Brindle

Protip: maybe don't laugh off accusations that you're bad at cybersecurity in emails on a network that has already been infiltrated by hackers. That message did not make it through to one Eric Walker, deputy communications director for the Democratic National Committee. As you've heard by now, the DNC got hacked and all the emails were posted on Wikileaks. An anonymous user in our comments pointed us to a now revealed email from Walker brushing off a story in BuzzFeed, quoting cybersecurity professionals arguing that both the RNC and the DNC are bad at cybersecurity, mainly because they're handing out USB keys at their conventions.

Reporters who registered for the Republican and Democratic National Conventions were given tote bags by convention organizers filled with instructions and logistical information. Buried inside the totes were thumb drives, also known as USB flash drives, with information on the upcoming events.

“Who does that anymore? It’s just asking to get infected with any variety of malware,” said Ajay Arora, CEO of VERA, a cybersecurity firm. “Those thumb drives are the number one way to infect a computer… It is borderline stupidity to give them out to people, or for people to even think of using them.”

Thumb drives are known within the cybersecurity world for their fundamental security weaknesses, because when someone plugs a thumb drive into their computers they are opening up their system to anything on that drive — from the best hotels to stay in during the Republican National Convention to a virus that silently uploads itself onto the hard drive. Neither the Republican or Democratic National Committees replied to a BuzzFeed News inquiry about the thumb drives.

That's a reasonable assessment. It's dumb to hand out USB keys these days and anyone should be aware of that by now. But Walker's email sarcastically mocked this:

The thesis: we hand out thumb drives at events, which could infect the reporters/attendees' computers. So that means that we're bad at cybersecurity. Okay.

Well, truth be told, there are many reasons why you may be bad at cybersecurity, including the fact that you apparently let a group of hackers sit on your network for a year or more. But also, handing out USB keys is a super bad idea too.

Permalink | Comments | Email This Story

Niantic Labs filled nearly 6,000 seats at a San Diego Comic-Con auditorium to talk about Pokemon GO, and some juicy information was on tap from the company's CEO John Hanke.

It wasn't long after Pokemon GO launched that Nintendo enjoyed a great deal of success. The company saw a 24% bump in shares in their home country of Japan thanks to its overnight success. But it's Pokemon GO's success that's also possible for the 14% they just tanked.

Earlier this week there was a fascinating piece in the New Yorker by Jane Mayer, interviewing Tony Schwartz, who is credited as the co-author to Donald Trump's first and most famous book, The Art of the Deal (Schwartz is interchangeably referred to as the ghostwriter or co-author -- his name appears on the book as the much smaller type-faced co-author, which is unlike most ghostwriters -- but Schwartz claims he really wrote the book after just following Trump around for a bit and getting some ideas from him). The interview with Schwartz is great storytelling and focuses on his belief that Trump would be a disastrous President (and the fact that The Art of the Deal was exaggerated reality).

Despite the fact that the Republican National Convention happened this week, where Trump was officially nominated as the Republican Party candidate for President, Trump apparently found the time to have his lawyer dash off a ridiculously stupid cease and desist letter. It's the kind of cease and desist letter that we tend to see from complete cranks, rather than serious businessmen, let alone the official nominee for President from a major political party. Everything about the letter is flat out ridiculous (and at points, contradictory). Throughout it, Trump's Chief Legal Officer, Jason Greenblatt, keeps saying that Schwartz's statements are defamatory, but fails to name a single one. As has been pointed out many times, if you're screaming "defamation" but fail to point to a factual statement that is defamatory, you're just making noise.

The letter also claims that Schwartz is attempting to "rewrite history" and even starts out suggesting that Schwartz's claim of writing the book is an exaggeration, because the contract was merely to "provide certain services." But, rather than actually follow through on that line of argument, Greenblatt then more or less admits it, while arguing something totally different: that the book was successful because of Trump's association with it, not because of Schwartz. But Schwartz never argued otherwise, and that's completely besides the point.

Mr. Trump hired you to provide certain services in connection with the preparation of the Book. Although it has long-suited you to dramatically overstate your work on the Book in order to further your own career, (for example, telling George Stephanopoulos on Good Morning America that, "I wrote every word of [the Book], Donald Trump made a few red marks when I handed him the manuscript, but that was it."), let me set the record straight about the origin of the Book: Mr. Trump was the source of all of the material in the Book and the inspiration for every word in the Book. You would not have had access to any of the information that appeared in the Book without Mr. Trump. He was the mastermind behind the deals described in the Book, and he provided you with the facts and facets of each of these deals in order for you to write them down. What's more, Mr. Trump is wholly responsible for the great success of the Book, not you. It was his ingenuity that made the deals described in the Book happen, and it was his promotion of the Book that made it a runaway success.

Again, so what? That's got nothing to do with Schwartz's point and is nowhere near defamatory. Greenblatt also goes on to weirdly attack the one claim from Schwartz that he's pretty sure that many of the things in The Art of the Deal are false. Greenblatt wastes many perfectly good English words arguing that the book contract gave Schwartz the right to make changes to the book to make sure it was accurate, and somehow suggesting that his failure to change things proved that he didn't actually believe things in the book were false. Of course, again, this is not what Schwartz was arguing. He was saying that the stuff Trump told Schwartz, which Schwartz then crafted into the narrative of the book, were lies told by Trump. That should be obvious to anyone with basic reading comprehension skills.

Also, the above accusation is doubly weird, because just a page earlier in the letter, Greenblatt was arguing that Schwartz was a mere conduit and was basically just hired to scribble down Trump's words of wisdom. If he played such a minor part, then isn't that more or less admitting that Schwartz would have no say in correcting falsehoods in the book? The letter also tries to claim that Schwartz has been begging Trump for more work for decades and recently signed an agreement for royalties on the audiobook version of it. Schwartz, for his part, denies ever asking Trump for more work and says he actually turned down the offer to work on the sequel. The agreement on the audiobooks may be true, but it's difficult to see how that matters. Schwartz now speaking out against Trump, if anything, would likely diminish the interest in the book, and would impact Schwartz's own royalties (for which Schwartz has pledged to charity for any works purchased this year).

Even more hilariously, Greenblatt ends the letter by demanding Schwartz not only shut up, but also return all the royalties earned over the years from the book, including his half of the $500,000 advance.

Thankfully, Schwartz had lawyer Elizabeth McNamara at Davis Wright Tremaine respond to the letter, calling bullshit on it. The whole thing is worth a read (it's really only two pages), but here's a snippet:

Your letter alludes vaguely to "defamatory statements," "outright lies" and "downright fabrications," but you do not identify a single statement by Mr. Schwartz that is factually false, let alone defamatory. Instead, it is self-evident that Mr. Trump is most concerned with Mr. Schwartz's well-founded expressions of his own opinion of Mr. Trump's character, as well as Mr. Schwartz's accurately taking credit for the writing of The Art of the Deal, which you pointedly do not contest. Also, in Mr. Trump's eyes, Mr. Schwartz has been "very disloyal" in speaking out on these issues, as he is quoted saying to Mr. Schwartz in the recent New Yorker article by Jane Mayer.

The fact that Mr. Trump would spend time during the week of the Republican National Convention focused on settling a score with and trying to censor his co-author on a thirty-year-old book is, frankly, baffling, but only further underscores the very basis for Mr. Schwartz's criticisms. In any event, the demands you make in the letter are without any foundation in law or fact. Mr. Schwartz will not be returning any of the advance or royalties from the Book, and he has no intention of retracting any of his opinions about the character of the Republican nominee for the presidency, nor does he have any obligation or intention to remain silent about this issue going forward.

Of course, as we've noted in the past, this is kind of par for the course for Trump. When people say mean things about him, his lawyers tend to go ballistic, threatening (and sometimes suing for) defamation, even when there clearly is no defamation at all. This is why it's so ridiculous when Trump talks about "opening up" libel laws to go after those who write or say mean things about him.

Being so thin skinned and willing to at least threaten to drag an author to court for stating his opinion hardly seems particularly Presidential.

Permalink | Comments | Email This Story

The administration's brief flirtation with converting occupying forces back into police departments is apparently over. In the wake of the Ferguson protests, the administration announced its plan to rein in police departments which had been availing themselves of used military gear via the Defense Department's 1033 program. This itself was short-lived. A year later, the administration mustered up enough enthusiasm for another run at scaling back the 1033 program, but it has seemingly lost some steam as Obama heads for the exit.

The images of police greeting protesters with assault rifles, armored vehicles, grenade launchers, and officers who appeared to mistake the Midwest for downtown Kabul apparently was a bit too much. It looked more like an occupation than community-oriented policing -- something every administration has paid lip service (and tax dollars) to over the past few decades while simultaneously handing out grants that turned police officers into warfighters.

