Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Excerpt from the EPIC Alert 21.24, 19 Dec 2014
Electronic Privacy Information Center (EPIC), Washington, DC
http://www.epic.org/alert/epic_alert_21.24.html
On Friday, December 19, 2014, the U.S. Army will deploy drone surveillance
blimps just north of the nation's capital. The surveillance blimp system,
known as "JLENS," is comprised of two 250-foot blimps. As deployed in Iraq,
one blimp contains aerial and ground surveillance technology that covers a
340-mile range, while the other has targeting capability including HELLFIRE
missiles. The surveillance blimps fly as high as 10,000 feet and can remain
operational for up to 30 days straight.
The JLENS system is manufactured by defense contractor Raytheon. Raytheon
has tested the JLENS system with the company's MTS-B Multi-Spectral
Targeting System. The MTS-B offers long-range video surveillance that allows
the real-time tracking of moving targets, including vehicles and persons, on
the ground.
Earlier in 2014, EPIC filed a Freedom of Information Act lawsuit to gain
more information about the JLENS system. EPIC asked the Army for technical
specifications as well as any policies limiting domestic surveillance.
EPIC's goal in the FOIA request and subsequent FOIA lawsuit is to determine
what surveillance data the Army plans to collect during the three-year JLENS
test, as well as how the Army plans to process, store, redact or delete
data.
Preliminary documents obtained by EPIC suggested that the blimps would be
equipped with video surveillance, though the Army since has claimed that
video surveillance will not be deployed. However, documents obtained by EPIC
in another FOIA case demonstrate that Customs and Border Protection is
operating surveillance blimps with video surveillance. Raytheon also has
demoed a video surveillance upgrade for the JLENS system.
EPIC has urged Congress to establish privacy safeguards for aerial
drones. EPIC also recommended requiring notice of all drone surveillance
policies through the Administrative Procedure Act.
The Freedom of Information Act lawsuit is EPIC v. Army, No. 14-776
(D.D.C. filed May 6, 2014).
Raytheon: JLENS
http://www.raytheon.com/capabilities/products/jlens/
EPIC: FOIA Request to Dept. of Army re: JLENS (Nov. 1, 2013)
http://epic.org/foia/army/FOIA-Request.pdf
EPIC: Complaint v. Dept. of Army (May 6, 2014)
http://epic.org/foia/army/Complaint.pdf
EPIC: Testimony before Congress re: Drone Privacy (Jul. 12, 2012)
http://www.epic.org/privacy/testimony/EPIC-Drone-Testimony-7-12.pdf
CBP: Privacy Assessment on Aerial Surveillance (Aug. 29, 2014)
http://epic.org/redirect/121914-cpb-aerial.html
EPIC: EPIC v. Army – Surveillance Blimps
https://epic.org/foia/army/
EPIC: Spotlight on Surveillance - Eyes in the Sky (Oct. 2014)
https://epic.org/privacy/surveillance/spotlight/1014/drones.html#_ftn
EPIC: Unmanned Aerial Vehicles (UAVs) and Drones
https://epic.org/privacy/drones/
Current and back issues are available at: http://www.epic.org/alert
Perhaps someone has had second thoughts about having a remotely programmable drone system capable of launching HELLFIRE missiles aimed at our own buildings or even people in Washington DC, as a result of attackers who had been able to subvert the presumably not-secure-enough computer systems and networks? However, if certain government folks tell us that it the system is totally impervious to attack and adequately secure against subversion, misuse, and denial of service attacks—*perhaps because it has been designed and operated by experts*—RISKS readers will know better. The Manchurian blimp?
David E. Sanger and Nicole Perlroth, New York Times, Dec. 17, 2014 http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html It is not clear how the United States determined that Mr. Kim's government had played a central role in the Sony attacks. North Korea's computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country's computer operations, including its elite cyberteam, and to establish `implants' in the country's networks that, like a radar system, would monitor the development of malware transmitted from the country. Rather amazing that *The NYTimes* is reporting clear as day that the NSA is targeting an entire country's computer network. For a change, something that is almost surely *not* from a Snowden document?
