m Quec.lim's republished posts.http://quec.li/~m /When Amateur Photographers Make the Front Pagehttp://lightbox.time.com/2014/09/01/amateur-photographers-scapegoats-photojournalism/http://lightbox.time.com/?p=100512Mon, 01 Sep 2014 04:00:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Flightbox.time.com%2Ffeed%2F&entry=http%3A%2F%2Flightbox.time.com%2F%3Fp%3D100512Cell Phone Kill Switches Mandatory in Californiahttps://www.schneier.com/blog/archives/2014/08/cell_phone_kill.htmltag:www.schneier.com,2014:/blog//2.5939Fri, 29 Aug 2014 13:31:00 -0400<p>California <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/27/the-smartphone-kill-switch-explained/">passed</a> <a href="http://www.pcworld.com/article/2598680/california-passes-law-mandating-smartphone-kill-switch.html">a</a> <a href="http://bits.blogs.nytimes.com/2014/08/25/california-governor-signs-law-requiring-a-kill-switch-on-smartphones/">kill-switch</a> law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one.</p> <p>I worry more about the <a href="http://www.wired.com/2014/08/how-cops-and-hackers-could-abuse-californias-new-phone-kill-switch-law/">side effects</a>: once the feature is in place, it can be used by all sorts of people for all sorts of reasons.</p> <blockquote><p>The law raises concerns about how the switch might be used or abused, because it also provides law enforcement with the authority to use the feature to kill phones. And any feature accessible to consumers and law enforcement could be accessible to hackers, who might use it to randomly kill phones for kicks or revenge, or to perpetrators of crimes who might -- depending on how the kill switch is implemented -- be able to use it to prevent someone from calling for help. 
<p>"It's great for the consumer, but it invites a lot of mischief," says Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, which opposes the law. "You can imagine a domestic violence situation or a stalking context where someone kills [a victim's] phone and prevents them from calling the police or reporting abuse. It will not be a surprise when you see it being used this way."</p></blockquote> <p>I <a href="https://www.schneier.com/essays/archives/2008/06/ive_seen_the_future.html">wrote about this</a> in 2008, more generally:</p> <blockquote><p>The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards. <p>Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?</p></blockquote> <p>The law only affects California, but phone manufacturers won't sell two different phones. So this means that <i>all</i> cell phones will eventually have this capability. And, of course, the procedural controls and limitations written into the California law don't apply elsewhere.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.5939Senior Pentagon official: Marines followed a ?jackass? 
to find insurgentshttp://feeds.washingtonpost.com/c/34656/f/636630/s/3db9bfc3/sc/38/l/0L0Swashingtonpost0N0Csenior0Epentagon0Eofficial0Emarines0Efollowed0Ea0Ejackass0Eto0Efind0Einsurgents0C20A140C0A80C210C4c667d30A0Ef5960E4a590Ea7940Ef60A89472a91f0Istory0Bhtml0Dwprss0Frss0Inational0Esecurity/story01.htmhttp://www.washingtonpost.com/senior-pentagon-official-marines-followed-a-jackass-to-find-insurgents/2014/08/21/4c667d30-f596-4a59-a794-f6089472a91f_story.html?wprss=rss_national-securityThu, 21 Aug 2014 11:24:00 -0400<p/> <p>It?s the kind of story that gets shared around the smoke pit at military bases for years.</p> <p>Robert Work, the deputy secretary of defense, shared a ?true story? with U.S. troops while visiting Guam yesterday and it showed the spirit and ingenuity that enlisted personnel bring to the job. A retired Marine colonel, Work said that while Marines were on patrol in Afghanistan, they saw Afghan men apparently hiding improvising explosive devices.</p> <a href="http://www.washingtonpost.com/senior-pentagon-official-marines-followed-a-jackass-to-find-insurgents/2014/08/21/4c667d30-f596-4a59-a794-f6089472a91f_story.html?wprss=rss_national-security">Read full article &#62;&#62;</a><img width="1" height="1" src="http://feeds.washingtonpost.com/c/34656/f/636630/s/3db9bfc3/sc/38/mf.gif" border="0" /><br clear='all'/><br/><br/><a href="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/rc/1/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/rc/1/rc.img" border="0" /></a><br/><a href="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/rc/2/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/rc/2/rc.img" border="0" /></a><br/><a href="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/rc/3/rc.htm" rel="nofollow"><img 