That's all off the table now. Two recent shootings of police officers have effectively dismantled the dismantling of militarized police forces.

The White House will revisit a 2015 ban on police forces getting riot gear, armored vehicles and other military-grade equipment from the U.S. armed forces, two police organization directors told Reuters on Thursday.

Shortly after the recent shooting deaths of police officers, President Barack Obama agreed to review each banned item, the two law enforcement leaders said.

That could result in changes to the ban imposed in May 2015 on the transfer of some equipment from the military to police, said Jim Pasco, executive director of the Fraternal Order of Police, and Bill Johnson, executive director of the National Association of Police Organizations.

The law enforcement lobbyists met with the President and Vice President, and it appears Obama has sent the administration's chief legal counsel to "review" the ban. The law enforcement organizations claim police need greater protections now, even though the recent clustering of officer deaths doesn't put the nation on track for anything more than an average year of on-duty deaths.

But, while the chance of being killed in the line of duty remains steady, agencies are pushing for a return to pre-2015 levels of military gear, including tracked vehicles and grenade launchers "to deal with riots." It doesn't appear that any words were wasted discussing the underlying causes of the protests officers are now facing -- none of which will be resolved with increased police militarization. Put someone in war gear and they're going to be pretty sure they're in a war, rather than serving the public as a trusted member of the community.

Permalink | Comments | Email This Story

Get your project managment skill polished and up to date with theAgile Scrum Bundle. Agile Scrum is a project management methodology used to promote teamwork, improve communication, and increase the quality and predictability of projects. Whether you are new to Scrum or want to improve your skills, these 5 comprehensive courses will help you master the ins and outs of Agile Scrum in your organization, with reference to the Project Management Institute's Agile Certified Practitioner Handbook. You'll also earn 87 PDUs toward your project management education for certification with PMI. This bundle is on sale in the Techdirt Deals Store for $49.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

Permalink | Comments | Email This Story

A German software company, Bitmanagement Software, is now suing the US government for copyright infringement and demanding almost $600 million. The lawsuit, which was filed in the US Court of Federal Claims (basically a special court set up just for cases involving suing the US government for money), says that the US Navy copied Bitmanagement's 3D virtual reality software, BS Contact Geo. Apparently, the Navy had tested the software and had an evaluation license allowing the software to be used on 38 computers. And then the Navy just copied it onto hundreds of thousands of computers.

The lawsuit notes that the Navy had specifically requested the removal of Bitmanagement's usage tracking code, and then told the company that it wanted to license the software for upwards of 500,000 computers -- but also that it started doing those installs while the company was still negotiating a license. While that negotiation was ongoing, someone (accidentally, apparently) forwarded an email to Bitmanagement indicating that the software had already been installed on 104,922 computers. Apparently, a few months later, the Navy also disabled some other tracking software, called Flexwrap. This part is a bit confusing in the lawsuit, since earlier it notes that the evaluation contract required Bitmanagement to remove tracking software, but then the lawsuit notes that later on it was the Navy that removed Flexwrap, "in violation of the terms" of the license.

This is also a rare copyright case where the plaintiff is asking for actual damages, rather than mere statutory damages. That's partly because it notes that a single license of its software runs approximately $1,000 -- and it believes the software may have ended up on 558,466 computers. Thus, it's asking for $596,308,103, which is the market value of the unpaid licenses. If it had sought statutory damages, it would have been limited to just $150,000, as that's the maximum per "work infringed." But it's also because the US government has a special super power, called sovereign immunity when it comes to copyright claims, basically allowing it to avoid a copyright lawsuit in a regular ("Article III") district court. However, at least based on my understanding of the law, they can still go to the Federal Claims court (as Bitmanagement is) and seek the actual licensing fees.

It will be interesting to see how the US government responds. After all, this is the very same US government that regularly insists that copyright infringement is a horrible evil and that we need to ratchet up punishment for it. Yet, here is the Navy doing what appears to be fairly blatant direct infringement on software that it was evaluating, but failed to fully license. In the past, the US government has found itself negotiating settlements in similar cases. But, of course, none of that has resulted in the government recognizing that perhaps its hardline position on infringement by others is a bit extreme, considering its own behavior.

Permalink | Comments | Email This Story

Iamthecheese writes: Trump hates him. Clinton misrepresented him. Most mainstream media outlets call him a traitor and worse. But if you vote Stein, Snowden will be in the presidential Cabinet. "The presumptive Green Party presidential nominee Dr. Jill Stein promises to grant NSA whistleblower Edward Snowden -- who many describe as a true American hero -- not just a full pardon, but a promotion to the upper echelons of government should she win the White House," reports Zero Hedge. "[Snowden] has done an incredible service to our country at great cost to himself for having to live away from his family, his friends, his job, his network, to basically live as an expatriate," Stein asserted during a town hall live-streamed to supporters on her Facebook page, US Uncut reported. "I would say not only bring Snowden back, but bring him into my administration as a member of the Cabinet," she continued, "because we need people who are part of our national security administration who are really, very patriotic. If we're really going to protect our American security, we also have to protect our Constitutional rights, and that includes our right to privacy." Her pardons would also extend to CIA whistleblower John Kiriakou and Chelsea Manning. Kiriakou first revealed proof of waterboarding and various other torture tactics employed by the government, while Manning leaked the Afghan War Diary and Iraq War Logs, which included footage of U.S. helicopter airmen deliberately gunning down journalists, to Wikileaks. Reddit co-founder and MIT student, Aaron Swartz, who leaked academic research to the public, would also receive a pardon under her presidency. "[Swartz] was a proponent of free and liberated internet and for sharing our resources on that internet, who was basically hounded into suicide by a very oppressive Department of Justice. So, he -- in my mind -- is another one of these heroes that we need to remember and be very thankful for."

Read more of this story at Slashdot.

Iowa congressman Steve King Steve King of Iowa loves his "sub-group" of people. Here's what he said on a televised panel on MSNBC:

“This whole ‘old white people’ business does get a little tired, Charlie. I’d ask you to go back through history and figure out where are these contributions that have been made by these other categories of people that you are talking about? Where did any other subgroup of people contribute more to civilization?”

“Than white people?” Mr. Hayes asked.

Mr. King responded: “Than Western civilization itself that’s rooted in Western Europe, Eastern Europe and the United States of America, and every place where the footprint of Christianity settled the world. That’s all of Western civilization.”

Even if King's proudly ignorant statement was true, which it most assuredly is not, the fact remains that King himself hasn't invented anything, other than fabulist history. To be proud of someone else's invention because you have the same color skin as them is just about the stupidest thing a human being could think. It's unfortunate that this nincompoop has enough admirers to vote him into office.

Quartz put together a list of things not invented by white people. I wonder if Rep King sullies his hands by touching any of them?

• numerals
• mathematics
• religion
• Christianity
• irrigation
• novels
• paper
• ink
• dance
• music
• gunpowder
• guns
• bombs
• time bombs
• the seismograph
• the compass
• just-in-time manufacturing
• CD players
• MP3 players
• Pokemon
• calculators
• karaoke
• lithium ion batteries
• yoga
• martial arts
• silk
• umbrellas
• tea
• noodles
• instant noodles
• shampoo
• punk futurism
• futures markets

Given the cultural phenomenon that is Pokemon Go, it was only a matter of time before security-conscious government agencies would be forced to confront the inevitable: that their employees would be joining in the quasi-AR madness.

Kristan J. Wheaton of the Sources and Methods blog was handed an apparently official document from the Defense Department that lays down several common sense rules for employees throwing imaginary balls at imaginary creatures. (A screenshot of the original document can be seen in Thomas Rid's tweet, embedded at the bottom of this post.)

One of my contacts (Thanks!) within the intel community put together a tip sheet for friends and family and, having read it, it sounds like good advice for anyone who wants to play Pokemon Go with a reasonable level of safety and privacy. Remember, it is a tip sheet and is designed to be helpful, not comprehensive. If it is not covered here, just remember D²S² – Don’t Do Stupid Stuff.

Considering the source, the list of do's and do not do's is straightforward and on point. And, as Wheaton points out, good advice for anyone playing the game, not just those with high-level security clearances chasing down rarities behind CIA filing cabinets.

In short, make sure you're downloading the authentic application, be aware your location will be recorded, and -- more importantly, given the nature of DoD components -- the photos taken during Pokemon hunts might accidentally reveal something meant to stay hidden.

Be mindful of your surroundings when using this augmented reality (AR) mobile game, especially when taking pictures of Pokemon during the capture process. Note what's in the foreground and background, including reflective surfaces and information revealing identity and or location (street signs, vehicle license plates, Government buildings, etc.). Disabling AR makes Pokemon easier to catch! The location where you take a picture of a Pokemon is also likely embedded in the picture's metadata.

