Brindle

The FBI's production of privacy impact assessments (PIAs) lags far behind its deployment of privacy-impacting technology. From facial recognition software to Stingray devices to its drone usage, the FBI has always violated privacy first and assessed the damage later. In some cases, it hasn't bothered to assess the impact at all, despite repeated assurances to questioning lawmakers that the required report (and it is required) is (forever) nearing completion.

Its biometric database, which pulls in photos from all over the place for its facial recognition software to peruse, rolled out without the required PIA in 2012. Two years later, the FBI is still promising Eric Holder that the PIA will be completed literally any month now, even as it hopes to have the system fully operational by the end of the 2014 fiscal year.

It has supposedly cranked out a PIA for its drone use -- again lagging far behind its first reported deployments in "late 2006." But the public apparently isn't allowed to know how the agency's drone use impacts its privacy. Instead of placing the assessment on its website for public viewing (the default method), the FBI has stashed it behind every shady government entity's favorite FOIA exception: b(5).

Here's the entirety of the "responsive documents" returned to MuckRock.

As Shawn Musgrave reports, the FBI withheld EVERYTHING.

Federal law requires the FBI to assess surveillance technologies for potential privacy and/or civil liberties issues. These technology assessments are typically prepared for public posting and review. When it comes to drones, however, the FBI has redacted these privacy reviews in full…

Even the cover sheets have been withheld. The reviews are recognizable only from their titles as provided on the disc of responsive documents sent in May: “1218644-0 - Drone PIA - Drone PIA.PDF” and “1218644-0 - Drone PIA - Drone PIA-Drone PIA Section 2.PDF.”

While the DOJ does allow for redactions and the withholding of documents for certain reasons ("classified, sensitive otherwise protected information"), it also requires responding agencies to file a document stating their reasons for withholding PIAs. The FBI also withheld this document -- assuming it even exists.

If I was a betting man, I'd say it's going to take a lawsuit to get this assessment released. The government's track record on transparency is horrific, even without the specter of "terrorism" or "drugs" being cited in the FOIA refusal. Since the FBI deals with both, it's a given that it will fight to withhold information that concerns its surveillance programs' impact on the public from the same public whose privacy it's invading. A Privacy Impact Assessment should never be private. While some information will probably need to be redacted, the complete refusal to release this document should be taken as an insult by the public, and as a further indicator of the government's inherent untrustworthiness.

Permalink | Comments | Email This Story

LAS VEGAS — Def Con is one of the world’s biggest hacker conventions, an annual gathering of security experts, cryptographers and at least a few people who could surreptitiously drain your bank account if they wanted. They come to Las Vegas to learn about the latest computer vulnerabilities and exploits, show off their skills, and […]

Last year, when hackers Charlie Miller and Chris Valasek showed they could hijack the steering and brakes of a Ford Escape and a Toyota Prius with nothing but laptops connected to the cars, they raised two questions: Could hackers perform the same tricks wirelessly, or even over the Internet? And even more pressing: Is your […]

The fight over the redactions of the CIA's torture report continue. Last week, Senator Dianne Feinstein noted that she and her staff were somewhat taken aback by the amount of redacted information when they received back the black ink-drenched copy of the executive summary to the $40 million, 6,300 page "devastating" report on the CIA's torture program prepared by the Senate Intelligence Committee. In response, James Clapper shot back that the redactions were "minimal" and over 85% of the document was free from black ink (it's not clear if he was counting the margins as well...).

Of course, as Marcy Wheeler has pointed out, this is just about the executive summary of the report -- which was specifically written to be published. In other words, the really "secret" stuff is in the rest of the report, but the 408 page exec summary was written with public disclosure in mind -- meaning that the Senate Intelligence Committee staffers certainly wrote it with the expectation that it would need few, if any, redactions. So the fact that large chunks of it were redacted immediately set off some alarms.

On Tuesday, multiple Senators on the Intelligence Committee spoke out angrily about the redactions. It kicked off with Feinstein who noted that the review her staff went through of the redactions shows that the censors are trying to hide information that should be public:

“After further review of the redacted version of the executive summary, I have concluded the redactions eliminate or obscure key facts that support the report’s findings and conclusions. Until these redactions are addressed to the committee’s satisfaction, the report will not be made public.

“I am sending a letter today to the president laying out a series of changes to the redactions that we believe are necessary prior to public release. The White House and the intelligence community have committed to working through these changes in good faith. This process will take some time, and the report will not be released until I am satisfied that all redactions are appropriate.

“The bottom line is that the United States must never again make the mistakes documented in this report. I believe the best way to accomplish that is to make public our thorough documentary history of the CIA’s program. That is why I believe taking our time and getting it right is so important, and I will not rush this process.”

Senator Carl Levin then came out with a much more strongly worded condemnation of the redactions suggesting that they were clearly designed to hide embarrassing information, which is not a legitimate reason for redactions:

“The redactions that CIA has proposed to the Intelligence Committee’s report on CIA interrogations are totally unacceptable. Classification should be used to protect sources and methods or the disclosure of information which could compromise national security, not to avoid disclosure of improper acts or embarrassing information. But in reviewing the CIA-proposed redactions, I saw multiple instances where CIA proposes to redact information that has already been publicly disclosed in the Senate Armed Services Committee report on detainee abuse that was reviewed by the administration and authorized for release in 2009. The White House needs to take hold of this process and ensure that all information that should be declassified is declassified.”

Senator Mark Udall issued a statement in which he notes that the "strategic" redactions are used to distort the nature of what's in the report:

"While Director Clapper may be technically correct that the document has been 85 percent declassified, it is also true that strategically placed redactions can make a narrative incomprehensible and can certainly make it more difficult to understand the basis for the findings and conclusions reached in the report. I agree wholeheartedly that redactions are necessary to protect intelligence sources and methods, but the White House must work closely with this committee to reach this goal in a way that makes it possible for the public to understand what happened.

"I am committed to working with Chairman Feinstein to declassify the Senate Intelligence Committee's study to the fullest extent possible, correct the record on the CIA's brutal and ineffective detention and interrogation program, and ensure the CIA learns from its past mistakes. And in light of the importance of the work the Senate Intelligence Committee has undertaken, I believe that the chairman should take all necessary time to ensure that the redactions to the executive summary are appropriate — not merely made to cover up acts that could embarrass the agency.