src="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/rc/3/rc.img" border="0" /></a><br/><br/><a href="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/a2.htm"><img src="http://da.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/a2.img" border="0" /></a><img width="1" height="1" src="http://pi.feedsportal.com/r/204366859093/u/197/f/636630/c/34656/s/3db9bfc3/sc/38/a2t.img" border="0" />http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.washingtonpost.com%2Frss%2Fworld%2Fnational-security&entry=http%3A%2F%2Fwww.washingtonpost.com%2Fsenior-pentagon-official-marines-followed-a-jackass-to-find-insurgents%2F2014%2F08%2F21%2F4c667d30-f596-4a59-a794-f6089472a91f_story.html%3Fwprss%3Drss_national-securityEditor's Choicehttp://www.reuters.com/article/2014/08/21/24-hours-in-pictures-idUSRTR437PS?feedType=RSS&amp;feedName=RCOMUS_24http://www.reuters.com/article/2014/08/21/24-hours-in-pictures-idUSRTR437PS?feedType=RSS&amp;feedName=RCOMUS_24Thu, 21 Aug 2014 10:05:00 -0400Our top photos from the last 24 hours.http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.reuters.com%2FReutersPictures&entry=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2014%2F08%2F21%2F24-hours-in-pictures-idUSRTR437PS%3FfeedType%3DRSS%26amp%3BfeedName%3DRCOMUS_24Researchers Show Flaws in Airport Scannerhttps://freedom-to-tinker.com/blog/felten/researchers-show-flaws-in-airport-scanner/https://freedom-to-tinker.com/?p=10325Thu, 21 Aug 2014 09:57:00 -0400<p>Today at the <a href="https://www.usenix.org/conference/usenixsecurity14" title="" target="">Usenix Security Symposium</a> a group of researchers from UC San Diego and the University of Michigan will present a <a href="https://radsec.org/paper.html" title="" target="">paper</a> demonstrating flaws in a full-body scaning machine that was used at many U.S. airports. 
In this post I&#8217;ll summarize their findings and discuss the security and policy implications.<br /> <span></span><br /> (The researchers offer a <a href="https://radsec.org/" title="" target="">page</a> with images, a FAQ, etc.)</p> <p>The study looked at a Rapiscan machine, which uses backscatter technology. These machines were used in many U.S. airports, but they have been replaced by new machines that uses a different detection technology, millimeter waves. The backscatter machines have been redeployed to jails, courthouses, cruise ships, and other settings.</p> <p><strong>Detection of Guns and Explosives</strong></p> <p>The researchers confirmed that the machine would detect casual attempts to smuggle guns or explosives through a checkpoint. A gun in the pocket or a big block of plastic explosives under the shirt would show up on the scanner. </p> <p>Unfortunately it proved possible for a more clever attacker to carry a gun or explosives undetectably. To understand why, let&#8217;s review how the machines work. They produce a grayscale image of the front and rear of the subject seen from the front and rear. The background (i.e. where the body is not) is very dark, and the brightness of other materials depends on the atomic weight of the material. </p> <p>The bad news is that guns have high atomic weight, so they show up as very dark&#8212;the same color as the background. So a gun placed against the side of the body will look just like the background that one expects to see next to the body. Here&#8217;s a scan of a person with a pistol taped next to their knee.</p> <p><img src="https://radsec.org/img/pistol-tape.png" alt="Image with hidden pistol" /></p> <p>The other bad news is that plastic explosives have almost exactly the same atomic weight as flesh, which means that explosives are the same color as flesh on the scans. 
(The researchers actually used a commercial simulant which is designed to look just like explosives on these scans, and is used for testing detectors.) Here&#8217;s a comparison: on the left a person with no explosives, on the right with about half a pound of explosive simulant taped to the belly. (The &#8220;navel&#8221; is really a metal detonator.)</p> <p><img src="https://radsec.org/img/explosive.png" alt="" /></p> <p>After passing through the security checkpoint, an attacker could remove and reshape the explosives and detonator.</p> <p><strong>Security and Policy Implications</strong></p> <p>The backscatter machines replaced the magnetometers (metal detectors) that were used previously. Compared to magnetometers, the backscatter machines were less effective at detecting guns&#8212;able to detect casually carried guns but missing side-positioned guns. However, the backscatter machines were better at detecting explosives&#8212;detecting casually carried explosives which the magnetometers would have missed. If you had to choose one or the other, the choice would depends on which attacks seemed more likely damaging.</p> <p>A better option, from a security standpoint, would be to use both a magnetometer and a backscatter machine. Then you could detect all metal guns as well as casually carried explosives.</p> <p>Significantly, the tricks shown above (side-carried gun and body-molded explosives) were described by previous researchers based on an understanding of the physics of backscatter. The researchers&#8217; access to the machines allowed them to advance the public debate by confirming these attacks, but access was not required to figure out that the attacks were likely possible.</p> <p>Although the backscatter machines are no longer used in U.S. airports, our security did rely on them for years, so it is useful to consider the wisdom of the decision to deploy them. 