In addition, the DoD suggests employees use something other than their personal Google account to log in and to select usernames that do not reflect their IRL names.

Some classic military-industrial complex paranoia surfaces in the penultimate bullet point, however.

When physically visiting Pokestops and gyms, maintain awareness of your surroundings. Travel with a buddy or remain in your vehicle with the doors locked. It is not necessary to physically enter the real-world establishment where a Pokestop or gym is located, you may be able to interact with the Pokestop/gym from the curb or even across the street.

While there have been reports of strongarm robberies at bogus Pokestops, the whole "situational awareness" vibe adds far more cloak-and-dagger than seems absolutely necessary.

The full list at Wheaton's blog is worth a read, though, whether you're a normal citizen or a DC insider neck deep in redacted drone strike reports/Rattatas.

Permalink | Comments | Email This Story

Former Speaker of the House Newt Gingrich is making some news today for some silly remarks he made on Fox News last night in response to the attack last night in Nice, France. It comes right at the beginning of this video: All of the press -- for good reason -- is focusing on the first part of what he said, about deporting anyone "of Muslim background" (whatever that means) who "believes in Sharia." We'll skip over why this is totally clueless and unconstitutional, because plenty of other news sites are handling that.

Instead, we'll move on to the second craziest thing he said, right after that first statement, which is something that fits much more with Techdirt's usual themes: Gingrich then claims two ridiculous things, each only slightly less ridiculous than his first statement:

Anybody who goes on a website favoring ISIS, or Al Qaeda, or other terrorist groups, that should be a felony and they should go to jail. Any organization which hosts such a website should be engaged in a felon. It should be closed down immediately. Our forces should be used to systematically destroy every internet based source...

He then goes on to note that if we can't take them off the internet, we should just kill them all. Which, you know, I'm sure won't anger any more people against us.

Either way, this is idiotic. Merely visiting a website should put you in jail? What if you're a journalist? Or a politician? Or a researcher trying to understand ISIS? That should be a felony? That's not how it works. This also assumes, idiotically, that merely reading a website about ISIS will make people side with ISIS. It's also not, at all, how the law works. Same with the second part about it being a felony to host such content. We're already seeing lawsuits against social media sites like Facebook, Twitter and YouTube for hosting accounts from ISIS, and many are voluntarily taking down lots of those accounts. But making it a felony to keep them up? That's also not how the law works.

Reacting to a very real problem with stupid unconstitutional solutions suggests someone who has no clue what he's doing.

Permalink | Comments | Email This Story

It's Olympics season again. What is normally an expose of how the IOC and the USOC become the biggest IP bullies on the block has had a little spice added to it this year in the form of a host country that by all reports is woefully unprepared for its duties while simultaneously being rocked by a pest-spread disease with the delightful symptom of shrinking the brains of fetuses. And if that doesn't make you believe that some combination of a god and/or the universe wants the Olympics to cease to be, perhaps the fact that the whole fiasco will be broadcast by NBC will.

Yes, running in parallel with our posts about IOC bullying, you will find a history of posts about NBC's strange attempts to turn back the clock on its broadcast of the games. Historically, this has meant limiting the live streaming of most of the events, making it as difficult to find and watch any event as possible, and delaying all kinds of event broadcasts until NBC deems that the public wants to watch them. But have heart, dear friends, for the NBC overlords have listened and have declared that these Rio Olympics will be the "most live Olympics ever."

For Rio 2016, NBC says this will be its "most live Olympics ever" with 4,500 hours of coverage streaming on NBCOlympics.com and the recently renamed NBC Sports app. Also new this time around is that the NBC Sports app is on connected TV devices (it launched on Roku and Apple TV last year), not just mobile.

Now, I'll just go ahead and note here that while NBC has been very busy patting itself on the back for how much more live coverage there will be of the Olympics in Rio compared with previous broadcasts, the fact that there is a time difference of exactly one hour between East Coast time and Brazil means that all the live coverage is probably just happenstance rather than any concerted effort by NBC. But, hey, the company has still gotten the message that live coverage only makes sense in a hyper-connected world where view-on-demand can be achieved by the devices we carry around in our pockets at work and while in transit, right?

Sure! Except for the opening ceremony, because you idiots aren't smart enough to be able to watch that live.

The Rio Olympics formally begin August 5th with the opening ceremony from the Maracanã stadium. Proceedings start at 7 p.m. Eastern Time, only you won’t be able to watch them on NBC until at least an hour later. At a press conference yesterday, NBC execs announced plans to broadcast the ceremony at 8 p.m. Eastern Time and 7 p.m. Central Time, each on one hour delays, and at 7 p.m. Mountain Time and 8 p.m. Pacific Time, on two and four-hour delays respectively.

So why the need for anywhere between a one and four our delay to watch the opening ceremony? Two reasons. First, forget all of that hyperconnectivity thing we just talked about, this shit has to only air during prime time. Also, without post-production and planned narration of the ceremony, you viewers won't get all of the great story lines NBC wants to feed you.

By doing a short tape-delay of one hour, it allows us to put it in a time period when more people are home to watch, because it is a Friday night and they get out of their commute or home from wherever they are. And it allows us to curate it with the narrative and storytelling of our announcers to explain what’s going on. And it allows us to put in commercials without cutting out large chunks of the show.

Also, the opening ceremony is really for all of the penis-less viewers out there. And we all know how the ladies don't really like sports but do like their soap operas, amirite?

The people who watch the Olympics are not particularly sports fans. More women watch the Games than men, and for the women, they’re less interested in the result and more interested in the journey. It’s sort of like the ultimate reality show and mini-series wrapped into one. And to tell the truth, it has been the complaint of a few sports writers. It has not been the complaint of the vast viewing public.

Now, to the point about the prime time coverage. Look, hyperconnected or not, it is certainly true that many adults only have certain hours of the day to which they can dedicate some couch-time and watch a bunch of people from a bunch of countries walk around in a circle for a while. But that doesn't mean NBC couldn't also stream the ceremony live for those that want it live. The commentary might be pared down and perhaps we wouldn't get all of the juicy narrative NBC wants to inject for lady viewers, who we all know universally hate sports and all that, but there is value to live coverage that many people want. It's not just a small number of sports writers.

As for that context it claims it needs to inject, that's not the whole story. What the delay really allows NBC to do is inject commercials wherever it wants without omitting any countries from the ceremony while also being able to cut out any undesirable content (i.e. political content) that shows up in the ceremony.

NBC has an incentive to air the ceremony live, but by delaying, they are sacrificing the chance to be first so they can tailor the coverage, cut out any shenanigans, and pick the best places to cut away to commercial. And, of course, cut anything controversial. As Gary Zenkel, NBCSG’s president, pointed out, it’s a show, not a competition.

Which, fine, if NBC wants to act as the speech filter for its viewers, so be it. But who is going to be surprised when NBC also screams bloody murder at people seeing results, highlights, and even coverage of the opening ceremony that will be available on other streams from other nations' broadcasts, on Twitter and Facebook and the like? NBC can't seriously delay its coverage and get mad when all the customers whose demands it ignores move on to other options.

But that's exactly what will happen. We've been here before, after all. And no matter how "live" these Olympics are this go-round, delaying the broadcast and stream of the opening ceremony leads me to believe I know exactly how it will go this time too.

Permalink | Comments | Email This Story

Note: Larger version HERE if eye-strain isn't the name of your game. The name of my game? Stove hands. We have to wait for my mom to leave for work to play though. This is a flowchart you can use to determine which Game Of Thrones house you belong to. Is it accurate? I doubt it, it seems too simple to be accurate. I'm a very complex person, and there's no way some ultra-basic flowchart is going to pick the proper house for me. "You got a shitty house, didn't you?" Hufflepuff. Thanks to carey, who told me when she went to Hogwarts she got sorted directly into the teaching staff because she's that good at magic.

Evidence acquired using Stingray devices has rarely been suppressed. This is due to the fact that it's almost impossible to challenge. The reason it's almost impossible to challenge is because the FBI -- and the law enforcement agencies it "partners" with (via severely restrictive nondisclosure agreements) -- will throw out evidence and let suspects walk rather than expose the use of IMSI catchers.

Earlier this year, a Baltimore city circuit judge threw out evidence obtained with the Baltimore PD's cell tower spoofing equipment. And this was no run-of-the-mill drug bust. An actual murder suspect had evidence suppressed because of the BPD's warrantless deployment of a Stingray device. Without the use of the Stingray, the BPD would not have been able to locate the suspect's phone. And without this location, there would have been no probable cause to search the apartment he was in. You can't build a search warrant on illegally-obtained probable cause, reasoned the judge. Goodbye evidence.