"The CIA should not face its past with a redaction pen, and the White House must not allow it to do so."

All three of those Senators are well aware of what's in the report, and it appears they recognize that the black ink was being used not to protect national security or "sources and methods" but rather to hide or distort the facts of the CIA's torture program.

Permalink | Comments | Email This Story

We recently wrote about Keith Alexander claiming that he's worth as much as $1 million a month (actually, the number is now being lowered to $600k) because he's magically come up with a totally brand new anti-hacking concept that will have many patents. As we noted, this story raised all sorts of questions. First, if he had such a brilliant idea to stop hackers, why didn't he use it back when he was in charge of the NSA and the US Cyber Command? His answer to that was that he magically came up with it after he left office in March. Of course, if that's the case, it's difficult to see how it can be worth many hundreds of thousands of dollars per month because it's a totally untested and totally brand new idea. He can't both be claiming that his years of NSA experience make it worthwhile and that this idea has nothing to do with his work at the NSA -- but he seems to be doing exactly that.

Either way, he's given an interview to the Associated Press in which he tries (and fails) to defend himself concerning the new operation, IronNet Cybersecurity:

"If I retired from the Army as a brain surgeon, wouldn't it be OK for me to go into private practice and make money doing brain surgery?" he asked. "I'm a cyber guy. Can't I go to work and do cyber stuff?"

The "brain surgery" analogy is not even close to be analogous. This is more like he was the administrator of an army hospital who has now retired and says, despite never having personally done a brain surgery, he's now invented a miraculous new way to do brain surgeries so powerful people have only dreamed of them before. Naturally, most people should be skeptical of such claims.

And, of course, most actual cybersecurity folks I know don't consider Alexander to really be a "cyber guy." He's not. Yes, he managed various groups that could hack into systems, but that doesn't make him any sort of expert on cybersecurity. Just the fact that he's diving into the murky waters of "behavioral modeling" as his anti-hacking technique should raise some flags. It's an area that has been talked about a lot, but solutions haven't been any good at all.

Is it possible that Alexander has broken through on an idea that has stumped many people who actually do spend all their time hacking away at systems, looking for security holes and how to fix them? Sure. It's possible, but it's improbable. And the claims by themselves should require significant proof before they're taken seriously. As we've said for years, ideas are one thing. Execution is another, and Alexander has shown no evidence that his solution is actually any good. So why are companies paying him upwards of six figures a month? Good question. It seems unlikely that they truly believe he has found the holy anti-hacking grail. It seems more likely that they like his government connections.

Permalink | Comments | Email This Story

I hate to sour the mood, but one day you’re going to die. It might be easier to ignore that fact, but all too often that’s exactly what we do, and in our wake we leave a mountain of complications that cause interfamily conflict, legal battles, and obnoxious amounts of wasted time.

We take day-to-day things, like E-Mail, for granted- but what if something were to happen to you? Would your entire account including your pictures, movies, and documents, collect dust and eventually disappear without someone who knows or who can recover your password?

Or perhaps just the opposite. Maybe you’ve got a lot of private facets of your life that you wish to remain private: could family or friends legally gain access to your account, uncovering some secrets that are so embarrassing that you blush in the afterlife?

Not if you use Google’s Inactive Account Manager, a feature I accidentally stumbled upon yesterday.

Here’s how it works:

• Set a time period after which, if you haven’t logged in for that duration, you’re considered inactive
• When that time approaches, Google will warn you via TXT and E-mail alerts
• Once officially deemed “inactive”, Google will notify up to 10 pre-selected contacts that you’re inactive
• These contacts will gain limited access to your account, based on settings you select
• You can set an auto-response for incoming e-mail, warning them of your inactivity

It’s a pretty brilliant solution if you’ve got the gusto to set it up- and you should. This tool could be especially valuable if you’ve disappeared without a trace, perhaps giving law enforcement additional information that leads to a resolution. I know, I know… this is a depressingly sinister topic, but a little preparation can go a long way.

You can even customize what Google services each separate contact can access (see above) and have a custom message prepared for each one (see below):

Almost got a little teary eyed typing that… and hopefully it never gets sent, but if it does, could be fun to leave a little custom goodbye to your loved ones. And honestly, having to write them in the first place provides a nice little sense of reflection on your life and what’s important.

The service isn’t perfect and there are two things I’d specifically like to see changed:

1. The minimum length before you’re considered “inactive” is 3 months. If I haven’t used Google services for 24 hours someone should probably start a search party. I can appreciate the reasons why the longer durations should be the default, but even a 1 month or 2 month option would make a lot of sense.
2. Certain services should have more fine grained access options. Perhaps I have some private e-mails in my account but they’re relegated to a certain tag or folder, why not allow users to selectively provide or deny access to these specific areas? Access to everything or nothing makes for some tough decision making.

Alternatively, if instead of being worried about giving people access you want to make sure nobody gets access, you can delete your entire account on the spot the moment you’re considered inactive.

Privacy paranoia people, weird fetish folks, cheating-on-your-spouse crapheads, and others take note: you’ll probably want to set this up right now. Or maybe you just don’t want family and friends dragging out the grieving process by hanging on every little word you’ve written, picture you’ve taken, etc…

Now that I’ve thoroughly depressed you, take a few minutes to reflect on the people most important to you, what you’d want to say to them in your absence, and if giving them access to your online identify would help them in any way.

We already covered how the CIA has admitted to and apologized for its spying on the Senate, but the CIA's official "unclassified" statement on the matter shows that what the CIA did was even worse than the initial allegations. Here's the basic summary, according to the CIA's Inspector General:

Agency Access to Files on the SSCI RDINet: Five Agency employees, two attorneys and three information technology (IT) staff members, improperly accessed or caused access to the SSCI Majority staff shared drives on the RDINet.

Agency Crimes Report on Alleged Misconduct by SSCI Staff: The Agency filed a crimes report with the DOJ, as required by Executive Order 12333 and the 1995 Crimes Reporting Memorandum between the DOJ and the Intelligence Community, reporting that SSCI staff members may have improperly accessed Agency information on the RDINet. However, the factual basis for the referral was not supported, as the author of the referral had been provided inaccurate information on which the letter was based. After review, the DOJ declined to open a criminal investigation of the matter alleged in the crimes report.

