Tag Archives: tsa

Should US Border Cops Need a Warrant To Search Devices?

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/nkJXOQKsHkU/

The answer from me is, OF COURSE, f&ck yes. They can’t search your home, car and anywhere else in the country, they would need a warrant to search devices too. A case by the EFF (Electronic Frontier Foundation) is heading to the Fifth Circuit Court of Appeals in the US to find out what should […]

The post Should US Border Cops Need a…

Read the full post at darknet.org.uk

Court Hands Internet Textbook Pirates Suspended Sentences

Post Syndicated from Andy original https://torrentfreak.com/court-hands-internet-textbook-pirates-suspended-sentences-170624/

All types of media content are pirated online, with movies, TV shows, and music among the most popular. However, in recent years books have proven desirable too, especially those that otherwise carry hefty price tags.

Textbooks are particularly well known for their stiff pricing, something which is a thorn in the side of thousands of students every year. Making matters worse, books are often only marginally tweaked per revision, ensuring that second-hand copies lose their value. This isn’t something that affects pirates though.

Over the years, many file-sharing sites have catered to people seeking textbooks for free, with many building up a dedicated following. Others, however, have seen the opportunity to make some money, offering broad but illegal access to textbooks for a nominal fee.

That was the case with Denmark-based website LendStudy. It provided students with access to hundreds of textbooks for a comparatively reasonable price of 300 kroner ($45.00) per semester. Unfortunately, that attracted the attention of anti-piracy outfit Rights Alliance, who pursued a case against its operators.

In court this week, three men aged 26, 31 and 71 stood accused of scanning and then making available at least 198 copyrighted textbooks to paying members. Between August 2013 and October 2014 it was alleged the textbooks were downloaded from the site 2,574 times, netting the men revenues of around $3,500.

According to local media, all three men initially pleaded not guilty but later admitted being operators of the site.

The court heard how RightsAlliance tried to create an account on LendStudy but its request for membership was discovered and rejected by the site’s operators. Other evidence presented by the prosecution included photographs of the men loading computers, scanners, and other IT equipment into a car.

“It is expensive for students to acquire new knowledge. Lendstudy wanted to spread knowledge in the form of books that give students more opportunities for new knowledge,” the 31-year-old defendant said in court.

Unfortunately for the site’s operators, the desire to enrich the minds of students failed to persuade the court that piracy could be ignored. All three were found guilty of criminal copyright infringement and handed four-month conditional jail sentences. The LendStudy.dk domain was confiscated.

The notice on the LendStudy site

“If textbooks are made freely available or sold illegally, publishers have less incentive to produce textbooks,” said Martin Lindø Westeraaard from University Press of Southern Denmark.

“It will be detrimental both for publishers and for the students, who will lose the opportunity to read Danish-language textbooks.”

A claim for damages against the men will now be pursued by Rights Alliance in a civil case.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Amazon Lightsail Update – 9 More Regions and Global Console

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/amazon-lightsail-update-9-more-regions-and-global-console/

Amazon Lightsail lets you launch Virtual Private Servers on AWS with just a few clicks. With prices starting at $5 per month, Lightsail takes care of the heavy lifting and gives you a simple way to build and host applications. As I showed you in my re:Invent post (Amazon Lightsail – The Power of AWS, the Simplicity of a VPS), you can choose a configuration from a menu and launch a virtual machine preconfigured with SSD-based storage, DNS management, and a static IP address.

Since we launched in November, many customers have used Lightsail to launch Virtual Private Servers. For example, Monash University is using Amazon Lightsail to rapidly re-platform a number of CMS services in a simple and cost-effective manner. They have already migrated 50 workloads and are now thinking of creating an internal CMS service based on Lightsail to allow staff and students to create their own CMS instances in a self-service manner.

Today we are expanding Lightsail into nine more AWS Regions and launching a new, global console.

New Regions
At re:Invent we made Lightsail available in the US East (Northern Virginia) Region. Earlier this month we added support for several additional Regions in the US and Europe. Today we are launching Lightsail in four of our Asia Pacific Regions, bringing the total to ten. Here’s the full list:

  • US East (Northern Virginia)
  • US West (Oregon)
  • US East (Ohio)
  • EU (London)
  • EU (Frankfurt)
  • EU (Ireland)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Singapore)
  • Asia Pacific (Sydney)

Global Console
The updated Lightsail console makes it easy for you to create and manage resources in one or more Regions. I simply choose the desired Region when I create a new instance.

I can see all of my instances and static IP addresses on the same page, no matter what Region they are in, and I can perform searches that span all of my resources and Regions, such as all of my LAMP stacks, or all of my resources in the EU (Ireland) Region. I can perform a similar search on the Snapshots tab.

A new DNS zones tab lets me see my existing zones and create new ones.

Creation of SSH key pairs is now specific to a Region, and I can manage my key pairs on a Region-by-Region basis. Static IP addresses are also specific to a particular Region.

Available Now
You can use the new Lightsail console and create resources in all ten Regions today!

Jeff;


Extending the Airplane Laptop Ban

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/extending_the_a.html

The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent fliers to bring their computers with them. This will only exacerbate the divide between the haves and the have-nots — all without making us any safer.

In March, both the United States and the United Kingdom required that passengers from 10 Muslim countries give up their laptop computers and larger tablets, and put them in checked baggage. The new measure was based on reports that terrorists would try to smuggle bombs onto planes concealed in these larger electronic devices.

The security measure made no sense for two reasons. First, moving these computers into the baggage holds doesn’t keep them off planes. Yes, it is easier to detonate a bomb that’s in your hands than to remotely trigger it in the cargo hold. But it’s also more effective to screen laptops at security checkpoints than it is to place them in checked baggage. TSA already does this kind of screening randomly and occasionally: making passengers turn laptops on to ensure that they’re functional computers and not just bomb-filled cases, and running chemical tests on their surface to detect explosive material.

Second, banning laptops on selected flights just forces terrorists to buy more roundabout itineraries. It doesn’t take much creativity to fly Doha-Amsterdam-New York instead of direct. Adding Amsterdam to the list of affected airports makes the terrorist add yet another itinerary change; it doesn’t remove the threat.

Which brings up another question: If this is truly a threat, why aren’t domestic flights included in this ban? Remember that anyone boarding a plane to the United States from these Muslim countries has already received a visa to enter the country. This isn’t perfect security — the infamous underwear bomber had a visa, after all — but anyone who could detonate a laptop bomb on his international flight could do it on his domestic connection.

I don’t have access to classified intelligence, and I can’t comment on whether explosive-filled laptops are truly a threat. But, if they are, TSA can set up additional security screenings at the gates of US-bound flights worldwide and screen every laptop coming onto the plane. It wouldn’t be the first time we’ve had additional security screening at the gate. And they should require all laptops to go through this screening, prohibiting them from being stashed in checked baggage.

This measure is nothing more than security theater against what appears to be a movie-plot threat.

Banishing laptops to the cargo holds brings with it a host of other threats. Passengers run the risk of their electronics being stolen from their checked baggage — something that has happened in the past. And, depending on the country, passengers also have to worry about border control officials intercepting checked laptops and making copies of what’s on their hard drives.

Safety is another concern. We’re already worried about large lithium-ion batteries catching fire in airplane baggage holds; adding a few hundred of these devices will considerably exacerbate the risk. Both FedEx and UPS no longer accept bulk shipments of these batteries after two jets crashed in 2010 and 2011 due to combustion.

Of course, passengers will rebel against this rule. Having access to a computer on these long transatlantic flights is a must for many travelers, especially the high-revenue business-class travelers. They also won’t accept the delays and confusion this rule will cause as it’s rolled out. Unhappy passengers fly less, or fly other routes on other airlines without these restrictions.

I don’t know how many passengers are choosing to fly to the Middle East via Toronto to avoid the current laptop ban, but I suspect there may be some. If Europe is included in the new ban, many more may consider adding Canada to their itineraries, as well as choosing European hubs that remain unaffected.

As passengers voice their disapproval with their wallets, airlines will rebel. Already Emirates has a program to loan laptops to their premium travelers. I can imagine US airlines doing the same, although probably for an extra fee. We might learn how to make this work: keeping our data in the cloud or on portable memory sticks and using unfamiliar computers for the length of the flight.

A more likely response will be comparable to what happened after the US increased passenger screening post-9/11. In the months and years that followed, we saw different ways for high-revenue travelers to avoid the lines: faster first-class lanes, and then the extra-cost trusted traveler programs that allow people to bypass the long lines, keep their shoes on their feet and leave their laptops and liquids in their bags. It’s a bad security idea, but it keeps both frequent fliers and airlines happy. It would be just another step to allow these people to keep their electronics with them on their flight.

The problem with this response is that it solves the problem for frequent fliers, while leaving everyone else to suffer. This is already the case; those of us enrolled in a trusted traveler program forget what it’s like to go through “normal” security screening. And since frequent fliers — likely to be more wealthy — no longer see the problem, they don’t have any incentive to fix it.

Dividing security checks into haves and have-nots is bad social policy, and we should actively fight any expansion of it. If the TSA implements this security procedure, it should implement it for every flight. And there should be no exceptions. Force every politically connected flier, from members of Congress to the lobbyists that influence them, to do without their laptops on planes. Let the TSA explain to them why they can’t work on their flights to and from D.C.

This essay previously appeared on CNN.com.

EDITED TO ADD: US officials are backing down.

Facebook / WhatsApp: The EC imposes a fine under the Merger Regulation

Post Syndicated from nellyo original https://nellyo.wordpress.com/2017/05/18/facebook-whatsapp-%D0%B5%D0%BA-%D0%BD%D0%B0%D0%BB%D0%B0%D0%B3%D0%B0-%D0%B3%D0%BB%D0%BE%D0%B1%D0%B0-%D0%BF%D0%BE-%D1%80%D0%B5%D0%B3%D0%BB%D0%B0%D0%BC%D0%B5%D0%BD%D1%82%D0%B0-%D0%B7%D0%B0-%D1%81/

The European Commission has decided to impose a fine of 110 million euros on Facebook for providing incorrect or misleading information regarding Facebook’s acquisition of WhatsApp. According to Competition Commissioner Vestager, the Commission must be able to take decisions on the effects of mergers on competition with full knowledge of the accurate facts.

This is the first time the Commission has fined a company for providing incorrect or misleading information since the 2004 Merger Regulation entered into force. The EC’s decision is unrelated to any privacy, data-protection or consumer-protection issues that may arise concerning Facebook / WhatsApp, nor to proceedings at the national level in the EU.

Under the Merger Regulation the Commission can impose fines of up to 1% of the total turnover of companies that intentionally or negligently provide the Commission with incorrect or misleading information. In this case, incorrect and misleading information was provided twice: in the 2014 merger notification form and in the 2016 reply to a Commission request for information.

The media note that this is the latest technology giant the EC has dealt with, after Amazon and Apple and with proceedings against Google ongoing.

The EC’s announcement

Filed under: Digital, EU Law

News from the AWS Summit in Berlin – 3rd AZ & Lightsail in Frankfurt and Another Polly Voice

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/news-from-the-aws-summit-in-berlin-3rd-az-lightsail-in-frankfurt-and-another-polly-voice/

We launched the AWS Region in Frankfurt in the fall of 2014 and opened the AWS Marketplace for the Region the next year.

Our customers in Germany come in all shapes and sizes: startups, mid-market, enterprise, and public sector. These customers have made great use of the new Region, building and running applications and businesses that serve Germany, Europe, and more. They rely on the broad collection of security features, certifications, and assurances provided by AWS to help protect and secure their customer data, in accord with internal and legal requirements and regulations. Our customers in Germany also take advantage of the sales, support, and architecture resources and expertise located in Berlin, Dresden, and Munich.

The AWS Summit in Berlin is taking place today and we made some important announcements from the stage. Here’s a summary:

  • Third Availability Zone in Frankfurt
  • Amazon Lightsail in Frankfurt
  • New voice for Amazon Polly

Third Availability Zone in Frankfurt
We will be opening an additional Availability Zone (AZ) in the EU (Frankfurt) Region in mid-2017 in response to the continued growth in the use of AWS. This brings us up to 43 Availability Zones within 16 geographic Regions around the world. We are also planning to open five Availability Zones in new AWS Regions in France and China later this year (see the AWS Global Infrastructure maps for more information).

AWS customers in Germany are already making plans to take advantage of the new AZ. For example:

Siemens expects to gain additional flexibility by mirroring their services across all of the AZs. It will also allow them to store all of their data in Germany.

Zalando will do the same, mirroring their services across all of the AZs and looking ahead to moving more applications to the cloud.

Amazon Lightsail in Frankfurt
Amazon Lightsail lets you launch a virtual machine preconfigured with SSD storage, DNS management, and a static IP address in a matter of minutes (read Amazon Lightsail – The Power of AWS, the Simplicity of a VPS to learn more).

Amazon Lightsail is now available in the EU (Frankfurt) Region and you can start using it today. This allows you to use it to host applications that are required to store customer data or other sensitive information in Germany.

New Voice for Amazon Polly
Polly gives you high-quality, natural-sounding male and female speech in multiple languages. Today we are adding another German-speaking female voice to Polly, bringing the total number of voices to 48.

Like the German voice of Alexa, Vicki (the new voice) is fluent and natural. Vicki is able to fluently and intelligently pronounce the Anglicisms frequently used in German texts, including the fully inflected versions. To get started with Polly, open up the Polly Console or read the Polly Documentation.

I’m looking forward to hearing more about the continued growth and success of our customers in and around Germany!

Jeff;

EU: Facebook and personal data

Post Syndicated from nellyo original https://nellyo.wordpress.com/2017/05/17/%D0%B5%D1%81-facebook-%D0%B8-%D0%BB%D0%B8%D1%87%D0%BD%D0%B8%D1%82%D0%B5-%D0%B4%D0%B0%D0%BD%D0%BD%D0%B8/

Facebook has been fined 150,000 euros in France. The French data-protection regulator CNIL found six violations, including the collection of information about users for advertising “without a legal basis”. Tracking of users while they browse the web was also established. Users have no control over the use of their personal data, according to a statement by the regulator of 16 May 2017.

The FT reports that the regulator in Belgium holds a similar position, that in the Netherlands ads were found to be targeted according to users’ declared sexual preferences, and that WhatsApp has been fined 3 million euros in Italy because its terms of use include mandatory consent to data sharing with Facebook, the company that owns WhatsApp.

The French regulator works jointly with the data-protection regulators in the Netherlands, Germany, Belgium, Spain and others.

Source: FT

Filed under: Digital, EU Law

Streaming Site Operator Jailed For Three Years After Landmark Trial

Post Syndicated from Andy original https://torrentfreak.com/streaming-site-operator-jailed-for-three-years-after-landmark-trial-170516/

Founded more than half a decade ago, Swefilmer grew to become Sweden’s most popular movie and TV show streaming site. It was credited alongside another streaming portal for serving up to 25% of all online video streaming in Sweden.

With this level of prominence, it was only a question of time before authorities stepped in to end the free streaming bonanza. In 2015, that happened when an operator of the site in his early twenties was raided by local police.

This was followed by the arrest of a now 26-year-old Turkish man in Germany, who was accused of receiving donations from users and setting up Swefilmer’s deals with advertisers.

The pair, who had never met in person, appeared at the Varberg District Court in January, together accused of making more than $1.5m from their activities between November 2013 and June 2015.

As the trial progressed, it was clear that the outcome was not likely to be a good one for the men.

Prosecutor Anna Ginner described the operation as being like “organized crime”, with lawyer Henrik Pontén of RightsAlliance claiming that the evidence only represented a small part of the money made by the pair.

From the beginning, it was always claimed that the 26-year-old was the main player behind the site, with the now 23-year-old playing a much smaller role. While the latter received an estimated $4,000 of the proceeds, the former was said to have enriched himself with more than $1.5m in advertising revenue.

The Varberg District Court has now handed down its ruling and it’s particularly bad news for the 26-year-old, who is reported to have led a luxury lifestyle with proceeds from the site.

In a short statement the court confirmed he had been convicted of 1,044 breaches of copyright law and serious money laundering offenses. He was sentenced to serve three years in prison and ordered to forfeit $1.59m. The Court was far more lenient with the younger man.

After being found guilty of four counts of copyright infringement but playing almost no role in the site’s revenue operations, no sentencing for money laundering was handed down. He was instead handed probation and ordered to complete 120 hours of community service, a sentence that was positively affected by his age when the offenses were committed.

It’s worth noting that the sentence received by the 26-year-old goes way beyond the sentences handed down even in the notorious Pirate Bay case, where defendants Fredrik Neij, Peter Sunde and Gottfrid Svartholm received 10 months, 12 months and 8 months respectively.

However, with Henrik Pontén describing the Swefilmer case as being primarily about money laundering, his group is clearly unhappy that copyright offenses aren’t considered serious enough to warrant lengthy sentences in their own right.

“We welcome the judgment, but it is clear that copyright law must be adapted to today’s serious piracy. The penalty for copyright infringement should in itself be enough to deter people from crime,” Pontén says.

“The low level of penalties allows foreign piracy organizations to locate their operations in Sweden. The trend is very worrying.”

An important factor in the case moving forward is that in determining whether infringement had taken place, the Court drew heavily on the GS Media ruling handed down by the European Court of Justice last September.

In that decision, the Court found that linking to copyrighted material is only allowed when there is no intent to profit and when the linker is unaware that the content is infringing.

When there is a profit motive, which there clearly was in the Swefilmer case, operators of a site are expected to carry out the “checks necessary” to ensure that linked works have not been illegally published.

The operators of Swefilmer failed on all counts, so the local court determined that the platform had communicated copyrighted works to the public, in breach of copyright law.

Speaking with TorrentFreak, the 23-year-old expressed relief at his relatively light sentence but noted it may not be over yet.

“I was really happy when the judgment came. The long wait is finally over,” he said.

“RightsAlliance will appeal because they did not receive any compensation for the trial. But the prosecutor is satisfied with the judgment so it is only RightsAlliance who are dissatisfied.”

According to IDG, the lawyer of the 26-year-old believes that his client’s sentence is far too severe, so there may be an appeal in that direction too.


Why Is the TSA Scanning Paper?

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/why_is_the_tsa_.html

I’ve been reading a bunch of anecdotal reports that the TSA is starting to scan paper separately:

A passenger going through security at Kansas City International Airport (MCI) recently was asked by security officers to remove all paper products from his bag. Everything from books to Post-It Notes, documents and more. Once the paper products were removed, the passenger had to put them in a separate bin to be scanned separately.

When the passenger inquired why he was being forced to remove the paper products from his carry-on bag, the agent told him that it was a pilot program that’s being tested at MCI and will begin rolling out nationwide. KSHB Kansas City is reporting that other passengers traveling through MCI have also reported the paper-removal procedure at the airport. One person said that security dug through the suitcase for two “blocks” of Post-It Notes at the bottom.

Does anyone have any guesses as to why the TSA is doing this?

EDITED TO ADD (5/11): This article says that the TSA has stopped doing this. They blamed it on their contractor, Akal Security.

Swefilmer Piracy Trial Ends, Operators Face Years in Jail

Post Syndicated from Andy original https://torrentfreak.com/swefilmer-piracy-trial-ends-operators-face-years-in-jail-170428/

Founded more than five years ago, Swefilmer grew to become Sweden’s most popular movie and TV show streaming site. It was once said to have accounted for 25% of all web TV viewing in Sweden.

In 2015, a 22-year-old Swefilmer operator revealed he’d been raided and in 2016 a Turkish national was arrested in Germany on a secret European arrest warrant. The now 26-year-old was accused of receiving donations from users and setting up Swefilmer’s deals with advertisers.

The pair appeared at the Varberg District Court in January, accused of making more than $1.5m from their activities between November 2013 and June 2015.

After a few weeks’ suspension, the case got back underway this month, when details of the investigation into the site were revealed to the Court.

This week the trial concluded with prosecutor Anna Ginner describing the Swefilmer streaming operation as being like “organized crime”, while demanding a 4.5-year prison sentence for the 26-year-old alongside damages of more than $1.5m.

“I say this bears the traits of organized crime. A crime that has drawn in a lot of big money,” said Ginner via video link.

“The aim was to provide all visitors of the website Swefilmer an opportunity to see movies for free. The website even placed advertising to encourage more visitors,” she said.

“The effect of the business has been that thousands of users have done just that, instead of paying for the Swedish film companies. This has damaged the film studios.”

According to local media, the 26-year-old’s lawyer dismissed the prosecution’s claims as “fantasy”, noting that it’s not clear that his client committed any crimes at all.

That assertion wasn’t shared by lawyer Henrik Pontén of RightsAlliance.

“We must not forget that it is only a small part of the money that we have been able to find. There is a large amount of money that has been lost somewhere in the world,” Pontén said.

The prosecution considers the 26-year-old to be the main player behind the site, with the 22-year-old playing a much smaller role. He stands accused of receiving around $4,000 of the proceeds but according to his lawyer Claes Kennedy, no crime was committed, since at the time it had not been established by the EU court that linking to pirated content was illegal.

Nevertheless, the prosecution wants the site’s former administrator to receive a year in jail but may settle for a suspended sentence plus community service, a point on which his lawyer agrees.

For his part, Henrik Pontén hopes the punishments are closer to the top of the scale as a deterrent to others.

“Foreign criminals are attracted to Sweden for the opportunity to earn serious money and receive low penalty rates,” he told Hallands Nyheter.

The district court’s decision is due mid-May.


The TSA’s Selective Laptop Ban

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/03/the_tsas_select.html

Last Monday, the TSA announced a peculiar new security measure to take effect within 96 hours. Passengers flying into the US on foreign airlines from eight Muslim countries would be prohibited from carrying aboard any electronics larger than a smartphone. They would have to be checked and put into the cargo hold. And now the UK is following suit.

It’s difficult to make sense of this as a security measure, particularly at a time when many people question the veracity of government orders, but other explanations are either unsatisfying or damning.

So let’s look at the security aspects of this first. Laptop computers aren’t inherently dangerous, but they’re convenient carrying boxes. This is why, in the past, TSA officials have demanded passengers turn their laptops on: to confirm that they’re actually laptops and not laptop cases emptied of their electronics and then filled with explosives.

Forcing a would-be bomber to put larger laptops in the plane’s hold is a reasonable defense against this threat, because it increases the complexity of the plot. Both the shoe-bomber Richard Reid and the underwear bomber Umar Farouk Abdulmutallab carried crude bombs aboard their planes with the plan to set them off manually once aloft. Setting off a bomb in checked baggage is more work, which is why we don’t see more midair explosions like Pan Am Flight 103 over Lockerbie, Scotland, in 1988.

Security measures that restrict what passengers can carry onto planes are not unprecedented either. Airport security regularly responds to both actual attacks and intelligence regarding future attacks. After the liquid bombers were captured in 2006, the British banned all carry-on luggage except passports and wallets. I remember talking with a friend who traveled home from London with his daughters in those early weeks of the ban. They reported that airport security officials confiscated every tube of lip balm they tried to hide.

Similarly, the US started checking shoes after Reid, installed full-body scanners after Abdulmutallab and restricted liquids in 2006. But all of those measures were global, and most lessened in severity as the threat diminished.

This current restriction implies some specific intelligence of a laptop-based plot and a temporary ban to address it. However, if that’s the case, why only certain non-US carriers? And why only certain airports? Terrorists are smart enough to put a laptop bomb in checked baggage from the Middle East to Europe and then carry it on from Europe to the US.

Why not require passengers to turn their laptops on as they go through security? That would be a more effective security measure than forcing them to check them in their luggage. And lastly, why is there a delay between the ban being announced and it taking effect?

Even more confusing, the New York Times reported that “officials called the directive an attempt to address gaps in foreign airport security, and said it was not based on any specific or credible threat of an imminent attack.” The Department of Homeland Security FAQ page makes this general statement, “Yes, intelligence is one aspect of every security-related decision,” but doesn’t provide a specific security threat. And yet a report from the UK states the ban “follows the receipt of specific intelligence reports.”

Of course, the details are all classified, which leaves all of us security experts scratching our heads. On the face of it, the ban makes little sense.

One analysis painted this as a protectionist measure targeted at the heavily subsidized Middle Eastern airlines by hitting them where it hurts the most: high-paying business class travelers who need their laptops with them on planes to get work done. That reasoning makes more sense than any security-related explanation, but doesn’t explain why the British extended the ban to UK carriers as well. Or why this measure won’t backfire when those Middle Eastern countries turn around and ban laptops on American carriers in retaliation. And one aviation official told CNN that an intelligence official informed him it was not a “political move.”

In the end, national security measures based on secret information require us to trust the government. That trust is at historic low levels right now, so people both in the US and other countries are rightly skeptical of the official unsatisfying explanations. The new laptop ban highlights this mistrust.

This essay previously appeared on CNN.com.

EDITED TO ADD: Here are two essays that look at the possible political motivations, and fallout, of this ban. And the EFF rightly points out that letting a laptop out of your hands and sight is itself a security risk — for the passenger.

The EC steps up action against Facebook, Twitter and Google

Post Syndicated from nellyo original https://nellyo.wordpress.com/2017/03/18/google-facebook/

At the end of last year an article appeared in The New York Times with a telling title: Forget AT&T. The Real Monopolies Are Google and Facebook.

The occasion was the proposed deal between AT&T and Time Warner, but if we are interested in media monopolies, the Times wrote, we should look to Silicon Valley: the companies with a dominant position in the distribution of media content today are Facebook, Google, Apple and Amazon.

This is not only about journalistic publications.

The European Commission has recently taken action both under competition law and under consumer protection law, and both lines deserve mention:

  • On competition, much has been written about Google in Europe; the issue there is preferential treatment of its own products and services. For Facebook the current topic is the WhatsApp deal.
  • But there is now a second line of active measures: according to an announcement of 17 March 2017, the European Commission and the consumer protection authorities of the member states are requiring the companies that operate social media to comply with EU consumer protection rules. This one already touches Facebook, Twitter and Google+.

Filed under: Digital, EU Law, Media Law

Defense against Doxing

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/03/defense_against.html

A decade ago, I wrote about the death of ephemeral conversation. As computers were becoming ubiquitous, some unintended changes happened, too. Before computers, what we said disappeared once we’d said it. Neither face-to-face conversations nor telephone conversations were routinely recorded. A permanent communication was something different and special; we called it correspondence.

The Internet changed this. We now chat by text message and e-mail, on Facebook and on Instagram. These conversations — with friends, lovers, colleagues, fellow employees — all leave electronic trails. And while we know this intellectually, we haven’t truly internalized it. We still think of conversation as ephemeral, forgetting that we’re being recorded and what we say has the permanence of correspondence.

That our data is used by large companies for psychological manipulation (we call this advertising) is well known. So is its use by governments for law enforcement and, depending on the country, social control. What made the news over the past year were demonstrations of how vulnerable all of this data is to hackers and the effects of having it hacked, copied, and then published online. We call this doxing.

Doxing isn’t new, but it has become more common. It’s been perpetrated against corporations, law firms, individuals, the NSA and — just this week — the CIA. It’s largely harassment and not whistleblowing, and it’s not going to change anytime soon. The data in your computer and in the cloud are, and will continue to be, vulnerable to hacking and publishing online. Depending on your prominence and the details of this data, you may need some new strategies to secure your private life.

There are two basic ways hackers can get at your e-mail and private documents. One way is to guess your password. That’s how hackers got their hands on personal photos of celebrities from iCloud in 2014.

How to protect yourself from this attack is pretty obvious. First, don’t choose a guessable password. This is more than not using “password1” or “qwerty”; most easily memorizable passwords are guessable. My advice is to generate passwords you have to remember by using either the XKCD scheme or the Schneier scheme, and to use large random passwords stored in a password manager for everything else.

Second, turn on two-factor authentication where you can, like Google’s 2-Step Verification. This adds another step besides just entering a password, such as having to type in a one-time code that’s sent to your mobile phone. And third, don’t reuse the same password on any sites you actually care about.

You’re not done, though. Hackers have accessed accounts by exploiting the “secret question” feature and resetting the password. That was how Sarah Palin’s e-mail account was hacked in 2008. The problem with secret questions is that they’re not very secret and not very random. My advice is to refuse to use those features. Type randomness into your keyboard, or choose a really random answer and store it in your password manager.

Finally, you also have to stay alert to phishing attacks, where a hacker sends you an enticing e-mail with a link that sends you to a web page that looks almost like the expected page, but which actually isn’t. This sort of thing can bypass two-factor authentication, and is almost certainly what tricked John Podesta and Colin Powell.
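The passphrase and secret-question advice above, as an added example that is not part of the original essay and is not Schneier's own code: it draws words from a constructed 16-word list using the operating system CSPRNG exposed by Python's `secrets` module, computes the entropy an attacker who knows both the scheme and the list is up against, shows how many words a list of a given size needs to reach a target strength, and generates a random secret-question answer meant to live in a password manager. The word list, the 80-bit target and the 7776-word comparison size are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed word list for illustration only (assumption); a real generator
# would load a full list, e.g. the EFF long list with 7776 words.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "cactus", "lantern", "river",
    "marble", "velvet", "orbit", "pepper", "glacier", "tunnel", "saddle",
    "quartz", "meadow",
]

ANSWER_ALPHABET = string.ascii_letters + string.digits


def xkcd_passphrase(words, count=4, separator=" "):
    """Pick `count` words independently and uniformly at random.

    `secrets.choice` is backed by the OS CSPRNG; `random.choice` is seeded
    from predictable state and must never be used for passwords.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(set(words)) != len(words):
        # Duplicates make some words more likely than others, so the
        # entropy estimate below would overstate the strength.
        raise ValueError("word list contains duplicates")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy assuming the attacker knows the scheme and the word list:
    log2(N ** k) == k * log2(N). Memorability plays no part in it."""
    return count * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_answer(length=20, alphabet=ANSWER_ALPHABET):
    """Random 'secret question' answer: never remembered, only pasted from
    a password manager, so it does not need to look like an answer."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(length, alphabet_size=len(ANSWER_ALPHABET)):
    """Entropy of a uniformly random string over an alphabet of the given size."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = xkcd_passphrase(SAMPLE_WORDS, count=6)
    print(phrase, f"({passphrase_entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits)")
    print("words for 80 bits from a 16-word list:", words_needed(16, 80))
    print("words for 80 bits from a 7776-word list:", words_needed(7776, 80))
    print("secret-question answer:", random_answer(),
          f"({answer_entropy_bits(20):.1f} bits)")
```

The point of `words_needed` is that the strength of the scheme lives in the size of the list, not in the words themselves: the toy 16-word list gives only 4 bits per word, so reaching 80 bits takes 20 words, while a 7776-word list gets there in 7. The random answer is deliberately longer than the passphrase because nobody has to remember it; it is the password manager, not your memory, that has to hold it.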

The other way hackers can get at your personal stuff is by breaking into the computers the information is stored on. This is how the Russians got into the Democratic National Committee's network and how a lone hacker got into the Panamanian law firm Mossack Fonseca. Sometimes individuals are targeted, as when China hacked Google in 2010 to access the e-mail accounts of human rights activists. Sometimes the whole network is the target, and individuals are inadvertent victims, as when thousands of Sony employees had their e-mails published by North Korea in 2014.

Protecting yourself is difficult, because it often doesn’t matter what you do. If your e-mail is stored with a service provider in the cloud, what matters is the security of that network and that provider. Most users have no control over that part of the system. The only way to truly protect yourself is to not keep your data in the cloud where someone could get to it. This is hard. We like the fact that all of our e-mail is stored on a server somewhere and that we can instantly search it. But that convenience comes with risk. Consider deleting old e-mail, or at least downloading it and storing it offline on a portable hard drive. In fact, storing data offline is one of the best things you can do to protect it from being hacked and exposed. If it’s on your computer, what matters is the security of your operating system and network, not the security of your service provider.

Consider this for files on your own computer. The more things you can move offline, the safer you’ll be.

E-mail, no matter how you store it, is vulnerable. If you’re worried about your conversations becoming public, think about an encrypted chat program instead, such as Signal, WhatsApp or Off-the-Record Messaging. Consider using communications systems that don’t save everything by default.

None of this is perfect, of course. Portable hard drives are vulnerable when you connect them to your computer. There are ways to jump air gaps and access data on computers not connected to the Internet. Communications and data files you delete might still exist in backup systems somewhere — either yours or those of the various cloud providers you're using. And remember that there's always another copy of any of your conversations stored with the person you're conversing with. Even with these caveats, though, these measures will make a big difference.

When secrecy is truly paramount, go back to communications systems that are still ephemeral. Pick up the telephone and talk. Meet face to face. We don’t yet live in a world where everything is recorded and everything is saved, although that era is coming. Enjoy the last vestiges of ephemeral conversation while you still can.

This essay originally appeared in the Washington Post.

Some comments on the Wikileaks CIA/#vault7 leak

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html

I thought I’d write up some notes about the Wikileaks CIA “#vault7” leak. This post will be updated frequently over the next 24 hours.

The CIA didn't remotely hack a TV. The docs are clear that they can update the software running on the TV using a USB drive. There's no evidence of them doing so remotely over the Internet. If you aren't afraid of the CIA breaking in and installing a listening device, then you shouldn't be afraid of the CIA installing listening software.

The CIA didn’t defeat Signal/WhatsApp encryption. The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption — but such phrases used by Wikileaks are highly misleading, since nothing related to Signal/WhatsApp is happening. What’s happening is the CIA is bypassing/defeating the phone. Sometimes. If they’ve got an exploit for it, or can trick you into installing their software.

There's no overlap or turf war with the NSA. The NSA does "signals intelligence", so they hack radios and remotely across the Internet. The CIA does "human intelligence", so they hack locally, with a human. The sort of thing they do is bribe, blackmail, or bedazzle some human "asset" (like a technician in a nuclear plant) to stick a USB drive into a slot. All the various military, law enforcement, and intelligence agencies have hacking groups to help them do their own missions.

The CIA isn’t more advanced than the NSA. Most of this dump is child’s play, simply malware/trojans cobbled together from bits found on the Internet. Sometimes they buy more advanced stuff from contractors, or get stuff shared from the NSA. Technologically, they are far behind the NSA in sophistication and technical expertise.

The CIA isn't hoarding 0days. For one thing, few 0days were mentioned at all. The CIA's techniques rely upon straightforward hacking, not super secret 0day hacking. Second of all, they aren't keeping 0days back in a vault somewhere — if they have 0days, they are using them.

The VEP process is nonsense. Activists keep mentioning the "vulnerability equities process", in which all those interested in 0days within the government have a say in what happens to them, with the eventual goal that they be disclosed to vendors. The VEP is nonsense. The activist argument is nonsense. As far as I can tell, the VEP is designed as busy work to keep people away from those who really use 0days, such as the NSA and the CIA. If they spend millions of dollars buying 0days because they have that value in intelligence operations, they aren't going to destroy that value by disclosing to a vendor. If VEP forces disclosure, disclosure still won't happen; the NSA will simply stop buying vulns.

But they'll have to disclose the 0days. Any 0days that were leaked to Wikileaks are, of course, no longer secret. Thus, while this leak isn't an argument for unilateral disarmament in cyberspace, the CIA will have to disclose to vendors the vulns that are now in Russian hands, so that they can be fixed.

There are no false flags. In several places, the CIA talks about making sure that what they do isn't so unique, so it can't be attributed to them. However, Wikileaks's press release hints that the "UMBRAGE" program is deliberately stealing techniques from Russia to use as a false-flag operation. This is nonsense. For example, the DNC hack attribution was live command-and-control servers simultaneously used against different Russian targets — not a few snippets of code. [More here]

This hurts the CIA a lot. Already, one AV researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak. We can develop anti-virus and intrusion-detection signatures based on this information that will defeat much of what we read in these documents. This would put a multi-year delay in the CIA’s development efforts. Plus, it’ll now go on a witch-hunt looking for the leaker, which will erode morale. Update: Three extremely smart and knowledgeable people who I respect disagree, claiming it won’t hurt the CIA a lot. I suppose I’m focusing on “hurting the cyber abilities” of the CIA, not the CIA as a whole, which mostly is non-cyber in function.

The CIA is not cutting edge. A few days ago, Hak5 started selling "BashBunny", a USB hacking tool more advanced than the USB tools in the leak. The CIA seems to get most of their USB techniques from open-source projects, such as Travis Goodspeed's "GoodFET" project.

The CIA isn’t spying on us. Snowden revealed how the NSA was surveilling all Americans. Nothing like that appears in the CIA dump. It’s all legitimate spy stuff (assuming you think spying on foreign adversaries is legitimate).

Update #2: How is hacking cars and phones not SIGINT (which is the NSA's turf)? The answer is via physical access. For example, they might have a device that plugs into the OBD-II port on the car that quickly updates the firmware of the brakes. Think of it as normal spy activity (e.g. cutting a victim's brakes), but now with cyber.

Update #3: Apple iPhone. My vague sense is that CIA is more concerned about decrypting iPhones they get physical access to, rather than remotely hacking them and installing malware. CIA is HUMINT and covert ops, meaning they’ll punch somebody in the face, grab their iPhone, and run, then take it back to their lab and decrypt it.

WikiLeaks Releases CIA Hacking Tools

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/03/wikileaks_relea.html

WikiLeaks just released a cache of 8,761 classified CIA documents from 2012 to 2016, including details of its offensive Internet operations.

I have not read through any of them yet. If you see something interesting, tell us in the comments.

EDITED TO ADD: There’s a lot in here. Many of the hacking tools are redacted, with the tar files and zip archives replaced with messages like:

::: THIS ARCHIVE FILE IS STILL BEING EXAMINED BY WIKILEAKS. :::
::: IT MAY BE RELEASED IN THE NEAR FUTURE. WHAT FOLLOWS IS :::
::: AN AUTOMATICALLY GENERATED LIST OF ITS CONTENTS: :::

Hopefully we’ll get them eventually. The documents say that the CIA — and other intelligence services — can bypass Signal, WhatsApp and Telegram. It seems to be by hacking the end-user devices and grabbing the traffic before and after encryption, not by breaking the encryption.

New York Times article.

EDITED TO ADD: Some details from The Guardian:

According to the documents:

  • CIA hackers targeted smartphones and computers.
  • The Center for Cyber Intelligence is based at the CIA headquarters in Virginia but it has a second covert base in the US consulate in Frankfurt which covers Europe, the Middle East and Africa.
  • A programme called Weeping Angel describes how to attack a Samsung F8000 TV set so that it appears to be off but can still be used for monitoring.

I just noticed this from the WikiLeaks page:

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

So it sounds like this cache of documents wasn’t taken from the CIA and given to WikiLeaks for publication, but has been passed around the community for a while — and incidentally some part of the cache was passed to WikiLeaks. So there are more documents out there, and others may release them in unredacted form.

Wired article. Slashdot thread. Two articles from the Washington Post.

EDITED TO ADD: This document talks about Comodo version 5.X and version 6.X. Version 6 was released in Feb 2013. Version 7 was released in Apr 2014. This gives us a time window of that page, and the cache in general. (WikiLeaks says that the documents cover 2013 to 2016.)

If these tools are a few years out of date, it’s similar to the NSA tools released by the “Shadow Brokers.” Most of us thought the Shadow Brokers were the Russians, specifically releasing older NSA tools that had diminished value as secrets. Could this be the Russians as well?

EDITED TO ADD: Nicholas Weaver comments.

EDITED TO ADD (3/8): These documents are interesting:

The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch‘s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

This is being spun in the press as the CIA pretending to be Russia. I'm not convinced that the documents support these allegations. Can someone else look at the documents? I don't like my conclusion that WikiLeaks is using this document dump as a way to push their own bias.

AWS Week in Review – February 20, 2017

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/aws-week-in-review-february-20-2017/

By popular demand, I am producing this “micro” version of the AWS Week in Review. I have included all of our announcements, content from all of our blogs, and as much community-generated AWS content as I had time for. Going forward I hope to bring back the other sections, as soon as I get my tooling and automation into better shape.

Monday, February 20

Tuesday, February 21

Wednesday, February 22

Thursday, February 23

Friday, February 24

Saturday, February 25

Jeff;