[From Dave Farber] http://thehill.com/policy/cybersecurity/227689-fbi-official-blames-north-korea-for-sony-hack The FBI officially blamed North Korea in the cyberattack that has devastated Sony Pictures Entertainment, damaging the studio's reputation, costing it millions of dollars and causing it to cancel the release of its controversial comedy, *The Interview* The attack is unprecedented, the FBI said in a release. “The destructive nature of this attack, coupled with its coercive nature,sets it apart.'' The hack has been referred to as the first successful, large-scale destructive cyberattack on a U.S. company (Sony Pictures Entertainment is an American subsidy of a Japanese multinational conglomerate, Sony). The hackers not only stole data, but permanently deleted files on Sony's servers. They later threatened 9/11-style attacks on any theater that screened *The Interview,* which depicts a fictional assassination of North Korean leader Kim Jong-un. The FBI confirmed rampant speculation that the attack's methods tied it back to the reclusive East Asian regime. “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed,'' the bureau said in a release. “The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea,'' it said. Specifically, the FBI linked the tools used in the Sony hit to a round of North Korean cyberattacks on South Korean bands and media companies in March 2013. While the bureau stopped short of calling the action a terrorist attack or act of war—as many lawmakers have over the past few days—it did have strong words for Pyongyang. FBI: “North Korea's actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior.''
Dan Goodin, Ars Technica, 17 Dec 2014 Password data, other personal information of account holders exposed. <http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/> Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday <https://www.icann.org/news/announcement-2-2014-12-16-en> that the breach also gave attackers administrative access to all files stored in its centralized zone data system <https://czds.icann.org/en>, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs. "We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members." Earlier this month, ICANN officials discovered the compromised credentials were used to gain unauthorized access to the zone data system. Other compromised systems included the ICANN GAC Wiki <https://gacweb.icann.org/display/gacweb/Governmental+Advisory+Committee>, where attackers were able to view a members-only index page and one individual user's profile page; the ICANN Whois information portal <http://whois.icann.org/>; and the ICANN blog <http://blog.icann.org/>. The most sensitive information exposed appears to be the personal information of account holders of the centralized zone system. ICANN recommended holders immediately change their accounts passwords... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets. Tuesday's advisory warning that several employees were successfully breached should come as a wake up call to similar groups and serve as a reminder of just how hard it is to prevent social-engineering attacks.
Ars was briefly hacked yesterday; here's what we know <http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/> Readers, please change your passwords. by Ars Staff - Dec 16, 2014 9:52 pm UTC (If you have an account on Ars Technica, please change your password today. See below for more details.) At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core. That song, "All the Things <http://dualcoremusic.bandcamp.com/album/all-the-things>," features the chorus: Drink all the booze, hack all the things! The hacker didn't have long to drink all the booze and hack all the things, fortunately; by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). ... [NOTE the interesting discussion in the "PROMOTED COMMENTS" about MD5+salt encrypted passwords in the user database.]