Office of Security Review of SSCI Staff Activity: Subsequent to directive by the D/CIA to halt the Agency review of SSCI staff access to the RDINet, and unaware of the D/CIA’s direction, the Office of Security conducted a limited investigation of SSCI activities on the RDINet. That effort included a keyword search of all and a review of some of the emails of SSCI Majority staff members on the RDINet system.

Lack of Candor: The three IT staff members demonstrated a lack of candor about their activities during interviews by the OIG.

So, the first bit we already knew. That's what Senator Feinstein initially revealed -- and Brennan pretended to deny, while actually admitting to the facts about them accessing the Senate Intelligence Committee's private network where they were storing documents for their investigation into the CIA's torture program.

We also knew that the CIA had bogusly reported the Senate staffers to the DOJ, claiming they had "improperly accessed" CIA information. However, now the CIA is admitting that "the factual basis for the referral was not supported." In other words, for all of Brennan's blustering about how awful the Senate staffers were and how they were breaking the law, it appears that the CIA knew they were making it up. That's really bad.

But it's the next item where things get really dicey. After all of this came out and Brennan told the CIA folks to knock it off, CIA people spied on the emails of the Senate staffers. Let's repeat that. After Feinstein had already made this public and called the CIA out on its spying of intelligence committee staff members and after Brennan told them to knock if off, the CIA went and directly spied on emails. The AP is further reporting that "the CIA used classified "hacking tools" and created a fake user account in an effort to retrieve documents the CIA believed the Senate staffers had improperly accessed."

This is a major problem, and something of a Constitutional issue, given the separation of powers. No wonder Mark Udall is demanding Brennan's resignation.

Oh, and then we find out that the CIA staffers involved "demonstrated a lack of candor" about all this during the internal investigation by the CIA? Sure, it's an intelligence agency that's built on lying, but it certainly looks like the culture of professionally lying all the time is pretty deep there. Over at Foreign Policy, Shane Harris has gone through the many statements Brennan made vehemently denying the spying. It appears that all of them were false and in some cases, blatant lies.

And, remember, this is only what the CIA has deemed worthy of revealing publicly. The full Inspector General report may be even more devastating.

Permalink | Comments | Email This Story

Last May, in President Obama's big speech at the National Defense University -- where he tried to establish his legacy as being the president to "end" the US's role in wars in Afghanistan and Iraq -- he did admit to the fact that the US "compromised our basic values -- by using torture to interrogate our enemies." That admission got somewhat lost in the wider scope of what he was saying, and thus, to this day, many government officials still refuse to call the CIA's torture program "torture."

However, at a press conference today, President Obama appeared to more breezily admit to it by noting "we tortured some folks." That seems like a... rather informal way to talk about war crimes, committed by the US government, which Obama himself refused to do anything about. Again, we feel the need to remind people that the only person in jail concerning the CIA's torture program... is the guy who blew the whistle on the program, John Kiriakou.

And, of course, the obedient White House press corps that Obama was speaking to didn't seem to probe. As Conor Friedersdorf points out, a good question a reporter might have asked in response would have been: How many people who were involved in torturing "folks" are still employed at the CIA?

Meanwhile, the president also said that he completely stands behind CIA director John Brennan, even following the revelations of the spying scandal (and, more importantly, Brennan's lies about the scandal).

“I have full confidence in John Brennan,” Obama said in a White House press conference. “I think he has acknowledged — and directly apologized to [Senate Intelligence Committee Chairwoman] Sen. [Dianne] Feinstein — that CIA personnel did not properly handle an investigation into how certain documents that were not authorized to be release to the Senate staff got somehow into the hands of the Senate staff.

“It’s clear from the [inspector general] report that some very poor judgment was shown in terms of how that was handled," Obama added. "Keep in mind, though, that John Brennan was the person who called for the IG report, and he’s already stood up a task force to make sure that lessons are learned and mistakes are resolved."

Yes, but John Brennan also angrily insisted that no spying was done (multiple times) and claimed that it was the Senate staffers his CIA employees were spying on who had broken the law, and even referred them to the DOJ for possible criminal prosecution -- all without any basis at all. Brennan hasn't shown that he's interested in "learning lessons" or "resolving mistakes." He took a reflexively bogus position, lying to defend the CIA. And this isn't the beginning. Much of this came about because of Brennan's earlier attempts to shred the Senate Intelligence Committee's report on how "we tortured some folks" by insisting it was inaccurate. It was only when the Senate Intelligence Committee was given (apparently by accident) an internal CIA report that confirmed their own findings, that Brennan was questioned about this, leading the CIA to start spying on the staffers.

This isn't the kind of thing you just wave away. All of this -- the torture, the coverup, the lying and the spying -- are pretty big deals. And it's immensely troubling that the insider DC response seems to be "eh, a few mistakes were made, but it's okay."

Permalink | Comments | Email This Story

This is the Darth Vader mask wood-burning stove built by Instructables member doddieszoomer. You can go to the Instructables website and follow his directions to build your own. Or you can follow the Google Maps directions to his house and steal this one. I'm kidding, please don't do that. Make your own. You'll do a way shittier job, but it will be your way shittier job. Just own it. Keep going for one more, less fiery shot. Thanks to hairless, who may or may not have gotten to close to the fire at some point.

This is a portrait-mode video (come on, lady -- you've had that phone for years!) of a teensy little girl somehow managing to hold on to the rotating barrel at the exit of a carnival funhouse and perform a loopty loop. How the hell did she do that? Was she squeezing it with her legs? Regardless, if the ringleader catches wind of this I've got the feeling somebody has a bright future as this carnival's next strongwoman. Me? I'm going to get a pair of fake tits and become the bearded lady. I'll kiss you for a nickel! Keep going for the video. Thanks to BBQ, who would have gone for two full rotations. Then a cotton candy and funnel cake.

