Homeland Security Is Going to Get in Your Face

If you thought Homeland Security checkpoints were intrusive, just wait until they start getting in your face.  An op-ed in the New York Times:
the Department of Homeland Security is making considerable progress on a computerized tool called the Biometric Optical Surveillance System. The system, if completed, will use video cameras to scan people in public (or will be fed images of people from other sources) and then identify individuals by their faces, presumably by cross-referencing databases of driver’s license photos, mug shots or other facial images cataloged by name . . .

At the moment, there is little to no regulation or legal oversight of technologies like the Biometric Optical Surveillance System. We need to implement safeguards to protect our civil liberties — in particular, our expectation of some degree of anonymity in public.
The Department of Homeland Security is not the only agency developing facial-surveillance capacities. The Federal Bureau of Investigation has spent more than $1 billion on its Next Generation Identification program, which includes facial-recognition technology. This technology is expected to be deployed as early as next year and to contain at least 12 million searchable photos.

Facebook: "All Your Data Are Belong to Us"

Just in case there was any doubt, Facebook pwns your data.  From the WSJ:
Goaded by a court decision, Facebook just wants to make it clear: they really can use everything they know about you – including your face.
The company announced Thursday that it was updating its privacy policies to clarify how the personal information of its more than 1 billion users gets collected and used by advertisers. In a blog post, Chief Privacy Officer Erin Egan outlined section-by-section changes to two legal documents, the Data Use Policy and the Statement of Rights and Responsibilities.
“As part of this proposed update,” Egan says, “we revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services.”

The Data Security Defense Race

Are we in for a defense and arms race between tech firms or groups dedicated to user privacy and government or corporate entities that seek to undermine that privacy?  From Wired:
Technology companies are enabling security features that make certain types of government surveillance extremely difficult, and it’s a trend that’s set to continue. That’s why the U.S. government has long wanted laws that force tech companies to make their products wiretap friendly. . . .

In fact, advancements in the usability of cryptographic protocols have made anti-surveillance features relatively simple for technology companies to bake into their communications products. And public demand for greater security and privacy in the wake of Edward Snowden’s revelations may make it virtually obligatory for them to do so before new wiretapping laws can be introduced.

This heralds a looming standoff between technology companies and government . . . 

Password Security: Is Bigger Better?

From Ars Technica:
For the first time, the freely available password cracker ocl-Hashcat-plus is able to tackle passcodes with as many as 55 characters. It's an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets.
Until now, ocl-Hashcat-plus, the Hashcat version that can use dozens of graphics cards to simultaneously crack huge numbers of cryptographic hashes, has limited guesses to 15 or fewer characters. (oclHashcat-lite and Hashcat have supported longer passwords, but these programs frequently take much longer to work.) Released over the weekend, ocl-Hashcat-plus version 0.15 can generally accommodate passwords with lengths of 55 characters. Depending on the hash that's being targeted and the types of cracking techniques being used, the maximum can grow as high as 64 characters or as low as 24.

New Gadget Provides Electrical Shock to Deter Facebook Use

From the LV Guardian:
Two PhD candidates were tired of being addicted to Facebook. They are after all, extremely busy with studying and need less interruptions and more focus. These two scholarly-aimed students decided to create an end to their Facebook distraction. Robert R. Morris and Dan McDuff put their collectively intelligent minds together, and devised a novel way to stop wandering minds and mouse clicks. The video at the end of this article, shows how the Pavlov Poke works. It is an accessory for the keyboard, where a user’s wrist rests upon it. Script is inputted for specific sites, say like Facebook; once the user has moved over to that site for a specific amount of time, the system releases a shock to jolt the user back to their studying habits . . .

Taxpayers Cover Costs of their Own Illegal Surveillance

From Engadget:
The mounting national debt? Yeah, you're probably better off just ignoring why exactly it's mounting. The Guardian is continuing to blow the lid off of the whole NSA / PRISM saga, today revealing new documents that detail how the NSA paid out "millions" of dollars to cover PRISM compliance costs for a multitude of monolithic tech outfits. As the story goes, the National Security Agency (hence, tax dollars from American taxpayers) coughed up millions "to cover the costs of major internet companies involved in the PRISM surveillance program after a court ruled that some of the agency's activities were unconstitutional." The likes of Yahoo, Google, Microsoft and Facebook are expressly named, and while Google is still angling for permission to reveal more about its side of the story, other firms have conflicting tales.