Paraphrasing a blog entry on the vulnerability, "Misfortune Cookie" is believed to afflict 12 million devices in 189 countries. The vulnerability is a bug in the web server component RomPager from AllegroSoft, used by many hardware vendors for embedded devices, including SOHO routers. Reportedly, the weakness would allow an attacker to subvert the firewall, exposing credentials and interior systems to attack. A blog entry going into more detail is at: http://blog.norsecorp.com/2014/12/18/millions-at-risk-from-misfortune-cookie-soho-router-vulnerability/ Bob Gezelter, http://www.rlgsc.com
Dan Goodin - 18 Dec 2014 Bug exposes user data, as well as computers, Web cams, and other connected devices. http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/
[PGN-Excerpted from ACM TechNews, Friday, December 14, 2014] (Craig Timberg, *The Washington Post*, 18 Dec 2014) German researchers have discovered security flaws that could enable hackers, spies, and criminals to listen to private phone calls and intercept text messages. This revelation is just the most recent indication of widespread insecurity on the SS7 network. The flaws are actually functions built into SS7 for other purposes that hackers can repurpose for surveillance because of the lax security on the network. Although researchers did not find evidence that their latest discoveries have been marketed to governments on a widespread basis, vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the U.S. National Security Agency or Britain's GCHQ, but not revealed to the public. The researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cellphone's forwarding function. In the second technique, hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. The researchers also discovered new ways to track the locations of cellphone users through SS7. In addition, they found it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d259x2c39bx062021&
FYI—“When I really need a confidential conversation, I use a fixed-line''—which shows how clueless this politician is (SS7 is used for ALL phone calls, fixed-line OR wireless). https://en.wikipedia.org/wiki/Signalling_System_No._7 http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/
Simon Phipps, InfoWorld, 17 Dec 2014 Is a U.S. warrant enough to force an American company to breach privacy laws abroad? Microsoft with the support of friends and foes alike, says no. http://www.infoworld.com/article/2859897/internet-privacy/microsoft-vs-doj-the-battle-for-privacy-in-the-cloud.html selected text: To put it more succinctly, the position Microsoft and so many others are opposing "argues that, unlike your letters in the mail, emails you store in the cloud cease to belong exclusively to you. Instead, according to the government, your emails become the business records of a cloud provider." This is a fundamentally important case for cloud computing, so it's no surprise to see OpenStack cornerstones HP and Rackspace standing shoulder-to-shoulder with their competitor. It's also fundamentally important to digital rights globally, which is why the EFF and the ACLU are joined by Digital Rights Ireland and the U.K.'s Open Rights Group (of which I am a director). Let's hope the Supreme Court can see past the technical and business details to the real issue—the privacy of the citizens of every country where America trades, as well as American citizens.
China's new cyber Czar, Minister LU Wei has a new editorial on the HuffingtonPost of all places that emphasizes the need for "cyber sovereignty" see below. His remarks below are nearly identical to those he gave at the U.S.-China Internet Industry Forum earlier this month in Washington D.C. http://m.huffpost.com/us/entry/6324060
https://www.schneier.com/blog/archives/2014/12/over_700_millio.html There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations." The press is mostly spinning this as evidence that Snowden has not had an effect: "merely 39%," "only 39%," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users—which is not everybody—who have heard of him. So it's much less than 39%.) Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.) Note that the countries in this survey cover only 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world. [...]
This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant. > From the motion to suppress: The next time you call for assistance because the Internet service in your home is not working, the "technician" who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and—when he shows up at your door, impersonating a technician—let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have "consented" to an intrusive search of your home. Basically, the agents snooped around the hotel room, and gathered evidence that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians. This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can't be sure they are not government agents in disguise, then we've lost quite a lot of our freedom and liberty. [PGN-Excerpted from CRYPTO-GRAM, 15 Dec 2014. Incidentally that issue of CRYPTO-GRAM also has items on Regin, the AURORA attack, and the Sony hack.] INSERT Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL. CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books—including "Liars and Outliers: Enabling the Trust Society Needs to Survive"—as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc. See <http://www.schneier.com>. Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Co3 Systems, Inc.
