The FREAK (Factoring RSA Export Keys) flaw allows bad men to exploit those secret intimate moments shared between certain web browsers and HTTPS websites. Just when your copy of Safari begins rubbing the website’s knee and mumbling “you know you want it” in its ear, FREAK allows the hooligan element of the online world to tip-toe unnoticed into the room. By the time Safari has finished sweet-talking the website and is fumbling with its zip before establishing a “safe connection”, the rascals have stolen its johnnies.
The weakness in the connection security at this stage was the result of a governmental directive some 20 years ago that good encryption should not be exported to that dark and dangerous place outside the US known as “the rest of the world” (AKA “terrorists”).
In many cases, security flaws are loopholes left behind due to the complexity of the digital antagonism between trying to enable a thing while preventing that thing. FREAK, on the other hand, was created as a deliberate act of self-sabotage, determined by the Powers That Be in full knowledge of the potential consequences.
Blame politicians for their lack of long-term vision if you like, but this is hardly the point. Politicians come and go and fill their pockets and die: this is what we expect politicians to do and we vote them into office so that they can do it. If there’s any lack of forward-thinking involved, it starts at the ballot box.
But in this instance, lots of people at the time said that relaxing encryption was A Stupid Idea. So the politicians and their advisers knew it was daft and still went ahead.
Consider the Y2K bug or the 2038 bug or whatever. The very fact that these things have names suggests that someone somewhere had the foresight to think about them in advance. They began as oversights and go on to be exploited, and then go on to be fixed.
It strikes me that the IT industry enjoys watching security go titsup time and time again, simply so that it can fix it.
Despite what we already know, not least what we have learnt this FREAK week, someone somewhere is probably still advising the British prime minister that message encryption was invented by Osama bin Laden and should be zero-dark-thirtied at the first opportunity. National security, he is being advised, can only be achieved by criminalising er… security. Duh.
I blame these same advisors for the reckless re-emergence of biometric checks as a form of authentication. Surely it’s obvious to everyone that the fingerprint login on iPhone 6 and iPad Air devices is just a bit of fun, not a serious stab at effective security. Yet RBS and NatWest banks are introducing fingerprint access for accounts via mobile devices, and the scary bit is that they’re not laughing.
Biometrics are bollocks. Some El Reg readers may recollect Steve Jobs years ago demonstrating VoicePrint verification in Mac OS 9: “My name is my password”. It was just a little joke, though: a laugh, a trick to delight the kids. It certainly wasn’t secure.
By the way, if you do remember this short-lived feature, well done: most long-time Mac users have already forgotten this turd of biometric nonsense.
In sci-fi action films, when a retina scan or a fingerprint is required to gain access to the high-security lab of an evil genius, the hero plucks out or hacks off that item from an unsuspecting minion in a lab coat and simply waves the relevant bloodied body part in front of the clichéd scanner thingy. For voice-activation, I wouldn’t be surprised to see a cinematic hero trying to blow through the vocal cords he’d ripped out of the chief scientist’s neck.
Of course, for voice activation, all you’d need to do is to hire a voice actor for your crack team, or invite that bloke down the pub who can do impersonations. Just imagine if James Earl Jones had voice activation on his bank account: you could break into it using a Darth Vader voice-changer from a toy shop.
Mississippi Attorney General Jim Hood Demands $2,100 To Reveal The Emails He’s Had With The MPAA
As you may know, we’ve been covering the story of Mississippi Attorney General Jim Hood and his campaign against Google. A few years ago, we noted how bizarre it was that Hood and other state Attorneys General seemed to be blaming Google for all kinds of bad things online. It seemed to show a fundamental lack of understanding about how the internet (and the law!) worked. Of course, things became somewhat more “understandable” when emails leaked in the Sony Hack revealed that the MPAA had an entire “Project Goliath” designed around attacking Google, and the centerpiece of it was funding Jim Hood’s investigation into Google, including handling most of the lawyering, writing up Hood’s letters to Google and even the “civil investigative demand” (CID — basically a subpoena) that he could send.