"I can't play the 'what if' game with the Constitution," [the judge] said, lamenting that it protects people from illegal searches even when the defendant is "likely guilty."

Now, it's finally happened at a higher level. For the first time ever, a federal judge has suppressed evidence obtained by the warrantless use of a Stingray device.

U.S. District Judge William Pauley in Manhattan on Tuesday ruled that defendant Raymond Lambis' rights were violated when the U.S. Drug Enforcement Administration used such a device without a warrant to find his Washington Heights apartment.

The DEA had used a stingray to identify Lambis' apartment as the most likely location of a cell phone identified during a drug-trafficking probe. Pauley said doing so constituted an unreasonable search.

"Absent a search warrant, the government may not turn a citizen's cell phone into a tracking device," Pauley wrote.

The opinion [PDF] notes the DEA first tried to locate Lambis using cell site location info but found it wasn't precise enough. So, it deployed a Stingray to track him down, ultimately ending with a DEA tech roaming an apartment's hallways with a cell site simulator until Lambis was located.

A few hours later, DEA agents showed up at the apartment, where Lambis' father allowed them to enter and Lambis himself consented to a search of his room and belongings.

It's pretty tough to work your way backwards from a consensual search to a suppression order, but Lambis' lawyer was apparently up to the challenge. But -- as in the Baltimore PD case -- the DEA would never have known which apartment Lambis was located in without the use of a cell site simulator, and that's where it all falls apart for the DEA.

The government tried to argue that two fairly recent cases involving thermal imaging (Kyllo) and drug dogs (Thomas) weren't applicable, as its "limited search" only disclosed information it could obtain without a warrant: cell site location. This is at odds with its reasons for deploying the cell site simulator -- which was that the CSLI it obtained wasn't precise enough to locate the suspect.

The court finds the government's attempt to route around these two precedential decisions unavailing, noting that the use of a cell site simulator is actually more intrusive than the search methods used in the cases the DEA's lawyers wanted to have ignored.

The Government attempts to diminish the power of Second Circuit precedent by noting that Thomas represents a minority position among circuit courts. But this Court need not be mired in the Serbonian Bog of circuit splits. An electronic search for a cell phone inside an apartment is far more intrusive than a canine sniff because, unlike narcotics, cell phones are neither contraband nor illegal. In fact, they are ubiquitous. Because the vast majority of the population uses cell phones lawfully on a daily basis, “one cannot say (and the police cannot be assured) that use of the relatively crude equipment at issue here will always be lawful.”

The court also points out that the DEA -- for whatever reason -- obtained a warrant for the cell site location info. It wonders why it didn't bother to obtain a warrant for the cell site simulator deployment, seeing as it obtained a warrant for information it could have obtained without one. It also notes that a warrant for CSLI is not the same as a warrant for obtaining precise location info via the use of sophisticated electronic equipment.

The fact that the DEA had obtained a warrant for CSLI from the target cell phone does not change the equation. “If the scope of the search exceeds that permitted by the terms of a validly issued warrant . . . , the subsequent seizure is unconstitutional without more.” Horton v. California, 496 U.S. 128, 140 (1990)... Here, the use of the cell-site simulator to obtain more precise information about the target phone’s location was not contemplated by the original warrant application. If the Government had wished to use a cell-site simulator, it could have obtained a warrant. And the fact that the Government previously demonstrated probable cause and obtained a warrant for CSLI from Lambis’s cell phone suggests strongly that the Government could have obtained a warrant to use a cell-site simulator, if it had wished to do so.

The government also tried to use the Supreme Court's horrendous Strieff decision to save the evidence, but the court notes that the "temporal proximity" between the illegal Stingray search and the consensual search of the apartment was too close to allow the illegality of the original search to dissipate.

The government also tried to use the Third Party Doctrine to salvage its warrantless search, but the court refuses to be sold on this bad idea.

This Court need not address whether the third party doctrine is “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” United States v. Jones, 132 S. Ct. 945, 957 (2012) (Sotomayer, J., concurring), because even under the historic framework of the doctrine, it is not available to the Government here. The doctrine applies when a party “voluntarily turns over [information] to third parties.” Smith v. Maryland, 442 U.S. 735, 744 (1979) [...] However, the location information detected by a cell-site simulator is different in kind from pen register information: it is neither initiated by the user nor sent to a third party.

[...]

Unlike CSLI, the “pings” picked up by the cell-site simulator are not transmitted in the normal course of the phone’s operation. Rather, “cell site simulators actively locate phones by forcing them to repeatedly transmit their unique identifying electronic serial numbers, and then calculating the signal strength until the target phone is pinpointed.”

These points are good. The following, though, is even better. The court finds the government can't attempt to use the Third Party Doctrine when it has chosen to act as the "third party" in this equation.

For both the pen register and CSLI, the Government ultimately obtains the information from the service provider who is keeping a record of the information. With the cell-site simulator, the Government cuts out the middleman and obtains the information directly. Without a third party, the third party doctrine is inapplicable.

The Second Circuit has yet to make a decision on the reasonable expectation of privacy in CSLI. If this is appealed, it may finally have to handle that question. Then again, CSLI is only partially implicated here and it may be able to let the Fourth Amendment's reach be determined on a case-by-case basis until something more directly addressing the issue comes along. If nothing else, the ruling here should encourage more federal agencies operating in this district to get a warrant "just in case." Then again, the secrecy surrounding Stingray devices discourages the creation of paper trails, so it may be that the government will continue to roll the Fourth Amendment dice until a higher court tells them otherwise.

Permalink | Comments | Email This Story

For many, many, many, many years, we've followed the rather crazy trials and tribulations of trying to get an international treaty signed to make it easier for the blind to access copyright-covered works (basically requiring countries to allow visually-impaired accessible versions to be reproduced and distributed). This is a treaty that people have tried to get in place for years and years and years, and it was blocked again and again -- often by legacy copyright industries who flat out refuse to support any kind of agreement that could be seen as strengthening user rights, which they see (ridiculously, and incorrectly) as chipping away at copyright. Amazingly, despite a last minute push by the MPAA and the Association of American Publishers, an agreement was reached and signed in 2013, called the Marrakesh Agreement. As we noted at the time, we fully expected the legacy copyright industries to refocus their efforts on blocking ratification in the US, and that's exactly what's happened.

Hell, it took almost three years for the White House to finally send over the treaty to the Senate for ratification. That happened back in February, and they sent it together with another copyright-related treaty, the very troubling Beijing Treaty that creates an entirely new form of copyright for performers. So far, the Senate has moved on neither issue. However, to have the Marrakesh Treaty go into effect, it needed 20 countries to ratify it. And while the US has sat still, a few weeks ago, Canada became the 20th country to complete the ratification process. That means the agreement officially goes into effect on September 30th of this year. As the EFF noted:

That’s another significant step for a treaty that has already made some important breakthroughs as the first international treaty focused exclusively on the rights of users of copyrighted material. Typically, if user’s rights are considered at all, they’re relegated to a section on “limitations and exceptions” or even as non-binding introductory text. In the Marrakesh Agreement, they are front and center.

That post also noted that it should be a no brainer for the US to ratify this:

United States law is already compliant with Marrakesh, but the government has not yet ratified the agreement. To do so requires a two-thirds vote from the Senate, and then a formal ratification from the President. Even at a time when passing legislation has proven exceedingly difficult, the Marrakesh Agreement would be a relatively easy and uncontroversial way to demonstrate leadership internationally and help bring books to millions of blind, visually impaired, and print-disabled people around the world.

But why hasn't it happened? According to KEI, a group that fought hard for many years to get the agreement in place, the legacy copyright industries are working hard to block it in Congress:

The Obama Administration has asked the US Congress to ratify the treaty... but Congress has yet to act, in large part due to lobbying from the Association of American Publishers.... The AAP lobbied the Administration for changes in the U.S. ratification package, and now have asked the Congress for changes that they failed to obtain in the interagency review process. The U.S. ratification already represents compromises, including limitations of exports to countries that have ratified the treaty, a provision that currently excludes all of Africa and Europe. But the AAP continues to press for additional amendments to the ratification legislation.

This isn't a huge surprise, the AAP more or less admitted that they would refuse to support anything that established greater user rights, since that would be seen as an attack on "their rights." And, of course, the MPAA has also been working hard to block it, whining that this treaty could (gasp!) "affect other future treaties."

All of that is just shameful. This is a no-brainer situation. Helping the visually impaired get access to these works is something everyone should agree is a good thing. And yet, because they're so scared of user rights expanding in any way at all, the legacy industries have to block it.