Evolution sells drugs, guns, and more—but no “services related to murder.'' Cyrus Farivar, Ars Technica, 19 Dec 2914 http://arstechnica.com/business/2014/12/after-two-silk-road-takedowns-dark-web-drug-sites-still-thriving/ Over a year after the shuttering of the original Silk Road website and over a month after the seizure of Silk Road 2 and other similar sites, the sketchiest of Dark Web sites still persist. According to a new report published Thursday from the Digital Citizens Alliance (DCA), an advocacy group, Evolution Marketplace has long passed Silk Road “as the largest illegal black market for drugs before the takedown.'' Others include Agora Marketplace, Nucleus Marketplace, and a number of smaller ones. As of this week, Evolution has over 26,000 listings for drugs, weapons, pornography, and more. “Evolution Marketplace is a much different animal than Silk Road,'' Dan Palumbo, the group's research director, said in a statement. “They sell weapons, stolen credit cards, and more nefarious items that were forbidden on both versions of Silk Road. Silk Road sold a lot of dangerous things, but operators drew the line at their version of `victimless crimes', i.e.. no child pornography, weapons, or identity theft. Now, four of the top five DarkNet Marketplaces sell weapons while three of the top five sell stolen financial data. This is a darker DarkNet. It speaks to the challenge facing law enforcement as they knock one set of bad actors offline, another comes along with bigger and bolder intentions." We have standards, after all(!) Like the previous incarnations of Silk Road, Evolution (or `Evo' as it's known to its users) requires Tor to use and boasts a slew of questionable goods, all available for sale in bitcoins. Evo itself takes in between 2.5 and 4 percent of all transactions. Signing up for the site takes just a few moments --no e-mail address or anything else is even required. Ars decided to create an account and take a dive into Evolution. (Like our previous account on Silk Road 2, this reporter has created an account on Evolution under the username `cfarivar', but has zero intention to purchase or sell any items.) In a look on Thursday, Ars found nearly 15,000 drug-related listings, by far the most popular on the site: cocaine, methamphetamine, marijuana, and other controlled substances were listed. Amongst other popular categories of digital goods were various hacking guides, pirated software, and even malware. A fake Colorado driver's license sells for just 0.257 bitcoins ($80). [...]
Given a) the recent ICANN attack; b) the recent Sony attack; c) the results of the recent Congressional election; d) the attack by ATT/Verizon/etc. on "net neutrality"; e) the ongoing attack by MPAA/et al on "piracy"; and f) the ongoing embarrassment of the NSA/GCHQ by Snowden; it now appears that the current DNS system may have less than 6 months to live, as the new Congress is poised to give all of these folks exactly what they've paid handsomely for through campaign contributions over the past many years. The technologists of the Internet should be coming up with backup plans (and backup programming) for a post-DNS world; or at least a DNS world in which "root" is controlled by NSA/GCHQ/ATT/Verizon/Hollywood. It would be far more difficult for this unholy alliance to destroy IPv4 or IPv6, because that would require replacing every router in the world. But DNS is definitely on the bubble. Forget about "certificate pinning"; all of the browsers will now have to support multiple DNS mechanisms for different countries and different "protection" (rackets?) domains. It may be timely to utilize Tor ubiquitously, if only just for DNS lookup. https://s3.amazonaws.com/s3.documentcloud.org/documents/1382881/250250989-comms-act-and-dmca-safe-harbor.pdf "At the same time, even this narrow limitation on ISPs' immunity could have the salutary effect of requiring ISPs to respond to takedown notices by DNS lookups of pirate sites through the ISPs' own DNS servers, which is not currently a general practice." https://www.techdirt.com/articles/20141217/17533629473/mpaas-secret-plan-to-reinterpret-dmca-into-vast-censorship-machine-that-breaks-core-workings-internet.shtml The MPAA's Secret Plan To Reinterpret The DMCA Into A Vast Censorship Machine That Breaks The Core Workings Of The Internet from the how-very-nice-of-them dept Yes, all the attention these days about the Sony hack is on the decision to not release The Interview, but it still seems like the big story to come out of the hack is the sneaky plans of the MPAA in its bizarre infatuation with attacking the Internet. We've already covered the MPAA's questionably cozy relationship with state Attorneys General (to the point of both funding an investigation into Google and writing documents for those AGs to send in their names), as well as the continued focus on site blocking, despite an admission that the MPAA and the studios still don't have the slightest clue about the technology