</p> <p>It&#8217;s possible that TSA knew about the machines&#8217; flaws but decided to deploy them in place of the previous magnetometers anyway. This seems like a questionable security decision since the machines were expensive, privacy-invasive, and worse at detecting guns. A decision to use backscatter plus magnetometers would have been defensible from a security standpoint, but that option was not taken.</p> <p>Or perhaps TSA did not know about the machines&#8217; flaws, which reflects a lack of due diligence on their part. A decision this important and expensive should not have been made without considering the efficacy of the machines. The researchers present some evidence that pre-deployment testing was not thorough enough, but there is still a lot we don&#8217;t know.</p> <p>My guess&#8212;and it&#8217;s only an educated guess&#8212;is that the truth lies somewhere in the middle, that TSA had evidence of the flaws but convinced themselves, with the help of the vendor, that they shouldn&#8217;t worry about the problems. Programs like this take on a momentum that can be difficult to stop, and TSA was under pressure to be seen changing to a higher-tech security approach.</p> <p><strong>Implications for Today&#8217;s Security</strong></p> <p>What does this mean for the security of the millimeter-wave machines used today? It&#8217;s hard to say. Some will probably argue that the deployment of millimeter-wave is evidence that it is probably better, but the same argument could have been made about backscatter&#8212;and we now know it would have been wrong.</p> <p>My guess would be that millimeter-wave machines have their own vulnerabilities that are different. 
The researchers argue in their paper that the computer systems that operate the machines may have signficant security vulnerabilities, and it wouldn&#8217;t surprise me to learn that was the case.</p> <p>The most important question&#8212;whether the new airport security regime makes us any safer than we were before&#8212;is still open.</p>http://quec.li/EntryComments?feed=https%3A%2F%2Ffreedom-to-tinker.com%2Frss.xml%3Ffeed%3Drss2&entry=https%3A%2F%2Ffreedom-to-tinker.com%2F%3Fp%3D10325See Inside Fukushima?s Lethal Reactorhttp://lightbox.time.com/2014/08/21/fukushima-nuclear-reactor-meltdown-lethal/http://lightbox.time.com/?p=98534Thu, 21 Aug 2014 07:00:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Flightbox.time.com%2Ffeed%2F&entry=http%3A%2F%2Flightbox.time.com%2F%3Fp%3D98534Californiahttp://xkcd.com/1410/http://xkcd.com/1410/Wed, 20 Aug 2014 00:00:00 -0400<img src="http://imgs.xkcd.com/comics/california.png" title="58% of the state has gone into plaid." alt="58% of the state has gone into plaid." 
/>http://quec.li/EntryComments?feed=http%3A%2F%2Fxkcd.com%2Frss.xml&entry=http%3A%2F%2Fxkcd.com%2F1410%2FNight Lights: Breathtaking Photographs of Naturehttp://lightbox.time.com/2014/08/16/night-nature-photography-takehito-miyatake/http://lightbox.time.com/?p=96209Sat, 16 Aug 2014 04:00:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Flightbox.time.com%2Ffeed%2F&entry=http%3A%2F%2Flightbox.time.com%2F%3Fp%3D96209The Switchboard: What happens when you start liking everything on Facebookhttp://feeds.washingtonpost.com/c/34656/f/636544/s/3d6c0b27/sc/21/l/0L0Swashingtonpost0N0Cthe0Eswitchboard0Ewhat0Ehappens0Ewhen0Eyou0Estart0Eliking0Eeverything0Eon0Efacebook0C20A140C0A80C120C3ae32a150E6240A0E48560E85510E6eeb550Abbab90Istory0Bhtml0Dwprss0Frss0Itechnology/story01.htmhttp://www.washingtonpost.com/the-switchboard-what-happens-when-you-start-liking-everything-on-facebook/2014/08/12/3ae32a15-6240-4856-8551-6eeb550bbab9_story.html?wprss=rss_technologyTue, 12 Aug 2014 07:12:00 -0400<p/> <p> <em>Published every weekday, the Switchboard is your morning helping of hand-picked stories from the Switch team.</em> </p> <p> <a data-xslt="_http" href="http://money.cnn.com/2014/08/11/technology/uber-fake-ride-requests-lyft/"> <strong>Uber's dirty tricks quantified: Rival counts 5,560 canceled rides.</strong> </a> CNN reports: "New data provided by Lyft, a competitor, shows that Uber employees have ordered and canceled more than 5,000 Lyft rides since last October. 