Huffington Post to Prohibit Anonymous Comments: Huffington Attacks Anonymous Speech

The Huffington Post, reportedly, will soon do away with the option of anonymous commenting on its website.  Justifying the change, Huffington herself cited the aggressiveness and ugliness of internet trolls and apparently argued that free speech rights essentially should not be extended to individuals who have not submitted to some kind of vetting process.  From the Boston Globe:
The days of anonymous commenting on The Huffington Post are numbered. Founder Arianna Huffington said in a question-and-answer session with reporters in Boston Wednesday that the online news site plans to require users to comment on stories under their real names, beginning next month.
“Freedom of expression is given to people who stand up for what they’re saying and not hiding behind anonymity,” she said. . . .
This last statement is highly offensive, no?  Freedom of expression is not "given" or granted to anyone, it is a human right.  I guess Huffington would have told the authors of the Federalist Papers to take a hike.

Facebook-Led Tech Group Seeks to Expand Internet Access

From the New York Times:
On Wednesday, Facebook announced an effort aimed at drastically cutting the cost of delivering basic Internet services on mobile phones, particularly in developing countries, where Facebook and other tech companies need to find new users. Half a dozen of the world’s tech giants, including Samsung, Nokia, Qualcomm and Ericsson, have agreed to work with the company as partners on the initiative, which they call Internet.org.
The companies intend to accomplish their goal in part by simplifying phone applications so they run more efficiently and by improving the components of phones and networks so that they transmit more data while using less battery power.

Mother Jones Profiles a Few Meshnets

From Mother Jones:
JOSEPH BONICIOLI mostly uses the same internet you and I do. He pays a service provider a monthly fee to get him online. But to talk to his friends and neighbors in Athens, Greece, he's also got something much weirder and more interesting: a private, parallel internet.

He and his fellow Athenians built it. They did so by linking up a set of rooftop wifi antennas to create a "mesh," a sort of bucket brigade that can pass along data and signals. It's actually faster than the Net we pay for: Data travels through the mesh at no less than 14 megabits a second, and up to 150 Mbs a second, about 30 times faster than the commercial pipeline I get at home. Bonicioli and the others can send messages, video chat, and trade huge files without ever appearing on the regular internet. And it's a pretty big group of people: Their Athens Wireless Metropolitan Network has more than 1,000 members, from Athens proper to nearby islands. Anyone can join for free by installing some equipment. "It's like a whole other web," Bonicioli told me recently. "It's our network, but it's also a playground."

Indeed, the mesh has become a major social hub . . . 

Google Eye Tracker: Watching You Watch Them

And you thought tracking your browser and search history was intrusive!  From The Verge:
Advertisers spend heaps of cash on branding, bannering, and product-placing. But does anyone really look at those ads? Google could be betting that advertisers will pay to know whether consumers are actually looking at their billboards, magazine spreads, and online ads. The company was just granted a patent for "pay-per-gaze" advertising, which would employ a Google Glass-like eye sensor in order to identify when consumers are looking at advertisements in the real world and online.

Google Goes Offline, Internet Traffic Drops 40%

What did you do during the blackout?  From The Register:
The event began at approximately 4:37pm Pacific Time and lasted between one and five minutes, according to the Google Apps Dashboard. All of the Google Apps services reported being back online by 4:48pm.

The incident apparently blacked out every service Mountain View has to offer simultaneously, from Google Search to Gmail, YouTube, Google Drive, and beyond.
Big deal, right? Everyone has technical difficulties every once in a while. It goes with the territory.

But then, not everyone is Google. According to web analytics firm GoSquared, worldwide internet traffic dipped by a stunning 40 per cent during the brief minutes that the Chocolate Factory's services were offline.

Depressed? Get Off Facebook

Concerned about your privacy?  You should probably log out of Facebook.  Concerned about your mental health and well-being?  You should probably log out of Facebook.  From the BBC:
Using Facebook can reduce young adults' sense of well-being and satisfaction with life, a study has found.  Checking Facebook made people feel worse about both issues, and the more they browsed, the worse they felt, the University of Michigan research said.  The study, which tracked participants for two weeks, adds to a growing body of research saying Facebook can have negative psychological consequences.

Facebook has more than a billion members and half log in daily.  "On the surface, Facebook provides an invaluable resource for fulfilling the basic human need for social connection. Rather than enhancing well-being, however, these findings suggest that Facebook may undermine it," said the researchers.