implications of site blocking. Last week, TorrentFreak noted the various options that were under discussion by the MPAA for blocking sites, and now The Verge has published more information, including the analysis by MPAA's favorite hatchetmen lawyers at Jenner & Block about how site blocking might work in practice [pdf] by breaking DNS. For years, actual technology experts have explained why DNS blocking is a really bad idea, but the MPAA just can't let it go apparently. It's just, this time, it's looking for ways to do it by twisting existing laws, rather than by getting a new SOPA-like law passed. To understand the plan, you have to first understand the DMCA section 512, which is known as the safe harbor section, but which includes a few different sections, with different rules applying to different types of services. 512(a) is about "transitory digital network communications" and basically grants very broad liability protection for a network provider who isn't storing anything—but just providing the network. There are good reasons for this, obviously. Making a network provider liable for traffic going over the network would be a disaster for the Internet on a variety of levels. The MPAA lawyers appear to recognize this (though they make some arguments for getting around it, which we'll get to in a follow-up post), but they argue that a specific narrow attack via DMCA might be used to force ISPs to break the basic Internet by disabling entries in their own DNS databases. The trick here is twisting a different part of the DMCA, 512(d), which is for "information location tools." Normally, this is what's used against search engines like Google or social media links like those found on Twitter. But the MPAA argues that since ISPs offer DNS service, that DNS service is also an "information location tool" and... ta da... that's how the MPAA can break DNS. The MPAA admits that there's an easy workaround for end-users—using third-party DNS providers like OpenDNS or Google's DNS service—but many users won't do that. And the MPAA would likely go after those guys as well. At the same time, even this narrow limitation on ISPs disabling immunity could have the salutary effect of requiring ISPs to respond to takedown notices by disabling DNS lookups of pirate sites through the ISPs' own DNS servers, which is not currently a general practice. Importantly, the argument for such a requirement need not turn on the Communications Act, but can instead be based on the DMCA itself, which expressly limits ISPs' immunity to each `separate and distinct' function that ISPs provide. See 17 U.S.C. § 512(n). A reasonable argument can be made that DNS functionality is an *information location tool* as contemplated by DMCA Section 512(d) and, therefore, that ISPs are required, as a condition of the safe harbor, to cease connecting users to known infringing material through their own DNS servers. Should this argument hold—and we believe that it has a reasonable prospect of success—copyright owners could effectively require ISPs to implement a modest (albeit easily circumvented) form of DNS-based site blocking on the basis of only a takedown notice rather than litigation. In short, since DMCA takedown notices apply to "information location tools," but not to "transitory network communications," the MPAA would like to argue that just the DNS lookup functionality is an information location tool -- and can thus be censored with just a takedown notice. This is both really slimy (though brilliant in its nefariousness) and insanely dangerous for the Internet and free speech. We see so many bogus DMCA takedowns of basic content today, and here the MPAA is looking to effectively, and sneakily expand that to whole sites by misrepresenting the law (badly). DNS is not an "information location tool" in the sense of a search engine. It's the core underpinning of how much of the Internet works. At no point in the 16 years the DMCA has been around has anyone made an argument that the DNS system was covered by the "information location tools" definition. Because that's clearly not what it was written to cover. The MPAA's lawyers (in this "confidential" memo) appear to recognize that this argument doesn't fully make sense because of that, but they seem to think it's worth a go: To be sure, the argument is not guaranteed to succeed, as unlike a pointer or hyperlink text, DNS provides a user's browser with specific information (IP routing information) that the user has requested by other means (alphanumeric Internet addresses), as opposed to providing the user with an active interface allowing the user to request information online, as they might from a clickable page of search results. But at least in the literal sense, DNS appears to fit within the list of Section 512(d) functions and a reasonable argument can be made that DNS is more like a directory than the provision of routing and should be treated accordingly under the statute as a Section 512(d) function rather