Hood lashed out angrily about all of this, even as the NY Times revealed that the metadata on the letter he sent Google showed that it was really written by top MPAA lawyers. Hood continued to angrily lash out, demonstrating how little he seemed to understand about the internet. He made claims that were simply untrue — including pretending that Google would take users to Silk Road, the dark market hidden site that could never be found via a Google search. Hood also dared reporters to find any evidence of funding from Hollywood, and it didn’t take us long to find direct campaign contributions to his PAC from the MPAA and others.
Given all of this, we filed a Mississippi Public Records request with his office, seeking his email communications with the MPAA, its top lawyers and with the Digital Citizens Alliance, an MPAA front-group that has released highly questionable studies on “piracy” and just so happened to have hired Hood’s close friend Mike Moore to lobby Hood in Mississippi. Moore was the Mississippi Attorney General before Hood and helped Hood get into politics.
We’ve had to go back and forth with Hood’s office a few times. First, his office noted that Google had actually filed a similar request, and wanted to know if we were working for Google in making the request. We had no idea Google made such a request and certainly were not working on behalf of Google in making our request — but Hood’s office helpfully forwarded us Google’s request, which was actually a hell of a lot more detailed and comprehensive than our own. This actually is helpful in pointing to some other areas of interest to explore.
However, after some more back and forth, Hood’s office first said that it would refuse to share the emails between Hood and the MPAA’s lawyers as they “constitute attorney-client communications” or “attorney work product” and that finding the rest of the emails would… require an upfront payment of $2,103.10.
Albuquerque Police Dept. ‘Complies’ With Records Request By Releasing Password-Protected Videos… But Not The Password
If there’s one thing the Albuquerque Police Department (APD) does well — or at least, frequently — it’s shoot and kill Albuquerque residents. Its officers’ obvious preference for excessive and/or deadly force attracted the notice of the DOJ, which issued a (mostly) scathing review that was tempered somewhat by the DOJ’s appreciation of the inherent risks of the job, as well as all the hard work the city’s officers do when not shooting Albuquerque residents.
On May 3rd of last year, Gail Martin called the APD to help her when her husband, Armand Martin, threatened her and her two children with a gun. This turned into a lengthy standoff which finally ended when APD officers shot Martin as he ran from the house. According to the police, Martin was holding two guns at the time.
The APD released a number of records, including footage captured before and after the shooting, but nothing containing the shooting itself. Local law firm Kennedy Kennedy & Ives, representing Gail Martin for a possible civil rights lawsuit, requested a copy of police recordings containing the actual shooting under New Mexico’s Inspection of Public Records Act (IPRA).
Over a month later, the APD responded. Sort of.
The Kennedy Kennedy & Ives Law Practice in the lawsuit said the department in mid-August released six CDs containing records on the May 3 shooting death of Armand Martin, a 50-year-old Air Force veteran, in response to the firm’s records request. But three of the CDs were password protected.
Now, this could have been a simple oversight, but if so, the problem would be solved already. Instead, it looks as though the APD is looking to keep the law firm from viewing the videos it requested.
The firm has tried to get the password from APD records, evidence and violent crimes personnel to no avail, according to the complaint…
Now the APD’s being sued. The firm is seeking not only access to the password-protected videos, but also damages and legal fees. According to the firm, access to these videos is crucial to determining whether or not Gail Martin has a legitimate civil rights case. Without them, the firm is no better positioned to make this call than the general public, which has only seen the lead-in and aftermath of the shooting.
This isn’t the APD’s only legal battle related to its IPRA non-compliance. Late last year, KRQE of Albuquerque sued it for “serial violations” of the law. That’s in addition to the one it filed over a 2012 incident, in which the PD stalled on its response to a journalist’s public records request before releasing the requested footage at a press conference, basically stripping the reporter of her potential “scoop.”
It’s common knowledge that law enforcement agencies are less than helpful when it comes to releasing documentation of alleged wrongdoing. It’s the one part they can’t completely seal off when circling the wagons. This leads to weeks, months… even years of obfuscation. And this often leads to lawsuits, paid for by the same public the agency doesn’t want holding it accountable.