The data was provided to CNNMoney per a request made when reporting another story on the competition between the two companies."</p> <a href="http://www.washingtonpost.com/the-switchboard-what-happens-when-you-start-liking-everything-on-facebook/2014/08/12/3ae32a15-6240-4856-8551-6eeb550bbab9_story.html?wprss=rss_technology">Read full article &#62;&#62;</a><img width="1" height="1" src="http://feeds.washingtonpost.com/c/34656/f/636544/s/3d6c0b27/sc/21/mf.gif" border="0" /><br clear='all'/><br/><br/><a href="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/rc/1/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/rc/1/rc.img" border="0" /></a><br/><a href="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/rc/2/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/rc/2/rc.img" border="0" /></a><br/><a href="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/rc/3/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/rc/3/rc.img" border="0" /></a><br/><br/><a href="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/a2.htm"><img src="http://da.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/a2.img" border="0" /></a><img width="1" height="1" src="http://pi.feedsportal.com/r/204366564301/u/197/f/636544/c/34656/s/3d6c0b27/sc/21/a2t.img" border="0" />http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.washingtonpost.com%2Frss%2Fbusiness%2Ftechnology&entry=http%3A%2F%2Fwww.washingtonpost.com%2Fthe-switchboard-what-happens-when-you-start-liking-everything-on-facebook%2F2014%2F08%2F12%2F3ae32a15-6240-4856-8551-6eeb550bbab9_story.html%3Fwprss%3Drss_technologyIrrational Fear of Risks Against Our 
Childrenhttps://www.schneier.com/blog/archives/2014/08/irrational_fear.htmltag:www.schneier.com,2014:/blog//2.5915Mon, 11 Aug 2014 10:34:00 -0400<p>There's a <a href="http://www.theatlantic.com/national/archive/2014/07/arrested-for-letting-a-9-year-old-play-at-the-park-alone/374436/">horrible story</a> of a South Carolina mother arrested for letting her 9-year-old daughter play alone at a park while she was at work. The article linked to another <a href="http://www.salon.com/2014/06/03/the_day_i_left_my_son_in_the_car/">article</a> about a woman convicted of "contributing to the delinquency of a minor" for leaving her 4-year-old son in the car for a few minutes. That article contains some excellent commentary by the very sensible <a href="http://www.freerangekids.com/">Free Range Kids</a> blogger Lenore Skenazy:</p> <blockquote><p>"Listen," she said at one point. "Let's put aside for the moment that by far, the most dangerous thing you did to your child that day was put him in a car and drive someplace with him. About 300 children are injured in traffic accidents every day -- and about two die. That?s a real risk. So if you truly wanted to protect your kid, you'd never drive anywhere with him. But let?s put that aside. So you take him, and you get to the store where you need to run in for a minute and you?re faced with a decision. Now, people will say you committed a crime because you put your kid 'at risk.' But the truth is, there?s some risk to either decision you make.? She stopped at this point to emphasize, as she does in much of her analysis, how shockingly rare the abduction or injury of children in non-moving, non-overheated vehicles really is. For example, she insists that statistically speaking, it would likely take 750,000 years for a child left alone in a public space to be snatched by a stranger. "So there is some risk to leaving your kid in a car," she argues. It might not be statistically meaningful but it?s not nonexistent. 
