In the post-Snowden era, a report written by Susan McGregor <susan.e.mcgregor@gmail.com> (Columbia University's Tow Center for Digital Journalism) is timely and highly relevant, especially to digital journalists and lawyers who might wish to defend them! (I believe Susan would welcome constructive comments, because this online report has not yet been published in final form. PGN)

http://susanemcg.gitbooks.io/digital-security-for-journalists/

[This topic is clearly a source-pot (or sore-spot, if you prefer). What's Source for the Goose may goose the ganderer. PGN]
[Note: This item comes from friend David Rosenthal. DH]
[via Dave Farber, who commented: 'It's hard to be cynical enough ...']

digby's blog, 2 Nov 2014
http://digbysblog.blogspot.com/2014/11/all-governments-must-protect-ability-of.html

This is very special:

The White House, Office of the Press Secretary
For Immediate Release, November 02, 2014

Statement by the President on the First-Annual International Day to End Impunity for Crimes Against Journalists

History shows that a free press remains a critical foundation for prosperous, open, and secure societies, allowing citizens to access information and hold their governments accountable. Indeed, the Universal Declaration of Human Rights reiterates the fundamental principle that every person has the right "to seek, receive, and impart information and ideas through any media and regardless of frontiers."

Each and every day, brave journalists take extraordinary risks to bring us stories we otherwise would not hear - exposing corruption, asking tough questions, or bearing witness to the dignity of innocent men, women and children suffering the horrors of war. In this service to humanity, hundreds of journalists have been killed in the past decade alone, while countless more have been harassed, threatened, imprisoned, and tortured. In the overwhelming majority of these cases, the perpetrators of these crimes against journalists go unpunished.

All governments must protect the ability of journalists to write and speak freely. On this first-ever International Day to End Impunity for Crimes against Journalists, the United States commends the priceless contributions by journalists to the freedom and security of us all, shining light into the darkness and giving voice to the voiceless. We honor the sacrifices so many journalists have made in their quest for the truth, and demand accountability for those who have committed crimes against journalists.

Well, some of the time anyway.
In a speech today in Washington, AP President and CEO Gary Pruitt [said]:

The actions of the DOJ against AP are already having an impact beyond the specifics of this case. Some longtime trusted sources have become nervous and anxious about talking with us, even on stories unrelated to national security. In some cases, government employees we once checked in with regularly will no longer speak to us by phone. Others are reluctant to meet in person. In one instance, our journalists could not get a law enforcement official to confirm a detail that had been reported elsewhere. Imagine: officials were so fearful of talking to AP they wouldn't even confirm a fact that had already been reported by numerous other media. And I can tell you that this chilling effect on news gathering is not just limited to AP. Journalists from other news organizations have personally told me that it has intimidated both official and nonofficial sources from speaking to them as well. Now, the government may love this. But beware a government that loves too much secrecy. [...]
G.W. Schulz, Center for Investigative Reporting, 20 Oct 2014

While revelations from Edward Snowden about the National Security Agency's massive database of phone records have sparked a national debate about its constitutionality, another secretive database has gone largely unnoticed and without scrutiny. The database, which affects unknown numbers of people, contains phone records that at least five police agencies in southeast Virginia have been collecting since 2012 and sharing with one another with little oversight. Some of the data appears to have been obtained by police from telecoms using only a subpoena, rather than a court order or probable-cause warrant. Other information in the database comes from mobile phones seized from suspects during an arrest. ...

http://www.wired.com/2014/10/virginia-police-secretively-stockpiling-private-phone-records/
Megan Geuss, Ars Technica, 30 Oct 2014
Although her face was blurred out, the image had "part of her breast exposed."

Earlier this month, a Quebecois court in Montreal decided that Google owed a woman $2,250 for picturing her with "part of her breast exposed" in a Street View image. The woman was sitting in front of her house, and although her face was blurred out, she was still identifiable by her coworkers, especially as her car was parked in the driveway without the license plate blurred out. ...

http://arstechnica.com/tech-policy/2014/10/google-ordered-to-pay-a-woman-2250-for-street-view-image-showing-cleavage/
Virginia judge: Police can demand a suspect unlock a phone with a fingerprint
But passcodes need not be divulged as per the Fifth Amendment, court says.
Megan Geuss, Ars Technica, 31 Oct 2014

A Virginia Circuit Court judge ruled on Thursday that a person does not need to provide a passcode to unlock their phone for the police. The court also ruled that demanding a suspect to provide a fingerprint to unlock a phone would be constitutional. ...

http://arstechnica.com/tech-policy/2014/10/virginia-judge-police-can-demand-a-suspect-unlock-a-phone-with-a-fingerprint/
Cyrus Farivar, Ars Technica, 31 Oct 2014
California Highway Patrol officer suspect: image trading was a years-old game.