Snowden Docs: New Zealand Spying On Friendly Neighboring Countries For The NSA
More Snowden docs have been released, covering the extent of GCSB’s (New Zealand’s intelligence agency) spying on supposedly “friendly” island nations. As is par for the course for intelligence programs, the documents show massive bulk collections of data and communications — all of which are immediately shared with the other members of the “Five Eyes” club.
Since 2009, the Government Communications Security Bureau intelligence base at Waihopai has moved to “full-take collection”, indiscriminately intercepting Asia-Pacific communications and providing them en masse to the NSA through the controversial NSA intelligence system XKeyscore, which is used to monitor emails and internet browsing habits.
This sort of spying — while apparently “normal,” in light of previously-released documents — indicates many governments enjoy spying for spying’s sake, rather than for the justifications they often offer in defense of untargeted surveillance.
The documents, provided by US whistleblower Edward Snowden, reveal that most of the targets are not security threats to New Zealand, as has been suggested by the Government.
Instead, the GCSB directs its spying against a surprising array of New Zealand’s friends, trading partners and close Pacific neighbours. These countries’ communications are supplied directly to the NSA and other Five Eyes agencies with little New Zealand oversight or decision-making, as a contribution to US worldwide surveillance.
WordPress Wins $25,000 From DMCA Takedown Abuser
Automattic, the company behind the popular WordPress blogging platform, has faced a dramatic increase in DMCA takedown notices in recent years.
Most requests are legitimate and indeed targeted at pirated content. However, there are also cases where the takedown process is clearly being abused.
To curb these fraudulent notices WordPress decided to take a stand in court, together with student journalist Oliver Hotham who had one of his articles on WordPress censored by a false takedown notice.
Hotham wrote an article about “Straight Pride UK” which included a comment he received from the organization’s press officer Nick Steiner. The latter didn’t like the article Hotham wrote, and after publication Steiner sent WordPress a takedown notice claiming that it infringed his copyrights.
WordPress and Hotham took the case to a California federal court where they asked to be compensated for the damage this abuse caused them.
The case is one of the rare instances where a service provider has taken action against DMCA abuse. The defendant, however, failed to respond in court which prompted WordPress to file a motion for default judgment.
The company argued that as an online service provider it faces overwhelming and crippling copyright liability if it fails to take down content. People such as Steiner abuse this weakness to censor critics or competitors.
“Steiner’s fraudulent takedown notice forced WordPress to take down Hotham’s post under threat of losing the protection of the DMCA safe harbor,” WordPress argued.
“Steiner did not do this to protect any legitimate intellectual property interest, but in an attempt to censor Hotham’s lawful expression critical of Straight Pride UK. He forced WordPress to delete perfectly lawful content from its website. As a result, WordPress has suffered damage to its reputation,” the company added.
After reviewing the case United States Magistrate Judge Joseph Spero wrote a report and recommendation in favor of WordPress and Hotham, and District Court Judge Phyllis Hamilton issued a default judgment this week.
“The court finds the report correct, well-reasoned and thorough, and adopts it in every respect,” Judge Hamilton writes.
“It is Ordered and Adjudged that defendant Nick Steiner pay damages in the amount of $960.00 for Hotham’s work and time, $1,860.00 for time spent by Automattic’s employees, and $22,264.00 for Automattic’s attorney’s fees, for a total award of $25,084.00.”
The case is mostly a symbolic win, but an important one. It should serve as a clear signal to other copyright holders that false DMCA takedown requests are not always left unpunished.
Suburban Express Changes Terms Of Service To Screw Sued College Students Out Of University-Provided Legal Aid
Dennis Toeppen of Suburban Express is still deploying his highly-peculiar brand of “customer service” — something that includes doxxing unhappy customers, suing unhappy customers, suing unhappy customers, suing unhappy customers and being arrested for “harassment through electronic communications.”