Microsoft Sends DMCA Takedown Notices for Links to Open Source Competitors

From Torrent Freak:
Every week copyright holders send millions of DMCA takedown notices to Google in the hope of making pirated content harder to find.  Microsoft has been one of the most active senders and over the past month alone has asked Google to remove more than a million infringing URLs from its indexes. In addition the software giant also strips infringing links from its own search engine Bing.

While most of the submitted URLs do indeed link to infringing content, not all requests sent by Microsoft and other copyright holders are correct. Their often automated anti-piracy systems regularly trigger notices that include links to perfectly legitimate content, sometimes from direct competitors.

The latter happened with several recent DMCA takedown requests sent to Google on behalf of Microsoft. The notices, which contain references to unauthorized copies of Microsoft Office, also list many links to Apache’s open source office suite, OpenOffice . . .

Google: No Expectation of Privacy in Gmail Emails

From Slate:
If you happen to be one of the 400 million people who use Google's Gmail service for sending and receiving emails, you shouldn't have any expectation of privacy, according to a court briefing obtained by the Consumer Watchdog website. In a motion filed last month by Google to have a class action complaint dismissed, Google's lawyers reference a 1979 ruling, holding that people who turn over information to third parties shouldn't expect that information to remain private.

Users Scramble to Download Pirate Bay's Anti-Censorship Browser

From Torrent Freak:
Within three days of its launch The Pirate Bay’s PirateBrowser, which allows people to bypass ISP filtering and access blocked websites, has already been downloaded more than 100,000 times. The Pirate Bay team say they never expected the browser to catch on this quickly, while noting that they are determined to provide more anti-censorship tools.

On the occasion of its 10th anniversary last Saturday, The Pirate Bay sent out a gift to its users – the PirateBrowser.  Blocked by court orders all over the world, Pirate Bay is arguably the most censored website on the Internet. The PirateBrowser software allows people to bypass these restrictions.

It appears that the browser idea is right on the money. New statistics revealed today show that blocked users have been downloading the tool en masse . . .

Mega Encrypted Email Service in Progress

From ZDNet:
Kim Dotcom's "privacy company" Mega is developing secure email services to run on its entirely non-US-based server network as intense pressure from US authorities forces other providers to close.

Last week, Lavabit, which counted NSA leaker Edward Snowden as a user, and Silent Circle both closed. Lavabit's owner, Ladar Levison, said he was shutting it down to avoid becoming "complicit in crimes against the American people".

Last week, Mega chief executive Vikram Kumar told ZDNet that the company was being asked to deliver secure email and voice services. In the wake of the closures, he expanded on his plans.

Kumar said work is in progress, building off the end-to-end encryption and contacts functionality already working for documents in Mega.

Wikimedia to FastTrack HTTPS in Response to Surveillance Leaks

From Wikimedia:
The Wikimedia Foundation believes strongly in protecting the privacy of its readers and editors. Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects. Thankfully, this is already a project that was being considered for this year’s official roadmap and it has been on our unofficial roadmap since native HTTPS was enabled. Our current architecture cannot handle HTTPS by default, but we’ve been incrementally making changes to make it possible. Since we appear to be specifically targeted by XKeyscore, we’ll be speeding up these efforts . . . 

Lavabit Shuts Down Email Service Rather Than Comply With Government

Lavabit is (or rather was) an email service that took its users' privacy seriously.  And for that reason it appears the service has been forced to shut down.  From owner Ladar Levison:
My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Ladar Levison
Owner and Operator, Lavabit LLC
Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

Federal Judge Rules that Bitcoin Is Money

A federal judge has ruled that bitcoin is money.  The suit before the court involves the case of Trendon Shavers, who is being prosecuted by the SEC for running what has been called a Bitcoin ponzi scheme.  In response to the SEC action, Shavers argued before the court that the SEC had no jurisdiction in the case because bitcoin is not money.  The court did not agree.  From the ruling:
First, the Court must determine whether the BTCST investments constitute an investment of money. It is clear that Bitcoin can be used as money. It can be used to purchase goods or services, and as Shavers stated, used to pay for individual living expenses. The only limitation of Bitcoin is that it is limited to those places that accept it as currency. However, it can also be exchanged for conventional currencies, such as the U.S. dollar, Euro, Yen, and Yuan. Therefore, Bitcoin is a currency or form of money, and investors wishing to invest in BTCST provided an investment of money.
Ironically, both Bitcoin enthusiasts and detractors see this ruling as evidence in favor of their own positions.  Enthusiasts state that rulings like this will make the crypto-currency more palatable to the economic mainstream, while its detractors state that this is one more nail in the Bitcoin coffin.  Of course, only time will tell.  But the ruling does not seem to have affected the price of Bitcoin, which is currently trading at just over $100 per BTC.