Permalink | Comments | Email This Story

Pokémon GO is now the most popular mobile game in the history of the U.S. It has surpassed Draw Something and Candy Crush Saga in daily active users.

Here's some good news. After decades of ridiculously bad management, it appears that the Library of Congress has a real leader. Dr. Carla Hayden has been approved by the Senate as our new Librarian of Congress by a wide margin, 74 to 18. And that's despite a last minute push by the ridiculous Heritage Foundation to argue that the Librarian of Congress should not be a librarian (and one with tremendous administrative experience). Heritage Foundation's alerts can often sway Republican Senators, so the fact that only 18 still voted against her is quite something. Hayden was also able to get past ridiculous claims that she was pro-obscenity or pro-piracy based on people who just didn't like the idea of an actually qualified person in the position.

She's an exceptionally qualified librarian with administrative and leadership experience. And while I'm sure I won't agree with everything she does, it seems like a massive improvement on the previous librarian, James Billington, who famously resisted any kind of modernization efforts, and who the Government Accountability Office had to call out multiple times for his leadership failings. Billington was so bad that when he resigned, the Washington Post was able to get people to go on the record celebrating.

The reaction inside the library was almost gleeful, as one employee joked that some workers were thinking of organizing a conga line down Pennsylvania Avenue. Another said it felt like someone opened a window.

“There is a general sense of relief, hope and renewal, all rolled into one feeling,” said one staffer who spoke on the condition of anonymity for fear of reprisal. “Like a great weight has been lifted from our shoulders.”

Maureen Moore, who retired in 2005 but volunteers at the library, said she and her friends were thrilled.

“It’s a great day for the library. The man has had 27 years to do good things, and he hasn’t,” she said.

It's a low bar, but Hayden will almost certainly be better than that -- and hopefully a lot better as well. She's shown in the past a willingness to stand up and fight against government surveillance and for freedom of speech and access to information. Her positions on copyright are less clear, but as she's now in charge of the Copyright Office, hopefully she'll bring some much needed balance to that office, and a greater recognition, as a librarian, of the importance of access to information, rather than locking up all info.

Of course, given all that, I can pretty much guarantee that Hollywood and other legacy copyright industries are going to pump up their fight to move the Copyright Office out of the Library of Congress, and either set it up as its own agency, or dump it into the Dept. of Commerce, perhaps as part of the Patent and Trademark Office. Expect to see a big push on that very soon, including all sorts of bullshit arguments in favor of it. But remember, copyright was designed to benefit the public, and not as some sort of commercial tool that belongs in the Dept. of Commerce.

Permalink | Comments | Email This Story

Techdirt has run many articles about China's direct assault on Internet freedom. Indeed, its attempts to muzzle online dissent are so all-encompassing you might think it has run out of things to censor. But you'd be wrong: China is now reining in games for mobile phones, as a post on Tech in Asia explains:

A little over a month ago, Chinese censorship bureau SAPPRFT announced new rules that require every mobile game launched in China to be pre-approved by SAPPRFT (already-launched games will have to get retroactive approval before the grace period ends in October). Before the rules had even gone into effect, developers and analysts alike were predicting things could be bad, and that the rules might dismantle China’s indie mobile gaming scene entirely.

Making sure games aren't seditious in any way might be expected, but there's a rather weird twist to this latest move:

One developer's rant has gone viral in the Chinese web after their game was supposedly rejected by SAPPRFT for containing English words. Not offensive English words, mind you, but completely innocuous ones like "mission start" and "warning." "I'm really fucking surprised," wrote the developer of the rejection.

Another developer confirmed that their game had been rejected for the same reason: including English words like "go" and "lucky." SAPPRFT's rules also forbid the use of traditional Chinese characters.

The use of English here is hardly subversive. The words in question form part of a global gaming language that has little to do with either the US or the UK. The ban on traditional Chinese characters, as opposed to the simplified ones that are generally used in China, is more understandable: Taiwan still uses the traditional form, so their inclusion might be seen as some kind of subliminal political statement.

The consequence is likely to be fewer games from smaller Chinese software companies, who are less able to meet the stringent new demands. As the Tech in Asia post rightly points out:

We could be facing a future where China's entire mobile game catalogue consists only of the games produced by powerful corporations like Tencent and Netease, with no room for startups and indies.

And that is probably the real reason for this latest move: big companies tend to be far more willing to toe the government line than smaller independents, since they have far more to lose. So, as with other apparently arbitrary moves, the latest unexpected clampdown by the Chinese government looks to be yet another example of its shrewd and subtle control of the online world.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Permalink | Comments | Email This Story

Relive the 80s when the Nintendo Classic Mini: Nintendo Entertainment System launches in stores on 11th November. The classic NES is back in a familiar-yet-new form as a mini replica of Nintendo's original home console. Plugging directly into a high-definition TV using the included HDMI cable, the console comes complete with 30 NES games built-in, including beloved classics like Super Mario Bros., The Legend of Zelda, Metroid, Donkey Kong, PAC-MAN and Kirby's Adventure. The Nintendo Classic Mini: Nintendo Entertainment System comes packaged with an HDMI cable, a USB cable for powering the system*, and one Nintendo Classic Mini: NES Controller. And whether it's rediscovering an old favourite or experiencing the joy of NES for the first time, the fantastic collection of NES classics included with each and every system should have something for all players. It's a tiny little NES! A tiny little NES! With games built-in! Yes, I know there are tons of clones and emulators out there, but nothing beats a trustworthy product from the actual manufacturer. There's still a ton of things we don't know - is it an ARM chip with an emulator? An actual NES miniaturised? Does it have the ability to load new games? Is it hackable? - but this is a 100% instabuy for me. This thing is just too much of an adorable steal not to buy.

All I have to do is say that this is a story that involves the Olympics and you probably already know exactly what kind of story this is going to be. That's because we here at Techdirt have posts going back years that detail how the IOC and the USOC go about bullying, threatening, berating and downright pestering anyone it can over even the slightest of intellectual property concerns. The fact that these international games come around every two years now, instead of four, only means this bullying occurs now in near perpetuity instead of at a pace of a half-a-decade staccato.

So, with the Rio Olympics right around the zika-infested, super-bacteria-in-the-water corner, it's time to start relaying the most predictable news possible: the USOC are still bullying people over laughably slight trademark concerns. Though I will credit the USOC this much: they're finding new and inventive ways to come off as petty and money-grubbing as possible. The link above details the USOC's demands that Oiselle, an athletic apparel company that sponsors Olympic athlete Kate Grace, take down the following Instagram posts.

The USOC said these posts were trademark violations and that Oiselle was using them to confuse the public into thinking it was sponsoring the Olympics. Now, Kate Grace is sponsored as an athlete by Oiselle. The posts above appear to be a runner's sponsor alerting its followers at the accomplishment of one of its athletes. You know, exactly the kind of thing that a corporate sponsor should be expected to do. So, are you confused as to what any of the above has to do with the USOC's claim that Oiselle is trying to trade off of the trademarks of the Olympics?

Sally Bergesen, CEO of Oiselle, told the Orange County Register that she received an email from the U.S. Olympic Committee informing her that the posts violated USOC trademark guidelines, requesting that Oiselle to take down all images of Grace and other Oiselle athletes competing at the Trials. The USOC official, Carol Gross, asked that Oiselle stop all “Olympic-related advertising” and take down images by “close of business” Wednesday, July 6.

“This is about USOC’s intellectual property, ownership of the terms Rio, Road To Rio, the rings—all of the branding they use,” Bergesen said by phone. “By using the caption ‘She’s heading to Rio’ and showing the branding [#RoadToRio, Olympic rings] on her bib, which is ironed onto her Oiselle top, they’re saying it’s akin to creating advertising, that we’re making it look like we’re part of Team USA and doing Olympic advertising. They’re saying that our reporting is advertising; we differ with that.”

Yes, because the USOC has managed to get all kinds of generic trademarks on words and locations that have no business being trademarked at all, and because the athlete was wearing a bib while competing that showed some valid IOC trademarks, suddenly the image and caption can't be put on social media. Does anyone actually look at that picture and caption and immediately conclude that Oiselle is an Olympic sponsor? Even the hashtags, a brand new insane place for people to fight over trademark concerns, don't conjure up an association with the olympics.

But here's where we can see the USOC's intentions laid bare. Keep in mind that Kate Grace is sponsored by Oiselle, just not for the Olympics. Instead, she's a sponsored athlete for all of her non-Olympic competition and training. Meaning that Oiselle is part of what got Kate Grace to the Olympics, but now that company can't even tweet out a picture of her success.

