's own actions, like its active attempts to weaken NIST standards. The report recommends strong encryption, coupled with multi-factor authentication, which would make data and communications wholly inaccessible to the NSA (and GCHQ, its steady surveillance partner). But this recommendation doesn't come from an outside source. It's an intelligence council that reports directly to the head of national intelligence. And yet, the word didn't spread very far. The NSA isn't thrilled with encryption because it keeps what it wants out of reach. Law enforcement has the same "problem." Both have actively worked to undermine encryption for their own aims and both are perfectly willing to open up citizens and companies to outside attacks in order to preserve the status quo.

And it's not just American agencies that have ignored these recommendations. The GCHQ is engaged in the same cognitive dissonance.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies' private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks. The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK's very highest restrictive markings: "TOP SECRET STRAP 2 EYES ONLY".... The memo requested a renewal of the legal warrant allowing GCHQ to "modify" commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software is widely used by companies and individuals around the world. The document also said the agency had developed "capability against Cisco routers", which would "allow us to re-route selected traffic across international links towards GCHQ's passive collection systems". GCHQ had also been working to "exploit" the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Again we see agencies charged with protecting nations walking away from this responsibility in order to pursue their own ends. Sure, some safety may have resulted from the collection of unencrypted communications, but both agencies are willing to compromise corporate hardware and consumer software in order to grab just a little more hay for the haystacks. You can't make a nation safer by destroying its safety features.

There's a bigger picture that these agencies refuse to see -- even when internal guidance puts it front and center. If you weaken protections, seek legislation to prevent encryption, collect and stash exploits and install backdoors in hardware and software, you make the nation's cybersecurity that much harder to maintain. The NSA and FBI both want a piece of the cyberwar action but they want to leave everyone that isn't them defenseless. Over on the other side of the pond, the GCHQ is doing the same thing and it has the support of a Prime Minister who feels no communication should be able to escape the agency's notice. And behind it all, there are documents touting the protective powers of encryption. But that makes intelligence gathering and law enforcement too difficult, so I guess we'll all have to do without.

posted 14 days ago on techdirt
It's pretty rare that a trial has a real "surprise" unveiling or twist. It happens all the time in TV and movie courtrooms, but in real courtrooms... not so much. Most people know the basics. Someone may admit something surprising, or testimony can go awry, but the "big dramatic reveal" isn't so common. Yet in the trial of Ross Ulbricht, concerning whether he was or wasn't the "Dread Pirate Roberts" behind the Silk Road hidden market, things are already off to quite a start. We'd already mentioned his "some other dude did it" defense (while he admits that he did create the site, he argues he handed it over to someone else long before that). However, during yesterday's testimony Ulbricht's lawyer revealed who they believed the "other" Dread Pirate Roberts really was: apparently they believe it was Bitcoin pariah and Mt. Gox CEO Mark Karpeles.

If you don't follow the Bitcoin space, you might not recognize the name. However, in the Bitcoin space, Karpeles is widely despised. For a long time, Mt. Gox was the Bitcoin exchange for people who wanted to buy or sell Bitcoin. However it mysteriously shut down over a year ago under questionable circumstances -- with Karpeles arguing that Mt. Gox had all its Bitcoins stolen, while many people claimed that the evidence didn't suggest that at all, and that there may have been a lot of other fraud going on. In short, if you wanted to pick someone who is widely hated among Bitcoin supporters, Karpeles is the perfect "villain." And Ulbricht's lawyers make the case that the Homeland Security investigator who infiltrated Silk Road and helped nab Ulbricht, Jared DerYeghiayan, originally suspected Karpeles:

"I have a wealth of evidence to prove that [Karpeles] is Dread Pirate Roberts," the agent wrote at the time. Karpeles, who is from France, ran what was once the world's largest Bitcoin exchange, Mt. Gox, which was based in Tokyo. DerYeghiayan's theory was that Karpeles wanted to create a market that used Bitcoin in order to keep the price of the semi-anonymous cryptocurrency robust, which he believed was probable cause for Karpeles's arrest. (Mt. Gox went bankrupt in early 2014.) "[Silk Road] would be a device for leveraging the value of Bitcoin, and if he could create a site independent of Bitcoin, you could control the value of Bitcoin," Dratel said, reading from DerYeghiayan's emails. DerYeghiayan believed his evidence was so strong that he even drafted a search warrant for Karpeles's email in May of 2013.

Later, prosecutors objected to this effort, but the judge, Katherine Forrest, correctly pointed out that the idea was to "raise reasonable doubt that the defendant is the real DPR." Karpeles, not surprisingly, is denying that he is DPR. According to Ars Technica:

"This is probably going to be disappointing for you, but I am not Dread Pirate Roberts," Karpeles told Ars via e-mail. "The investigation reached that conclusion already -- this is why I am not the one sitting during the Silk Road trial, and I can only feel defense attorney Joshua Dratel trying everything he can to point the attention away from his client."

He also posted this to Twitter:

During the trial, the prosecution did also reveal that other investigators, in Baltimore, had seized a site that was run by Karpeles. The Vice article doesn't name that site, but Sarah Jeong points out that it was SilkRoadMarket.org. In his denial to Ars Technica, Karpeles discusses that domain:

"I have nothing to do with Silk Road and do not condone what has been happening there," Karpeles continued. "I believe Bitcoin (and its underlying technology) is not meant to help people evade the law, but to improve everyone's way of life by offering never thought before possibilities. As for the silkroadmarket.org domain, it was registered by a KalyHost.com customer and paid in Bitcoins (KalyHost is a service of Tibanne that has been up since 2009)."

Tibanne was Karpeles' company that supposedly purchased Mt. Gox. However, his argument here seems a bit questionable, as the Feds have released the seizure warrant showing that Karpeles was directly involved. As another article on Ars Technica summarizes:

Homeland Security used a confidential informant, based in Maryland, to conduct the investigation. The informant simply created accounts with Dwolla and Mt. Gox, bought bitcoins, and then changed them back into dollars. Tracing that money, HSI was able to see that the money passed through a Wells Fargo account, number 7657841313, which was created by a single authorized signer: Mark Karpeles, the president and CEO of Mt. Gox. The Dwolla account shows transfers to Dwolla going back to at least December 2011, according to the warrant. That account was registered to Mutum Sigillum LLC, which is the company that supposedly registered the silkroadmarket.org domain. And the reason Karpeles got in trouble: Mutum Sigillum, when it opened the account, denied that it was in the money services business, even though it clearly was.

All of this is a bit of a mess. Either way, the point here isn't necessarily to prove that Karpeles absolutely was DPR, but rather to show reasonable doubt to get Ulbricht off the hook. While a fascinating turn of events all around, this still seems like an uphill battle for Ulbricht's lawyers.

posted 14 days ago on techdirt
Last week we wrote about how a ruling by Europe's highest court, the EUCJ, that blanket data retention was "invalid," had received a further boost from an analysis by the European Parliament's legal services. That, in its turn, made it more likely that more overbroad data retention laws in EU nations would be challenged, as has already happened in the UK and Sweden. Here's one such move in the Netherlands, as reported by Computerworld in Australia:

After evaluating that ruling [of the EUCJ] the Dutch government decided in November largely to maintain the national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances. By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.

The fact that the Dutch government decided to maintain its data retention law despite advice from experts to the contrary, coupled with the latest report from the European Parliament, means that the legal challenge -- from the civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and the telecom companies VOYS and SpeakUp -- might stand a chance of being successful. While it would be premature to celebrate, the fact that this is even a possibility is a useful reminder of how the surveillance landscape in Europe has shifted over the last year thanks to the EUCJ ruling.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 14 days ago on techdirt
If you haven't heard about MRSA (methicillin-resistant Staphylococcus aureus) yet, it's a strain of bacteria that can't be killed by common antibiotic drugs. Antibiotic drugs have been over-used or mis-used in various situations, and bacteria are evolving resistance to the drugs we've been using for decades. Without antibiotics, healthcare would be thrust back into the dark ages. No surgeries could be done safely without antibiotics. Very common infections might kill off people regularly, instead of being the mild inconvenience that they are today. Check out these links for more info on superbugs and how we can deal with them.

Surprisingly, we're still finding new antibiotics in nature -- like teixobactin, which was found in soil-dwelling bacteria that had never been cultured before. This is a new class of antibiotic compound that bacteria don't seem to be able to develop a resistance to. It disrupts how bacterial cell walls are made, but unfortunately, it's only effective against certain kinds of microbes. Also, it won't become a drug approved for human use for several years.

Thankfully, there are a few different strategies for dealing with a world that has developed bacteria resistant to all of our currently known antibiotics. We could 1) take advantage of bacteriophages (viruses that kill bacteria), 2) use bacteriocins from bacteria that already fight off microbes in nature (and modify them for our own purposes), 3) design DNA mimics that block specific bacterial genes necessary for reproduction, 4) use gene editing techniques (CRISPR) to artificially induce immunity in hosts, and there may be other tactics we haven't yet discovered/invented...

Topic-Qx is a solution of plant materials that claims to have antibacterial properties from anti-quorum sensing compounds found in a jungle. This could be another example of a way to attack intractable bacteria, but many anti-quorum sensing compounds are hard to formulate into nice shelf-stable drugs. That's not to say we'll never find one that isn't....

Before antibiotics, one out of nine people who got a skin infection died, and three out of ten people with pneumonia didn't survive. We already live in a post-antibiotic world of superbugs, but it would be horrible to revert back to death statistics like those before the 1940s.

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

posted 14 days ago on techdirt
Back in October we noted how the FCC had fined Marriott $600,000 for using deauth man in the middle attacks to prevent customers from using tethered modems or mobile hotspots at the company's Gaylord Opryland Hotel and Convention Center in Nashville. Marriott's ingenious plan involved blocking visitors and convention attendees from using their own cellular connections so they'd be forced to use Marriott's historically abysmal and incredibly expensive wireless services (in some cases running up to $1,000 per device). When pressed by the FCC, Marriott pretended this was all to protect the safety and security of their customers. The company also tried to claim that what it was doing was technically legal under the anti-jamming provisions of section 333 of the Communications Act, since the deauth attacks being used (which confuse devices into thinking they're connecting to bogus, friendly routers) weren't technically jamming cellular signals. The FCC didn't agree, and neither did industry giants like Microsoft, Google, AT&T and Verizon, who collectively filed opposition documents with the FCC arguing that Marriott was clearly violating the law. After carefully surveying a battlefield scattered with millions of pissed off consumers, annoyed regulators, and angry, bottomless-pocketed technology giants, Marriott has apparently concluded that maybe its shallow ploy to make an extra buck isn't worth fighting over. In a statement posted to the company's website, Marriott states it's going to stop acting like a nitwit, maybe: "Marriott International listens to its customers, and we will not block guests from using their personal Wi-Fi devices at any of our managed hotels. Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels. 
We will continue to look to the FCC to clarify appropriate security measures network operators can take to protect customer data, and will continue to work with the industry and others to find appropriate market solutions that do not involve the blocking of Wi-Fi devices." You'll notice the selectively-worded statement doesn't completely put the issue to rest, and clings fast to the argument that Marriott is just really concerned about visitor security, suggesting this may not be the last we hear of this.

posted 14 days ago on techdirt
Given what has happened in recent months, with two grand juries returning no bills in two controversial officer-related deaths -- Michael Brown in Ferguson, MO and Eric Garner in New York City -- it's almost unbelievable to read the following: The district attorney in Albuquerque has charged two police officers on single counts of open murder—meaning they don't know yet what degree of killing the state intends to prove at trial—in connection with the killing of homeless camper James Boyd, caught on body camera last April. The incident was captured on officers' body cams. What started out as a homeless man (James Boyd) being rousted for illegal camping "escalated" into him being shot multiple times and dying at the scene. "Escalated" is in quotes because the man had agreed to surrender to the Albuquerque police officers, who for whatever reason decided to release a dog, hit him with a concussion grenade and then fire several bullets at him. The officers who shot him (Dominique Perez and Keith Sandy -- the latter of which was allowed to retire after the incident) claimed they were forced to because the man produced two knives. In a statement sent Monday morning, Sandy's attorney Sam Bregman claimed the charges are unjustified and that Sandy, "had not only the right, but the duty to defend a fellow officer from a mentally unstable, violent man wielding two knives. Keith did nothing wrong. To the contrary, he followed his training and probably saved his fellow officer's life." Bregman did not specify which of the four other officers who were confronting Boyd at the end of a four-hour standoff was saved. The attorney for Perez, Luis Robles, also pointed to the judgement calls police officers make during critical moments. He told News 13 in a statement, "This is truly a shame. Throughout his career, Officer Perez has been called upon to make life-altering decisions while protecting Albuquerque citizens and his fellow officers. 
And having made one of those decisions, Officer Perez now faces an open count of murder. Regardless, I am confident that the facts will vindicate Officer Perez's actions in this case." Of course, the threat Boyd presented was also 20-30 feet away uphill and the officers had no shortage of non-lethal options at their disposal. But they chose to take the "hail of bullets" route, killing Boyd essentially for camping without a permit. Being charged with murder is going to cut into former Detective Sandy's free time. His fortuitous retirement allowed him to bypass internal accountability as well as ensuring a steady income for the rest of his life. News 13 has learned Sandy had accrued just shy of 19 years service credit from his time with both NMSP and APD. Under his pension plan, he’s allowed to buy up to a year of “airtime” that adds to that service time. That allows Sandy to get to a magic number, 20 years of service credit. After 20 years of service, APD officers can retire and get about 70 percent of their pay in an annual pension. A year less, and Sandy would have to wait until he’s 61 to start collecting that money, likely costing him at least a million dollars. News 13 has also learned Sandy had recently been ordered to sit down with internal affairs investigators. Retiring allows him to avoid that interview. The DA's unusual move hasn't made her any friends within the Albuquerque PD (which was recently slammed by the DOJ for its habitual use of excessive force). Kari Brandenburg -- and her office -- are now persona non grata at the PD. A top prosecutor for District Attorney Kari Brandenburg’s office was shut out of a briefing after a fatal police shooting near San Mateo and Constitution NE on Tuesday evening, Brandenburg told KRQE News 13. Police officials and others were gathering to discuss the most recent developments in the investigation a few hours after the shooting, Brandenburg said. 
Chief Deputy DA Sylvia Martinez attempted to join the briefing, but Deputy City Attorney Kathryn Levy would not let Martinez attend. At least the PD was upfront about why it was suddenly locking out its former best friends. Levy invoked the charges in barring Martinez from the briefing, according to Brandenburg. “Sylvia was told that our office has a conflict of interest because we charged the officers,” she said. This frosty move violates a 2004 written agreement between the PD and DA's office on the investigation of police shootings -- one that was included as part of the reforms handed down by the DOJ after its 18-month investigation. But that's what happens to anyone who doesn't treat cops as above reproach (or punishment), even entities that are nominally on the "same team," like prosecutors. Notably, it's an open murder charge, meaning there's lots of leeway for the defense. It will also be a tough sell. The prosecutors will need to prove that the officers deliberately acted to end James Boyd's life, as well as surmount the additional protections afforded officers who kill citizens in the line of duty. New Mexico does have a grand jury process so it's notable that it has been bypassed for these charges. The DA's office claims to have seen something in the evidence that led it to move forward with murder charges, and it possibly felt that dumping it into a grand jury's hands would either be unpopular or less likely to result in an indictment. Either way, it seems to indicate the DA's office knows how screwed up the grand jury system is, what with its "ham sandwich, unless it's a police officer" track record. Whatever's contained in that evidence must be pretty damning. DA's offices are rarely interested in prosecuting police officers since they're both on the law enforcement side of the equation. No doubt the noticeable drop in cooperation from law enforcement, should they move forward with charges, factors into the rarity of these situations as well. 
While it would be tempting to see that as an indicator that more accountability is on the way, it's far more likely that this will remain the exception to the rule. But it is good to see someone attacking the argument that officer safety is paramount, even if from an oblique angle. Calling Boyd's shooting "murder" makes the statement that the cops who shot him had no interest in simply neutralizing the threat. Instead, they opened fire and kept firing until Boyd was dead.

posted 14 days ago on techdirt
We all know that the First Amendment of the Constitution is there to protect us from government interference with free speech. It has no impact on private companies and how they treat your expression. However, with so much speech now happening on the internet these days, private companies almost always have some ability to get in the way of your expression. Sometimes, we think this is good -- as it can be used to prevent harassment. But, it also means that there are always points of attack, where anyone (including the government) can put tremendous pressure on private actors to stifle free expression. For many of us, when it comes to free expression, the First Amendment of the Constitution isn't so much in play as private companies' terms of service are. Yes, those terms of service that no one reads and are often written up by bored lawyers to include so much legalese as to confuse everyone, are often all that now really stands between you and your ability to express yourself. Should we be concerned at how modern speech is almost always controlled by private terms of service, rather than the First Amendment, or is there enough openness and competition online that it doesn't really matter? Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes, or simply plug the RSS feed into your favorite podcatcher app. Of course, you can also keep up with all the latest episodes right here on Techdirt.

posted 14 days ago on techdirt
A few months ago, we noted how Verizon and AT&T were at the bleeding edge of the use of new "stealth" supercookies that can track a subscriber's web activity and location, and can't be disabled via browser settings. Despite Verizon having been doing this for two years, security researchers only just noticed that the carrier was actively modifying its wireless users' traffic to embed a unique identifier traffic header, or X-UIDH. This identifier effectively broadcasts user details to any website they visit, and the opt-out settings for the technology only stopped users from receiving customized ads -- not the traffic modification and tracking. AT&T responded to the fracas by claiming it was only conducting a trial, one AT&T has since claimed to have terminated. Verizon responded by insisting that the unique identifier was rotated on a weekly basis (something researchers found wasn't true) and that the data was perfectly anonymous (though as we've long noted anonymous data sets are never really anonymous). While security researchers noted that third-party websites could use this identifier to build profiles without their consent, Verizon's website insisted that "it is unlikely that sites and ad entities will attempt to build customer profiles" using these identifiers. As such, you'll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers. Not only that, they're using the system to resurrect deleted tracking cookies and share them with advertising partners, making consumer opt-out preferences moot. According to security researcher Jonathan Mayer (and tested and confirmed by ProPublica), an online advertising clearinghouse by the name of Turn has been using Verizon's modifications when auctioning ad placement to websites like Google, Facebook and Yahoo for some time. 
When asked, Verizon pretends this is news to the company: "When asked about Turn's use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, "We're reviewing the information you shared and will evaluate and take appropriate measures to address." Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn's use of the Verizon tracking number and said "they were quite satisfied." Like Verizon's implementation of the program, Turn lets users opt out of receiving targeted ads, but users have no way of really opting out of being tracked or having their packets manipulated without prior consent. As the EFF notes, your only option is to use a VPN for all your traffic, or to use a browser add-on like AdBlock, which doesn't fully address the issues with the use of a UIDH header. Amusingly, Turn tries to claim to ProPublica that it's actually using Verizon's UIDH to respect user behavioral ad opt out preferences, but the website found that repeatedly wasn't working: "Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed." Even if Turn's being honest, there are plenty of companies that aren't going to bother being ethical. Verizon, which in 2008 insisted that consumer privacy protections weren't necessary because public shame would keep them honest, pretty clearly isn't interested in stopping the practice without legal or regulatory intervention. 
So yeah, again, we've got a new type of supercookie that tracks everything you do, can't be opted out of, and is turning consumer privacy completely on its ear, but there's absolutely nothing here you need to worry your pretty little head about.
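The header-injection mechanism above, seen from a site operator's side, as an added example that is not part of the Techdirt post or of any Verizon or Turn code: it parses an incoming request, shows why clearing cookies does not remove the carrier-injected identifier, and scrubs the header before application code can key a profile on it. The header name X-UIDH is the one the post describes; the sample requests, identifier values and the WSGI helper are constructed for this example.

```python
# Added example: detecting and neutralising a carrier-injected tracking header
# such as X-UIDH on the server side.  The sample requests and the UIDH value
# below are constructed for the example; only the header name comes from the post.
from typing import Dict, List, Tuple

# Header names known to carry a per-subscriber identifier inserted in transit.
# X-UIDH is the Verizon header discussed above; an operator can add others.
TRACKING_HEADERS = frozenset({"x-uidh"})


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into the request line and a
    lower-cased header dict.  Only the head is handled, not the body."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def injected_tracking_headers(headers: Dict[str, str]) -> List[str]:
    """Names of carrier-injected tracking headers present in this request."""
    return sorted(name for name in headers if name in TRACKING_HEADERS)


def stable_identifiers(headers: Dict[str, str]) -> Dict[str, str]:
    """Every value a site could use to recognise the same visitor next time:
    cookies (which the user can delete) plus any injected header (which the
    user cannot).  A zombie-cookie scheme needs at least one entry to survive
    a cookie wipe; if this is empty after the wipe, nothing can respawn."""
    ids: Dict[str, str] = {}
    for name in injected_tracking_headers(headers):
        ids[name] = headers[name]
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            ids["cookie:" + key] = value
    return ids


def scrub_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers with injected identifiers removed, so downstream
    code (including third-party ad scripts fed from the request) never sees
    them.  Limit noted in the post: this protects visitors of this site only;
    the header still reaches every other site unless the traffic is in a VPN."""
    return {k: v for k, v in headers.items() if k not in TRACKING_HEADERS}


def scrub_wsgi_environ(environ: dict) -> dict:
    """Same scrub for a WSGI environ, where X-UIDH arrives as HTTP_X_UIDH."""
    drop = {"HTTP_" + n.upper().replace("-", "_") for n in TRACKING_HEADERS}
    return {k: v for k, v in environ.items() if k not in drop}


# Constructed sample: a request after the carrier inserted the header, once
# with the site's own cookie present and once after the user cleared cookies.
SAMPLE_WITH_COOKIE = (
    "GET /article HTTP/1.1\r\n"
    "Host: news.example\r\n"
    "Cookie: sid=abc123\r\n"
    "X-UIDH: EXAMPLE_UIDH_VALUE_not_real\r\n"
    "\r\n"
)
SAMPLE_COOKIES_CLEARED = SAMPLE_WITH_COOKIE.replace("Cookie: sid=abc123\r\n", "")


def demo() -> Dict[str, Dict[str, str]]:
    """Clearing cookies leaves the injected identifier behind; scrubbing the
    header is what actually removes it.  Returns the identifier sets."""
    _, before = parse_request(SAMPLE_WITH_COOKIE)
    _, cleared = parse_request(SAMPLE_COOKIES_CLEARED)
    return {
        "with_cookie": stable_identifiers(before),
        "cookies_cleared": stable_identifiers(cleared),
        "cookies_cleared_scrubbed": stable_identifiers(scrub_headers(cleared)),
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label}: {ids}")
```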

posted 14 days ago on techdirt
As you may recall, one of the big Snowden revelations was the fact that the NSA "took control" over a key security standard allowing backdoors to be inserted (or, at least, a weakness that made it easy to crack). It didn't take long for people to realize that the standard in question was Dual_EC_DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator. It also came out that the NSA had given RSA $10 million to push this compromised random bit generator as the default. That said, as we noted, many had already suspected something was up and had refused to use Dual_EC_DRBG. In fact, all the way back in 2007, there was a widespread discussion about the possibility of the NSA putting a backdoor in Dual_EC_DRBG, which is why so few actually trusted it. Still, to have the details come out in public was a pretty big deal, so it also seemed like a fairly big deal to see that the Director of Research at the NSA, Dr. Michael Wertheimer (also former Assistant Deputy Director and CTO in the Office of the Director of National Intelligence), had apparently written something of an apology in the latest Notices of the American Mathematical Society. In a piece entitled, "The Mathematics Community and the NSA," Wertheimer sort of apologizes, admitting that mistakes were made. After admitting that concerns were raised by Microsoft researchers in 2007, and again with the Snowden documents (though without saying why they were raised the second time), here's Wertheimer's "apology." With hindsight, NSA should have ceased supporting the Dual_EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. 
Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the Dual_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.” A fair reading of our track record speaks otherwise. Nevertheless, we understand that NSA must be much more transparent in its standards work and act according to that transparency. That effort can begin with the AMS now. However, as security researcher/professor Matthew Green quickly shot back, this is a bullshit apology, because he's really only apologizing for not dropping the standard when they got caught red-handed back in 2007. The trouble is that on closer examination, the letter doesn't express regret for the inclusion of Dual EC DRBG in national standards. The transgression Dr. Wertheimer identifies is simply the fact that NSA continued to support the algorithm after major questions were raised. That's bizarre. Green also dismisses as ridiculous Wertheimer's weak attempt to still defend pushing the compromised Dual_EC_DRBG. Here were Wertheimer's arguments for why it was still okay: The Dual_EC_DRBG was one of four random number generators in the NIST standard; it is neither required nor the default. The NSA-generated elliptic curve points were necessary for accreditation of the Dual_EC_DRBG but only had to be implemented for actual use in certain DoD applications. The trapdoor concerns were openly studied by ANSI X9F1, NIST, and by the public in 2007. But, again, those don't make much sense and actually make Wertheimer's non-apology that much worse. As Green notes, even though there were other random number generators, the now infamous RSA deal did lead some to use it since it was the "default" in a popular software library and because NIST had declared the standard safe, meaning that people trusted it. 
Green also goes into great detail describing how the second point is also incredibly misleading. It's worth reading his full explanation, but the short version is that despite some people fearing the NSA's plan would have a backdoor, the details and the possible "alternatives" to avoid that were completely hidden away and more or less dropped. And that final point, well... really? Again, that's basically saying, "Well, people thought we might have put in a backdoor, but couldn't prove it, but there, you guys had your chance to debate it." Never mind the fact that there actually was a backdoor and it wasn't confirmed until years later. And, as Green notes, many of the concerns were actually raised earlier and swept under the rug. Also, the standard was pushed and adopted by RSA as a default long before some of these concerns were raised as well. This might all be academic, but keep this in mind: we now know that RSA Security began using the Dual EC DRBG random number generator in BSAFE -- as the default, I remind you -- in 2004. That's three years during which concerns were not openly studied by the public. To state that the trapdoor concerns were 'openly' studied in 2007 is absolutely true. It's just completely irrelevant. In other words, this isn't an apology. It's an apology that the NSA got caught (and didn't stop pushing things the first time it got caught), and then a weak defense of why they still went ahead with a compromised offering. Wertheimer complains that this one instance has resulted in distrust from the mathematics and cryptography community. If so, his weak response isn't going to help very much.

posted 15 days ago on techdirt
Last summer, the American Federation of Musicians hit videogame composer Austin Wintory (Monaco, Journey) with a $50,000 fine for working on The Banner Saga in violation of its (nonexistent) game music contract. Thanks to the union's own stubbornness and greed, none of its members were allowed to compose music for videogames. A contract put together in 2012 without the input of AFM's members was so skewed towards the union that no videogame producers were willing to agree to it. (It wasn't until 2014 that Microsoft agreed to the terms of AFM's revamped contract. It remains the sole company to do so.) When Wintory worked on the game without its permission, AFM got angry and threw its toys out of the crib. Its own Local 47 (Los Angeles) took issue with the union's BS and issued a resolution supporting Wintory in October. Perhaps due to this internal pressure, the AFM reduced Wintory's fine to $2,500. Now, it's threatening to expel Wintory because he hasn't paid up. A long-running dispute between video game composer Austin Wintory and his union, the American Federation of Musicians, has come to a head this week: Variety reports that Wintory has refused to pay a $2,500 fine imposed by the AFM for his non-union work as a composer on The Banner Saga. The union has threatened to expel him if he doesn't pay up by January 19th. Wintory is investigating his legal options to combat such a decision, and has offered to write a $2,500 check to the L.A.-based Education Through Music charity in lieu of paying the union fine. Wintory is weighing his options. A good one would seem to be telling AFM where to stick its toys (and contracts) and ditching the union altogether. But that can have an adverse effect on finding work in other union-heavy industries, like movies and regular, old non-videogame music. These entities tend to require the hiring of union members, so the lack of an AFM card could keep Wintory from being hired should he choose to branch out. 
Other AFM members have worked around the union's stupid videogame contract by recording in Nashville (Tennessee is a right-to-work state) or overseas. Wintory incensed his "representatives" by ditching Los Angeles -- an area it firmly controls -- in favor of London, which was cheaper, didn't hit the game's producer for additional "future use" fees and didn't force anyone to adhere to a one-sided contract. So, it's still out to get its pound of flesh in hopes of discouraging other members from bypassing the contract they were never given the chance to agree to. In true AFM fashion, it is implementing another contract and letting its members know the specifics after the fact. Meanwhile, the Recording Musicians Association (RMA), the “player conference” within the AFM that represents many studio musicians, announced over the weekend that the union had concluded negotiations with the AMPTP on a new multiyear contract for recording TV and film scores. Details of the pact, however, were being kept under wraps Sunday. Musicians are expected to be informed of the details late Monday during meetings of the RMA and Local 47 membership. So, who's working for whom? Unions are supposed to represent their members. That's why members pay fees. AFM seems to genuinely have no concern about the well-being of its artists. (It doesn't care much for the general public either.) It fines them when they seek to do work they've been locked out of by a contract they never wanted and it keeps its negotiations with other entities secret until the ink has dried on all the signatures -- none of which belong to the members supposedly being "represented."

posted 15 days ago on techdirt
The US government has basically declared war over the Sony hacking, offering full-throated support for the beleaguered, embarrassed company. Why this one -- rather than the countless hacks of corporate networks (including those where credit card data and personal information were compromised) -- remains a mystery. The end result has been a call for more government intrusion and a reanimation of CISPA's lumbering corpse. "Share with us," says the government. "Gird yourself for the cyber Pearl Harbor," say its supporters. "Let us handle it," say those whose desire for expanded government power exceeds their crippling myopia. Yeah, let's do that. Let's allow the government to set the rules on cybersecurity. Let's give agencies like the DHS -- which can't even be bothered to secure its own assets -- more leeway to investigate and react to cyberthreats. (h/t to NextGov) DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk. The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the Department. For example, no one within DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014. That's the Government Accountability Office's assessment of the DHS's qualifications as a potential cybersecurity agency. [pdf link] This is the agency tasked with securing federal assets and ensuring the safety of not only government employees, but Americans in general. And it can't do it. In fact, it can't even begin to do it. 
Despite being specifically directed by 2002's Federal Information Security Management Act (FISMA) to periodically assess risks, report on them and DO SOMETHING ABOUT IT, the agency has managed to blunder into 2015 with no specific plan to tackle cyberthreats to the federal buildings under its protection. And, while the President and those pushing the revived CISPA seem rather keen on "sharing info," it's a one-way street, apparently. The DHS can't even be bothered to share with other government agencies. The Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report that identifies numerous undesirable events. Whatever the DHS/ISC has managed to glean from situations like 2009's hacking of a Dallas hospital's HVAC system or 2006's hacking of Los Angeles traffic signals hasn't been passed on to other government agencies because the ISC believes "active shooters" and "workplace violence" are bigger threats. Maybe so, in terms of actual physical violence, but that's no excuse for ignoring something the government as a whole considers to be its next battlefield. So, why is the DHS so bad at this? It would seem to be two things: the DHS is too big to move at the speed the threat mandates and it's always someone else's job. Because it has failed to take charge of the situation (despite a federal mandate and a 2013 presidential policy directive [p. 8-9]), no one seems to know what to do, how to do it or even who should do it. [B]ecause DHS has not developed a strategy, several components within DHS have made different assertions about their roles and responsibilities. For example, FPS’s Deputy Director for Policy and Programs said that FPS’s authority includes cybersecurity. 
However, FPS is not assessing cyber risk because, according to this official, it does not have the expertise. Furthermore, although ICS-CERT has developed a tool to assess cyber risk, it also is not assessing cyber risk to building and access control systems at federal facilities. Moreover, NPPD’s Federal Network Resilience is to, among other things, identify common cybersecurity requirements across the federal government, but it also is not working on issues regarding the cyber risk of building and access control systems in the federal government. An official from the Office of the Under Secretary of NPPD acknowledged that NPPD has not yet determined roles and responsibilities, including what entity should conduct cyber risk assessments of FPS-protected facilities or what assessment tool should be used. This official said that the Department has not developed a strategy, in part, because cyber threats involving building and access control systems are an emerging issue. Somehow, despite being well-financed and incredibly large, the DHS can't find the time to properly assess the facilities it's supposed to be "securing." Moreover, GSA [General Services Administration -- reports to the DHS] has not conducted security control assessments for all of its systems that are in about 1,500 FPS-protected facilities. In November 2014, GSA information technology officials said that from 2009 to 2014, the agency conducted 110 security assessments of the building control systems that are in about 500 of its 1,500 facilities. GSA has not yet assessed the security of control systems with network or Internet connections in about 200 buildings. GSA officials stated that they plan to assess these systems during fiscal year 2015. The GSA isn't just being outpaced by hackers. It's being outpaced by the government's own slow stagger into the connected future. 800 systems are expected to switch from "standalone" to networked in the near future. 
The GSA plans to re-assess these systems' security after the changeover, but it's still working its way through the last half-decade's backlog. With its parent agency unable to provide guidance and its other agencies unwilling to share information, the GSA becomes the third prong in this triumvirate of failure. And what it does actually get around to assessing isn't much help, either. Being crossed off the GSA's to-do list means being no more safe than you were before the agency finally strolled through the door. Further, our review of 20 of 110 of GSA’s security assessment reports (between 2010 and 2014) show that they were not comprehensive and not fully consistent with NIST guidelines. For example, in 5 of the 20 reports we reviewed, GSA assessed the building control device to determine if a user’s identity and password were required for login but did not assess the device to determine if password complexity rules were enforced. This could potentially lead to weak or insecure passwords being used to secure building control devices. GSA also conducted its assessments of building control systems in a laboratory setting which allowed it to test components and to identify weaknesses in their default configuration. However, GSA does not conduct further assessments after installation when configuration settings may no longer reflect their default values. As a result, GSA has limited assurance that the configurations assessed reflect the configurations implemented in the facility, thereby increasing the risk that vulnerabilities in building control systems may not be detected. This is the government that wants the nation's companies to "partner up" against cyberthreats and cyberterrorism: the same government that can't even ensure its own infrastructure is protected. And no one cares because compromising control systems doesn't make for very sexy copy or hawkish soundbites about being "tough on cybercrime." 
If you need a solid argument against the government's desire to play the part of (cyber)security guard to the nation's companies, look no further than the GAO's list of "Related GAO Products" (p. 34) that follows this report.
Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity. GAO-14-459. Washington, D.C.: June 5, 2014.
Information Security: Agencies Need to Improve Cyber Incident Response Practices. GAO-14-354. Washington, D.C.: April 30, 2014.
Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness. GAO-13-776. Washington, D.C.: September 26, 2013.
Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented. GAO-13-187. Washington, D.C.: February 14, 2013.
Cybersecurity: Threats Impacting the Nation. GAO-12-666T. April 24, 2012.
Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.
Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.
Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. GAO-07-1036. Washington, D.C.: September 10, 2007.
The government doesn't have the skills necessary to ply its wares in the cybersecurity business. If it can't lock down its own assets -- despite seemingly limitless funding and manpower -- it has nothing to offer the private sector but intrusiveness and harmful regulation. Now, if you're a fan of bad news, you're going to love the worse news. The fight over who should head up the government's War on All Things Cyber doesn't put the DHS at the front of the list -- but it's not because the agency clearly can't handle the job. 
It's because agencies that are even more intrusive than the DHS want a piece of the action, namely the FBI and the NSA. If either of these two end up in that position, expect to find domestic surveillance rules relaxed. The latter agency defines cybersecurity as "peeking in at everyone," which is at odds with those on the receiving end (US companies) who believe being secure means removing backdoors or otherwise locking everyone out, not just the "bad guys." That isn't going to sit well with the FBI and NSA -- one of which believes no one should be able to "lock out" law enforcement and one that intercepts hardware and inserts backdoors when not deploying malware for the same purpose. So, the DHS may be the lesser of three evils, if only because its incompetence exceeds its reach.

posted 15 days ago on techdirt
One of the consolations of spending far too much time online is that you get to witness the birth of new ideas and new terms, along with new uses of existing ones. On Medium, Chris Messina points out two recent examples of creative re-purposing of older ideas and words. The first is the apparently trivial idea of "unlisted" content:

My first personal experience with "unlisted" content online was likely on YouTube. Making a video unlisted means that only people who have the link to the video can view it. It also means that the content won't be broadcast to followers, or appear on the creator's public profile. This is known as security through obscurity since the video isn't secret, it's just hard to find. An unlisted video can be viewed without requiring authentication. Services seem to offer "unlisted" publishing to simplify sharing while providing more flexibility. It's a pragmatic solution to address the challenge that what people think they want (i.e. 100% secrecy and control) isn't in practice what they're willing to put up with. It comes down to behavioral economics: if the value of keeping something secret is less than the frustration caused by maintaining its secrecy, people will route around the system designed to keep the thing secret.

As he points out, in addition to YouTube, "unlisted" services are now available from Flickr, Dropbox, Google Drive, Vimeo and Medium. His other cultural find is at a much earlier stage of its development: the "burner account."

Like most people, "burner" connoted cheap, prepaid, disposable phones used by drug dealers to evade surveillance to me. ... It's not the phone that the drug dealers care about -- it's the repudiability. A burner essentially makes fungible the association between an attribute (like a phone number) and an individual. This is important. Whereas a social security number is used as a lifelong attribute (and is therefore not fungible), a phone number is useful as an identifier only as long as the owner chooses to keep it. Once the number has served its owner's purpose, it can be recycled back into the pool of available numbers without being traceable to the former owner.

As an example of its evolution, he cites a product called simply "Burner," created by a friend of his:

Burner is your "other" number -- a smart privacy layer for the smartphone era, giving users the power to take control of their communications and personal data. Enabling users to obtain and manage additional phone numbers for voice, SMS, and MMS communications, Burner is fast, safe and private. Burner lets users get as many numbers as they want, use each as a private line on an iPhone or Android phone, and keep numbers indefinitely or 'burn' numbers they no longer need.

But Messina points out that the meme is beginning to spread beyond a single product:

I recently noticed that [Gawker Media's] Kinja has adopted the "burner" nomenclature for anonymous commenting on its site -- the first example I've seen of this language being used on the web.

As well as their intrinsic value in extending the online ecosystem in novel ways, it's interesting that both "unlisted" publishing and "burner" accounts are about giving people more control over who knows what they are doing on the Internet, including the ability to hide it in different ways. Maybe that desire for privacy is a response to Snowden's revelations that we don't actually have as much of it as we thought.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 15 days ago on techdirt
Strange things happen when cops face grand juries. The system -- which is generally a streamlined prosecutorial rubber stamp -- seizes up. Two grand juries, within a few weeks of each other, faced the sort of "challenge" they face day after day: meet the low bar of "probable cause" to return an indictment. This "probable cause" bar is even lower than what cops face when they seek warrants. All there has to be is enough of a hint of evidence that the criminal case can be pursued. In both cases -- New York and Ferguson -- no indictment was returned. Suspicions that prosecutors went into the proceedings acting as defense counsels for the accused cops have been confirmed. The massive amount of evidence presented to the Ferguson grand jury was released to the public in a gesture of transparency, but it only served to show that the accused cop's case was handled much differently than the average citizen's would be. A recently-filed lawsuit seeking to overturn the lifetime ban on discussing grand jury cases detailed an unnamed juror's observations about the proceedings, noting they were significantly different than previous cases the juror had served on.

The same day the ACLU filed its lawsuit, a St. Louis citizen's group called The Ethics Project filed a misconduct complaint against Bob McCulloch with the Office of Chief Disciplinary Counsel. The complaint [pdf link] alleges several violations, including the introduction of perjured testimony, presentation of unconstitutional and outdated legal instructions to the grand jury and actively guiding the proceedings to their eventual outcome. The complaint also names assistant county prosecutors Kathi Alizadeh and Sheila Whirley. Frankly, as much as I'd like to see a deeper probe into the Ferguson grand jury's handling, I doubt this complaint will be the one to light the fuse. It's a mess. The presentation is sloppy and elliptical. Complaints are presented, only to be fully rehashed pages later.
Arguments lapse into near-incoherence and writers needlessly insert inflammatory language, making it difficult to take the complaint seriously. Sentences like this will do very little to encourage the disciplinary office to move forward with an investigation.

Prosecutors were not only negligent and acted with incompetence by failing to present a case that would be most favorable to the plaintiff, The State of Missouri, prior and subsequent actions of the County Prosecutor when viewed in their totality suggest that the case was intentionally represented in such a manner and to such a degree that it failed to render justice in this case by indicting Darren Wilson and has perpetuated a dangerous precedence of protecting law enforcement from prosecution no matter how egregious, reckless or intentional their acts of brutality or murder.

The underlying point -- that grand juries "indict ham sandwiches" because they are supposed to view the evidence in a light "most favorable to the plaintiff" (the prosecutor) -- is muffled by the sudden, sharp noise of ax-grinding. A formal complaint is no place for language this opinionated. A majority of the complaint is on point, if repetitively and at excessive length. The key complaint here is the presentation of contradicting and outdated instructions to the jury.

Kathi Alizadeh, with the assistance of Sheila Whirley and presumably the knowledge of McCulloch, presented an outdated statute towards the beginning of the Grand Jury hearings on September 16th (Volume 5 page 5) In a so-called attempt to correct the misleading the Grand Jurors were updated with more misinformation on (November 21st 2014 volume 24 page 132). Nineteen days and countless testimonies later the grand jurors are presented a 'reduced down statute so that it is applicable to this case.' The statement sounds leading and the statute is yet altered and not explained to the jurors correctly.
Alizadeh hands the jurors a statement titled 'law enforcements officer's use of force when making an arrest.'

The transcripts provide more insight into this misconduct claim. The Sept. 16th transcript has the outdated statute being presented to the grand jury, along with the seemingly unnecessary information that there is a concurrent federal investigation into Michael Brown's shooting.

I'm going to pass out to you all, you all are going to receive a copy of a statute. It is section 563.046, and it is, it says law enforcement officers use of force in making an arrest -- what is permissible, what force is permissible and when in making an arrest by a police officer. I also want to point out to you, I know you have probably heard or know that there also is a joint federal investigation that's going on at the same time. And several of our witnesses that you are going to hear from are also being interviewed by FBI agents or federal agents. And I want you to make sure you understand the issues that are before you, may be different than the issues in any federal investigation. Their investigation involves civil rights violations. This investigation involves whether there is criminal liability on the part of the officer involved in the shooting. So I can't tell you what the law is on the civil rights issues, but don't be confused about, you know, for example, what are the policies of the police department necessarily doesn't have anything to do with your decision. You certainly have the right to know these things if you wish to know these things, but keep in mind that there is a separate and distinct investigation going on by the feds involving civil rights violation or potential civil rights violation.

This leads directly into Alizadeh's admission that she's mislabeled two exhibits related to a certain witness, another of the misconduct allegations contained in the complaint.
As the complaint points out, this outdated use of force statute was half-heartedly retracted by Alizadeh when presenting the grand jurors with the charges to be considered. From the Nov. 21st transcript:

MS. WHIRLEY: We have prepared the law for you, we have prepared the relevant statutes, and Kathi is going to grab the indictments, they are ready. We just need to bring them in here and I'll pass this around. We have kind of reduced down the statute so that it is applicable to this case and easier to understand and read… So we're going to the statutes, and will give the foreperson the indictments and I will pick up the extras.

MS. ALIZADEH: So the indictments that we have prepared there is an indictment for murder in the first degree, a Class A felony and armed criminal action and unclassified felony, there is two copies. There is indictment for murder in the second degree and armed criminal, two copies. An indictment for voluntary manslaughter, a Class felony, and armed criminal action, two copies. An indictment for involuntary manslaughter in the first degree and armed criminal action, two copies. And involuntary manslaughter in the second degree and armed criminal action, two copies.

MS. WHIRLEY: The relevant statute it pretty much lays out the elements of the crimes that you have indictments for. It also has definitions that might be applicable to the crimes that are laid out in the statutes that you are looking at, it is not a statute, it is an indictment. The standard of proof is probable cause, we did confirm that. So you guys, that is what you have been working with probable cause all along since you have been grand jurors and that doesn't change. Even though this has been a very long, arduous task going through this evidence. Your standard of proof is still probable cause. You're not here to determine guilt or not guilty, it is probable cause, is it enough to go to trial.

[The emphasized sentences will become relevant in a little bit.]
The prosecutors then switch things up, presenting information that would steer jurors away from an indictment.

Now, what makes this a little bit different is that if you will look on page, the first page, it talks about assault of a law enforcement officer in the first degree. And that's part of the indictment because the officer is saying he was arresting him for assaulting him. So that's what you would be considering in your deliberation and we have provided you with definitions of assault in the first degree, on the second page is assault in the second degree and the third degree. And then also a law enforcement officer's use of force in making an arrest. An officer can use force in making an arrest, got that laid out for you.

And here comes Alizadeh to admit she screwed up two months earlier by handing out a statute that is both outdated and fails to comply with Supreme Court rulings.

MS. ALIZADEH: Real quick, can I interrupt about something?

MS. WHIRLEY: Sure.

MS. ALIZADEH: Previously in the very beginning of this process I printed out a statute for you that was, the statute in Missouri for the use of force to effect an arrest. So if you all want to get those out. What we have discovered, and we have been going along with this, doing our research, is that the statute in the State of Missouri does not comply with the case law. [...] And so the statute for the use of force to effect an arrest in the State of Missouri does not comply with Missouri Supreme, I'm sorry, United States Supreme Court cases. And so what Sheila has come up with is a statement of the law as to when an officer can use force to effect an arrest, that does track our Missouri Statute, but also takes into consideration what the Supreme Court says, okay. So the statute I gave you, if you want to fold that in half just so that you know don't necessarily rely on that because there is a portion of that that doesn't comply with the law. And then the thing that Sheila is giving you, that statement about use of force to effect an arrest, is that what you called it, is that the title.

MS. WHIRLEY: -- of force in making an arrest, yes.

MS. ALIZADEH: That does correctly state what when he can use deadly force in effecting an arrest, okay. I don't want you to get confused and don't rely on that copy or that print-out of the statute that I've given you a long time ago.

MS. WHIRLEY: Did you have a question?

GRAND JUROR: So we're to disregard this.

MS. ALIZADEH: It is not entirely I don't know incorrect or inaccurate, but there is something in it that's not correct, ignore it totally.

So, the jurors are asked to disregard something they've been using for two months… at the last minute as they head towards their deliberations. And then there's this:

[Y]ou must find probable cause to believe that Darren Wilson did not act in lawful self-defense and you must find probable cause to believe that Darren Wilson did not use lawful force in making an arrest. And only if you find those things, which is kind of like finding a negative, you cannot return an indictment on anything or true bill unless you find both of those things. Because both are complete defenses to any offense and they both have been raised in his, in the evidence.

Which contradicts Alizadeh's own words from the previous page:

And the one thing that Sheila has explained as far as what you must find and as she said, it is kind of in Missouri it is kind of, the State has to prove in a criminal trial, the State has to prove that the person did not act in lawful self-defense or did not use lawful force in making, it is kind of like we have to prove the negative.

So, after making it clear that a grand jury doesn't deliver a guilty/not guilty verdict (see above), Alizadeh instructs the grand jury to act like a trial jury and make determinations as to whether Darren Wilson's shooting of Michael Brown was defensible.
The grand jury only has to determine whether probable cause exists to move forward with criminal charges, but here the prosecutors instruct the grand jury to weigh both sides and only true bill if it's able to "prove a negative." That's not how this is supposed to work. These moments are the strongest evidence of prosecutorial misconduct. There are others listed, but the presentation of an outdated (and unconstitutional) statute -- one walked back at the last minute -- aligns the best with the "candor towards tribunal" rule cited at the beginning of the complaint. Also noted are the prosecution's leading questions -- particularly in terms of its very friendly interview with Darren Wilson, in which the officer was guided back on point anytime he strayed into murkier areas. There's also the fact that knowingly false testimony was introduced by the prosecution. Bob McCulloch's long-winded post-no-bill statement mentioned the contradictory testimony given by several witnesses, indicating he knew he was putting liars on the stand (so to speak). Additionally, Wilson's own testimony regarding his knowledge of Michael Brown's participation in a robbery changed over the course of time. Statements given prior to the grand jury proceedings made it clear Wilson did not know this fact when he encountered Brown, but his sworn testimony claims he did. This change of memory went unchallenged by the county's prosecutors.

The complaint also calls attention to McCulloch's inexplicable (but not really) decision to stall the announcement of the grand jury's findings. While this may not be actual evidence of prosecutorial misconduct, there's no question this announcement would have been better received during daylight hours. His choice to deliver it at 8 pm -- eight hours after the grand jury had reached its decision -- was deliberate, allowing him to chastise the media even as it filled with images of burning buildings and looters.
This allowed McCulloch to send the only message he didn't feel like vocalizing -- that Michael Brown and his supporters were violent criminals and the only thing standing between civilized society and the chaos filling the screen were brave officers like Darren Wilson. There may eventually be an investigation into the handling of this case, but I don't expect any damning findings or meaningful disciplinary actions to come of it. The lack of an indictment speaks for itself. The prosecutorial lap dog remains steadfast.

posted 15 days ago on techdirt
Artificial intelligence software has been getting better and better over the years at beating humans at their own games. Games like Connect Four and Checkers are already solved, and while we humans might like to point out that there are games like Othello, Go, Diplomacy and Calvinball that still favor human players, it may only be a matter of time before computers outwit us at those games, too. Check out a few more games that algorithms are learning to play better than human brains.

A specific version of Texas Hold 'em (heads-up limit Texas Hold 'em) will likely be dominated by computer players now that an algorithm has minimized a "regret" function for playing it. Poker hasn't been solved, but humans better watch out when playing online to make sure their opponents are actually other humans (if it's even possible to tell). [url]

A computer simulating ant behavior has found almost half a million novel solutions to the "knight's tour" problem in chess. This isn't really a game, but it shows how AI can use some pretty wild strategies to solve game-related challenges. [url]

The game of Go (aka wei qi) isn't going to be solved by a computer any time soon, but Go-playing software is getting better against human opponents. To make move decisions, advanced Go AI programs play randomized simulations of entire games to try to pick between move options. That's not quite how humans play the game, but apparently it's a somewhat winning strategy to use against human players. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

posted 15 days ago on techdirt
We recently reported on extraordinarily wide-ranging censorship imposed on Internet users in India. That's rather obscured another story that's been playing out there: an attempt to undermine net neutrality in the country. Here's how it began (via Slashdot):

Bharti Airtel Ltd, India's largest telecommunications carrier by subscribers, will soon start charging users extra money for using services such as Skype as Indian operators look to boost their data network and revenues. According to the company website, internet or data plans that give customers discounted rates will only be valid for internet browsing and will exclude Voice over IP services (VoIP). VoIP services include those such as Skype, Line and Viber that typically let users make free calls through the internet.

That's a clear attack on the principle that all IP packets should be treated equally, and prompted the creation of the site Net Neutrality India to raise awareness of what's at stake, as well as vague promises from the Indian government to "look into it." Shortly afterwards, Airtel took the hint that its move was not going down well, reported here by Medianama:

Bharti Airtel has issued a statement that it is withdrawing the launch of its VoIP packs, given that the TRAI [Telecom Regulatory Authority of India] has issued a statement that it will issue a consultation paper on issues relating to "services offered by OTT [Over-The-Top] players including VOIP."

Here's part of Airtel's statement:

We have no doubt that as a result of the consultation process a balanced outcome would emerge that would not only protect the interests of all stakeholders and viability of this important sector but would also encourage much needed investments in spectrum and roll out of data networks to fulfil the objective of digital India.

That's a standard position for telecom operators around the world, which claim that killing net neutrality is necessary to "encourage much needed investments" -- as if companies wouldn't invest in their networks anyway. Unfortunately, Airtel's optimism that TRAI will bless its anti-net neutrality moves is echoed by the Net Neutrality India site, which warns:

Though Airtel backed off, we should not forget that TRAI looks pro-operator. Regarding Airtel, they simply said that it violates net neutrality but is not illegal. We need solid regulations for this. TRAI will start the consultation soon about the issue.

Clearly, the battle for net neutrality in India is about to begin in earnest.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 15 days ago on techdirt
The United States Trade Representative (USTR) office is a complete joke. For many years, we've been discussing how the office is one of the most secretive there is, despite negotiating agreements that impact every American. And for years, the USTR has responded with a series of flat out lies, while insisting that it's being transparent. As we've noted, the USTR is really about as transparent as pea soup, with an institutional focus on secrecy. The negotiating positions that it takes on various trade agreements are shrouded in secrecy. When other countries push to be more transparent, the USTR inevitably rejects those pleas. While lobbyists get full access to some of the documents (including the ability to log in and see the latest texts), members of Congress who want to see the details have to go to the USTR, aren't allowed to bring any staffers, and aren't allowed to make any copies or take any notes. And, it tries to actually make it difficult for most members of Congress to read the docs anyway.

The big lie from the USTR has long been that because it "listens" to anyone who wants to come in and talk, it's being transparent. Or it claims that because it (sorta) listens to Congress and Congress is "the people's representative" that it's being transparent. But, as we've explained over and over and over again, the USTR is confusing "listening" with "transparency." In the past, we've been fairly explicit about how the USTR is wrong about this:

Listening:     People ---- information -----> USTR
Transparency:  USTR --- information ----> The Public

But the USTR keeps trotting this one out. It's released a new, almost entirely bogus "fact sheet" on Transparency and the Obama Trade Agenda. Take a look at the "facts" and see which ones are actually about "transparency" and which ones are about pretending to listen:

The Administration is working to cast a wide net to draw in the views of the public and to share information at every step of the negotiating process.
To that end, for the negotiations currently ongoing, the Administration has:

Solicited public comments on negotiation aims, priorities and concerns, including through the Federal Register.
Held public hearings inviting input on the negotiations.
Organized first-of-a-kind stakeholder events where the negotiations are suspended so that a diverse group of stakeholders can meet with negotiators. These sessions are open to the public and provide a valuable opportunity for U.S. negotiators to hear and respond to critiques and suggestions.
Shared information on the current status of negotiations through blog posts, trade policy updates, press releases, statements, conference calls with stakeholders and the press, and tweets.

That last one actually involves sharing some information, but always in a half-hearted and misleading way. It talks about the status of the negotiations, sure, but not about the actual text. And it's the actual text that matters. But in USTR-lala-land, we don't get to see the actual text until it's too late to change it. That's the whole point of the USTR seeking "fast track authority" from Congress, meaning that effectively what it hands in can't be changed at all. That allows the lobbyists to tinker with the details and change the language in dangerous ways, without giving anyone who understands the impact of these things a chance to comment on it until it's too late. The USTR insists that it can't "negotiate in public," but that's bullshit. Other international agreements frequently involve proposals and negotiating texts released to the public for comment. There is no good reason that the USTR can't do the same. The only real reason that's been given by the USTR is that actual transparency would lead to public opposition. And that's not a valid reason.
The USTR can fix this by changing to true transparency, but this argument has been going on for years, and instead of doing the right thing, it just issues more bogus "fact sheets" where it obfuscates reality by pretending to be transparent, while actually being anything but transparent.

posted 15 days ago on techdirt
Over the weekend in Paris there was a so-called "Unity March" in response to last week's Charlie Hebdo attack. The photographs from the march were striking -- even if the famed photo of many world leaders holding hands and marching together turned out to be a photo op on a closed street, rather than with the rest of the marchers. And, of course, this was all a facade. Many of the leaders who were there oversee governments that don't believe in free speech or a free press at all. Here, for example, is Jillian York trying to figure out if any of the leaders truly support freedom of expression.

And, to just put a big underline on the whole thing, just days later, France has arrested a famous and controversial French comedian, Dieudonné, who has quite a reputation for his outspoken anti-semitism. The arrest was over a Facebook post that Dieudonné put up that basically mocked the "Je Suis Charlie" campaign that had become the rallying cry following the Charlie Hebdo attack, and instead indicated that he identified more with Amédy Coulibaly, a gunman who killed four people at a Jewish supermarket on Friday. Dieudonné's views may be offensive, ridiculous or despicable, but it's much more offensive, ridiculous and despicable to have him arrested for a comment on Facebook. And, it's even more ridiculous to do it when his comment concerns the way people were expressing support for freedom of the press and freedom of expression. To then immediately arrest someone for using that freedom to give a counter-view, just seems ridiculous.

And while it's the most high profile, Dieudonné is hardly the only target, apparently. According to the BBC, France has really ramped up attacks on free speech in response to all this damn support of free speech:

The justice ministry said earlier that 54 cases had been opened since the murders of 17 people in Paris last week. Of those, 37 cases involved condoning terrorism and 12 were for threatening to carry out terrorist acts. Some fast-track custodial sentences have already been handed down under anti-terror legislation passed last November

A man of 22 was jailed on Tuesday for a year for posting a video mocking one of the three murdered policemen
A drunk driver was given four years in prison after making threats against the police who arrested him
Three men in their twenties were jailed in Toulouse for condoning terrorism
A man of 20 was jailed in Orleans for shouting "long live the Kalash[nikov]" at police in a shopping center

Hey, France, I don't quite think you're getting the message. "I support free speech... so long as it is free speech that I sort of agree with" kind of misses the point. The views of some of these people expressing support for killers or terrorists or hatred towards certain types of people are speech that I find, personally, to be despicable. But those expressing it should be allowed to express it -- broadcasting their own confusion and ignorance to the world, and allowing others to counter that speech. Arresting people based on their speech only reinforces the ridiculous idea that they've come upon some truth or that they're speaking "truth to power." They're not. They're speaking nonsense, but in a free society we allow nonsense to be spoken.

posted 15 days ago on techdirt
Don't let the fact that no crime occurred stop you from attempting to prosecute someone, Sparky. (via PINAC)

Naperville Police Chief Robert Marshall said he is consulting the city's legal department after the three-minute video posted on YouTube by user JPDrone came to his attention. Shot at night, a drone camera flies over City Hall and several downtown streets, providing a unique view of seasonal decorations while cars and pedestrians move around city streets below.

Photography Is Not A Crime points out that there is no law in Illinois that addresses what happened here. The closest the state gets to private drone prohibition involves a very specific set of circumstances.

While Illinois has passed a law making it a crime to use a drone to interfere with hunting and fishing, there are no other state laws preventing the public from using "drones," more appropriately called RC (remote-controlled) copters.

If the local lawyers can't figure out some way to nail John Pauley for his not-illegal act, Chief Marshall is willing to go over his own head.

"Obviously, if they're flying over a public area, you have to ask if there's any risk to public safety, who's the operator and if he's abiding by the regulations set in place by the FAA," Marshall said. "There was a request from an individual who wanted to fly a drone camera overhead at Ribfest last summer, and we did not allow that."

Ah, "public safety." The one-size-fits-all hammer for every annoying nail that refuses to fit neatly into existing legal confines. The thing is, John Pauley has been very careful about his drone usage ever since his run-in with the Geneva (IL) police department officers, who expressed concern about his flying camera. Since then, Pauley has made an effort to notify proper employees before taking to the air. This includes the Naperville Police Department.

He said he called Naperville police before doing the nighttime video, which he said was filmed from less than 200 feet above the city.
This statement remains unaddressed. Neither confirmed nor denied or even acknowledged. So, it's Pauley's word against the Naperville PD's, the latter of which hasn't offered any words contradicting his claim. Maybe Chief Marshall is just suffering from drone envy. Illinois state laws do prohibit the use of drones by law enforcement. Section 10. Prohibited use of drones. Except as provided in Section 15, a law enforcement agency may not use a drone to gather information. The Section 15 exceptions (and there are a lot of them) are: preventing a terrorist attack, with a warrant, imminent harm to life, locating a missing person (but notably, not as part of a criminal investigation), and crime scene/crash photography. Flying over private land for the latter also requires the acquisition of a search warrant. "Freedom from drone surveillance," as the law is titled. That applies to law enforcement only. It says nothing about private use. The FAA may choose to fine Pauley if Chief Marshall decides to rat him out (the FAA restricts private drone usage to daytime hours), but it appears there's little he can actually do about this from his end. Marshall appears to believe that if he thinks something's illegal, it must actually be, even if all evidence points in the other direction -- really not the sort of attitude you want in a law enforcement official. As of yet, no charges have been filed, but never underestimate the creativity of law enforcement personnel whose common sense has been shouted down by their desire to prosecute.Permalink | Comments | Email This Story

posted 15 days ago on techdirt
We've written before about faulty legal activities based on nothing stronger than an IP address. An IP address is not a person, but many entities have decided it's "close enough." Fortunately, the judicial system has (occasionally) stepped in to correct this assumption, usually in the context of copyright infringement lawsuits. There are those in the law enforcement arena who know an IP address can't be used as an identifier. Careless statements get made about the "danger" of open WiFi connections, or it's suggested that accessing open networks should be illegal. This doesn't have much to do with keeping citizens safe, but it does have everything to do with easing law enforcement's investigative workload.

A lawsuit filed against the Evansville, Indiana police department is being allowed to move forward. The suit centers on the raid of a 68-year-old woman's house -- a raid predicated on an IP address related to an unprotected WiFi connection.

In June of 2012, threats against the police department were posted to Topix.com. The following posts were discovered under the heading “EPD leak!!! All officers addresses are being passed around Evansville”:

“Me n my boys need them copys asap.need to pay a few a visit.”

“[Chief] Bolin lives behind parkside”

“Lol at all da cops commenting,f#+k the police.you mfs need to b taught a lesson,always harassing n violating mfs rights. 4th of July a cops house gonna got hit.dont care about your kids or btchs lives.I dnt even care about my own life.I got my reasons…times ticking.?”

“Cops be aware.Note:I am proud of my county,but I hate police of any kind..I have explosives.:) made in America.Evansville will feel my pain.guess who’s in the river.”

The police -- possibly tipped off by a news reporter (there were also unverified claims about the FBI contacting the EPD) -- began an investigation. The EPD subpoenaed Topix and the local cable provider to discover the user's information. The information traced back to 68-year-old Louise Milan's house. The information was verified by police wardriving, confirming that there was an open WiFi connection in the vicinity of Milan's residence. Also discovered during the initial surveillance was known gang member Derrick Murray, who was two houses down sitting on his mother's porch.

A search warrant for the Milan residence was obtained, but it notably did not include any mention of either Derrick Murray or the unsecured wireless network. Instead, the warrant request asserted that the device from which the threats had been posted was actually in Milan's home.

The request also stated that “in order for a particular electronic device to utilize a particular IP address, . . . [it] requires the electronic device to be IN the residence of 616 E. Powell Avenue to access the internet provided . . . to the residence.”

Further investigation uncovered the criminal activities of Milan's stepson, Anthony Milan, and HIS son, Anthony Milan, Jr. This was used by the EPD -- despite neither of these Milans having resided at Louise Milan's residence for over four years -- to tie Milan's home to the online threats. Using this information -- much of it faulty or circumstantial -- the EPD determined that the only "safe" way to approach the Milan residence was a SWAT raid. This plan moved ahead despite statements indicating the EPD knew it was raiding the wrong person's house.

This decision was made, and ultimately carried out, despite the fact that Murray—and not Milan or her relatives—was identified during the “pre-raid briefing” as likely being “ultimately responsible” for the threats.

Helmet cam video of the raid shows how it went down. It was not a "no-knock" warrant, but the "knock" delivered by the SWAT team had very little to do with announcing its presence and everything to do with giving itself permission to smash through the front door and hurl flashbangs into the house. Louise Milan and her 18-year-old granddaughter were cuffed and led from the house at gunpoint. Their computer was seized. Two days later, the police raided Derrick Murray's residence and recovered the device used to post the threats to Topix. Notably, Murray watched the raid of Milan's house go down from the comfort of his mother's porch.

Shortly thereafter, Milan filed suit against the police department and the city of Evansville, claiming her rights were violated by the SWAT team raid. Judge William T. Lawrence addresses each of Milan's complaints and, unfortunately, dismisses most of them. For Milan's claim of unreasonable search and seizure, Lawrence states:

When Detective Brown made this statement, however, he knew that an unsecured Wi-Fi network in a residence may be accessed from outside the home. The Court is troubled by Detective Brown’s statement. Even so, the Court finds that his statement did not render the search warrant invalid. Even if Detective Brown had stated that Milan’s router could be accessed from outside the home, the warrant would still be supported by probable cause. The threats were made using Milan’s IP address; “though it was possible that the transmissions originated outside of the residence to which the IP address was assigned, it remained likely that the source of the transmissions was inside that residence.”

The dismissal of the false arrest claims follows in line with Judge Lawrence's determination that the search warrant was valid, despite Detective Brown's false assertions. If the search warrant was valid, the detainment was valid. That Milan was only detained for 20 minutes also factored into this decision.

But when it comes to Milan's accusation of unreasonable force, Judge Lawrence finds enough evidence to allow the lawsuit to proceed. Officers are allowed to use tactics and force they deem necessary to control a potentially dangerous situation. Law enforcement agencies are granted a lot of leeway by the courts when it comes to raids like these. But Judge Lawrence finds the EPD's assertion that the methods used were necessary because of the potential danger short on evidence of actual danger. He points again to the fact that the pre-raid briefing made it clear that Derrick Murray -- not anyone in the Milan residence -- was the most likely suspect. The fact that the posted threats declared July 4th (still two weeks away at the time of the raid) to be the day the acts would be carried out also indicated that there was minimal danger in approaching the Milan residence. Furthermore, the police chief invited a news crew to be on hand for the raid (as "repayment" for the threat tip) -- again suggesting the danger level was rather low. That, coupled with the fact that the SWAT team broke through the glass door and threw (rather than carefully placed) distraction devices into the home within seconds of arrival, brings Judge Lawrence to the following conclusion.

It is questionable whether the officers had sufficient time to look inside to ensure that no one would be injured by the devices. It is also undisputed that the officers were not carrying a fire extinguisher during the search. These facts lead the Court to conclude that there are questions of fact regarding whether the Defendants’ actions were unreasonable and excessive. Thus, summary judgment on this issue is not appropriate. The Court therefore DENIES summary judgment as to this claim.

Then Judge Lawrence goes further, declaring that the excesses of the EPD's use of force are enough to strip it of qualified immunity.

As detailed above, the decision to use the SWAT team and the distraction devices was made based solely on the nature of the threats and the small possibility that Milan, Sr., Milan, Jr., or Marc were responsible for the threats and would be found inside Milan’s home—that is it. The officers, however, did not see any of those men enter or leave Milan’s residence during their period of surveillance. Additionally, the officers suspected that Milan’s WAP was unsecured and that Murray was “ultimately responsible” for the threats long before they executed the search warrant at Milan’s home. Thus, there was little—if any—evidence that they would encounter a violent person. As discussed above, there was also no emergency situation (as the threat was for July 4), the officers did not carry a fire extinguisher, and the videos arguably indicate that the officers did not have sufficient time to look inside the residence for individuals who might be harmed before tossing (rather than placing) the distraction devices into Milan’s home. Lastly, there did not appear to be a dangerous point of entry. It was a clear day, and the front door (but not the storm door) was open when the SWAT team arrived. For these same reasons, the Court also concludes that the EPD’s use of force “so clearly exceeded the bounds of reasonableness in the circumstances that it cannot be said to lie near the ‘hazy border between excessive and acceptable force’ along which qualified immunity shields officers from liability for their snap judgments, if those judgments prove to be wrong upon further reflection.” Id. at 786. These were not snap judgments; they were methodical and deliberate decisions, which were based on limited facts and an incomplete investigation. A reasonable officer would know that the EPD’s actions were constitutionally excessive.

While Judge Lawrence's decision to overlook Detective Brown's portrayal of an open WiFi network as a positive indicator of a device's location is unfortunate, his refusal to grant summary judgment against the claims of excessive force and his stripping of the principals' qualified immunity somewhat mitigate this. This entire debacle was based on a purposefully wrong assertion, but the Evansville PD has been spared having to answer directly for this misrepresentation.

posted 16 days ago on techdirt
On Monday, President Obama gave a speech kicking off his big push on cybersecurity, with many of the details being released on Tuesday, and they don't look very good. There are a lot of different pieces, but we'll just highlight the two that concern us the most.

First up: information sharing/"cybersecurity." The key issue here: is it the return of CISPA? CISPA, of course, is the cybersecurity "information sharing" bill that is introduced each year, but which is really about giving the NSA a tool to pressure companies into sharing their information (by granting immunity from liability to those companies). In 2012, President Obama rejected the CISPA approach as not having enough protections for privacy and civil liberties. And, indeed, contrary to what some have said, the official proposal is not "endorsing CISPA." The approach is definitely more limited, and the biggest concern is addressed. Rather than giving the information to the NSA (or the FBI), Homeland Security gets it. DHS isn't wonderful, but it's better than the other two alternatives. Companies can still give the info to the NSA or FBI (or others), but won't get full immunity from lawsuits if they do.

But where the new proposal falls woefully short is in its lack of privacy protections. It basically handwaves its way through the privacy question, saying there will be guidelines, but the guidelines aren't written yet, and they're fairly important here. Instead, there's just a plan to make them:

The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the Department of Homeland Security and Department of Justice, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, the heads of sector-specific agencies and other appropriate agencies, and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act

Yes, it promises that those guidelines will limit the "acquisition, interception, retention, use and disclosure" of information, but it's still not entirely clear what the final guidelines will be.

The second problem, still not addressed in all of this, is explaining why this is needed. People keep saying that we need "information sharing" because of "cyberthreats," but no one argues why that information sharing can't happen today, or points out what regulations today get in the way. That's because they don't. Companies can share information today, but the focus of this bill is to try to grant them broad immunity in case they share the wrong (private) info and it gets out.

The second concerning proposal is the update to the CFAA (the Computer Fraud and Abuse Act). The CFAA, of course, is the widely misused "anti-hacking" law that has been stretched and twisted by law enforcement and prosecutors over time to argue that merely disobeying terms of service could be seen as "hacking." While some courts have limited that ridiculous interpretation, the changes here seem fairly messy and could bring back that possibility. The language takes a lot of careful picking through to interpret, and it appears that it may fix some small issues with the CFAA, but it opens up other massive holes that are seriously problematic. The White House claims this fix would "enhance [the CFAA's] effectiveness against attacks on computers and computer networks." But that's not the problem with the CFAA. The problem is that it's already seriously overbroad and used in dangerous ways. That's barely addressed.

The main "fix" is that if you "intentionally exceed authorized access," there are then conditions that must be met to trip the CFAA wire -- and a key one is that the value of the information obtained must "exceed $5,000." But, of course, with the way the gov't inflates the value of information... that seems like a pretty small hurdle.

The really big problem, though, comes in section (e)(6), which adds a troubling definitional change to "exceeds authorized access." This is the whole bit that's been used as evidence of "terms of service" violations. The key case that rejected this theory is the Nosal case, and that seems to be completely wiped out with this little addition to exceeding authorized access:

for a purpose that the accesser knows is not authorized by the computer owner;

This is likely to be interpreted to mean that if a terms of service bans a certain type of use, they have "knowledge," and thus violating that kind of use is back to being a problem under the CFAA. As Orin Kerr argues, this could be read to mean that if your employer says you can only use a computer for work reasons, and you surf for personal reasons, you've broken the law. It is also possible to read this section to mean that using someone else's Netflix or HBOGO password... could violate the law. Yikes! Of course, one hopes that law enforcement wouldn't go after those types of violations, but a more serious concern may be the impact on security research. Finding a hole in a website that allows you to access data that was publicly exposed could be seen as exceeding access, on the basis that whoever finds it "knows [it] is not authorized by the computer owner." Basically, it requires the government to argue that whoever they're going after should have known that the computer owner "wouldn't like" it. That... opens up a big can of worms that the DOJ will abuse like crazy.

The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it's an "organized crime group." It also ups the penalties for things that might be considered "actual hacking" (i.e., getting around technological barriers to access a computer) -- making it automatically a felony with up to 10 years in jail (rather than the existing law, under which it could be a misdemeanor or a felony and the limit is 5 years in jail). And, of course, it expands civil forfeiture procedures so that law enforcement can seize (and likely keep) all your computer equipment if it thinks you're violating the CFAA. Looks like law enforcement can now go "shopping" for computers.

Once again, we seem to be facing a situation where the administration is more focused on what law enforcement wants, while paying lip service to protecting the public from likely law enforcement and intelligence community abuse. That's really unfortunate. A massive missed opportunity to actually do something productive here.

posted 16 days ago on techdirt
On Tuesday, the trial of Ross Ulbricht, the guy accused of being the "Dread Pirate Roberts" behind Silk Road (1.0), began, and apparently the defense's legal strategy is to claim some other guy was the real DPR, and Ulbricht was just the fall guy. According to Andy Greenberg:

In his opening statement in a Manhattan courtroom, defense attorney Joshua Dratel began with a surprising admission: that his client Ross Ulbricht was in fact the founder of the Silk Road. But Dratel went on to explain that the site was meant merely to be a kind of “economic experiment” that Ulbricht only controlled for a brief time. The eventual adoptive owners of the Silk Road, Dratel claimed, would later trick Ulbricht into serving as the “fall guy” when they sensed an impending law enforcement crackdown. “After a few months, he found it too stressful for him, and he handed it over to others,” Dratel told the jury, describing the Silk Road’s early days. “At the end, he was lured back by those operators to…take the fall for the people running the website.”

That's... a different argument than has been suggested in the past. It also seems like it would require a bit more evidence. And that's going to be tough. The admission that he created the Silk Road was apparently necessary, as Ulbricht had confessed that to an old friend whom the prosecutor plans on calling as a witness. However, Ulbricht's lawyer claims they may know who the real Dread Pirate Roberts is, but, again, this seems like a massive legal long shot. While I have many concerns about how Ulbricht was found out, and about whether or not merely operating an online marketplace should be illegal (leaving aside the question of whether and how Ulbricht participated in that market...), to argue that "some other guy did it" and then (conveniently) set Ulbricht up to be the fall guy... seems extremely far-fetched. Greenberg's summary:

The new operators of the Silk Road “had been alerted the walls were closing in,” Dratel said. “That’s what compelled the Dread Pirate Roberts to put his escape plan into action,” framing Ulbricht, according to Dratel’s telling. In Dratel’s version of events, Ulbricht’s store of bitcoins was simply the earnings from his early investments in the cryptocurrency, not the Silk Road profits the prosecutors allege. He points out that the bitcoins seized from Ulbricht are only a “small fraction” of the full $18 million the government has said the Dread Pirate Roberts earned in Silk Road commissions. And he implied that the evidence found on Ulbricht’s computer at the time of his arrest was falsified to “leave him holding the bag when the real operators of Silk Road knew their time was up.” He didn’t elaborate on how evidence could have been planted on Ulbricht’s PC. “[The Dread Pirate Roberts] is someone who studiously avoided revealing his identity to anyone on the site…This same person goes to a public library and uses a public Wifi connection?” Dratel asked the jury. “That Ross is DPR is a contradiction so fundamental that it defies common sense.”

There's no doubt, if the US's argument is accurate, that Ulbricht was somewhat sloppy, but using that sloppiness as "proof" that he wasn't really DPR, while admitting he had founded Silk Road and when he was found logged into the admin account... just seems unbelievable.