The problem is,"she goes on, "there's some risk to every choice you make. So, say you take the kid inside with you. There?s some risk you'll both be hit by a crazy driver in the parking lot. There?s some risk someone in the store will go on a shooting spree and shoot your kid. There?s some risk he'll slip on the ice on the sidewalk outside the store and fracture his skull. There?s some risk no matter what you do. So why is one choice illegal and one is OK? Could it be because the one choice inconveniences you, makes your life a little harder, makes parenting a little harder, gives you a little less time or energy than you would have otherwise had?" <p>Later on in the conversation, Skenazy boils it down to this. "There?s been this huge cultural shift. We now live in a society where most people believe a child can not be out of your sight for one second, where people think children need constant, total adult supervision. This shift is not rooted in fact. It?s not rooted in any true change. It?s imaginary. It?s rooted in irrational fear."</blockquote"</p> <p>Skenazy has some <a href="http://reason.com/blog/2014/07/14/mom-jailed-because-she-let-her-9-year-ol">choice words</a> about the South Carolina story as well:</p> <blockquote><p>But, "What if a man would've come and snatched her?" said a woman interviewed by the TV station. <p>To which I must ask: In broad daylight? In a crowded park? Just because something happened on <a href="http://www.nbc.com/law-and-order-special-victims-unit">Law & Order</a> doesn't mean it's happening all the time in real life. Make "what if?" thinking the basis for an arrest and the cops can collar anyone. "You let your son play in the front yard? What if a man drove up and kidnapped him?" "You let your daughter sleep in her own room? What if a man climbed through the window?" etc.</p> <p>These fears pop into our brains so easily, they seem almost real. But they're not. 
Our crime rate today is <a href="http://www.csmonitor.com/USA/Justice/2012/0109/US-crime-rate-at-lowest-point-in-decades.-Why-America-is-safer-now">back to what it was when gas was 29 cents a gallon</a>, according to <i>The Christian Science Monitor</i>. It may feel like kids are in constant danger, but they are as safe (if not safer) than we were when our parents let us enjoy the summer outside, on our own, without fear of being arrested. </p></blockquote> <p>Yes.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.5915Obama and New England aviation businesses start their vacationhttp://blogs.law.harvard.edu/philg/2014/08/09/obama-and-new-england-aviation-businesses-start-their-vacation/http://blogs.law.harvard.edu/philg/?p=6228Sat, 09 Aug 2014 16:34:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D6228Crypto Daddy Phil Zimmerman says surveillance society is DOOMEDhttp://go.theregister.com/feed/www.theregister.co.uk/2014/08/09/technology_and_market_forces_will_defeat_surveillance_society_claims_crypto_king/tag:theregister.co.uk,2005:story/2014/08/09/technology_and_market_forces_will_defeat_surveillance_society_claims_crypto_king/Sat, 09 Aug 2014 03:58:00 -0400<h4>We?ve been here before when we defeated slavery and the absolute monarchy</h4> <p><strong>Defcon 22</strong> A killer combination of rapidly advancing technology and a desire for greater privacy among the public should condemn current surveillance state to an historical anachronism, according to PGP creator Phil Zimmermann.?</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.theregister.co.uk%2Fheadlines.rss&entry=tag%3Atheregister.co.uk%2C2005%3Astory%2F2014%2F08%2F09%2Ftechnology_and_market_forces_will_defeat_surveillance_society_claims_crypto_king%2FU.S. 