Bergesen says she understands the USOC’s position with regard to maintaining the value of trademarks, but takes issue with the fact that the neither the USOC nor its major corporate sponsors support athletes’ training, nor pay athletes for competing at the Olympics, but make vast sums from the event. “It comes down to how the money is spent,” she said. “I would be somewhat okay [with non-USOC rmarketing restrictions] if some of the money were getting to athletes. But the reality is, if it were not for small private entities who actually support athletes, you’d have a beautifully branded stadium with no athletes in it.”

Filled with all the branding in the world and nobody there to take pictures of it all and tweet them out, because the athletes are actually supported by the very people unable to congratulate them on social media. Gold medal for asshole-ery goes to the USOC.

Permalink | Comments | Email This Story

I don't get to use the phrase "with alacrity" that often, but Baton Rouge store owner Abdullah Muflahi's filing of a lawsuit against the Baton Rouge police can only be described as that.

Following the shooting of Alton Sterling by Baton Rouge police officers, Muflahi's store was raided by law enforcement officers who took the hard drive containing the store's surveillance camera footage of the altercation. So far, everyone involved has refused to discuss the illegal seizure of Muflahi's recording equipment, deferring to the FBI and its investigation of the shooting -- which would be something if the FBI would answer questions about the seizure and current location of the hard drive.. but it won't talk about it either.

Hence the speedily-filed lawsuit by Muflahi, as reported by Mike Hayes of Buzzfeed:

The owner of the Triple S Food Mart in Baton Rouge where Alton Sterling was fatally shot on July 5 says police detained him for hours while seizing his security footage of the incident without a warrant, according to a lawsuit [PDF] filed Monday.

28-year-old Abdullah Muflahi says that police at the scene placed him in a locked police car for four hours and denied him access to his cell phone, preventing him from contacting his family or an attorney.

According to the lawsuit, police wouldn't even allow Muflahi to go back into his store to use the restroom during his detention, forcing him to urinate outside of his store in full view of the public. And his detention didn't end there. Muflahi was taken back to the Louisiana State Police headquarters and held for another two hours while officers questioned him.

This all sounds very suspicious, illegal, and retaliatory. Muflahi not only had CCTV footage of the shooting, but also filmed it with his own cell phone, providing one of the two "unofficial" accounts of the arrest. While it's fantastic that a recent Supreme Court decision may have resulted in officers' reluctance to seize/search Muflahi's cell phone, the Fourth Amendment itself seemed to have little effect on their decision to enter his store and seize his recording equipment without a warrant. While the recording could correctly be described as "evidence," that doesn't excuse a warrantless entry or seizure.

The lawsuit, unfortunately, is a little thin when it comes to establishing anything that might overcome the immunity that shields individual officers from the consequences of their actions. While it does suggest the Baton Rouge Police Department's training is inadequate, it really doesn't go into detail as to why the court should be expected to believe this assertion. However, it does make an allegation that could be interesting if the court decides to explore it.

[Baton Rouge Police Chief Carl Dabadie] has negotiated a contract with a union representing police officers that provides a blanket indemnification for police officers who are sued by the public from all claims no matter what the circumstances under which the claim arise and further provides that meritorious complaints about police officers are purged from employment files after only 18 months. Both contract provisions encourage aggressive conduct by police officers by minimizing consequences.

It's common knowledge that police union contracts are generally constructed to shield officers from not only public scrutiny, but internal misconduct investigations as well. Most of these are complemented by a "Law Enforcement Bill of Rights" that gives officers up to three days to ignore questions about alleged misconduct or excessive force. These "extra rights" are often granted in the face of police union pressure, and the unions themselves are heavily-involved in the drafting of department discipline policies. Unions also help fired officers regain their positions, making it even harder for law enforcement agencies to rid themselves of the "bad apples" continually spoiling the rest of the "bunch."

While there's zero chance any decision would result in an alteration of the union's relationship with the Baton Rouge police department or the policies it helped draft, any discussion would at least shine a little more light on how these unions tend to make bad policing/policies even worse.

Permalink | Comments | Email This Story

When my brain started combining the complexity of being Black in America with the real world proposal of wandering and exploration that is designed into the gamplay of Pokemon GO, there was only one conclusion. I might die if I keep playing. This week has proven he's not wrong.

The TSA -- still reeling from an investigation showing agents couldn't find explosives in a fireworks factory and mounting complaints about long screening lines stemming from its unofficial work slowdown, one that began shortly after the agency's inception -- has decided to generate more positive PR by brutalizing a disabled nineteen-year-old girl with a brain tumor.

If this sounds like broad satire of the often-thuggish agency rather than real life, read on and be amazed/dismayed. First, let's take a quick look at the threat to traveler safety TSA agents neutralized at the Memphis International Airport.

The unarmed nineteen-year-old somehow set off the metal detectors. TSA agents swiftly moved in to secure the threat, blowing right past Hannah Cohen's mother, who tried to inform them that sudden, violent motions were not going to be exactly helpful. (via Raw Story)

“They wanted to do further scanning, she was reluctant, she didn't understand what they were about to do," said her mother Shirley Cohen.

Cohen told us she tried to tell TSA agents her daughter is partially deaf, blind in one eye, paralyzed, and easily confused, but said she was kept at a distance by police.

Hannah Cohen -- suffering from multiple physical ailments -- reacted badly. She tried to run. The TSA reacted the only way it knows how.

She's trying to get away from them but in the next instant, one of them had her down on the ground and hit her head on the floor. There was blood everywhere,” said Cohen.

Rather than chalk this up to a big, bloody misunderstanding, the TSA and local authorities worked together to lock Hannah up overnight while her and her family's baggage continued on to Chattanooga without them. Charges were dropped, but that's not going to be the end of it. Cohen has filed a lawsuit against the TSA and Memphis law enforcement agencies.

The TSA, meanwhile, took immediate steps to mitigate the damage by stating that Hannah's parents should have called ahead if it didn't want their child terrorized and tackled.

Sari Koshetz of TSA released a statement that said, “Passengers can call ahead of time to learn more about the screening process for their particular needs or medical situation.”

No apology. No admission that this might have been handled better. No recognition that the agents' failure to listen to Hannah Cohen's mother might have resulted in a brain tumor patient covered in less blood and fear. Just a bit of victim blaming where the TSA implies that agents may not have reacted so badly to a metal detector beep if only they'd been informed ahead of time that the alarm would go off and Hannah Cohen would react badly to swiftly escalating screening efforts.

The most ridiculous thing about the spokesperson's comment is that we're supposed to believe the TSA will listen to parents of disabled travelers if they call ahead -- when it's plainly apparent they won't listen to them when they're STANDING RIGHT NEXT TO THEM.

Permalink | Comments | Email This Story

The Office of the Director of National Intelligence (ODNI) has been going through something of an awkward phase the last few years. The Office, which is a part of the White House, and is supposed to direct and coordinate various parts of the intelligence community, has been trying to figure out how to be more open and "transparent" to the public since the Snowden documents began flowing. Given that historically the intelligence community has focused on being as secret as is humanly possible, it's not very good at this whole transparency thing. And sometimes it's just really, really awkward. Just try (really) to watch this video it put out on Wednesday, telling US travelers abroad to fear everyone and everything. That's not to say that there isn't some good advice mixed in there, but it's mixed in with some ridiculous claims, an overreaching level of paranoia, and some incredibly bad acting. The basic premise, though, is that wherever you go, even if you're visiting a US ally country, basically every person you meet has an ulterior motive, and it's to get your digital stuff. The border patrol guy who welcomes you to the country clicks a button that says "INITIATE SURVEILLANCE" (literally) and apparently suddenly every living human being in this foreign country now knows to spy on Frank. He checks into his hotel, and the person at the front desk is friendly, but apparently having been tipped off by border patrol to spy on Frank, she immediately texts his room number to a sketchy guy. We know he's sketchy because he wears a leather jacket. When Frank heads out of his hotel room, he puts his tablet in the room safe, and as soon as he's gone, Mr. Sketchy comes in and opens the safe and downloads everything. To be clear: hotels are not very secure and people get electronics stolen all the time. And, yes, if you're a serious target, people may target your electronics. Of course, many of those people may actually work for the US government. Isn't that part of how the NSA hacks into various global companies? It seems like this video is giving up more US procedures than anything else.

Then the video just gets weirder. A smug asshole shows up claiming he's someone who "knows better" and tells Frank not to bring so many electronic gadgets with him. He actually recommends getting a burner phone and a throwaway email address for travel overseas. Yes, this is part of the same US intelligence community that has talked about how burner phones have created problems for its surveillance efforts, though which these days also is pretty good at connecting burner phones to individuals by merging various databases together. Smug guy also says not to post on Facebook (or, rather, "Friend Basket" in the video) that you'll be travelling overseas. Now, that's also not necessarily a bad recommendation, but it depends on context quite a bit. If the fear is that you're alerting foreigners to target you, given the earlier paranoia in the video, it's unlikely that those targeting you are finding out because of your social media posts.