Note: I'm pretty sure the censor bar is NOT covering her closest nipple in the brief clip at 1:10. I mean, not that I notice those sorts of things. This is clip from a 1997 VHS video titled 'How To Have Cybersex On The Internet'. Haha, I owned that one. A real cult classic. Apparently the protip on how to cybersex involves entering a chatroom and telling a stranger, "i'm very horny and im looking for some good cybersex are you interested?" If you're lucky, they'll respond, "yesssssssssss" like the make-believe stud in the video. Then it's just a matter of rubbing yourself/beating your meat against the desk until it's time to smoke a cigarette and take a nap. Bonus points for signing off before your partner finishes. Keep going for the video, maybe you'll learn a thing or two. Thanks to Michael M, who's still convinced cybersex involves sticking your penis in the hole of the CD-ROM tray. Ahahahahhahaha! No, Michael, that's called virtual sex (and it's awesome).

David Schwen | Wheel: Getty Hackers Charlie Miller and Chris Valasek have proven more clearly than anyone in the world how vulnerable cars are to digital attack. Now they’re proposing the first step towards a solution. Last year the two Darpa-funded security researchers spent months cracking into a Ford Escape and a Toyota Prius, terrifying […]

General Dynamics C4 Systems and NICTA are pleased to announce the open sourcing of seL4, the world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement. It is still the world's most highly-assured OS. And here's the code.

We've been covering the ridiculous ruling in the EU on the "right to be forgotten," which was interpreted to mean that search engines could be forced to delete links to perfectly truthful stories (and even if those stories are allowed to be kept online). Google has been trying to comply with the over 90,000 requests it has received -- nearly half of which it has approved -- and removed from its European searches. The company has been struggling to figure out how to comply with the ruling, and those struggles continue. Originally, it was going to place a notice on search results pages where links had been removed (like it does with copyright takedowns) alerting people that stories were missing. However, regulators told Google that would defeat the purpose. So now, Google's European search results show a message on nearly every search on a "name" that results might have been removed.

Either way, once Google started removing the requested stories, it did the right thing, alerting the websites that links were being removed. Of course, that just resulted in many of those publications writing about it, and bringing the original news back into the public eye.

In response to all of this, European regulators are apparently quite angry again, summoning representatives from Google, Yahoo and Microsoft (but mainly Google) to argue that the removals should be global, not just for Europe and that the companies should stop informing websites if their stories were removed. One hopes that these three companies would fight strongly against either such proposal. The idea that Europe can dictate how search engines in other parts of the world work is dangerous. We've already noted that a Canadian court seems to think it has similar powers, and that's going to create a huge mess. Any time courts and regulators in one country think they can dictate how websites work in other countries, that is creating a massive jurisdictional mess (where contradictory rulings may run into each other), as well as allowing oppressive states to claim they, too, have the right to dictate how the web works in more open countries.

As for blocking sites from being informed, that would clearly go against basic transparency principles, and lead to yet another huge mess for websites which will (quite reasonably) wonder why their stories have gone totally missing from Google searches (especially if forced to extend it around the globe).

Of course, the real problem here is with the original ruling. The idea that public information that is widely disseminated already can magically be made private because someone thinks it's embarrassing and that it's no longer important is simply a ridiculous assertion in the first place. All of the problems that have come in implementing this are because the initial premise -- trying to disappear public information -- is so messed up.

Permalink | Comments | Email This Story

Senator Ron Wyden is apparently getting tired of waiting for the White House to use up its buckets of black ink in redacting everything important in the Senate's big torture report. He's publicly pondering the idea of using Senate privilege to just release it himself.

As you may recall, the Senate Intelligence Committee spent years and $40 million investigating the CIA's torture program, and the 6,000+ page report is supposedly devastating in highlighting (1) how useless the program was and (2) how far the CIA went in torturing people (for absolutely no benefit) and (3) how the CIA lied to Congress about all of this. The CIA, not surprisingly, is not too happy about the report. At all. Still, despite its protests, the Senate Intelligence Committee voted to declassify the executive summary of the report.

However, the CIA got to take first crack at figuring out what to redact, which seemed like a massive conflict of interest. Either way, the CIA apparently finally ran out of black ink in late June, and asked the White House to black out whatever else was left. The State Department has already expressed concerns that releasing anything will just anger the public (our response: probably should have thought of that before sending the CIA to torture people). And, now it appears the report is being held up due to "security" concerns.

At least some are getting anxious about this. Senator Wyden has apparently deliberately mentioned Senate Resolution 400 to two separate reporters recently. The key part of Resolution 400 is as follows:

The Select Committee may, subject to the provisions of this section, disclose publicly any information in the possession of such committee after a determination by such committee that the public interest would be served by such disclosure. Whenever committee action is required to disclose any information under this section, the committee shall meet to vote on the matter within five days after any member of the committee requests such a vote. No member of the Select Committee shall disclose any information, the disclosure of which requires a committee vote, prior to a vote by the committee on the question of the disclosure of such information or after such vote except in accordance with this section

Now, this still means he'd need to get the rest of the Committee to go along with the plan, which could be difficult. But, really, it seems that this move is just an effort to remind the White House that if it keeps dragging its feet, the Intelligence Committee (the majority of whom have already supported releasing this document) can take matters into its own hands.

Permalink | Comments | Email This Story

Leave your ring of cut-brass secrets unattended on your desk at work, at a bar table while you buy another round, or in a hotel room, and any stranger---or friend---can upload your keys to their online collection.

Human Rights Watch has just published a report containing the facts needed to back up everyone's suspicions that the FBI counterterrorism efforts are almost solely composed of breaking up "plots" of its own design. And the bigger and more high-profile the "bust" was, the better the chance that FBI agents laid the foundation, constructed the walls… basically did everything but allow the devised plot to reach its designed conclusion. (via Reason)

All of the high-profile domestic terrorism plots of the last decade, with four exceptions, were actually FBI sting operations—plots conducted with the direct involvement of law enforcement informants or agents, including plots that were proposed or led by informants. According to multiple studies, nearly 50 percent of the more than 500 federal counterterrorism convictions resulted from informant-based cases; almost 30 percent of those cases were sting operations in which the informant played an active role in the underlying plot.

Of those four exceptions, two (Boston Bombing/LAX shooting) were successfully pulled off. Feeling safer with the g-men's increased focus on preventing terrorist attacks?

Within the report is even more damning information that shows the FBI preyed on weak individuals in order to rack up "wins" in the War on Terror.