Nothing has changed. Toeppen is still a lawsuit fan who believes negative reviewers or anyone who doesn’t fully appreciate how hard it is to run a shuttle bus service should be forced to pay $500 (at least) in “liquidated damages.” Now, he’s looking to pave himself a downhill slope for his future lawsuit filing. Techdirt reader Kionae sends over this article from the University of Illinois’ campus newspaper which contains a small detail that shows just how far Toeppen is willing to go to get his $500.
Suburban Express recently changed its “Terms & Conditions” so any legal action arising on the online transaction of tickets should take place in Ford County, roughly 30 miles north of Champaign.
In a statement on its website, the company said it chose Ford County “because of high availability of court dates, efficient court operation, excellent staff work ethic, low costs for both parties, easy parking, and other factors.”
This has nothing to do with “efficient court operations” and has everything to do with making it economically unfeasible for sued college students to fight back. Taking the action 30 miles away strips students of the following protection:
According to the Student Legal Services Operational Plan, Student Legal Services can only represent eligible students who have cases in or originating in Champaign County.
Toeppen’s change of venue is carefully calculated to extract the most money/misery from the situation. That situation, of course, is Toeppen’s inability to run a business and field criticism at the same time. In Toeppen’s defense, he’ll say he’s never wrong and it’s these spoiled brat students with overactive mouths who are to blame. (What? Did you think I was going to half-heartedly defend any aspect of Toeppen’s behavior?)
With students forced to pay for their own defense against Toeppen’s frivolous, vindictive lawsuits, the needle moves towards a higher default judgment rate. That’s what Toeppen wants, considering his legal arguments are mostly indefensible. This should see his lawsuit-filing rate approaching the stratospheric highs of 2012-13, a two-year span in which Suburban Express filed 126 lawsuits. Toeppen is misusing the judicial system. Hopefully, the judges there will recognize his venue-shifting for what it is and push cases back to the proper courts.
Comcast Blocks HBO Go From Working On Playstation 4, Won’t Coherently Explain Why
About a year ago we noted how Comcast has a weird tendency to prevent its broadband users from being able to use HBO Go on some fairly standard technology, including incredibly common Roku hardware. For several years Roku users couldn’t use HBO Go if they had a Comcast connection, and for just as long Comcast refused to explain why. Every other broadband provider had no problem ensuring the back-end authentication (needed to confirm you have a traditional cable connection) worked, but not Comcast. When pressed, Comcast would only offer a generic statement saying yeah, it would try and get right on that:
“With every new website, device or player we authenticate, we need to work through technical integration and customer service which takes time and resources. Moving forward, we will continue to prioritize as we partner with various players.”
And the problem wasn’t just with Roku. When HBO Go on the Playstation 3 was released, it worked with every other TV-Everywhere compatible provider, but not Comcast. When customers complained in the Comcast forums, they were greeted with total silence. When customers called in to try and figure out why HBO Go wouldn’t work, they received a rotating crop of weird half answers or outright incorrect statements (it should arrive in 48 hours, don’t worry!).
Fast forward nearly a year since the HBO Go Playstation 3 launch, and Sony has now announced an HBO Go app for the Playstation 4 console. And guess what — when you go to activate the app you’ll find it works with every major broadband ISP — except Comcast. Why? Comcast appears to have backed away from claims that the delay is due to technical or customer support issues, and is now telling forum visitors the hangup is related to an ambiguous business impasse:
“HBO Go availability on PS3 (and some other devices) are business decisions and deal with business terms that have not yet been agreed to between the parties. Thanks for your continued patience.”
Since every other ISP (including AT&T, Verizon, and Time Warner Cable) didn’t have a problem supporting the app, you have to assume Comcast specifically isn’t getting something from Sony or HBO it would like (read: enough money to make them feel comfortable about potentially cannibalizing traditional TV/HBO viewers). It’s a good example of how crafting net neutrality rules is only part of the conversation. It’s great to have rules, but they don’t mean much if bad or outright anti-competitive behavior can just be hidden behind half-answers and faux-technical nonsense for years on end without repercussion.