How To Access Someone's Stored Passwords on Google Chrome

If a trouble-making friend gained access to your browser, what could they access?  Depending on your choice of browser and its security settings, the answer may be: everything.  From The Guardian:
A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.
Seeing the passwords is achieved simply by clicking on the Settings icon, choosing "Show advanced settings…" and then "Manage saved passwords" in the "Passwords and forms" section. A list of obscured passwords is then revealed for sites - but clicking beside them reveals the plain text of the password, which could be copied, or sent via a screenshot to an outside site.

Overcriminalization: Felony Streaming

Are you familiar with the term overcriminalization?  From Overcriminalized, a project of the Heritage Foundation:
“Overcriminalization” describes the trend in America – and particularly in Congress – to use the criminal law to “solve” every problem, punish every mistake (instead of making proper use of civil penalties), and coerce Americans into conforming their behavior to satisfy social engineering objectives. Criminal law is supposed to be used to redress only that conduct which society thinks deserving of the greatest punishment and moral sanction.
But as a result of rampant overcriminalization, trivial conduct is now often punished as a crime.  Many criminal laws make it possible for the government to convict a person even if he acted without criminal intent (i.e., mens rea). Sentences have skyrocketed, particularly at the federal level.
The Washington Post provides us with a perfect example of this creeping trend in US society and government: the criminalization of online streaming.  Have you ever watched a streaming video on a site that may not have had all the proper licenses?  The federal government wants to make that a felony:
You probably remember the online outrage over the Stop Online Piracy Act (SOPA) copyright enforcement proposal. Last week, the Department of Commerce’s Internet Policy Task Force released a report on digital copyright policy that endorsed one piece of the controversial proposal: making the streaming of copyrighted works a felony.

As it stands now, streaming a copyrighted work over the Internet is considered a violation of the public performance right. The violation is only punishable as a misdemeanor, rather than the felony charges that accompany the reproduction and distribution of copyrighted material.

Fed Malware Takes Down Tor Host

From Wired:
Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

FBI "Harvests" Your Digital Information, Pressures ISPs to Install Surveillance Machines

New revelations of the breadth and scope of the federal government's digital spying and surveillance operations continue apace.  No one is safe from their prying eyes.  From CNET:
The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies' internal networks to facilitate surveillance efforts.

FBI officials have been sparring with carriers, a process that has on occasion included threats of contempt of court, in a bid to deploy government-provided software capable of intercepting and analyzing entire communications streams. The FBI's legal position during these discussions is that the software's real-time interception of metadata is authorized under the Patriot Act.

Attempts by the FBI to install what it internally refers to as "port reader" software, which have not been previously disclosed, were described to CNET in interviews over the last few weeks. One former government official said the software used to be known internally as the "harvesting program."

Government Increasingly Using Hacking Tools

From the Wall Street Journal:
Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.

Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.

People familiar with the Federal Bureau of Investigation's programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can't be wiretapped like a phone, is called "going dark" among law enforcement . . .

The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.'s Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment.

Surveillance Society Security Hysteria: Police Harassing People for Their Internet Search Habits

We should be surprised to read stories like this, but unfortunately, it is not surprising at all.  From The Guardian:
It was a confluence of magnificent proportions that led to six agents from the joint terrorism task force to knock on my door Wednesday morning. Little did my husband and I know that our seemingly innocent, if curious to a fault, Googling of certain things were creating a perfect storm of terrorism profiling. Because somewhere out there, someone was watching. Someone whose job it is to piece together the things people do on the internet raised the red flag when they saw our search history.

Most of it was innocent enough. I had researched pressure cookers. My husband was looking for a backpack. And maybe in another time those two things together would have seemed innocuous, but we are in "these times" now. And in these times, when things like the Boston bombing happen, you spend a lot of time on the internet reading about it and, if you are my exceedingly curious, news junkie 20-year-old son, you click a lot of links when you read the myriad of stories. You might just read a CNN piece about how bomb making instructions are readily available on the internet and you will in all probability, if you are that kid, click the link provided.