judge rules against NCAA, says athletes can be paidhttp://feeds.reuters.com/~r/reuters/sportsNews/~3/VymzN5gYc_Y/story01.htmhttp://www.reuters.com/article/2014/08/09/us-ncaa-rules-decision-idUSKBN0G82AI20140809?feedType=RSS&amp;feedName=sportsNewsFri, 08 Aug 2014 21:12:00 -0400SAN FRANCISCO/NEW YORK (Reuters) - The National Collegiate Athletic Association must allow universities to offer student athletes a limited share of revenue, a U.S. judge ruled on Friday, a decision that cuts to the heart of the NCAA's mission to enforce amateurism in college sports.<img width="1" height="1" src="http://reuters.us.feedsportal.com/c/35217/f/654202/s/3d54e5ec/sc/13/mf.gif" border="0" /><br clear='all'/><div> <a href="http://feeds.reuters.com/~ff/reuters/sportsNews?a=VymzN5gYc_Y:hYUsI3U6WSM:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/reuters/sportsNews?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.reuters.com/~ff/reuters/sportsNews?a=VymzN5gYc_Y:hYUsI3U6WSM:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/reuters/sportsNews?i=VymzN5gYc_Y:hYUsI3U6WSM:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.reuters.com/~ff/reuters/sportsNews?a=VymzN5gYc_Y:hYUsI3U6WSM:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/reuters/sportsNews?i=VymzN5gYc_Y:hYUsI3U6WSM:V_sGLiPBpWU" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/reuters/sportsNews/~4/VymzN5gYc_Y" height="1" width="1" />http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.reuters.com%2Freuters%2FsportsNews&entry=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2014%2F08%2F09%2Fus-ncaa-rules-decision-idUSKBN0G82AI20140809%3FfeedType%3DRSS%26amp%3BfeedName%3DsportsNewsBeware WarKitteh, the connected cat that sniffs your Wi-Fi privateshttp://go.theregister.com/feed/www.theregister.co.uk/2014/08/09/beware_warkitteh_the_connected_cat_that_sniffs_your_wifi_privates/tag:theregister.co.uk,2005:story/2014/08/09/beware_warkitteh_the_connected_cat_that_sniffs_your_wifi_privates/Fri, 08 
Aug 2014 20:57:00 -0400<h4>Inventor says, despite it all, he?s still not a cat person</h4> <p><strong>Defcon 22</strong> An inventive security researcher has successfully tested a war-driving kitty collar ? so its wearer can prowl around the neighborhood exposing the lamentable state of Wi-Fi security.?</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.theregister.co.uk%2Fheadlines.rss&entry=tag%3Atheregister.co.uk%2C2005%3Astory%2F2014%2F08%2F09%2Fbeware_warkitteh_the_connected_cat_that_sniffs_your_wifi_privates%2FJigsaw puzzles and American corporate taxeshttp://blogs.law.harvard.edu/philg/2014/08/08/jigsaw-puzzles-and-american-corporate-taxes/http://blogs.law.harvard.edu/philg/?p=6223Fri, 08 Aug 2014 10:11:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D6223Criminal Copyright Sanctions as a U.S. Exporthttps://freedom-to-tinker.com/blog/abridy/criminal-copyright-sanctions-as-a-u-s-export/https://freedom-to-tinker.com/?p=10298Thu, 07 Aug 2014 13:48:00 -0400http://quec.li/EntryComments?feed=https%3A%2F%2Ffreedom-to-tinker.com%2Frss.xml%3Ffeed%3Drss2&entry=https%3A%2F%2Ffreedom-to-tinker.com%2F%3Fp%3D10298The US Intelligence Community has a Third Leakerhttps://www.schneier.com/blog/archives/2014/08/the_us_intellig.htmltag:www.schneier.com,2014:/blog//2.5912Thu, 07 Aug 2014 13:14:00 -0400<p>Ever since <i>The Intercept</i> published <a href="https://firstlook.org/theintercept/article/2014/08/05/watch-commander/">this story</a> about the US government's Terrorist Screening Database, the press has been <a href="http://www.cnn.com/2014/08/05/politics/u-s-new-leaker/index.html?hpt=hp_t1">writing</a> about a "second leaker":</p> <blockquote><p>The Intercept article focuses on the growth in U.S. government databases of known or suspected terrorist names during the Obama administration. 
<p>The article cites documents prepared by the National Counterterrorism Center dated August 2013, which is after Snowden left the United States to avoid criminal charges.</p> <p>Greenwald has suggested there was another leaker. In July, he said on Twitter "it seems clear at this point" that there was another.</p></blockquote> <p>Everyone's miscounting. This is the third leaker:</p> <ul><li>Leaker #1: Edward Snowden. <p><li>Leaker #2: The person that is passing secrets to Jake Appelbaum, Laura Poitras and others in Germany: the <a href="http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html">Angela Merkle surveillance story</a>, the <a href="http://leaksource.info/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/">TAO catalog</a>, the X-KEYSCORE <a href="https://www.schneier.com/blog/archives/2014/07/nsa_targets_pri.html">rules</a>. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents.</p> <p><li>Leaker #3: This new leaker, who <i>The Intercept</i> calls "a source in the intelligence community."</ul> <p>Harvard Law School professor Yochai Benkler has written an excellent law-review article on the need for a <a href="http://benkler.org/Benkler_Whistleblowerdefense_Prepub.pdf">whistleblower defense</a>. 