than a Section 512(a) function. Pushing this argument would raise many of the problems found with the original DNS-breaking proposal in PIPA/SOPA. It would raise even more serious questions about the First Amendment and prior restraint. Effectively, it would be moving the definition of "information location tool" down the stack, such that rather than requiring the removal of access to the specific infringing content, it would require removal of access to an entire site based on a single accusation of infringement. Someone uploaded an infringing video to YouTube? Under this interpretation, the MPAA can force Verizon to make YouTube disappear from the Internet for all users relying on Verizon's DNS. The censorship implications are massive here, especially with no court proceeding at all. This wouldn't require anything in court—just a single takedown notice, of which copyright holders send millions. Rather than sending all those notices to Google and getting them delisted from search, copyright holders could turn the firehose towards Verizon, AT&T and Comcast, and basically take down half the Internet on their say so alone. Yes, sites could counternotice, but ISPs would have 10 business days in which they can keep sites off their DNS entirely. The results would be insane. And that doesn't even touch on the technical havoc this would wreak. As we've noted earlier, the MPAA admits it's not clear on the technical implications of this plan, but let's just point back to Paul Vixie's discussion of how SOPA/PIPA would break the Internet by mucking with the core DNS functionality, no matter how it was implemented. What this goes back to is the core purpose of DNS, which is merely to translate a URL into a numeric equivalent to connect. It's not an information location tool for helping people "find" information—it's just the basic plumbing of how the Internet works. It's how basically all pieces of the Internet expect to work. If you put in a URL here, then DNS returns the proper IP addresses to follow through there. Breaking that, effectively fracturing the Internet, and creating a patchwork of different DNS systems would create a huge list of problems not easily fixed. And, yet, because the MPAA can't figure out how to adapt to the times, it appears to be willing to give it a shot. Because, hey, it's better than innovating. 250250989 Comms Act and DMCA Safe Harbor (PDF) https://www.documentcloud.org/documents/1382881/250250989-comms-act-and-dmca-safe-harbor.pdf
At the mercy of statistics ... again! The larger point is that it is not about you—it is about you as a statistic. This relates challenge in explaining why racial discrimination is a problem. You might be part of a group that is statistically more prone to crime. Should that "fact" be used to penalize you? I put the word fact in quotes because there are many measures that can be used and there is a tendency to use correlations or statistics in the absence of understanding. Should your arrest (but not conviction) record be used to judge you? After all lots of arrests make you more likely to be a criminal ... or maybe just look like someone who is the usual suspect. As a society we need to have an understanding of the mindlessness of such a dependence on numbers and the consequences as the assumptions become increasingly remote from how the numbers are used.
> We could laugh about this one—how could anyone get a power cord wrong? By using modular design and forgetting Ohm's law. If you design your power supply cable to be identical around the world except for the wall plug—that's smart visual design, but poor engineering design—then you end up with a US cable that needs to shed twice as much heat as cables elsewhere. 110V versus 220V-ish gets you that. I do note that Lenovo's recall was worldwide, though. I wonder if they really needed to.
Dual SIM cellphones are pretty common, although for obvious reasons you're never going to get one from a carrier. (Try eBay.) You could have one sim with your regular month to month plan, and the other with a cheap prepaid plan. Google Voice numbers are free and can send and receive SMS messages. I find them a dandy way to make the two-factor crowd happy.
I, too, have encountered a few Web sites that request my cell phone number when I login. All but one of them gives me the option to indicate that I do not have a cell phone. I do not have one; but if I did, I would still select that option. The one exception is Yahoo, which requests my cell phone number at least once a week. I have exchanged E-mail with Yahoo support personnel, asking how this could be stopped. After several messages and replies, I learned that Yahoo has no plans to end this annoying request. My exchange of E-mail messages can be seen abut 1/4 down the page at <http://www.rossde.com/quips/index.html>.
In my case the question assumes a personal cell phone not in existence.
Having a cell phone is not mandatory, any more than having a land line phone
or a driver's license.