Scenic Selfie Station
I feel like Americans were fed a lot of bullshit about American ingenuity and Thomas Edison when they were kids, which produced a generation of adults who view every mundane inconvenience as an opportunity to invent and market a revolutionary problem-solving gadget. In the course of solving some such minor problem, the semblance of reality and practicality fades away as the relentless capitalist logic of the inventor drives him towards the craziest possible solution. He then shits his product onto Kickstarter, where it floats up to the intake of Your Kickstarter Sucks, itself a bizarre invention created to solve the problem of Kickstarters not being made fun of enough.
Ryan wanted to get a picture of himself with his fiancé at Staples Center, but his arms were too short to take a selfie (I am not making this up; watch the video). They were forced to ask a stranger to take a photo, but the stranger’s photo came out bad and Ryan was too shy to ask him to take another. There’s got to be a better way! Well now there is:
The product will be a stationary stand much like the old telescope viewers that still exist at various national monuments. It will stand roughly 4 and 1/2 feet tall. It will have a small camera like those included on an Android or iPhone 6. There will be a touchscreen on the opposite side of the camera for customers to log into one of their social media platforms. It will also have a ten second countdown that beeps as those desiring a picture will have that time to pose with their friends for the perfect picture. After the picture is taken, it will be automatically posted onto whatever social media platform the customer has logged into.
Smartphones enable people to take high quality photographs anywhere they want, but what we really need is a $10,000 stationary apparatus mounted in front of Staples Center to save souvenir-craved sports fans the trouble and shame of asking a stranger to take a photograph of them. The best part is it’s totally free to use and funded by nothing more intrusive than corporate logos plastered on your photos:
So… Long story short, we will be offering companies to have their logos included on the customer’s pictures which are taken and then posted on social media and… BOOM! All of the sudden, instead of harassing our social media walls with advertisements that are scrolled through, companies will now have their logos included on pictures of our friends at beautiful destinations across the nation and eventually globe! Thus using both word of mouth advertising while letting the people be the sole marketers.
The Tsarnaev Trial and the Blind Spots in ‘Countering Violent Extremism’
On April 19, 2013, as Dzhokhar Tsarnaev lay bleeding from gunshot wounds in a suburban Boston backyard, he scrawled a note that contained the following message:
“The US Government is killing our innocent civilians but most of you already know that….I don’t like killing innocent people it is forbidden in Islam but due to said [unintelligible] it is allowed…Stop killing our innocent people and we will stop.”
This message mirrored comments Tsarnaev would later give to investigators, in which he cited grievances over American wars in Afghanistan and Iraq as his motivation for the 2013 bombing of the Boston Marathon.
In his trial, which begins today, more details are expected to emerge about how he went from a popular college student to an alleged homegrown terrorist.
Widely described as a “self-radicalized” terrorist, Tsarnaev now serves as a prime example of the type of individual targeted by Countering Violent Extremist (CVE) programs. Yet in fact, Tsarnaev’s life trajectory leading up to the bombing does not resemble the “path to radicalization” identified in CVE frameworks — raising questions about the capacity of these programs to intervene effectively to preempt terrorism.
Florida Legislators Introduce Bill That Would Strip Certain Site Owners Of Their Anonymity
This week, the Florida state legislature is considering a bill that would make it illegal to run any website or service anonymously, if the site fits a vague category of “disseminat[ing]” “commercial” recordings or videos—even the site owner’s own work. Outlawing anonymous speech raises a serious First Amendment problem, and laws like this one have been abused by police and the entertainment industry.
The bill (Senate and House versions) seems to be catering directly to the entertainment industry and could give local law enforcement City of London Police-esque powers to act as de facto copyright cops. And its potential stripping of anonymity not only requires disclosure to law enforcement, but everyone else on the web.
A person who owns or operates a website or online service dealing in substantial part in the electronic dissemination of commercial recordings or audiovisual works, directly or indirectly, to consumers in this state shall clearly and conspicuously disclose his or her true and correct name, physical address, and telephone number or e-mail address on his or her website or online service in a location readily accessible to a consumer using or visiting the website or online service.