Then, the paranoia goes deeper. Frank meets a woman and they agree to go for drinks. Smug Jackass basically says that anyone that friendly to Frank must be evil. Then, he reminds Frank never to send a work email, even though he's traveling for work. And then he actually says: "Besides, who's got time for work? You're traveling! Get out there! Live a little!" Remember that literally a minute earlier, Smug Guy was berating Frank for doing exactly that.

Yes, there are certainly some people where this kind of thing applies to them when travelling abroad. But this video isn't likely to help them, and it applies to a fairly limited population of people. Meanwhile, this video really kinda reveals the paranoia with which the US intelligence community lives. They spy on absolutely everyone, so they assume that absolutely everyone is getting spied on everywhere as well. It's also somewhat bizarre that they're pushing disposable email and burner phones on people while warning about terrorists using the same.

The key messages: the US intelligence community is creepy and smug, and they want you to be deathly terrified of anyone you encounter in a foreign country.

Permalink | Comments | Email This Story

We've seen government officials do some pretty questionable things to avoid turning over documents to FOIA requesters. The most common method is just to stick requesters with a bill they can't pay. Stonewalling is popular, too -- so much so that the federal government sends out "Still interested?" notices to people whose requests have been backburnered for years.

More rarely, officials will race requesters to the courthouse, hoping to secure a judgment in their favor stating that they've already fully complied with a FOIA request -- even when they've done nothing but withhold and redact. Stripped of all the legal wrangling, this is basically the government suing individuals for asking for documents, forcing taxpayers to go out-of-pocket if they hope to counter the officials' assertions.

But one thing we haven't seen is a government official securing a grand jury indictment against open records requesters… for making open records requests.

A North Georgia newspaper publisher was indicted on a felony charge and jailed overnight last week – for filing an open-records request.

Fannin Focus publisher Mark Thomason, along with his attorney Russell Stookey, were arrested on Friday and charged with attempted identity fraud and identity fraud. Thomason was also accused of making a false statement in his records request.

The pair had been going after local judge Brenda Weaver and other court staff for some time, tracing back to her predecessor's (former judge Roger Bradley) use of a racial slur in the courtroom. The slur was attached to a defendant's name, and this slur was repeated by the district attorney and court deputies. Thomason acquired a copy of a transcript only to find the repeated use of the slur by court deputies had been removed. He asked for the audio recording of the hearing and was rejected.

This led to an article by Thomason in which he noted the missing slurs and presumably questioned the court stenographer's skills/honesty. The court stenographer sued Thomason for defamation, seeking $1.6 million in damages. The suit was dropped when it became clear Thomason, like many journalists, is judgment-proof -- i.e., there's no way he had anything close to $1.6 million laying around. The case was closed by a judge who determined Thomason had no proof that the transcript was inaccurate.

The court stenographer then filed a motion to recover legal fees, despite the fact that then-Judge Bradley had already cut her a check for $16,000 to reimburse her for her legal costs. That led to the current run of subpoenas and records requests in which Thomason hoped to show a judge that the stenographer had already recovered her legal fees.

Judge Weaver's response to this lawful dig for pertinent records was to work in concert with the district attorney to bring charges against the pair -- claiming ridiculously that "Thomason would use the banking information on those checks for himself."

Weaver's accusations -- pushed past a grand jury by District Attorney Alison Sosebee -- are exactly that: she's accusing Thomason of seeking to take funds from Weaver's bank account. According to Count One of the indictment [PDF], Thomason's subpoena -- which sought front/back copies of checks issued from the account -- was nothing more than a failed attempt at identity fraud.

...with intent to unlawfully appropriate resources of said victim, contrary to the laws of this State…

The next count is just charge stacking: attempt to commit identity fraud. The third, however, seeks to make the filing of a public records request a criminal act.

…[w]hen the accused requested documents pursuant to the Open Records Act… to Robert P. Jones [Chairman of the Pickens County Board of Commissioners] and specifically requested "the actual cleared checks (front/back) that Pickens County had written to Judge Brenda Weaver and Judge Roger Bradley for Pickens County's portion of the quarterly operating account expenses for the judges from the years 2013, 2014, and 2015" and further stated "after reviewing only the checks written on behalf of Fannin County for the 2015 year and finding that, according to several banks, some of these checks appear to have not been deposited but cashed illegally," knowing the same to contain a false and fictitious representation…

In short, Judge Weaver claims the requesters lied on their request... which is apparently against the law... somehow. While the statute does forbid the use of false statements in documents submitted to officials, there's no indication it was meant to cover allegedly inaccurate assertions made in open records requests. On top of that, the quoted request makes it clear the assertion of illegality was made by "several banks," not the requesters themselves.

It could be that Judge Weaver is simply trying to shield courtroom employees from what she apparently views as harassing behavior. But the decision to handle the situation with a grand jury indictment, rather than litigating the open records request itself, definitely gives the situation the appearance of a concerted coverup. The subpoenas may be more legally questionable, but the application of this statute to an open records request looks like someone with a keen interest in keeping requested documents out of the hands of the journalist seeking them.

Permalink | Comments | Email This Story

Having the ability to sniff cellular traffic can be very helpful when analyzing certain mobile and IoT devices. One of the tools that we use to do this is a Range Networks OpenBTS 5150 unit. OpenBTS is open source software that simulates a GSM network-in-a-box using a Software Defined Radio (SDR) to transmit/receive GSM protocols, and route them appropriately to other phones and the internet. Inside the 5150, OpenBTS converts voice calls from your mobile phone into SIP messages and uses Asterisk to route calls to real phones using a VoIP provider or route locally to other phones connected to the OpenBTS. It also has software to send, queue, and receive SMS messages and to let you connect to the internet over GPRS. This allows you to create your own (small) GSM network enabling voice, SMS, and GPRS services. 

RangeNetworks now calls the 5150 their "OpenCell" product. The 5150 is a small PC ITX board running Ubuntu connected to a custom SDR. The PC runs the open source OpenBTS software and allows us to create a small 2G GSM network supporting GPRS in the 1900 frequency band (which is what the SDR came tuned to). This turned out to be perfect for testing in our lab to find a way to intercept the GPRS connection and to create a .pcap of collected traffic.

Note: If you are not familiar with GSM or telecommunications, you should know that every service provider (AT&T, T-Mobile, Verizon, etc) internationally has assigned Mobile Country Codes (MCCs) and Mobile Network Codes (MNCs). MCCs are a standard code defined by the International Telecommunications Union to allocate numeric codes to every country with cellular networks in order to distinguish between them, along with the help of the MNC. The MNC is used to identify network providers within a country (within a MCC). A MCC with 001 is used as a test network code, so for our setup, we used that. We were also keeping the RF power attenuated so we did not disrupt our neighbors.

Warning: Following these steps, you may disrupt cellular service to phones in the area. I take no responsibility for anything that happens to you or your neighbors if you try these steps. You do so at your own risk.

Here are the basic steps I went through:

1. Get OpenBTS running and connected to the Internet
2. Have a smartphone attached & registered on the voice and GPRS sides of OpenBTS
3. Sniff all the phone's packets and get a .pcap
4. Win.

Here's how we set it up to sniff GPRS traffic.

Equipment:

1. OpenBTS 5150 unit (aka OpenCell)
2. VGA Monitor
3. USB Keyboard
4. Wired internet connection
5. SIM Cards
6. SIM reader/writer
7. GSM compatible tri/quad-band phone

Step 1 - Get OpenBTS running and on the Internet

If you have never worked with OpenBTS, I recommend starting with their free O'Reilly book to get comfortable installing, configuring, and running the system. The book is well written and should help you get it up and running using a standard SDR, like an Ettus Research B210, foe example. We opted for a hardware solution using the 5150.

Image 1 - OpenBTS 5150 opened up in our lab and connected to a VGA monitor and USB keyboard (not pictured). Note the PC on the left & the custom SDR on the right.

The 5150 should automatically start the OpenBTS software. Once the system boots up, you can configure networking for Ubuntu by modifying /etc/services/networking to use static or dynamic IPs. We have DHCP in our lab so we left this alone. Note the last "pre-up" line was added, and is referenced, in the OpenBTS book:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/OpenBTS/iptables.rules

Once you've got it on the network, you can SSH to it for remote administration and the OpenBTS CLI. On to step 2!