Never had a personal cell phone myself and don't plan to. Neither has my
wife or our youngest son. We live in a cell service reception and
transmission nearly dead area, among other reasons. I carry work cell phones
when I get paid to, and get paid for each incoming call, but at my home they
are no more useful than a pager. One employer even paid for a second home
phone modem / on call land line for more than a decade.
I am surprised that someone with an @telus.net email address would ask
this question, but Gene Wirchenko seemed to be quoting a USA article.
The USA is an international privacy backwater, compared to the Council
of Europe and Canada.
Most TELUS customers live in BC or Alberta, which have very similar PIPA
acts `Substantially Similar' to the National PIPEDA statute. The Federal
PIPEDA Act applies to Federally Regulated Enterprises such as TELUS for
their operations within Canada. PIPEDA applies in Provinces that do not have
`Substantially Similar' Provincial Private Sector Privacy Statutes.
Inter-provincial commerce falls under PIPEDA.
Within Canada someone faced with a demand for excessive personal information
can simply point out that the demand is contrary to law and contact the
Relevant Privacy Commissioner if an enterprise or not for profit
organization persists with the demand.
www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/P_39_1/P39_1_A.html
Section 9 of the Quebec privacy statue in effect since 1994 Jan 1 says: “No
person may refuse to respond to a request for goods or services or to a
request relating to employment by reason of the applicant's refusal to
disclose personal information except where
(1) collection of that information is necessary for the conclusion or
performance of a contract;
(2) collection of that information is authorized by law; or
(3) here are reasonable grounds to believe that the request is not lawful.
In case of doubt, personal information is deemed to be non-necessary.''
Trying to cobble together a contractual performance excuse such as texting
confirmations should at least get sharp questioning from Commissioners about
why Canada Post or email could not be used, and the number could only be
used for the purposes stated at the time it was collected from you. Function
Creep is not permitted without prior consent in Canada.
Customers can refuse to allow advertising to be folded in with monthly bank,
telephone or cable statements, and can prohibit marketing calls. I got a
$100 credit the last time Shaw Cable ignored the Do Not Solicit flag on my
account in Shaw's Client database, but I had to complain to the Federal
Privacy Commissioner to get the attention of Shaw's Corporate Head of Legal
and collect my fee for the prohibited telemarketing calls and personalized
Canada Post mail. I followed the Robert Bulmash / Private Citizen
Inc. algorithm of serving Shaw with prior notice of my fee, in writing.
Shaw apologized, giving a variation on the "Rogue Marketer" story that Bell
Canada used when they got a $1.3 million fine from the CRTC. You only get
one guess about who manages the Canadian Do No Call List for the CRTC.
Hiring someone else to make prohibited telemarketing calls does not buy you
a free pass in Canada.
www.crtc.gc.ca/eng/com100/2010/r101220.htm
There was discussion of having 2 line cell phones. Don't many cell phone
users have multiple phones with different numbers? There was a recent USA
Supreme Court case where Chief Justice John Roberts asked “what is your
authority'' in response to an appeal lawyer stating that carrying 2 or more
cell phones is not proof of criminality and is common. Sometimes folks in an
older generation just do not get it.
www.scientificamerican.com/article/how-many-cell-phones-does-it-take-to-arouse-a-supreme-court-justice-s-suspicion/
Isn't Call forwarding to a single cell phone another option?
Giving made up numbers, or a dial a prayer or similar, is a bad idea,
although some people would recognize a 555-0100 to 555-0199 phone number as
pure fiction for most area codes. Some times they just want something to
fill in the screen. I find that giving H0H 0H0 to sales clerks who ask for
my Postal Code speeds things up and makes my point without wasting their
time or mine. Most Canadians recognize that valid code, particularly around
XMAS.
An IT contractor who had a brief ~1990 tenure in the same office as me
objected to being placed in the Duty Analyst rotation. The first time
someone called the number he gave it turned out to be Dial a Prayer. That
did not work out well for him. Contractual Obligation not met.
Please report problems with the web pages to the maintainer