Although an FBI agent even told Ferdaus’ father his son “obviously” had mental health problems, the FBI targeted him for a sting operation, sending an informant into Ferdaus’ mosque. Together, the FBI informant and Ferdaus devised a plan to attack the Pentagon and US Capitol, with the FBI providing fake weaponry and funding Ferdaus’ travel. Yet Ferdaus was mentally and physically deteriorating as the fake plot unfolded, suffering weight loss so severe his cheek bones protruded, loss of bladder control that left him wearing diapers, and depression and seizures so bad his father quit his job to care for Ferdaus. He was eventually sentenced on material support for terrorism and explosives charges to 17 years in prison with an additional 10 years of supervised release.

Those that weren't weak enough were broken.

Abu Ali, a US citizen, was swept up in a mass arrest campaign in Saudi Arabia in 2003. Ali alleged being whipped, denied food, and threatened with amputation, and ultimately provided a confession he says was false to Saudi interrogators.

Ali was given a life sentence and is currently serving it at a Supermax prison.

Uzair Paracha was held in solitary confinement for nearly two years before he was convicted on charges of material support. Nine months after his arrest and while he was refusing to take a plea deal, the federal government moved Paracha to a harsh regime of solitary confinement pursuant to Special Administrative Measures (SAMs)—special restrictions on his contact with others imposed on the grounds of protecting national security or preventing disclosure of classified material—ostensibly due to ties with Al-Qaeda. For a time, Paracha was only permitted to speak to prison guards.

As much as the DHS and FBI have stated concerns about "radicalization" and domestic terrorism, those captured in FBI sting operations were strongly pushed in that direction by informants and undercover agents. The FBI created threats where none existed.

In many of the sting operations we examined, informants and undercover agents carefully laid out an ideological basis for a proposed terrorist attack, and then provided investigative targets with a range of options and the weapons necessary to carry out the attack. Instead of beginning a sting at the point where the target had expressed an interest in engaging in illegal conduct, many terrorism sting operations that we investigated facilitated or invented the target’s willingness to act before presenting the tangible opportunity to do so. In this way, the FBI may have created terrorists out of law-abiding individuals.

This sort of activity should have been treated as "own goals" by the agency and some of the more credulous press. Instead, these busts are touted as evidence of the agency's superior skill and effort, something more closely related to extolling the prowess of someone who has just scored on an empty net.

The FBI took a man whose main hobbies were "watching cartoons" and "playing Pokemon," a man who a forensic psychologist described (during the trial) as "highly susceptible to the suggestions of others" and fashioned him into a supposed terrorist. The planned subway bombing never happened, thanks to the FBI's keenly-honed ability to capture terrorists it created. Arrested with the would-be subway bomber was his "co-conspirator," a high school dropout with drug problems and clinically-diagnosed paranoid schizophrenia.

There's much, much more in the report. Human Rights Watch's investigative work was made extremely difficult by the FBI's disingenuous counterterrorism efforts over the last decade, which made many in the Muslim communities affected deeply suspicious of people who asked too many questions.

There's nothing to celebrate about victories like these. The emphasis on creating plots just to shut them down diverts resources from actual threats -- ones arising without huge amounts of FBI prompting. All this does is ensure the agency's anti-terror funding remains intact -- money that will be largely wasted on the FBI's sting operation Ouroboros. And while the FBI plays with its terrorist dress-up dolls, the real threats will go undetected.

Permalink | Comments | Email This Story

As expected, President Obama outlined basic plans for ending bulk collection of phone records. While the actual details of the plan still haven't been revealed, apparently, the administration has some "enabling legislation" ready to go, which it hopes Congress will pass "quickly." In response to this, Senator Patrick Leahy pointed out that while he's very supportive of the move to end bulk collection of phone records, there's a much easier way to accomplish that. The authority to do so technically runs out on Friday of this week, so if the President wants to end the program, he can just not seek to renew the authority:

I look forward to having meaningful consultation with the administration on these matters and reviewing its proposal to evaluate whether it sufficiently protects Americans’ privacy. In the meantime, the President could end bulk collection once and for all on Friday by not seeking reauthorization of this program. Rather than postponing action any longer, I hope he chooses this path.

Anyone setting odds on the likelihood of this actually happening?

Permalink | Comments | Email This Story

Maybe it's just because I'm an editor, but I think that Weird Al Yankovic's latest song, "Word Crimes"—a parody of Robin Thicke's kinda-creepy song "Blurred Lines"—is a masterpiece. Flossers obviously know the difference between its/it's and there/their/they're, but you'll still probably get a kick out of the lyric video, which you can watch below.

"Word Crimes" comes just a day after Yankovic released "Tacky," a parody of Pharell Williams' "Happy," which is also pretty great. You can get your copy of his new album, Mandatory Fun, here.

Ars Technica's Cyrus Farivar filed a FOIA request for the Passenger Name Records (PNRs) that had been stored by the federal government concerning his own travel history. PNRs are created by travel companies (airlines, hotels, cruise lines) whenever you book a reservation, and are then handed over to the government. After an appeal, Customs and Border Patrol turned over the records, showing that airlines (1) record a ton of information about you every time you book a flight and (2) hand over all that information to the government. Bizarrely, this includes the credit card number and IP address you used to book your travel, and it appears that the airlines and the US government are ignoring the most basic of cybersecurity protections in that they store the credit card info in the clear. The fourth line in the record above is Farivar's (long-expired and changed) full credit card. While it may not seem like a huge surprise that the government is basically snooping on everything you tell the airlines (including seat changes, food preferences, any special assistance you might need, etc.), it's stunning that they're passing around and storing credit card info in the clear.

Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.

“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”

Farivar also notes that the CBP publicly states that the info is kept for five years, but his own records go back to March of 2005 -- suggesting that the CBP is hanging onto all this info for a lot longer. Of course, as we've seen in the past, if there's one government agency that appears to be able to get away with anything with absolutely no oversight at all, it's Customs and Border Patrol. However, this seems like a fairly serious problem. Beyond the 4th Amendment questions it raises about why they're getting all this information on Americans, it seems like they're creating a much bigger security risk in storing (and passing around) all such info in the clear.

Permalink | Comments | Email This Story

We've seen silly trademark suits over all kinds of things before. Common phrases come to mind, as do petty politicians going after parodies and the government feeling it necessary to trademark groups of American heroes lest the House of Mouse gobble them up. The point is we see a lot of dumb 'round these parts, but we rarely see that dumb mixed with sexy.