And there's <a href="http://harvardlawreview.org/2013/12/the-leaky-leviathan-why-the-government-condemns-and-condones-unlawful-disclosures-of-information/">this excellent article</a> by David Pozen on why government leaks are, in general, a good thing.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.5912The hidden perils of cookie syncinghttps://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/https://freedom-to-tinker.com/?p=10264Thu, 07 Aug 2014 06:29:00 -0400http://quec.li/EntryComments?feed=https%3A%2F%2Ffreedom-to-tinker.com%2Frss.xml%3Ffeed%3Drss2&entry=https%3A%2F%2Ffreedom-to-tinker.com%2F%3Fp%3D10264Monkey Selfie Lands Photographer in Legal Quagmirehttp://lightbox.time.com/2014/08/06/monkey-selfie/http://lightbox.time.com/?p=100488Wed, 06 Aug 2014 17:01:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Flightbox.time.com%2Ffeed%2F&entry=http%3A%2F%2Flightbox.time.com%2F%3Fp%3D100488Bible left in North Korean sailor's club triggered U.S. 
tourist's arresthttp://feeds.reuters.com/~r/Reuters/worldNews/~3/Q1OrixsPwEQ/story01.htmhttp://www.reuters.com/article/2014/08/02/us-northkorea-usa-idUSKBN0G200W20140802?feedType=RSS&amp;feedName=worldNewsFri, 01 Aug 2014 23:09:00 -0400SEOUL (Reuters) - American tourist Jeffrey Fowle was arrested by North Korean authorities for leaving a bible under a bin in the toilet at a club for foreign sailors, a source familiar with Fowle's case told Reuters.<img width="1" height="1" src="http://reuters.us.feedsportal.com/c/35217/f/654198/s/3d1b93c7/sc/8/mf.gif" border="0" /><br clear='all'/><br/><br/><a href="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/rc/1/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/rc/1/rc.img" border="0" /></a><br/><a href="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/rc/2/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/rc/2/rc.img" border="0" /></a><br/><a href="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/rc/3/rc.htm" rel="nofollow"><img src="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/rc/3/rc.img" border="0" /></a><br/><br/><a href="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/a2.htm"><img src="http://da.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/a2.img" border="0" /></a><img width="1" height="1" src="http://pi.feedsportal.com/r/204366115534/u/49/f/654198/c/35217/s/3d1b93c7/sc/8/a2t.img" border="0" /><div> <a href="http://feeds.reuters.com/~ff/Reuters/worldNews?a=Q1OrixsPwEQ:GanNsfcsuOU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/Reuters/worldNews?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.reuters.com/~ff/Reuters/worldNews?a=Q1OrixsPwEQ:GanNsfcsuOU:F7zBnMyn0Lo"><img 
src="http://feeds.feedburner.com/~ff/Reuters/worldNews?i=Q1OrixsPwEQ:GanNsfcsuOU:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.reuters.com/~ff/Reuters/worldNews?a=Q1OrixsPwEQ:GanNsfcsuOU:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/Reuters/worldNews?i=Q1OrixsPwEQ:GanNsfcsuOU:V_sGLiPBpWU" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/Reuters/worldNews/~4/Q1OrixsPwEQ" height="1" width="1" />http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.reuters.com%2FReuters%2FworldNews&entry=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2014%2F08%2F02%2Fus-northkorea-usa-idUSKBN0G200W20140802%3FfeedType%3DRSS%26amp%3BfeedName%3DworldNewsThe NSA's Patentshttps://www.schneier.com/blog/archives/2014/08/the_nsas_patent.htmltag:www.schneier.com,2014:/blog//2.5907Fri, 01 Aug 2014 07:54:00 -0400<p><a href="http://complex.foreignpolicy.com/posts/2014/07/30/the_nsas_patents_in_one_searchable_database_0">Here</a> are all the NSA's patents, in one searchable database.</p> <p>If you find something good, tell us all in the comments.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.5907Why were CERT researchers attacking Tor?https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/https://freedom-to-tinker.com/?p=10247Thu, 31 Jul 2014 13:18:00 -0400<p>Yesterday the Tor Project issued an <a href="https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack">advisory</a> describing a large-scale identification attack on Tor hidden services. The attack started on January 30 and ended when Tor ejected the attackers on July 4. 