Prosecutors in Contra Costa County, directly across the bay from San Francisco, have filed criminal felony charges against a former California Highway Patrol (CHP) officer, Sean Harrington, who is accused of seizing and distributing racy photos copied from arrestees' phones. ...

http://arstechnica.com/tech-policy/2014/10/cop-charged-with-stealing-nude-pics-from-womens-phones/
Tam Harbert, Computerworld, 30 Oct 2014
The help desk can be caught in the middle in more ways than one when users put risqué material on their personal devices
http://www.infoworld.com/article/2841557/security/the-icky-part-of-tech-support-porn-and-other-nsfw-surprises.html

opening text:

As the recent scandal over leaked celebrity photographs reminded us all, people use their electronic devices for very personal pursuits in the era of smartphone ubiquity. Depending on the age and inclination of its owner, a modern-day digital device might contain not just nude selfies like those that were shared online, but images from dating sites like Tinder and Grindr, creepshots, or other salacious or even illegal material downloaded from the backwaters of "the dark Web" via anonymizers like Tor. As blogger Kashmir Hill summed up as the selfie scandal was unfolding, "Phones have become sex toys."
Cyrus Farivar, Ars Technica, 31 Oct 2014
His accomplice was sentenced to 6 months and was released for time served.

After being convicted of "hacking and gross damage," Gottfrid Svartholm Warg, better known by his nom de hacker "anakata," was sentenced (Google Translate) to 3.5 years in prison by a Danish court on Friday. One day earlier, the Pirate Bay co-founder was found guilty of illegally accessing the country's driver's license database (Google Translate), social security database, and the shared IT system across the Schengen zone, Europe's common passport regions. Using this access, he obtained the e-mail accounts and passwords of 10,000 police officers and tax officials. All of that data was managed by CSC, a large American IT contractor. ...

http://arstechnica.com/tech-policy/2014/10/after-massive-danish-hack-gottfrid-svartholm-warg-sentenced-to-3-5-years/
Electronic Frontier Foundation Media Release

Peter Eckersley, Technology Projects Director, Electronic Frontier Foundation, pde@eff.org, +1 415 436-9333 x131
Rebecca Jeschke, Media Relations Director, Electronic Frontier Foundation, press@eff.org, +1 415 436-9333 x177

Which Messaging Technologies Are Truly Safe and Secure?
EFF's 'Secure Messaging Scorecard' Rates Digital Communication Tools

San Francisco - In the face of widespread Internet data collection and surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer "secure messaging" products - but how can users know if these systems are actually secure? The Electronic Frontier Foundation (EFF) released its Secure Messaging Scorecard today, evaluating dozens of messaging technologies on a range of security best practices.

"The revelations from Edward Snowden confirm that governments are spying on our digital lives, devouring all communications that aren't protected by encryption," said EFF Technology Projects Director Peter Eckersley. "Many new tools claim to protect you, but don't include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message."

The scorecard includes more than three dozen tools, including chat clients, text messaging apps, email applications, and technologies for voice and video calls. EFF examined them on seven factors, like whether the message is encrypted both in-transit and at the provider level, and if the code is audited and open to independent review. Six of these tools scored all seven stars, including ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure. Apple's iMessage and FaceTime products stood out as the best of the mass-market options, although neither currently provides complete protection against sophisticated, targeted forms of surveillance.
Many options--including Google, Facebook, and Apple's email products, Yahoo's web and mobile chat, Secret, and WhatsApp--lack the end-to-end encryption that is necessary to protect against disclosure by the service provider. Several major messaging platforms, like QQ, Mxit, and the desktop version of Yahoo Messenger, have no encryption at all.

"We're focused on improving the tools that everyday users need to communicate with friends, family members, and colleagues," said EFF Staff Attorney Nate Cardozo. "We hope the Secure Messaging Scorecard will start a race-to-the-top, spurring innovation in stronger and more usable cryptography."

The Secure Messaging Scorecard is part of EFF's new Campaign for Secure and Usable Cryptography, and was produced in collaboration with Julia Angwin at ProPublica and Joseph Bonneau at the Princeton Center for Information Technology Policy.

For the full Secure Messaging Scorecard: https://www.eff.org/secure-messaging-scorecard
For this release: https://www.eff.org/press/releases/which-messaging-technologies-are-truly-safe-and-secure

[Of course, the correct answer to the titled question, Which Messaging Technologies Are Truly Safe and Secure? is generally NONE of them, under any realistic threat model that includes penetration of typically nonsecure operating systems and insider misuse. RISKS readers should know that by now. PGN]
Daily Dot via NNSquad
http://www.dailydot.com/politics/eff-secure-messaging-scorecard-critics/

"The EFF scorecard gives Skype two check marks for being encrypted in transit and encrypted so the provider can't read it. That was a hard sell for many privacy advocates, who immediately pointed to reports from the Edward Snowden leaks saying the National Security Agency (NSA) had tripled the amount of Skype video calls being collected through Prism."
FYI: The NSA TAO is old (black) hat; the FBI wants to implant malware into your computer, too. The FBI is so afraid of "going dark", that it wants to "go black" (hat).

http://www.theguardian.com/us-news/2014/oct/29/fbi-powers-hacking-computers-surveillance

FBI demands new powers to hack into computers and carry out surveillance
Ed Pilkington, *The Guardian*, 29 Oct 2014
Agency requests rule change but civil liberties groups say "extremely invasive" technique amounts to unconstitutional power grab.