But now, thanks to The Tilted Kilt franchise going after golf club for having some of their staff wearing completely different looking kilts, we apparently can't say that any longer. The club in question is the Kilted Caddy Club, a golf course that provides female caddies in kilts for some of their golf tournaments, because nothing helps a man concentrate on sinking that twenty-foot sloped birdie putt like a nice pair of legs. The Tilted Kilt franchise, in case you aren't aware, provides bar/restaurants in which scantily-clad women in kilts and low-cut button-down shirts serve you sub-par food while the worst music you can imagine plays around you and your fellow degenerate friends. In other words, we're dealing with two quality organizations here. Well, apparently one side of this equation got their kilts in a bunch to the point of filing a very silly trademark claim.

The Tempe, Ariz.-based Tilted Kilt, which has nearly 100 locations nationwide including one at Broadway at the Beach, says in court documents that the caddy club is copying its distinctive and trademarked “uniforms,” thereby, confusing consumers into thinking the two businesses are related. The Tilted Kilt has asked a judge for a permanent injunction against the Kilted Caddy Club’s use of its name and tantalizing tartan uniforms, as well as unspecified monetary damages.

Now, let's start off with the obvious problem: the two companies aren't in the same line of business. One is a golf course (that of course has a clubhouse bar and food, but meh), the other is a bar/restaurant. They aren't competing against one another. That should probably be enough to toss this thing out already. Add to that the fact that the two uniforms aren't really all that similar beyond incorporating a bastardization of a traditional Scottish kilt, and it's all the more difficult to see this going anywhere. Judge for yourself. Here are some women in their Tilted Kilt uniforms, making their parents proud:



And here are some women from The Kilted Caddy Club.

Now, while it is true that the golf course put out some advertisements for events with girls dressed in garb more similar to Tilted Kilt girls, they still aren't competing against one another and no moron in a hurry is going to think that the restaurant company suddenly went into the golf course business and failed to use their brand name. And besides all of that, the idea of preventing a golf course, a game with Scottish origins, from having a Scottish theme, is sort of silly on its face. Still, because this is a trademark dispute, it must devolve into a silly linguistics lesson from the club's lawyer, Dan Polley.

Polley said, there should be no confusion over the names because the restaurant chain uses the word “tilted” as an adjective for the noun “kilt” while the caddy club uses “kilted” as an adjective for the noun “caddy.”

“The respective marks do not have any closeness in appearance, sound or meaning,” Polley said. “Coupled with the fact that our client’s services are provided solely at its Scottish theme golf course, the chance for confusion is remote.”

Or how about, rather than having everyone get their MLA handbooks out, maybe two companies not competing against each other just don't have to find themselves battling in court. That work for everyone?

Permalink | Comments | Email This Story

The self-assured nature of federal prosecutors can be quite insane. We've talked many times in the past about how the criminal justice system is completely rigged against anything remotely looking like fairness. From grand juries to plea bargains to sentencing guidelines, the entire system is designed to make anyone who enters it presumed guilty until their spirit is crushed and destroyed. In the last few years we've noted an even more disturbing trend: law enforcement creating their own plots, in which they lure (often gullible or marginalized) individuals into a convoluted criminal "plot" in which nearly all of the other players are fellow law enforcement folks (or informants). They then build up this big plot... wait until it's about to go off (knowing it'll never actually happen) and then arrest those they lured into it. It has happened over and over and over and over and over and over and over and over and over and over and over and over again. Courts have found that this is technically not "entrapment," even though it sure appears to come close to it.

That's why we were quite happy to see a federal judge finally call out one of these questionable plots. Earlier this year, we wrote about Judge Otis Wright (whose name you may recall from the beatdown he gave Team Prenda) calling out one of the ATF's homegrown criminal plots for "outrageous government conduct" in creating a "made up crime." Wright detailed how the government picked details of the entirely fictional plot at levels to guarantee felony charges, and also accused it of "trawling... poverty-ridden areas" in a "fishing expedition" dangling huge riches on people who have no money. He further noted that nearly all of the elements of "the crime" were done by the ATF:

But for the undercover agent’s imagination in this case there would be no crime. The undercover agent invented his drug-courier persona, the stash house, the 20 to 25 kilograms of cocaine supposedly inside the stash house, the two individuals supposedly guarding the stash, the need to use weapons, and the idea of robbing the stash house. He even provided the putative safe house and getaway van. Dunlap brought little to the table besides his sheer presence and perhaps the hope of being able to obtain some quick cash.

[....] ...here, the undercover agent provided a getaway van, putative safe house, and�”most important of all�”the entire scheme and its fictitious components. He also alleviated Defendants’ logistical and safety concerns when he “proposed that he would be inside the stash house at the time of the robbery . . . .” ...

So, how did the DOJ respond to this setback? Well, via Brad Heath, we see that the DOJ has gone to the appeals court to demand a new judge, accusing Judge Wright of being biased. Seriously.

Reassignment is warranted “to ensure not only the existence, but the appearance, of impartiality,” such as when “the district judge . . . may be viewed as having assumed the role of advocate.” ... Here, as Dunlap himself has suggested..., the district court’s tone and actions have created the appearance of hostility to the government.

As set forth earlier, the court’s tone has not been one of impartiality. To be sure, a holding of “outrageous” conduct necessarily entails strong language�”condemnation is built into the very standard. But even so, the court’s comments are extreme: accusing the government of “lead[ing] us into temptation”; of “stoop[ing] to the same level as the defendants it seeks to prosecute” and “creating crime”; of targeting people simply for being poor or for having bad thoughts; and of being “cold-blooded and heartless.” Similar is the court’s refrain that the crimes of conviction were “fake,” “trumped up,” “cut from whole cloth,” or “made up”�”after all, it was Hudson who initiated contact, the defendants showed up with guns, one of which Whitfield boasted could cut a man in half.... Similar, too, is the court’s repeated criticism of the investigation as a “trawling” expedition where bait was “dangled” “irresistibl[y]” before poor, ignorant defendants.

It is not just that the substance of the court’s accusations is wrong: merely erring is not grounds for reassignment. It is that the tone creates the appearance of hostility toward a government “oppressor.” ... And that tone is not limited to the court’s description of historical facts: it has been also dismissive to government counsel during hearings.