Step 2 - Get a smartphone attached & registered on OpenBTS for voice and GPRS

Now the fun begins. I used the OpenBTSCLI (also documented well in the OpenBTS book) for configuring the GSM parameters so that we could connect actual phones. The RangeNetworks 5150 version of OpenBTS included a small web server and web application you could use to modify each of the parameters directly from a browser (which manipulates the underlying sqlite configuration database in /etc/OpenBTS/). This provides the easiest interface for configuring the system and adding subscribers, however you can achieve all this manually using the OpenBTSCLI (located at /OpenBTS/OpenBTSCLI). Here is a screenshot of the web GUI:

Image 2 - Screenshot of the "Wizard" browser based configuration showing the basic parameters.

The most important parameters here are GSM.Identity.MCC and GSM.Identity.MNC. I ensured these were set to our test network, 001 and 04, respectively. Our 5150 only supports one GSM frequency (Band 1900), so everything else can stay at default.

If you click "Full" at the top of the GUI, you can modify a LOT more of the parameters, including those specific to the GGSN. The GGSN is a node in the GSM core network, simulated by software in OpenBTS. The GGSN is essentially the router running DHCP & NAT inside the core network, and sits between the cell network and the Internet. It is what allocates an IP address to your phone when you are connected to your provider.

Each of the configuration parameters can be directly configured in the OpenBTSCLI using the 'config' command and a value, like so:

> config <param> <value>
# example
> config GSM.Identity.MNC 04
# Running config GSM.Identity.MNC simply prints the current value

The "Full" configuration window looks like this once you click "GGSN":

Image 3 - Screenshot of the "Full" wizard, under the "GGSN" tab. Highlighted in yellow are the critical parameters that must be set.

I highlighted in orange two parameters you should verify and change if incorrect: GPRS.Enable which must be "1", and GGSN.DNS which must be set to the IP for the router/DNS server for your network.

The last thing you need to verify is the GSM.LUR.OpenRegistration parameter. This parameter is crucial to configuring who and who is not allowed to attach and register to the network. This parameter's value must be a string that represents a regular expression for the IMSI number series allowed to attach. Below, I only want the IMSIs which start with 00104 (MCCMNC) to be able to connect to our system and no one else.

If you set this to ".*", the system will attach and register ANY IMSI in a phone with the correct frequency range. This would be "A Bad Thing"®, but great for testing and debugging purposes if you are having issues.

Image 4 - Control.LUR.OpenRegistration regex as seen in the web GUI. This can also be configured via command line as shown above using OpenBTSCLI.

The next step is to program a SIM using your SIM reader/writer to use the 001 04 network, cut it (if necessary for your phone), and pop it into your phone and power it on.

We used an Android Nexus 5 for testing. Once we put the SIM in, we had one last thing to do before sweet internet access at 2.5G speeds: we had to set the Access Point Name (APN) in "Settings ➝ Mobile Networks ➝ Access Point Names". An APN is what configures the connection to the gateway between the carrier's cellular network (or in our case, our test network) and the public Internet. The OpenBTS software requires an APN, but it can be anything, it just has to exist and must be enabled. I created a new APN since none existed on my phone, set the name to "test" and APN to "test", saved it, and enabled it. Also make sure "Data enabled" and "Data roaming" are enabled. See this Google page for reference. Here is how to verify & set your APN for iPhones.

To test if your phone attaches & registers on the network, try connecting to the network first (if your phone did not already automatically—it may if the other settings are automatically correct). Go to "Settings ➝ Under Wireless & Networks touch More ➝ Cellular/Mobile networks ➝ Network Operators" and select your OpenBTS's network. Ours is called "Range", but on some phones it simply appears as "001 04". If you select your new network and the phone says "Registered", congratulations! You have attached and registered your phone successfully.

You can easily test voice calls by dialing "2600", which is an echo test number setup in Asterisk by the OpenBTS software by default. If the call connects, you should be able to hear an echo of your voice. Success!

Lastly, let's try the Internet. This gave us some trouble and was a little flakey, but we were able to see it work. Make sure you are attached and registered, and on Android we looked for the "G" in the corner next to the signal strength bars. The G for GPRS shows the phone has registered a data connection and you can start browsing! Really really slowly. Try it! We noticed our OpenBTS did not maintain the GPRS connection for a long time (over 1-2 hours) consistently, but did work reliably if continued to be used. Rebooting the phone and rebooting the OpenBTS sometimes did the trick, but I found cold booting the OpenBTS was the most reliable method to get the GPRS connection to work properly.

3. Sniff all the phone's packets and get a .pcap

Now we can have some fun. Login to the OpenBTS over ssh and have your connected phone handy. As root on your OpenBTS host, you simply have to use tcpdump to sniff GPRS traffic and create a pcap of phone's traffic. Note: If you have multiple phones attached and registered on GPRS with your OpenBTS, this procedure will collect ALL of their traffic as it sniffs the OpenBTS tunneling GPRS network interface. Fortunately, you can filter by IP address in Wireshark later.

Here, you must specify the special sgsntun interface.

tcpdump -i sgsntun -s 1514 -w /path/to/file.pcap

This will run tcpdump until stopped, with a snaplen of 1514 bytes for standard packets, and write all the data collected to a .pcap specified with -w. Hit Ctrl-C to finish and save the .pcap. You can use scp/sftp to copy the file off to your local machine for analysis using Wireshark or your favorite pcap tool. That's it! You have successfully sniffed GPRS traffic from a smartphone over a GSM network.

4. Win.

That's all you have to do, which is quite a lot. This may seem a tedious process, and that's because it is, but it is a good method to obtain cellular traffic for testing and research. Be cautious to not turn your power too high, so as to not affect those around you, and remember to use test IMSIs and test MCC and MNC.

LG has been struggling for some time and has decided to shake up its mobile division by firing a few executives and replacing them with familiar faces.

We talk a lot on this blog about why it's getting harder to fix electronics. Not just because of how those devices are designed, but also because a lot manufacturers don't want anyone to know how to fix them. And those companies can issue legal threats to keep repair information - like schematics and repair manuals - out of public view. It looks like Louis Rossmann, an independent Apple repair tech, is fending off a legal attack from one of those companies. [...] For context, Louis does board-level repairs of Apple laptops. You can't do that and you can't teach other people how to fix boards without circuit schematics - which he shows on his channel. Most electronics companies don't share schematics with the public. And certain companies might argue that showing schematics on video is a violation of their copyright. (Louis, by the way, was one of the most vocal supporters of a Right to Repair law in New York that would have protected independent repair techs and given them more access to repair information. Apple's lobbyists killed the bill before it could be voted on.) Happy 4th of July, America.

A brief review of the many, many posts we've done here about the DMCA and its notice and takedown platform will reveal to even the casual reader that the whole thing is rife with complications, abuse, and inconsistencies. It can be a difficult realm to navigate, but there are times when an entity's claims of ignorance just don't ring true.

Which brings us to one independent Ford dealership that decided to simply yoink an image from a relatively new video game and use it to advertise automobiles.

A Boston-area Ford dealership is dealing with some internet blowback this afternoon after folks realized that the car-seller had swiped artwork from the indie game Firewatch to promote the “Ford Freedom” sales event.

The Consumerist link then provides a side by side comparison of the image from the game and the ad that the Ford dealership put out. As you will see, there wasn't even the barest attempt made to obscure the original image in any way.

So, yeah, they pretty much took an image from the game and slapped some copy on the front and pushed it out to potential car-buyers. That's pretty much as infringe-y as copyright infringement gets. And the use of the image is even somewhat ironic, given that Firewatch is a game that tasks you with traversing the wilderness entirely on foot and this is an ad for a car dealership.

The media began contacting Ford once folks on Twitter alerted the makers of the game to what the dealership had done. Ford washed its hands of the whole thing, stating that the dealership acted as an independent entity. The dealership, when contacted, pushed the calls off onto the dealership's advertising department. The advertising department just flat hung up on some inquirers, before emailing out its, um, "explanation."

The ad exec then wrote back to say clarify that “We always use DMCA compliant sites when getting images,” referring to the Digital Millennium Copyright Act. The ad guy claimed that the Firewatch image was obtained from a DMCA-compliant digital “wallpaper” site, but he seems to be confused about complying with the DMCA actually means.

Very confused, because obtaining an image from a site that complies with the DMCA doesn't suddenly make those images royalty-free, free to use in commerce, or even non-infringing themselves. All it means is that the site would comply with the notice and takedown procedure once alerted to an infringing work on its site. If no notice happens, the takedown might not happen either, which doesn't in any way render the image non-infringing.

The fact that we don't hear of this kind of thing happening more often is likely an indication that the actual rules within the DMCA and how copyrighted images can and can't be used in commercial ad copy is within the lexicon of most companies' advertising departments. This particular Ford dealership might want to give HR a call and get the ball rolling on some staff turnover.

Permalink | Comments | Email This Story