The FBI is attempting to persuade an obscure regulatory body in Washington to change its rules of engagement in order to seize significant new powers to hack into and carry out surveillance of computers throughout the US and around the world.

Civil liberties groups warn that the proposed rule change amounts to a power grab by the agency that would ride roughshod over strict limits to searches and seizures laid out under the fourth amendment of the US constitution, as well as violate first amendment privacy rights. They have protested that the FBI is seeking to transform its cyber capabilities with minimal public debate and with no congressional oversight.

The regulatory body to which the Department of Justice has applied to make the rule change, the advisory committee on criminal rules, will meet for the first time on November 5 to discuss the issue. The panel will be addressed by a slew of technology experts and privacy advocates concerned about the possible ramifications were the proposals allowed to go into effect next year.

[... PRUNED FOR RISKS. PGN]

https://s3.amazonaws.com/s3.documentcloud.org/documents/1348429/fbi-committee-hearing.pdf
It appears that the Bureau of Industry and Security is showing its teeth with a $750k fine against Wind River Systems for unlawfully exporting encryption software to countries on the BIS list.

http://www.goodwinprocter.com/Publications/Newsletters/Client-Alert/2014/1015_Software-Companies-Now-on-Notice-That-Encryption-Exports-May-Be-Treated-More-Seriously.aspx

We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS's treatment of violations of the encryption regulations.

See also the discussion here: https://news.ycombinator.com/item?id=8551825
http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
In a bid to help harried travelers save time at check-in, a number of major brands are experimenting with letting guests use their phones to unlock their rooms. http://www.nytimes.com/2014/11/04/business/hotels-test-turning-guests-smartphonoes-into-room-keys-.html
In the 20 years since their introduction, banner ads have ruined the appearance and usability of the web, perverted content and diminished privacy. http://www.nytimes.com/2014/11/06/technology/personaltech/banner-ads-the-monsters-that-swallowed-the-web.html
It would not be easy for the average Mac user to be hit by this malware, but it points to new ways in which hackers are targeting Apple products. http://bits.blogs.nytimes.com/2014/11/05/malicious-software-campaign-targets-apple-users-in-china/
While passwords aren't likely to disappear soon, new technology that uses eyes and fingerprints as identifiers can protect data more easily. http://www.nytimes.com/2014/11/06/technology/personaltech/augmenting-your-password-protected-world.html
Relations between tech companies and the intelligence community have been strained recently, but Adm. Michael S. Rogers played down government concerns. http://bits.blogs.nytimes.com/2014/11/03/n-s-a-director-makes-another-visit-to-silicon-valley/
Actually, it's not a matter of being lame. I'm sure many people who work long hours would love having a washing machine which can be tracked and operated over the net, so that e.g. clothes can be put in before leaving for work, and laundry timed to have them ready to dry by the time of arriving back. I know I would like a way to avoid waking up in the morning to find stale clothes in the machine which were left there wet overnight (this has happened quite a few times). However, I don't think I'll be willing to pay four times the price of a dumb machine for that.
*The Boston Globe* on Mayor Menino (who died last week):
http://www.bostonglobe.com/metro/2014/10/31/menino-cast-absentee-ballot-upcoming-election/dF6CeR53bbXZUcErwoXegN/story.html

But under Massachusetts state law, the secretary of state's office said, the ballot cannot be counted because of the mayor's death.

Wanna bet that every town clerk checks the obituaries for the names of every absentee voter? (351 cities and towns in Massachusetts.) The big risk, of course, is that some close election will be overturned after a year or so because it is determined that several voters who were presumed living on election day were ultimately discovered to have been dead. The implications of determining that sitting legislators, even Senators, were not actually elected ...

[This is not the first time this particular issue has shown up in RISKS. PGN]
"your are [sic] voluntarily waving [sic] your right to a secret ballot" -- IANAL, but it seems to me that this statement borders on the unconstitutional. Can anyone legally waive such a basic constitutional right? I'd really like to know, maybe a real lawyer can comment on this. (Coming to think of it, perhaps the spelling mistakes are intentional!)
I'm sure John didn't intend for this to be a partisan matter. In fact, votes may be flipping the other way in North Carolina:
http://www.rawstory.com/rs/2014/11/north-carolina-voters-report-voting-machines-switching-their-votes-to-gop-candidate/

The article doesn't say, but this one also sounds like a touch screen mis-registration problem, or outright hardware malfunction. (By the time you are reading this, the election may well be over. We can only hope that any such problems haven't affected the outcome in critical races.)
> In addition, there seemed to have been a false assumption that allowing
> illegal immigrants to get drivers licenses would not have any deleterious
> effects. In fact, obtaining a driver's license allowed those individuals
> to also register to vote.

This is equivalent to saying "...there seemed to have been a false assumption that allowing illegal immigrants to eat would not have any deleterious effects (on voting)."