In short: because the judge called out the ATF and the DOJ for its outrageous behavior, that proves that the judge is biased and therefore unfit to hear the case. Only judges that accept our outrageous behavior are reasonable and should be allowed to hear our cases.

This is the attitude of federal prosecutors. The entire system is already rigged to support us, so if a judge somehow actually pushes back on something we did, then clearly he's the problem, rather than our outrageous behavior.

Permalink | Comments | Email This Story

There are a lot of great courses and resources out there for learning Android development already, but what would be better than learning from the folks who created the mobile OS? That’s exactly what you have the opportunity to do thanks to Udacity’s newest course.

The course is named Developing Android Apps: Android Fundamentals, an 8 week ordeal that’ll have you learning everything from installing Android Studio and creating your first simple app to using advanced, responsive layouts, notifications, intents, content providers and more to make feature-filled Android apps. You’ll be learning all this from Googlers like Reto Meier, Katherine Kuan and Dan Galpin, all of whom have extensive experience with Android.

The best part is that it’s free to enroll and follow along if you aren’t interested in paying anything. Pay $150 per month and you’ll get the whole kit and kaboodle. Here’s the breakdown of what is and isn’t included in each track:

Sounds worth the money to me. I should note that this course won’t be meant for folks entirely new to software engineering and object oriented programming. You shouldn’t enroll if you don’t already have any development experience as they likely won’t be slowing down for anyone who doesn’t know what a class or a variable is.

In fact, they exclaim that you should have “strong” working knowledge of Java or any other object-oriented programming language (such as C#). Fortunately there are introductory programming courses (Computer Science 101 and Introduction to Java Development) available from the same site for those of you who aren’t quite “there” yet.

But if you think you’re up to the task and want to learn how to develop quality Android apps (so you can make the next “Yo” or something) then there’s no good reason you shouldn’t give it a try. Udacity has everything you need right here.

 

The schedule for the 2014 Linux Security Summit (LSS2014) is now published.

The event will be held over two days (18th & 19th August), starting with James Bottomley as the keynote speaker.  The keynote will be followed by referred talks, group discussions, kernel security subsystem updates, and break-out sessions.

The refereed talks are:

• Verified Component Firmware – Kees Cook, Google
• Protecting the Android TCB with SELinux – Stephen Smalley, NSA
• Tizen, Security and the Internet of Things – Casey Schaufler, Intel
• Capsicum on Linux – David Drysdale, Google
• Quantifying and Reducing the Kernel Attack Surface -  Anil Kurmus, IBM
• Extending the Linux Integrity Subsystem for TCB Protection – David Safford & Mimi Zohar, IBM
• Application Confinement with User Namespaces – Serge Hallyn & Stéphane Graber, Canonical

Discussion session topics include Trusted Kernel Lock-down Patch Series, led by Kees Cook; and EXT4 Encryption, led by Michael Halcrow & Ted Ts’o.   There’ll be kernel security subsystem updates from the SELinux, AppArmor, Smack, and Integrity maintainers.  The break-out sessions are open format and a good opportunity to collaborate face-to-face on outstanding or emerging issues.

See the schedule for more details.

LSS2014 is open to all registered attendees of LinuxCon.  Note that discounted registration is available until the 18th of July (end of this week).

See you in Chicago!

UPDATE: Presumably satire. FAKE HAIR, DON'T CARE. Pubic hair, do care -- especially if it's in my fast food. This is a North Korean news report claiming the country made it to the World Cup final against Portugal (because why not lie about everything) after defeating Japan 7-0, the US 4-0 and China 2-0 in the group stage. I can only assume there was a news report after claiming North Korea won the cup. Plus has a base on Mars, has cured every kind of cancer, and invented toilet paper that never leaves butt crumbs no matter how vigorous you wipe. Keep going for the subtitled video. Thanks to Rhydonal, who is a fair and just ruler and would never lie to his subjects.

Note: Worthwhile larger version of the above pic HERE. This is the Enterprise, NASA's concept for a warp-drive spaceship capable of interstellar travel. Interstellar means between stars. So this is a spaceship that could travel between stars. Impressive, but I only need a spaceship that can get me to the surface of the sun and back. "There is no coming back from the sun." *wink* I know.

It's not a fantasy sci-fi ship but a concept based on the equations of Dr. Harold White--lead at NASA's Eagleworks Advanced Propulsion Physics Laboratory--who also works in ion engines and plasma thrusters. Dr. White--whose daily life is working in future propulsion solutions for interplanetary travel in the near future, like ion and plasma thrusters--developed new theoretical work that solved the problems of the Alcubierre Drive concept, a theory that allowed faster-than-light travel based on Einstein's field equations in general relativity, developed by theoretical physicist Miguel Alcubierre. A spaceship equipped with a warp drive would allow faster-than-light travel by bending the space around it, making distances shorter. At the local level, however, the spaceship wouldn't be moving faster than light. Therefore, warp drive travel doesn't violate the first Einstein commandment: Thou shall not travel faster than light.

The feasibility of building a space-bending warp-drive aside, I don't care how we get out of this solar system to go explore other worlds, just as long as we do it. If you told me you could shoot me out of a cannon to Alpha Centauri I would already have my crash helmet on. The sad fact is, NASA will never receive the funding to build an interstellar spaceship. People don't care enough. NASA would be lucky to receive the funding to build a model OF A MODEL of this spaceship OUT OF POPSICLE STICKS. Now I'm depressed, somebody come cheer me up. "I'll send a clown." Cool, I'll send a thank-you note with anthrax. Keep going for more shots. Thanks to maiaolorin, Wilmersama and John A, who already filled out the paperwork to be astronauts on the first interstellar journey but I ripped up their applications so mine will be the only one in the pile when it comes time to pick the crew.

Shortly after the Snowden leaks began exposing the NSA's massive collection efforts, the New York Times uncovered the DEA's direct access to AT&T telecom switches (via non-government employee "analysts" working for AT&T), from which it and other law enforcement agencies were able to gather phone call and location data.

