
RISKS Digest 28.42

Friday 19 December 2014

Drone blimps over Washington DC

Marc Rotenberg <alert@epic.org>

Date: Fri, 19 Dec 2014 11:52:46 -0500

Excerpt from the EPIC Alert 21.24, 19 Dec 2014
Electronic Privacy Information Center (EPIC), Washington, DC
http://www.epic.org/alert/epic_alert_21.24.html

On Friday, December 19, 2014, the U.S. Army will deploy drone surveillance blimps just north of the nation's capital. The surveillance blimp system, known as "JLENS," is comprised of two 250-foot blimps. As deployed in Iraq, one blimp contains aerial and ground surveillance technology that covers a 340-mile range, while the other has targeting capability including HELLFIRE missiles. The surveillance blimps fly as high as 10,000 feet and can remain operational for up to 30 days straight.

The JLENS system is manufactured by defense contractor Raytheon. Raytheon has tested the JLENS system with the company's MTS-B Multi-Spectral Targeting System. The MTS-B offers long-range video surveillance that allows the real-time tracking of moving targets, including vehicles and persons, on the ground.

Earlier in 2014, EPIC filed a Freedom of Information Act lawsuit to gain more information about the JLENS system. EPIC asked the Army for technical specifications as well as any policies limiting domestic surveillance. EPIC's goal in the FOIA request and subsequent FOIA lawsuit is to determine what surveillance data the Army plans to collect during the three-year JLENS test, as well as how the Army plans to process, store, redact or delete data.

Preliminary documents obtained by EPIC suggested that the blimps would be equipped with video surveillance, though the Army since has claimed that video surveillance will not be deployed. However, documents obtained by EPIC in another FOIA case demonstrate that Customs and Border Protection is operating surveillance blimps with video surveillance. Raytheon also has demoed a video surveillance upgrade for the JLENS system.

EPIC has urged Congress to establish privacy safeguards for aerial drones. EPIC also recommended requiring notice of all drone surveillance policies through the Administrative Procedure Act.

The Freedom of Information Act lawsuit is EPIC v. Army, No. 14-776 (D.D.C. filed May 6, 2014).

Raytheon: JLENS http://www.raytheon.com/capabilities/products/jlens/

EPIC: FOIA Request to Dept. of Army re: JLENS (Nov. 1, 2013) http://epic.org/foia/army/FOIA-Request.pdf

EPIC: Complaint v. Dept. of Army (May 6, 2014) http://epic.org/foia/army/Complaint.pdf

EPIC: Testimony before Congress re: Drone Privacy (Jul. 12, 2012) http://www.epic.org/privacy/testimony/EPIC-Drone-Testimony-7-12.pdf

CBP: Privacy Assessment on Aerial Surveillance (Aug. 29, 2014) http://epic.org/redirect/121914-cpb-aerial.html

EPIC: EPIC v. Army

Drone blimps over Washington DC

Peter G. Neumann (PGN) <neumann@csl.sri.com>

Date: Fri, 19 Dec 2014 10:26:54 PST

Perhaps someone has had second thoughts about having a remotely programmable drone system capable of launching HELLFIRE missiles aimed at our own buildings or even people in Washington DC, as a result of attackers who had been able to subvert the presumably not-secure-enough computer systems and networks? However, if certain government folks tell us that the system is totally impervious to attack and adequately secure against subversion, misuse, and denial of service attacks—*perhaps because it has been designed and operated by experts*—RISKS readers will know better. The Manchurian blimp?

Interesting slip from *The NYTimes* on Sony and North Korea?

Sanger/Perlroth via Prashanth Mundkur <prashanth.mundkur@gmail.com>

Date: Thu, 18 Dec 2014 21:08:10 -0800

David E. Sanger and Nicole Perlroth, New York Times, Dec. 17, 2014 http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html

It is not clear how the United States determined that Mr. Kim's government had played a central role in the Sony attacks. North Korea's computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country's computer operations, including its elite cyberteam, and to establish `implants' in the country's networks that, like a radar system, would monitor the development of malware transmitted from the country.

Rather amazing that *The NYTimes* is reporting clear as day that the NSA is targeting an entire country's computer network. For a change, something that is almost surely *not* from a Snowden document?

From thehill.com: FBI accuses North Korea of hack

Armando Stettner <aps@stettner.com>

Date: Dec 19, 2014 1:03 PM

[From Dave Farber]

http://thehill.com/policy/cybersecurity/227689-fbi-official-blames-north-korea-for-sony-hack

The FBI officially blamed North Korea in the cyberattack that has devastated Sony Pictures Entertainment, damaging the studio's reputation, costing it millions of dollars and causing it to cancel the release of its controversial comedy, *The Interview*

The attack is unprecedented, the FBI said in a release. “The destructive nature of this attack, coupled with its coercive nature, sets it apart.''

The hack has been referred to as the first successful, large-scale destructive cyberattack on a U.S. company (Sony Pictures Entertainment is an American subsidiary of a Japanese multinational conglomerate, Sony). The hackers not only stole data, but permanently deleted files on Sony's servers. They later threatened 9/11-style attacks on any theater that screened *The Interview,* which depicts a fictional assassination of North Korean leader Kim Jong-un.

The FBI confirmed rampant speculation that the attack's methods tied it back to the reclusive East Asian regime.

“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed,'' the bureau said in a release.

“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea,'' it said.

Specifically, the FBI linked the tools used in the Sony hit to a round of North Korean cyberattacks on South Korean banks and media companies in March 2013.

While the bureau stopped short of calling the action a terrorist attack or act of war—as many lawmakers have over the past few days—it did have strong words for Pyongyang.

FBI: “North Korea's actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior.''

ICANN e-mail accounts, zone database breached in spearphishing attack

Dan Goodin via Werner U <werneru@gmail.com>

Date: Thu, 18 Dec 2014 20:59:22 +0100

Dan Goodin, Ars Technica, 17 Dec 2014
Password data, other personal information of account holders exposed.
<http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/>

Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group.

ICANN, which oversees the Internet's address system, said in a release published Tuesday <https://www.icann.org/news/announcement-2-2014-12-16-en> that the breach also gave attackers administrative access to all files stored in its centralized zone data system <https://czds.icann.org/en>, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs.

"We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members."

Earlier this month, ICANN officials discovered the compromised credentials were used to gain unauthorized access to the zone data system. Other compromised systems included the ICANN GAC Wiki <https://gacweb.icann.org/display/gacweb/Governmental+Advisory+Committee>, where attackers were able to view a members-only index page and one individual user's profile page; the ICANN Whois information portal <http://whois.icann.org/>; and the ICANN blog <http://blog.icann.org/>. The most sensitive information exposed appears to be the personal information of account holders of the centralized zone system. ICANN recommended holders immediately change their accounts passwords...

As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets. Tuesday's advisory warning that several employees were successfully breached should come as a wake up call to similar groups and serve as a reminder of just how hard it is to prevent social-engineering attacks.
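The ICANN release above says the phishing mail was "crafted to appear to come from our own domain". As an added example (not ICANN's or Ars Technica's code), here is a mail-gateway check over constructed headers that flags a message whose From: claims our own domain while the authentication trail says otherwise; `example.org` and the sample messages are assumed stand-ins.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.org"  # assumed stand-in for the organisation's own domain

# Constructed sample messages (not real ICANN mail). Both carry a From: address
# in our own domain; only the first was actually relayed by our mail system.
LEGIT = """\
Return-Path: <it-helpdesk@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.org with ESMTPS; Tue, 16 Dec 2014 09:00:00 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: IT Helpdesk <it-helpdesk@example.org>
To: staff@example.org
Subject: Scheduled maintenance this weekend

The mail gateway will be patched on Saturday.
"""

SPOOFED = """\
Return-Path: <bounce@lookalike-sender.invalid>
Received: from unknown (HELO mail.example.org) (198.51.100.77) by mx.example.org with ESMTP; Tue, 16 Dec 2014 09:05:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=lookalike-sender.invalid; dkim=none
From: IT Helpdesk <it-helpdesk@example.org>
Reply-To: it-helpdesk@example-org-support.invalid
To: staff@example.org
Subject: Action required: review the attached notice

Please review the attached notice.
"""


def domain_of(addr_header: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull the SPF/DKIM verdicts out of the Authentication-Results our MX added."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    out = {}
    for key in ("spf", "dkim"):
        m = re.search(rf"\b{key}=(\w+)", text)
        out[key] = m.group(1).lower() if m else "none"
    m = re.search(r"header\.d=([\w.-]+)", text)
    out["dkim_domain"] = m.group(1).lower() if m else ""
    return out


def spoofed_internal_sender_findings(raw: str) -> list[str]:
    """Return reasons a message claiming to be from OUR_DOMAIN looks forged.

    An empty list means either the check passed or the sender is external
    (external mail is out of scope for this particular rule).
    """
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []
    if domain_of(str(msg.get("From") or "")) != OUR_DOMAIN:
        return findings
    ar = auth_results(msg)
    if ar["spf"] != "pass":
        findings.append(f"From claims {OUR_DOMAIN} but SPF result is {ar['spf']}")
    if ar["dkim"] != "pass" or ar["dkim_domain"] != OUR_DOMAIN:
        findings.append(f"no DKIM pass signed by {OUR_DOMAIN}")
    return_path = domain_of(str(msg.get("Return-Path") or ""))
    if return_path and return_path != OUR_DOMAIN:
        findings.append(f"Return-Path domain {return_path} differs from From domain")
    reply_to = domain_of(str(msg.get("Reply-To") or ""))
    if reply_to and reply_to != OUR_DOMAIN:
        findings.append(f"Reply-To redirects replies to {reply_to}")
    return findings


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, spoofed_internal_sender_findings(sample) or "OK")
```

A gateway that already enforces DMARC on its own domain would reject the second message outright; this check is the equivalent logic applied after the fact to stored mail or logs.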

Ars Technica public stmt and reaction to hack on 14 Dec ...

Werner U <werneru@gmail.com>

Date: Thu, 18 Dec 2014 20:22:21 +0100

Ars was briefly hacked yesterday; here's what we know
<http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/>
Readers, please change your passwords.
by Ars Staff - Dec 16, 2014 9:52 pm UTC
(If you have an account on Ars Technica, please change your password today. See below for more details.)

At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core. That song, "All the Things <http://dualcoremusic.bandcamp.com/album/all-the-things>," features the chorus:

Drink all the booze, hack all the things!

The hacker didn't have long to drink all the booze and hack all the things, fortunately; by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further.

Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). ...

[NOTE the interesting discussion in the "PROMOTED COMMENTS" about MD5+salt encrypted passwords in the user database.]
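The Ars statement describes its stored passwords as salted MD5 run for 2,048 iterations. As an added example (not Ars Technica's code; the exact byte layout of their scheme is not given, so the one below is an assumption), this builds that scheme beside a purpose-built password KDF from the Python standard library and compares the work an attacker must spend per guess.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# ASSUMED layout for the "2,048 iterations of MD5, salted" scheme: the salt is
# prepended to the password on the first round and to the previous raw digest
# on every later round. The point of the example is the work factor, not the
# precise layout Ars actually used.
MD5_ITERATIONS = 2048


def iterated_md5(password: str, salt: bytes, iterations: int = MD5_ITERATIONS) -> str:
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.md5(salt + digest).digest()
    return digest.hex()


def store_md5(password: str, salt: bytes | None = None) -> str:
    """Self-describing record: scheme$salt$digest (salt is random per user)."""
    salt = os.urandom(8) if salt is None else salt
    return f"md5x{MD5_ITERATIONS}${salt.hex()}${iterated_md5(password, salt)}"


def verify_md5(password: str, record: str) -> bool:
    scheme, salt_hex, digest = record.split("$")
    iterations = int(scheme.removeprefix("md5x"))
    candidate = iterated_md5(password, bytes.fromhex(salt_hex), iterations)
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(candidate, digest)


# A deliberately slow password KDF; the iteration count is a tunable cost.
PBKDF2_ITERATIONS = 600_000


def store_pbkdf2(password: str, salt: bytes | None = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _, iterations, salt_hex, digest = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest)


def relative_guess_cost(md5_iterations: int = MD5_ITERATIONS,
                        pbkdf2_iterations: int = PBKDF2_ITERATIONS) -> float:
    """Compression-function calls per guess, PBKDF2 relative to iterated MD5.

    Each PBKDF2-HMAC iteration costs two SHA-256 compressions (inner and
    outer HMAC, key pads precomputed); each MD5 round costs one MD5
    compression. This ignores that MD5 is also cheaper per call on GPUs,
    so the real gap is larger than this ratio.
    """
    return (2 * pbkdf2_iterations) / md5_iterations


def benchmark(password: str = "correct horse battery staple") -> dict[str, float]:
    """Seconds per verification for each scheme on this machine."""
    out: dict[str, float] = {}
    for name, store, verify in (("md5x2048", store_md5, verify_md5),
                                ("pbkdf2_sha256", store_pbkdf2, verify_pbkdf2)):
        record = store(password)
        t0 = time.perf_counter()
        verify(password, record)
        out[name] = time.perf_counter() - t0
    return out


if __name__ == "__main__":
    for scheme, secs in benchmark().items():
        print(f"{scheme:14s} {secs * 1000:8.1f} ms per verification")
    print(f"PBKDF2 costs roughly {relative_guess_cost():.0f}x more per guess than md5x2048")
```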

"Misfortune Cookie" CVE-2014-9222

Bob Gezelter <gezelter@rlgsc.com>

Date: Thu, 18 Dec 2014 10:46:24 -0700

Paraphrasing a blog entry on the vulnerability, "Misfortune Cookie" is believed to afflict 12 million devices in 189 countries. The vulnerability is a bug in the web server component RomPager from AllegroSoft, used by many hardware vendors for embedded devices, including SOHO routers. Reportedly, the weakness would allow an attacker to subvert the firewall, exposing credentials and interior systems to attack. A blog entry going into more detail is at:
http://blog.norsecorp.com/2014/12/18/millions-at-risk-from-misfortune-cookie-soho-router-vulnerability/

Bob Gezelter, http://www.rlgsc.com

"12 million home and business routers vulnerable to critical hijacking hack"

Dan Goodin via Gene Wirchenko <genew@telus.net>

Date: Fri, 19 Dec 2014 09:45:33 -0800

Dan Goodin, Ars Technica, 18 Dec 2014
Bug exposes user data, as well as computers, Web cams, and other connected devices.
http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/

German Researchers Discover a Flaw That Could Let Anyone Listen to Your Cell Calls

Craig Timberg <technews@hq.acm.org>

Date: Fri, 19 Dec 2014 11:45:34 -0500 (EST)

[PGN-Excerpted from ACM TechNews, Friday, December 14, 2014]

(Craig Timberg, *The Washington Post*, 18 Dec 2014)

German researchers have discovered security flaws that could enable hackers, spies, and criminals to listen to private phone calls and intercept text messages. This revelation is just the most recent indication of widespread insecurity on the SS7 network. The flaws are actually functions built into SS7 for other purposes that hackers can repurpose for surveillance because of the lax security on the network. Although researchers did not find evidence that their latest discoveries have been marketed to governments on a widespread basis, vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the U.S. National Security Agency or Britain's GCHQ, but not revealed to the public. The researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cellphone's forwarding function. In the second technique, hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. The researchers also discovered new ways to track the locations of cellphone users through SS7. In addition, they found it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d259x2c39bx062021&

SS7 hackdoors allow ANYONE to listen to your calls

Henry Baker <hbaker1@pipeline.com>

Date: Thu, 18 Dec 2014 16:14:00 -0800

FYI—“When I really need a confidential conversation, I use a fixed-line''—which shows how clueless this politician is (SS7 is used for ALL phone calls, fixed-line OR wireless).

https://en.wikipedia.org/wiki/Signalling_System_No._7 http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/

"Microsoft vs. DoJ: The battle for privacy in the cloud"

Simon Phipps via Gene Wirchenko <genew@telus.net>

Date: Wed, 17 Dec 2014 10:58:40 -0800

Simon Phipps, InfoWorld, 17 Dec 2014
Is a U.S. warrant enough to force an American company to breach privacy laws abroad? Microsoft, with the support of friends and foes alike, says no.
http://www.infoworld.com/article/2859897/internet-privacy/microsoft-vs-doj-the-battle-for-privacy-in-the-cloud.html

selected text:

To put it more succinctly, the position Microsoft and so many others are opposing "argues that, unlike your letters in the mail, emails you store in the cloud cease to belong exclusively to you. Instead, according to the government, your emails become the business records of a cloud provider."

This is a fundamentally important case for cloud computing, so it's no surprise to see OpenStack cornerstones HP and Rackspace standing shoulder-to-shoulder with their competitor. It's also fundamentally important to digital rights globally, which is why the EFF and the ACLU are joined by Digital Rights Ireland and the U.K.'s Open Rights Group (of which I am a director). Let's hope the Supreme Court can see past the technical and business details to the real issue—the privacy of the citizens of every country where America trades, as well as American citizens.

LU Wei editorial in the *HuffPost*

Dave Farber <ip@listbox.com>

Date: Wed, 17 Dec 2014 10:31:13 -0500

China's new cyber Czar, Minister LU Wei, has a new editorial on the HuffingtonPost of all places that emphasizes the need for "cyber sovereignty"; see below.

His remarks below are nearly identical to those he gave at the U.S.-China Internet Industry Forum earlier this month in Washington D.C. http://m.huffpost.com/us/entry/6324060

Public Reactions to Snowden

Bruce Schneier <schneier@schneier.com>

Date: Tue, 16 Dec 2014 15:43:47 -0600

https://www.schneier.com/blog/archives/2014/12/over_700_millio.html

There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."

The press is mostly spinning this as evidence that Snowden has not had an effect: "merely 39%," "only 39%," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users—which is not everybody—who have heard of him. So it's much less than 39%.)

Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

Note that the countries in this survey cover only 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world. [...]

FBI Agents Pose as Repairmen to Bypass Warrant Process

Bruce Schneier <schneier@schneier.com>

Date: Mon, 15 Dec 2014 02:15:29 -0600

This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant.

From the motion to suppress:

The next time you call for assistance because the Internet service in your home is not working, the "technician" who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and—when he shows up at your door, impersonating a technician—let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have "consented" to an intrusive search of your home.

Basically, the agents snooped around the hotel room, and gathered evidence that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians.

This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can't be sure they are not government agents in disguise, then we've lost quite a lot of our freedom and liberty.

[PGN-Excerpted from CRYPTO-GRAM, 15 Dec 2014. Incidentally that issue of CRYPTO-GRAM also has items on Regin, the AURORA attack, and the Sony hack.]

INSERT

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books—including "Liars and Outliers: Enabling the Trust Society Needs to Survive"—as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc. See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Co3 Systems, Inc.

After Silk Road takedowns, Dark Web drug sites still thriving

Cyrus Farivar via Dewayne Hendricks <dewayne@warpspeed.com>

Date: Dec 19, 2014 12:59 PM

Evolution sells drugs, guns, and more—but no “services related to murder.''
Cyrus Farivar, Ars Technica, 19 Dec 2014
http://arstechnica.com/business/2014/12/after-two-silk-road-takedowns-dark-web-drug-sites-still-thriving/

Over a year after the shuttering of the original Silk Road website and over a month after the seizure of Silk Road 2 and other similar sites, the sketchiest of Dark Web sites still persist.

According to a new report published Thursday from the Digital Citizens Alliance (DCA), an advocacy group, Evolution Marketplace has long passed Silk Road “as the largest illegal black market for drugs before the takedown.'' Others include Agora Marketplace, Nucleus Marketplace, and a number of smaller ones.

As of this week, Evolution has over 26,000 listings for drugs, weapons, pornography, and more.

“Evolution Marketplace is a much different animal than Silk Road,'' Dan Palumbo, the group's research director, said in a statement. “They sell weapons, stolen credit cards, and more nefarious items that were forbidden on both versions of Silk Road. Silk Road sold a lot of dangerous things, but operators drew the line at their version of `victimless crimes', i.e. no child pornography, weapons, or identity theft. Now, four of the top five DarkNet Marketplaces sell weapons while three of the top five sell stolen financial data. This is a darker DarkNet. It speaks to the challenge facing law enforcement as they knock one set of bad actors offline, another comes along with bigger and bolder intentions."

We have standards, after all(!)

Like the previous incarnations of Silk Road, Evolution (or `Evo' as it's known to its users) requires Tor to use and boasts a slew of questionable goods, all available for sale in bitcoins. Evo itself takes in between 2.5 and 4 percent of all transactions. Signing up for the site takes just a few moments -- no e-mail address or anything else is even required. Ars decided to create an account and take a dive into Evolution. (Like our previous account on Silk Road 2, this reporter has created an account on Evolution under the username `cfarivar', but has zero intention to purchase or sell any items.)

In a look on Thursday, Ars found nearly 15,000 drug-related listings, by far the most popular on the site: cocaine, methamphetamine, marijuana, and other controlled substances were listed. Amongst other popular categories of digital goods were various hacking guides, pirated software, and even malware. A fake Colorado driver's license sells for just 0.257 bitcoins ($80). [...]

Emergency? DNS TTL < 6 months?

Henry Baker <hbaker1@pipeline.com>

Date: Thu, 18 Dec 2014 15:50:47 -0800

Given

a) the recent ICANN attack;
b) the recent Sony attack;
c) the results of the recent Congressional election;
d) the attack by ATT/Verizon/etc. on "net neutrality";
e) the ongoing attack by MPAA/et al on "piracy"; and
f) the ongoing embarrassment of the NSA/GCHQ by Snowden;

it now appears that the current DNS system may have less than 6 months to live, as the new Congress is poised to give all of these folks exactly what they've paid handsomely for through campaign contributions over the past many years.

The technologists of the Internet should be coming up with backup plans (and backup programming) for a post-DNS world; or at least a DNS world in which "root" is controlled by NSA/GCHQ/ATT/Verizon/Hollywood.

It would be far more difficult for this unholy alliance to destroy IPv4 or IPv6, because that would require replacing every router in the world. But DNS is definitely on the bubble.

Forget about "certificate pinning"; all of the browsers will now have to support multiple DNS mechanisms for different countries and different "protection" (rackets?) domains.

It may be timely to utilize Tor ubiquitously, if only just for DNS lookup.

https://s3.amazonaws.com/s3.documentcloud.org/documents/1382881/250250989-comms-act-and-dmca-safe-harbor.pdf

"At the same time, even this narrow limitation on ISPs' immunity could have the salutary effect of requiring ISPs to respond to takedown notices by DNS lookups of pirate sites through the ISPs' own DNS servers, which is not currently a general practice."

https://www.techdirt.com/articles/20141217/17533629473/mpaas-secret-plan-to-reinterpret-dmca-into-vast-censorship-machine-that-breaks-core-workings-internet.shtml

The MPAA's Secret Plan To Reinterpret The DMCA Into A Vast Censorship Machine That Breaks The Core Workings Of The Internet

from the how-very-nice-of-them dept

Yes, all the attention these days about the Sony hack is on the decision to not release The Interview, but it still seems like the big story to come out of the hack is the sneaky plans of the MPAA in its bizarre infatuation with attacking the Internet. We've already covered the MPAA's questionably cozy relationship with state Attorneys General (to the point of both funding an investigation into Google and writing documents for those AGs to send in their names), as well as the continued focus on site blocking, despite an admission that the MPAA and the studios still don't have the slightest clue about the technology implications of site blocking.

Last week, TorrentFreak noted the various options that were under discussion by the MPAA for blocking sites, and now The Verge has published more information, including the analysis by MPAA's favorite hatchetmen lawyers at Jenner & Block about how site blocking might work in practice [pdf] by breaking DNS.

For years, actual technology experts have explained why DNS blocking is a really bad idea, but the MPAA just can't let it go apparently. It's just, this time, it's looking for ways to do it by twisting existing laws, rather than by getting a new SOPA-like law passed.

To understand the plan, you have to first understand the DMCA section 512, which is known as the safe harbor section, but which includes a few different sections, with different rules applying to different types of services. 512(a) is about "transitory digital network communications" and basically grants very broad liability protection for a network provider who isn't storing anything—but just providing the network. There are good reasons for this, obviously. Making a network provider liable for traffic going over the network would be a disaster for the Internet on a variety of levels.

The MPAA lawyers appear to recognize this (though they make some arguments for getting around it, which we'll get to in a follow-up post), but they argue that a specific narrow attack via DMCA might be used to force ISPs to break the basic Internet by disabling entries in their own DNS databases. The trick here is twisting a different part of the DMCA, 512(d), which is for "information location tools." Normally, this is what's used against search engines like Google or social media links like those found on Twitter. But the MPAA argues that since ISPs offer DNS service, that DNS service is also an "information location tool" and... ta da... that's how the MPAA can break DNS. The MPAA admits that there's an easy workaround for end-users—using third-party DNS providers like OpenDNS or Google's DNS service—but many users won't do that. And the MPAA would likely go after those guys as well.

At the same time, even this narrow limitation on ISPs disabling immunity could have the salutary effect of requiring ISPs to respond to takedown notices by disabling DNS lookups of pirate sites through the ISPs' own DNS servers, which is not currently a general practice. Importantly, the argument for such a requirement need not turn on the Communications Act, but can instead be based on the DMCA itself, which expressly limits ISPs' immunity to each `separate and distinct' function that ISPs provide. See 17 U.S.C.

Re: SmartDriver: a 16-year-old can see the risks

Bob Frankston <bob2-53@bob.ma>

Date: 17 Dec 2014 11:23:00 -0500

At the mercy of statistics ... again!

The larger point is that it is not about you—it is about you as a statistic. This relates to the challenge of explaining why racial discrimination is a problem. You might be part of a group that is statistically more prone to crime. Should that "fact" be used to penalize you? I put the word fact in quotes because there are many measures that can be used and there is a tendency to use correlations or statistics in the absence of understanding. Should your arrest (but not conviction) record be used to judge you? After all, lots of arrests make you more likely to be a criminal ... or maybe just look like someone who is the usual suspect.

As a society we need to have an understanding of the mindlessness of such a dependence on numbers and the consequences as the assumptions become increasingly remote from how the numbers are used.

Re: Lenovo recalls more than 500,000 power cords due to spark, burn risk

Morten Welinder <mwelinder@gmail.com>

Date: Thu, 18 Dec 2014 22:04:57 -0500

> We could laugh about this one—how could anyone get a power cord wrong?

By using modular design and forgetting Ohm's law.

If you design your power supply cable to be identical around the world except for the wall plug—that's smart visual design, but poor engineering design—then you end up with a US cable that needs to shed twice as much heat as cables elsewhere. 110V versus 220V-ish gets you that.

I do note that Lenovo's recall was worldwide, though. I wonder if they really needed to.

Re: "Your cell phone number: To give or not to give"

John Levine <johnl@iecc.com>

Date: 17 Dec 2014 05:55:12 -0000

Dual SIM cellphones are pretty common, although for obvious reasons you're never going to get one from a carrier. (Try eBay.) You could have one sim with your regular month to month plan, and the other with a cheap prepaid plan.

Google Voice numbers are free and can send and receive SMS messages. I find them a dandy way to make the two-factor crowd happy.

Re: "Your cell phone number: To give or not to give"

David E. Ross <david@rossde.com>

Date: Wed, 17 Dec 2014 15:05:02 -0800

I, too, have encountered a few Web sites that request my cell phone number when I login. All but one of them gives me the option to indicate that I do not have a cell phone. I do not have one; but if I did, I would still select that option.

The one exception is Yahoo, which requests my cell phone number at least once a week. I have exchanged E-mail with Yahoo support personnel, asking how this could be stopped. After several messages and replies, I learned that Yahoo has no plans to end this annoying request. My exchange of E-mail messages can be seen about 1/4 down the page at <http://www.rossde.com/quips/index.html>.

Re: "Your cell phone number: To give or not to give"

Kelly Bert Manning <Kelly.Manning@ncf.ca>

Date: Thu, 18 Dec 2014 04:15:12 -0500 (EST)

In my case the question assumes a personal cell phone not in existence.

Having a cell phone is not mandatory, any more than having a land line phone or a driver's license.

Never had a personal cell phone myself and don't plan to. Neither has my wife or our youngest son. We live in a cell service reception and transmission nearly dead area, among other reasons. I carry work cell phones when I get paid to, and get paid for each incoming call, but at my home they are no more useful than a pager. One employer even paid for a second home phone modem / on call land line for more than a decade.

I am surprised that someone with an @telus.net email address would ask this question, but Gene Wirchenko seemed to be quoting a USA article. The USA is an international privacy backwater, compared to the Council of Europe and Canada.

Most TELUS customers live in BC or Alberta, which have very similar PIPA acts `Substantially Similar' to the National PIPEDA statute. The Federal PIPEDA Act applies to Federally Regulated Enterprises such as TELUS for their operations within Canada. PIPEDA applies in Provinces that do not have `Substantially Similar' Provincial Private Sector Privacy Statutes. Inter-provincial commerce falls under PIPEDA.

Within Canada someone faced with a demand for excessive personal information can simply point out that the demand is contrary to law and contact the Relevant Privacy Commissioner if an enterprise or not for profit organization persists with the demand.

www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/P_39_1/P39_1_A.html

Section 9 of the Quebec privacy statute in effect since 1994 Jan 1 says: "No person may refuse to respond to a request for goods or services or to a request relating to employment by reason of the applicant's refusal to disclose personal information except where (1) collection of that information is necessary for the conclusion or performance of a contract; (2) collection of that information is authorized by law; or (3) there are reasonable grounds to believe that the request is not lawful. In case of doubt, personal information is deemed to be non-necessary."

Trying to cobble together a contractual performance excuse such as texting confirmations should at least get sharp questioning from Commissioners about why Canada Post or email could not be used, and the number could only be used for the purposes stated at the time it was collected from you. Function Creep is not permitted without prior consent in Canada.

Customers can refuse to allow advertising to be folded in with monthly bank, telephone or cable statements, and can prohibit marketing calls. I got a $100 credit the last time Shaw Cable ignored the Do Not Solicit flag on my account in Shaw's Client database, but I had to complain to the Federal Privacy Commissioner to get the attention of Shaw's Corporate Head of Legal and collect my fee for the prohibited telemarketing calls and personalized Canada Post mail. I followed the Robert Bulmash / Private Citizen Inc. algorithm of serving Shaw with prior notice of my fee, in writing.

Shaw apologized, giving a variation on the "Rogue Marketer" story that Bell Canada used when they got a $1.3 million fine from the CRTC. You only get one guess about who manages the Canadian Do Not Call List for the CRTC. Hiring someone else to make prohibited telemarketing calls does not buy you a free pass in Canada.

www.crtc.gc.ca/eng/com100/2010/r101220.htm

There was discussion of having 2-line cell phones. Don't many cell phone users have multiple phones with different numbers? There was a recent USA Supreme Court case where Chief Justice John Roberts asked "what is your authority" in response to an appeal lawyer stating that carrying 2 or more cell phones is not proof of criminality and is common. Sometimes folks in an older generation just do not get it.

www.scientificamerican.com/article/how-many-cell-phones-does-it-take-to-arouse-a-supreme-court-justice-s-suspicion/

Isn't call forwarding to a single cell phone another option?

Giving made-up numbers, or a dial-a-prayer or similar, is a bad idea, although some people would recognize a 555-0100 to 555-0199 phone number as pure fiction for most area codes. Sometimes they just want something to fill in the screen. I find that giving H0H 0H0 to sales clerks who ask for my Postal Code speeds things up and makes my point without wasting their time or mine. Most Canadians recognize that valid code, particularly around XMAS.

An IT contractor who had a brief ~1990 tenure in the same office as me objected to being placed in the Duty Analyst rotation. The first time someone called the number he gave, it turned out to be Dial-a-Prayer. That did not work out well for him. Contractual obligation not met.