It appears that this attack was the subject of a Black Hat talk that was <a href="https://www.blackhat.com/latestintel/07212014-a-schedule-update.html">canceled</a> abruptly.</p> <p>These attacks raise serious questions about research ethics and institutional responsibilities.</p> <p>Let&#8217;s review the timeline as we know it (all dates in 2014):</p> <ul> <li>30 January: 155 new machines join the Tor network as relays, carrying out an ongoing, novel identification attack against Tor hidden services.</li> <li>18 February &#8211; 4 April: Researchers at CERT (part of the Software Engineering Institute at Carnegie Mellon University) submit a presentation proposal to Black Hat, proposing to discuss a new identification attack on Tor.</li> <li>sometime March &#8211; May: Tor Project learns of the research and seeks information from the researchers, who decline to give details. Over time the researchers give a few hints to the Tor Project but withhold most of what they know. The attack continues.</li> <li>early June: Black Hat accepts the presentation and posts an <a href="https://web.archive.org/web/20140705114447/http%3A//blackhat.com/us-14/briefings.html">abstract</a> of the research, referencing the vulnerability and saying the researchers had carried out the attack in the wild.</li> <li>4 July: Tor Project discovers the ongoing attack, ejects the attacking relays from the Tor network, and starts developing a software fix to prevent the attack. The discovery was aided by some hints that the Tor team was able to extract from the researchers.</li> <li>21 July: Black Hat announces cancellation of the scheduled presentation, saying that &#8220;the materials that he would be speaking about have not yet been approved by CMU/SEI for public release.&#8221;</li> <li>30 July: Tor Project releases a software update to fix the vulnerability, along with a detailed technical discussion of the attack. 
Tor Project is still unsure as to whether the attacks they saw were carried out by the CERT researchers, though this seems likely given the similarities between the attacks and the researchers&#8217; presentation abstract.</li> </ul> <p>This story raises some serious questions of research ethics. I&#8217;m hard pressed to think of previous examples where legitimate researchers carried out a large scale attack lasting for months that aimed to undermine the security of real users. That in itself is ethically problematic at least. The waters get even darker when we consider the data that the researchers might have gathered&#8212;data that would undermine the security of Tor users. Did the researchers gather and keep this data? With whom have they shared it? If they still have it, what are they doing to protect it? CERT, SEI, and CMU are not talking.</p> <p>The role of CERT in this story deserves special attention. CERT was set up in the aftermath of the <a href="https://en.wikipedia.org/wiki/Morris_worm">Morris Worm</a> as a clearinghouse for vulnerability information. The purpose of CERT was to (1) prevent attacks by (2) channeling vulnerability information to vendors and eventually (3) informing the public. Yet here, CERT staff (1) carried out a large-scale, long-lasting attack while (2) withholding vulnerability information from the vendor, and now, even after the vulnerability has been fixed, (3) withholding the same information from the public.</p> <p>So CERT has some explaining to do. While they&#8217;re at it, they ought to explain what their researchers did, what data was collected and when, and who has the data now. 
It&#8217;s too late to cover up what happened; now it&#8217;s time for CERT to give us some answers.</p>http://quec.li/EntryComments?feed=https%3A%2F%2Ffreedom-to-tinker.com%2Frss.xml%3Ffeed%3Drss2&entry=https%3A%2F%2Ffreedom-to-tinker.com%2F%3Fp%3D10247Debit Card Override Hackhttps://www.schneier.com/blog/archives/2014/07/debit_card_over.htmltag:www.schneier.com,2014:/blog//2.5905Thu, 31 Jul 2014 07:55:00 -0400<p><a href="http://www.businessinsider.com/sharron-laverne-parrish-jr-charged-with-apple-credit-card-scam-2014-7">Clever</a>:</p> <blockquote><p>Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank -- except, he wasn't really calling his bank.</p> <p>So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.</p></blockquote> <p>Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I'll bet that fixing the infrastructure will be expensive.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.59051914 &#8211; 
1918: The War Years in Photographshttp://lightbox.time.com/2014/07/28/1914-1918-the-war-years-in-photographs/http://lightbox.time.com/?p=99741Mon, 28 Jul 2014 04:00:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Flightbox.time.com%2Ffeed%2F&entry=http%3A%2F%2Flightbox.time.com%2F%3Fp%3D99741Inside Bangladesh's Cheap Cigarette Factorieshttp://lightbox.time.com/2014/07/24/bangladesh-cigarette-factories/http://lightbox.time.com/?p=97868Thu, 24 Jul 2014 04:30:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Flightbox.time.com%2Ffeed%2F&entry=http%3A%2F%2Flightbox.time.com%2F%3Fp%3D97868