Unlike the NSA's bulk records programs (which are limited to holding five years worth of data), the Hemisphere database stretches back to 1987 and advertises instant access to "10 years of records." And unlike the NSA's program, there's not even the slightest bit of oversight. All law enforcement needs to run a search of the Hemisphere database is an administrative subpoena -- a piece of paper roughly equivalent to calling up Hemisphere analysts and asking them to run a few numbers. Administrative subpoenas are only subject to the oversight of the agency issuing them.

It's highly unlikely these administrative subpoenas are stored (where they could be accessed as public records) considering the constant emphasis placed on parallel construction in the documents obtained by Dustin Slaughter of MuckRock -- documents it took the DEA ten months to turn over.

Unlike the documents obtained by the New York Times (possibly inadvertently), these do contain a few redactions, including some apparent success stories compiled at the end of the presentation. But like the earlier documents, the documents show that the DEA and law enforcement have unchecked access to a database that agents and officers are never allowed to talk about -- not even inside a courtroom.

It is expected that all Hemisphere requests will be paralleled with a subpoena for CDRs from the official carrier for evidentiary purposes.

It's spelled out more explicitly on a later slide, listed under "Official Reporting."

DO NOT mention Hemisphere in any official reports or court documents.

Judging from the request date, it would appear that this version of the Hemisphere presentation possibly precedes the New York Times' version. However, this one does not name the cooperating telco, although that appears to be a deliberate choice of the person writing the presentation, rather than due to redaction. At one point the document declares Hemisphere can access records "regardless of carrier," but later clarifies that it will only gather info that crosses certain telecom switches -- most likely AT&T's. Additional subpoenas will be needed to gather info from other carriers, as well as to obtain subscriber information linked to searched numbers. This small limitation plays right into the DEA's insistence that Hemisphere be "walled off" from defendants, court systems and the public.

If exigent circumstances make parallel construction difficult, Hemisphere analysts (non-government liaisons within the telco) will "continue to work with the investigator throughout the entire prosecution process in order to ensure the integrity of Hemisphere and the case at hand." Analysts are allowed to advise investigators on report writing, presentations to prosecutors and issues occurring during the trial phase. The word "integrity" seems out of place when it describes non-government employees assisting government agencies in hiding the origin of evidence from other government agencies.

Cross-referencing what's been redacted in this one with the unredacted document published earlier, it appears as though the DEA is trying to (belatedly) hide the fact that its Hemisphere can also search IMSI and IMEI data (for wireless connections). Although this document states (after a long redaction) that Hemisphere does not collect subscriber information, that's only partially true. As of July 2012, subscriber information for AT&T customers can be obtained from the database. This information may have been redacted or it may be that this presentation pre-dates this added ability.

What this shows is that the DEA has access to loads of information and a policy of "parallel construction in all things." Tons of other government agencies, including the NSA, FBI and CIA are funneling information to the DEA and instructing it to hide the origin. The DEA then demands law enforcement agencies around the nation to do the same thing. This stacks the deck against defendants, who are "walled off" from the chain of evidence, preventing them from challenging sources, methods or the integrity of the evidence itself.

Permalink | Comments | Email This Story

So, yesterday we wrote about the already bizarre lawsuit filed by Jason Lee Van Dyke, a Texas lawyer, on behalf of Shelby Conklin, against a revenge porn site, Pinkmeth, and (even more ridiculous), the Tor Project. There were many, many problems with the lawsuit, starting with the cluelessness of Van Dyke in going after the Tor Project, when he clearly had no idea what it was or did, or any idea about how Section 230 of the CDA works (in fact, it appears he misrepresented a similar case, in which GoDaddy was protected by Section 230). There were also some problems with the First Amendment aspects of this, and Van Dyke's argument that aiding someone in being anonymous was some sort of aiding and abetting of law-breaking. Thankfully, this morning Van Dyke admitted that he was dropping the Tor Project from the lawsuit -- though he doesn't appear to have apologized or admitted to his own errors. Instead, it appears he's been doubling down -- which we'll get to later in this post.

But first, the story has taken a different twist, as Jay Wolman in our comments pointed to something even more bizarre: Van Dyke claimed that Pinkmeth's "address" (also where he had the lawsuit served) was the same address as Kyle Bristow, Esq. Pinkmeth had previously facetiously indicated that Bristow was its attorney (and uses a picture of Bristow on its Twitter account). But it's clear that whoever is behind Pinkmeth is joking. Bristow and Van Dyke have worked together to try to shut down revenge porn sites like Pinkmeth in the past, and Pinkmeth is clearly mocking Van Dyke by claiming that Bristow is its lawyer.

But Van Dyke still "served" Pinkmeth at Bristow's offices, knowing that it's bogus. As Wolman notes, since Van Dyke knows this is not actually Pinkmeth's offices, what he's done clearly borders on "fraud on the court." Meanwhile, our friends at Above the Law have even more on this situation, including the fact that Bristow was declared the leader of a hate group while he was in college, who has openly advocated racist and homophobic positions.

As for why Bristow, who appears to have rather stone-aged views of the world, is now focused on fighting revenge porn? Well, his argument kind of speaks for itself:

“Revenge pornography is nothing more than a manifestation of liberalism,” Bristow said. “Most victims on revenge pornography websites are young, white, blonde, middle class, American women. Women who the pornographers can link to conservatism or Christianity are especially targeted for harassment.”

Yes, as Above the Law notes, Bristow is against revenge porn because it's "defiling white blondes in an effort to undermine Christianity." As bad as we think revenge porn sites and their operators are, somehow I doubt that's the goal. Either way, Van Dyke pretending to believe that his buddy Bristow actually represents Pinkmeth is just the latest in a long line of problems with the lawsuit...

Meanwhile, as another commenter on our original story pointed out, Van Dyke appears to be freaking out on Facebook, threatening to sue people who are posting negative reviews of his firm: Sometimes, combined with the threats of lawsuits, he directly threatens physical harm on people: And, much of the rest of the time, he's displaying just the sort of "professionalism" we're sure that the Texas bar approves of: Separately, when someone sent him a copy of my original article, he laid out his own "legal strategy," in which he explains that he's filing this on the expectation that Pinkmeth will default and then he'll get his injunction (some of the companies that he's seeking the injunction to apply to may have a word or two to say about that). Oh, and at the end, he flat out admits that "it's my job to violate the civil rights of people like you." Lovely.

Permalink | Comments | Email This Story