[syndicated profile] eff_feed

Posted by gennie

Some of the most worrying kinds of attacks are ones that exploit users’ trust in the systems and software they use every day. Yesterday, Cisco’s Talos security team uncovered just that kind of attack in the computer cleanup software CCleaner. Download servers at Avast, the company that owns CCleaner, had been compromised to distribute malware inside CCleaner 5.33 updates for at least a month. Avast estimates that over 2 million users downloaded the affected update. Even worse, CCleaner’s popularity with journalists and human rights activists means that particularly vulnerable users are almost certainly among that number. Avast has advised CCleaner Windows users to update their software immediately.

This is often called a “supply chain” attack, referring to all the steps software takes to get from its developers to its users. As more and more users get better at bread-and-butter personal security like enabling two-factor authentication and detecting phishing, malicious hackers are forced to stop targeting users and move “up” the supply chain to the companies and developers that make software. This means that developers need to get in the practice of “distrusting” their own infrastructure: build and release systems should be treated as targets in their own right, and releases should be reproducible, so that third parties can rebuild the binary from the published source and check whether the released binary and the source actually correspond. The goal should be to secure internal development and release infrastructure to the point that no hijacking, even by a malicious actor inside the company, can slip through unnoticed.

The harms of this hack extend far beyond the 2 million users who were directly affected. Supply chain attacks undermine users’ trust in official sources, and turn the security safeguards that users and developers rely on against them. Software updates like the one Avast released for CCleaner are typically signed with the developer’s private code-signing key, which an attacker cannot forge without obtaining the key itself. But the hackers appear to have penetrated Avast’s download servers upstream of the signing step, so the tampered update went out carrying a valid signature. They essentially hijacked Avast’s update distribution process and punished users for the security best practice of updating their software.
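A signature only proves that whatever reached the signing step was signed; it says nothing about whether that input matched the published source. The check that catches a compromise upstream of signing is a reproducible build: an independent party rebuilds the release from source and compares digests with the vendor's binary. The script below is an added example, not EFF's, Avast's or Piriform's code. The "build" is a toy (packing a constructed source tree into a tar archive) so it runs offline; the assumed release timestamp, file names and contents are all made up for the example. What it demonstrates is real, though: pin the build time (the SOURCE_DATE_EPOCH convention), normalise file order and metadata, and compare digests byte for byte, so that an injected stage like the one in CCleaner 5.33 shows up as a mismatch even though the vendor's binary is validly signed.

```python
"""Reproducible-build verification, as an added example.

The build step is a toy (source files -> uncompressed tar) so the script is
self-contained; the technique is the one third parties use on real releases.
"""
import hashlib
import io
import tarfile

# Constructed sample source tree (not real CCleaner code).
PUBLISHED_SOURCES = {
    "src/main.c": b"int main(void) { return clean(); }\n",
    "src/clean.c": b"int clean(void) { return 0; }\n",
    "README": b"toy release used for the example\n",
}

# Assumed timestamp of the tagged release.  A real pipeline exports this as
# SOURCE_DATE_EPOCH so every builder stamps the same mtime instead of time.time().
RELEASE_EPOCH = 1505260800


def build_artifact(sources, build_time):
    """Pack `sources` into a tar archive and return the archive bytes.

    Every source of build-to-build variation is pinned: file order is sorted,
    mtime comes from `build_time`, and owner/mode are fixed so the builder's
    identity and umask cannot leak into the output.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(sources):              # never depend on dict or directory order
            data = sources[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = int(build_time)          # pinned, not the wall clock
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(blob):
    """Hex SHA-256 of an artifact; this is what a vendor publishes next to a release."""
    return hashlib.sha256(blob).hexdigest()


def verify_reproducible(released_digest, sources, release_epoch):
    """Independent check: rebuild from the published source and compare with
    the vendor's released digest.  True only on a byte-for-byte match."""
    rebuilt = build_artifact(sources, release_epoch)
    return sha256_hex(rebuilt) == released_digest


if __name__ == "__main__":
    # Honest release: the vendor's artifact and an independent rebuild agree.
    vendor_release = build_artifact(PUBLISHED_SOURCES, RELEASE_EPOCH)
    print("honest release verifies:",
          verify_reproducible(sha256_hex(vendor_release), PUBLISHED_SOURCES, RELEASE_EPOCH))

    # Compromised build host: a stage is injected before signing.  The result
    # would be validly signed, but it no longer matches the published source.
    tampered = dict(PUBLISHED_SOURCES)
    tampered["src/clean.c"] = b"int clean(void) { beacon(); return 0; }\n"
    trojanized = build_artifact(tampered, RELEASE_EPOCH)
    print("trojanized release verifies:",
          verify_reproducible(sha256_hex(trojanized), PUBLISHED_SOURCES, RELEASE_EPOCH))

    # Unpinned timestamps alone break verification: identical sources built one
    # second apart produce different digests, so nobody can confirm anything.
    print("builds with different timestamps match:",
          sha256_hex(build_artifact(PUBLISHED_SOURCES, RELEASE_EPOCH))
          == sha256_hex(build_artifact(PUBLISHED_SOURCES, RELEASE_EPOCH + 1)))
```

The last case is the one that bites real projects: a build that embeds the wall clock, the builder's username or an unsorted directory listing is unverifiable by design, and a signature on such a build proves only that the signing key was used, not that the binary came from the source.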

Despite observations that this kind of attack is on the rise, the reality is that such attacks remain extremely rare when compared to other kinds of attacks users might encounter. This and other supply chain attacks should not deter users from updating their software. Like any security decision, this is a trade-off: for every attack that might take advantage of the supply chain, there are one hundred attacks that will take advantage of users not updating their software.

For users, sticking with trusted, official software sources and updating your software whenever prompted remains the best way to protect yourself from software attacks. For developers and software companies, the attack on CCleaner is a reminder of the importance of securing every link of the download supply chain.

[syndicated profile] science_blog_feed

Posted by ScienceBlog.com

After finishing the Army Combat Readiness Test, a six-event assessment designed to reduce injuries and replace today’s physical fitness test, Spc. Efren Gandara and others ... Read more


Pluto's posse

Sep. 16th, 2017 10:07 pm
[syndicated profile] badastronomy_feed

Posted by Phil Plait

For 85 years, Pluto was pretty much a featureless dot.

Oh sure, some observations, particularly using Hubble, mapped out very broad regions, not much more than brighter and dimmer blotches*. But when the New Horizons space probe flew past Pluto on July 14, 2015, suddenly the tiny dot became a world.

 

New Horizons revealed plains and canyons, craters and mountains, and a passel of other weird features, too. Keeping them all straight as they were rapidly discovered was hard, so the planetary scientists on the New Horizons team gave them nicknames, with a theme of using the names of explorers, people related to the discovery and observation of Pluto, and different mythologies of the underworld (in keeping with the name Pluto itself). These were unofficial, and, in fact, it became a little bit of a joke during the flyby press conferences for scientists to mention that, since they had to say it every time.

But now, after more than two years, 14 of those names have become official. The New Horizons team proposed these names to the International Astronomical Union, the keepers of official cosmic names (among other duties), who mulled them over and have now approved them.

New features have been named on Pluto, based on the unofficial names used by the New Horizons team, many suggested by the public. Credit: NASA/JHUAPL/SwRI/Ross Beyer

 

Some of the names include Tombaugh Regio, Pluto’s “heart,” a huge bright region nearly 1600 km across. It’s named after Clyde Tombaugh, who discovered Pluto in 1930. The left “lobe” of the heart is Sputnik Planitia, named after the Sputnik satellite, the first satellite ever launched into orbit by humans.

There’s Hillary Montes and Tenzing Montes, mountains named after the first two people known to have climbed to the very peak of Mount Everest and returned back down safely. There are other features named after underworld mythologies of the Inuit (Adlivun Cavus), Greek (Tartarus Dorsa), medieval Norwegians (Sleipnir Fossa), and aboriginal Australians (Djanggawul Fossae), which is very cool, and even two spacecraft that explored the solar system (Voyager Terra and Hayabusa Terra).

I think my favorite of them all is Burney Crater, named after Venetia Burney. After Tombaugh discovered this new world in 1930, Burney — 11 at the time  — suggested calling it Pluto. Her father sent a note to astronomers, who liked it (especially since the first two letters of Pluto, PL, were the initials of Percival Lowell, the eccentric astronomer who funded the search for a new planet that led to Tombaugh’s discovery).

It’s nice that the IAU decided to make these 14 names official. I don’t envy their next task: There are hundreds of features on Pluto that still need designations. The New Horizons team plans on proposing many more (many of which were also named by the public, incidentally, which is pretty nifty). I hope they get approved, too.

But I do have another hope. Charon, Pluto’s oversized moon, was also mapped in detail, and the features there were given somewhat more, um, fanciful names. So we have the craters Organa and Skywalker. They sit not too far from the crater Vader, which is near Ripley Crater (which itself is split by the Nostromo Chasma). There’re also the craters Kirk, Spock, Uhura, and Sulu; chasms (still unofficially, mind you) named Serenity and Tardis; a highland named Oz; and an area called Gallifrey (I'll note, back on Pluto, there's also Cthulhu Regio). And, of course, there’s also the large, dark, reddish region around Charon’s north pole called Mordor Macula.

If they ever do, it may still take some time for the IAU to make these official, and that’s totally understandable. After all …

… one does not simply walk into naming Mordor Macula.

 * Not to downplay those observations; they were cutting-edge for the time, and very difficult to obtain. They wound up mapping to real features, too, indicating they were accurate.

[Image: Pluto and Charon, to scale in size and brightness. Credit: NASA/Johns Hopkins University Applied Physics Laboratory/Southwest Research Institute]
[syndicated profile] science_blog_feed

Posted by ScienceBlog.com

Could the flapping of a butterfly’s wings in Costa Rica set off a hurricane in California? The question has been scrutinized by chaos theorists, stock-market ... Read more


[syndicated profile] science_blog_feed

Posted by ScienceBlog.com

People who tend to trust their intuition or to believe that the facts they hear are politically biased are more likely to stand behind inaccurate ... Read more


[syndicated profile] science_blog_feed

Posted by ScienceBlog.com

A new study of children living in inner-city areas and at high risk of developing asthma suggests that exposure to certain pet and pest allergens ... Read more


[syndicated profile] science_blog_feed

Posted by ScienceBlog.com

About three million people have viewed the YouTube video of the death of American collegiate basketball player Hank Gathers from cardiac arrest during a game ... Read more


[syndicated profile] science_blog_feed

Posted by ScienceBlog.com

When Zika first buzzed into the continental United States during the 2016 outbreak, Florida was hit first—and hardest—with 1,174 documented cases to date. So, when ... Read more


Let's Play Telephone

Sep. 19th, 2017 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Ever wonder what could possibly go wrong with a simple inscription on a basic cake? Well, WONDER NO MORE. 

Below I've listed the inscriptions some of my trusty Wreckporters ordered from professional bakeries, followed by the cakes they actually received:

 

"God Bless Neal"

I hear it's His middle name.

 

"Welcome Baby Arnold"

The spacing is what really sells it.

 

"Happy Birthday Mom"

Now that's a cake only a mother named Bob could love.

[Btw, I'm starting to wonder if a baker named Bob is doing these on purpose. And if so, I want to shake Bob's hand.]

 

"Congrats British Lit"

I hope this starts a trend; I want to see all the ways bakers butcher "Kyrgyzstanian."

 

"Happy Bandwidth Upgrade Day"

"Band With Upgrade" is the name of my retro Steam Powered Giraffe cover band.

(I realize only about 3 people will get that joke... and I'm ok with that.)

 

"Grats to Dad"

I like to think this is the baker's revenge on everyone who shortens "congratulations" to "grats." "CONGRATS" IS SHORT ENOUGH, PEOPLE.

 

"Old Dirty Thirty"

At some point you stop being surprised. Or so I'm told.

 

"When I'm 64"

That's actually how John says it when he's singing in his "drunk McCartney" voice, so maybe Kit sang her order over the phone. Drunk. While imitating Paul McCartney. 

(Don't keep us in suspense, now, Kit: did you?)

 

Thanks to Colleen C., Suzanne R., Morgan & Eric, Katie D., Ethan D., Leslie C., Becky L., & Kit K. for really phoning it in today. ;)

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

Apple's FaceID

Sep. 19th, 2017 11:44 am
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

This is a good interview with Apple's SVP of Software Engineering about FaceID.

Honestly, I don't know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it can't be hacked with fake faces. I dislike the fact that the police can point the phone at someone and have it automatically unlock. So this is important:

I also quizzed Federighi about the exact way you "quick disabled" Face ID in tricky scenarios -- like being stopped by police, or being asked by a thief to hand over your device.

"On older phones the sequence was to click 5 times [on the power button], but on newer phones like iPhone 8 and iPhone X, if you grip the side buttons on either side and hold them a little while -- we'll take you to the power down [screen]. But that also has the effect of disabling Face ID," says Federighi. "So, if you were in a case where the thief was asking to hand over your phone -- you can just reach into your pocket, squeeze it, and it will disable Face ID. It will do the same thing on iPhone 8 to disable Touch ID."

That squeeze can be of either volume button plus the power button. This, in my opinion, is an even better solution than the "5 clicks" because it's less obtrusive. When you do this, it defaults back to your passcode.

More:

It's worth noting a few additional details here:

  • If you haven't used Face ID in 48 hours, or if you've just rebooted, it will ask for a passcode.
  • If there are 5 failed attempts to Face ID, it will default back to passcode. (Federighi has confirmed that this is what happened in the demo onstage when he was asked for a passcode -- it tried to read the people setting the phones up on the podium.)
  • Developers do not have access to raw sensor data from the Face ID array. Instead, they're given a depth map they can use for applications like the Snap face filters shown onstage. This can also be used in ARKit applications.
  • You'll also get a passcode request if you haven't unlocked the phone using a passcode or at all in 6.5 days and if Face ID hasn't unlocked it in 4 hours.

Also be prepared for your phone to immediately lock every time your sleep/wake button is pressed or it goes to sleep on its own. This is just like Touch ID.

Federighi also noted on our call that Apple would be releasing a security white paper on Face ID closer to the release of the iPhone X. So if you're a researcher or security wonk looking for more, he says it will have "extreme levels of detail" about the security of the system.

Here's more about fooling it with fake faces:

Facial recognition has long been notoriously easy to defeat. In 2009, for instance, security researchers showed that they could fool face-based login systems for a variety of laptops with nothing more than a printed photo of the laptop's owner held in front of its camera. In 2015, Popular Science writer Dan Moren beat an Alibaba facial recognition system just by using a video that included himself blinking.

Hacking FaceID, though, won't be nearly that simple. The new iPhone uses an infrared system Apple calls TrueDepth to project a grid of 30,000 invisible light dots onto the user's face. An infrared camera then captures the distortion of that grid as the user rotates his or her head to map the face's 3-D shape -- a trick similar to the kind now used to capture actors' faces to morph them into animated and digitally enhanced characters.

It'll be harder, but I have no doubt that it will be done.

More speculation.

I am not planning on enabling it just yet.

[syndicated profile] eff_feed

Posted by elliot

10:00 a.m.: In closing the hearing, Sen. Dan Sullivan speaks passionately about the need for the Department of Justice to invest more resources in prosecuting sex traffickers. Ms. Slater of the Internet Association echoes Sen. Sullivan, arguing that the Justice Department should have more resources to prosecute sex trafficking cases.

We could not agree more. Creating more liability for web platforms is, at best, a distraction. Experts in trafficking argue that, at worst, SESTA would do more harm than good.

Freedom Network USA, the largest network of anti-trafficking advocate organizations in the country, expresses grave concerns about lawmakers unwittingly compromising the very tools law enforcement needs to find traffickers (PDF): "Internet sites provide a digital footprint that law enforcement can use to investigate trafficking into the sex trade, and to locate trafficking victims. When websites are shut down, the sex trade is pushed underground and sex trafficking victims are forced into even more dangerous circumstances."

Thank you for following our live blog. Please take a moment to write to your members of Congress and ask them to defend the online communities that matter to you.

Take Action

Tell Congress: Stop SESTA.

____

9:37 a.m.: "We have tried to listen to the industry," Sen. Blumenthal claims. But listening to major Internet industry players is not enough. It's essential that lawmakers talk to the marginalized communities that would be silenced under SESTA. It's essential that lawmakers talk to community-based or nonprofit platforms that will be most hurt by the increased liability, platforms like Wikipedia and the Internet Archive. In a letter to the Committee, the Wikimedia Foundation says point blank that Wikipedia would not exist without Section 230.

In writing off small startups as "outliers," Blumenthal misunderstands something essential about the Internet, that any platform can compete. Liability protections in Section 230 have led to the explosion of successful Internet businesses. Blumenthal claims that SESTA will "raise the bar" in encouraging web platforms to adopt better measures for filtering content, but he's mistaken. The developments in content filtering that SESTA's proponents celebrate would not have taken place without the protections in Section 230.

There is no such thing as a perfect filter. Under SESTA, platforms would have little choice but to rely far too heavily on filters, clamping down on legitimate speech in the process.

____

9:24 a.m.: Prof. Goldman argues that adding enforcement of state criminal law as an exception to Section 230 would effectively balkanize the Internet. One state would have the ability to affect the entire Internet, so long as it can convince a judge that a state law targets sex trafficking. Goldman has written extensively on the problems that would arise from excluding state law from 230 immunity.

____

9:09 a.m.: The committee's discussion about expanding federal criminal law liability for "facilitating" sex trafficking (by amending 18 USC 1591) misses an important point: under SESTA, platforms would be liable not if they knew sex trafficking was happening on their sites, but if they should have known (this is the "reckless disregard" standard set in 1591).

____

9:00 a.m.: Xavier Becerra is correct that Section 230 blocks state criminal prosecutions against platforms for illegal user-generated content (but not federal prosecutions). However, state prosecutors are not prevented from going after the traffickers themselves. As California AG, he should do that.

In Kristen DiAngelo's letter to the Commerce Committee, she discusses her organization's exasperation at trying to work with California law enforcement to prosecute traffickers. That should be an Attorney General's first priority, not prosecuting web platforms that don't break the law themselves.

____

8:55 a.m.: Yiota Souras from NCMEC says that there should be a legal barrier to enter the online ads marketplace.  There already is one: Congress passed the SAVE Act in 2015 to create express liability for platforms that knowingly advertise sex trafficking ads.

Souras says that there needs to be more community intervention into the lives of children before they end up in online sex ads. We couldn't agree more.

____

8:40 a.m.: When Abigail Slater of the Internet Association speaks to platforms' ability to filter content related to trafficking, she's talking about large web companies. Smaller platforms would be most at risk under SESTA: it would be very difficult for them to absorb the huge increase in legal exposure for user-generated content that SESTA would create.

____

8:32 a.m.: Yiota Souras is confusing the issue. Victims of sex trafficking today can hold a platform liable in civil court for ads their traffickers posted when there is evidence that the platform had a direct hand in creating the illegal content. And victims can directly sue their traffickers without bumping into Section 230.

____

8:25 a.m.: Professor Eric Goldman is now testifying on the importance of Section 230:

SESTA would reinstate the moderation dilemma that Section 230 eliminated. Because of Section 230, online services today voluntarily take many steps to suppress socially harmful content (including false and malicious content, sexual material, and other lawful but unwanted content) without fearing liability for whatever they miss. Post-SESTA, some services will conclude that they cannot achieve this high level of accuracy, or that moderation procedures would make it impossible to serve their community. In those cases, the services will reduce or eliminate their current moderation efforts.

Proponents of SESTA have tried to get around this dilemma by overstating the effectiveness of automated content filtering. In doing so, they really miss the point of filtering technologies. Automated filters can be very useful as an aid to human review, but they're not appropriate as the final arbiters of free expression online. Over-reliance on them will almost certainly result in silencing marginalized voices, including those of trafficking victims themselves.

____

8:15 a.m.: Contrary to what Xavier Becerra suggested, we're not opposed to amending statutes in general. But Section 230 has included a reasonable policy balance, enabling culpable platforms to be held liable while allowing free speech and innovation to thrive online. Amending it is unnecessary and dangerous.

____

8:12 a.m.: Ms. Yvonne Ambrose, the mother of a trafficking victim, is now speaking on the horrors her daughter went through.

It's specifically because of the horror of trafficking that Congress must be wary of bills that would do more harm than good. To quote anti-trafficking advocate (and herself a trafficking victim) Kristen DiAngelo (PDF), "SESTA would do nothing to decrease sex trafficking; in fact, it would have the opposite effect. [...] When trafficking victims are pushed off of online platforms and onto the streets, we become invisible to the outside world as well as to law enforcement, thus putting us in more danger of violence."

In DiAngelo's letter, she tells the horrific story of a trafficking victim who was forced by her pimp to work the street when the FBI shut down a website where sex workers advertised:

Since she was new to the street, sexual predators considered her fair game. Her first night out, she was robbed and raped at gunpoint, and when she returned to the hotel room without her money, her pimp beat her. Over the next seven months, she was arrested seven times for loitering with the intent to commit prostitution and once for prostitution, all while she was being trafficked.

Freedom Network USA, the largest network of anti-trafficking service providers in the country, expresses grave concerns about any proposal that would shift more liability to web platforms (PDF): "The current legal framework encourages websites to report cases of possible trafficking to law enforcement. Responsible website administrators can, and do, provide important data and information to support criminal investigations. Reforming the CDA to include the threat of civil litigation could deter responsible website administrators from trying to identify and report trafficking."

____

8:05 a.m.: Sen. Wyden is right. Sec. 230 made the Internet a platform for free speech. It should remain intact.

Wyden makes it clear that by design, Section 230 does nothing to protect web platforms from prosecution for violations of federal criminal law. It also does nothing to shield platforms' users themselves from liability for their own actions in either state or federal court. Wyden speaks passionately on the need for resources to fight sex traffickers online. Reminder: SESTA would do nothing to fight traffickers.

____

7:57 a.m.: Sen. Blumenthal is wrong. Section 230 does not provide blanket immunity to platforms for civil claims. Platforms that have a direct hand in posting illegal sex trafficking ads can be held liable in civil court.

SESTA is not narrowly targeted. It would open up online platforms to a "deluge" (Sen. Blumenthal's words) of state criminal prosecutions and federal and state civil claims based on user-generated content.

____

7:45 a.m.: Sen. Nelson asks: why aren't we doing everything we can to fight sex trafficking?

We agree. That's why it's such a shame that Congress is putting its energy into enacting a measure that would not fight sex traffickers. In her letter to the Committee, anti-trafficking advocate (and herself a trafficking victim) Kristen DiAngelo outlines several proposals that Congress could take to fight trafficking: for example, enacting protective measures to make it easier for sex workers to report traffickers.

Undermining Section 230 is not the right response. It's a political bait-and-switch.

____

7:33 a.m.: The hearing is beginning now. You can watch it at the Commerce Committee website.

____

There’s a bill in Congress that would be a disaster for free speech online. The Senate Committee on Commerce, Science, and Transportation is holding a hearing on that bill, and we’ll be blogging about it as it happens.

The Stop Enabling Sex Traffickers Act (SESTA) might sound virtuous, but it’s the wrong solution to a serious problem. The authors of SESTA say it’s designed to fight sex trafficking, but the bill wouldn’t punish traffickers. What it would do is threaten legitimate online speech.

Join us at 7:30 a.m. Pacific time (10:30 Eastern) on Tuesday, right here and on the @EFFLive Twitter account. We’ll let you know how to watch the hearing, and we’ll share our thoughts on it as it happens. In the meantime, please take a moment to tell your members of Congress to Stop SESTA.

Take Action

Tell Congress: Stop SESTA.

[syndicated profile] eff_feed

Posted by danny

As part of an ongoing attempt to help law enforcement obtain data across international borders, the Council of Europe’s Cybercrime Convention, finalized in the weeks following 9/11 and ratified by the United States and over 50 countries around the world, is back on the global lawmaking agenda. This time, the Council’s Cybercrime Convention Committee (T-CY) has initiated a process to draft a second additional protocol to the Convention: a new text which could allow direct foreign law enforcement access to data stored in other countries’ territories. EFF has joined EDRi and a number of other organizations in a letter to the Council of Europe, highlighting some anticipated concerns with the upcoming process and seeking to ensure civil society concerns are considered in the new protocol. This new protocol needs to preserve the Council of Europe’s stated aim to uphold human rights, and not undermine privacy or the integrity of our communication networks.

How the Long Arm of Law Reaches into Foreign Servers

Thanks to the internet, individuals and their data increasingly reside in different jurisdictions: your email might be stored on a Google server in the United States, while your shared Word documents might be stored by Microsoft in Ireland. Law enforcement agencies across the world have sought to gain access to this data, wherever it is held. That means police in one country frequently seek to extract personal, private data from servers in another.

Currently, the primary international mechanism for facilitating governmental cross border data access is the Mutual Legal Assistance Treaty (MLAT) process, a series of treaties between two or more states that create a formal basis for cooperation between designated authorities of signatories. These treaties typically include some safeguards for privacy and due process, most often the safeguards of the country that hosts the data.

The MLAT regime includes steps to protect privacy and due process, but frustrated agencies have increasingly sought to bypass it, by either cross-border hacking, or leaning on large service providers in foreign jurisdictions to hand over data voluntarily.

The legalities of cross-border hacking remain very murky, and its operation is the very opposite of transparent and proportionate. Meanwhile, voluntary cooperation between service providers and law enforcement occurs outside the MLAT process and without any clear accountability framework. The primary window of insight into its scope and operation is the annual Transparency Reports voluntarily issued by some companies such as Google and Twitter.

Hacking often blatantly ignores the laws and rights of a foreign state, but voluntary data handovers can be used to bypass domestic legal protections too.  In Canada, for example, the right to privacy includes rigorous safeguards for online anonymity: private Internet companies are not permitted to identify customers without prior judicial authorization. By identifying often sensitive anonymous online activity directly through the voluntary cooperation of a foreign company not bound by Canadian privacy law, law enforcement agents can effectively bypass this domestic privacy standard.

Faster, but not Better: Bypassing MLAT

The MLAT regime has been criticized as slow and inefficient. Law enforcement officers have claimed that they have to wait anywhere between 6 and 10 months, the reported average time frame for receiving data through an MLAT request, for data necessary to their local investigation. Much of this delay, however, is attributable to a lack of adequate resources, streamlining and prioritization for the huge increase in MLAT requests for data held in the United States, plus the absence of adequate training for law enforcement officers seeking to rely on another state’s legal search and seizure powers.

Instead of just working to make the MLAT process more effective, the T-CY committee is seeking to create a parallel mechanism for cross-border cooperation. While the process is still in its earliest stages, many are concerned that the resulting proposals will replicate many of the problems in the existing regime, while adding new ones.

What the New Protocol Might Contain

The Terms of Reference for the drafting of this new second protocol reveal some areas that may be included in the final proposal.

Simplified mechanisms for cross border access

T-CY has flagged a number of new mechanisms it believes will streamline cross-border data access. The terms of reference mention a ‘simplified regime’ for legal assistance with respect to subscriber data. Such a regime could be highly controversial if it compelled companies to identify anonymous online activity without prior judicial authorization. The terms of reference also envision the creation of “international production orders.” Presumably these would be orders issued by one court under its own standards, but that must be respected by Internet companies in other jurisdictions. Such mechanisms could be problematic where they do not respect the privacy and due process rights of both jurisdictions.

Direct cooperation

The terms of reference also call for "provisions allowing for direct cooperation with service providers in other jurisdictions with regard to requests for [i] subscriber information, [ii] preservation requests, and [iii] emergency requests." These mechanisms would be permissive, clearing the way for companies in one state to voluntarily cooperate with certain types of requests issued by another, and even in the absence of any form of judicial authorization.

Each of the proposed direct cooperation mechanisms could be problematic. Preservation requests are not controversial per se. Companies often have standard retention periods for different types of data sets. Preservation orders are intended to extend these so that law enforcement have sufficient time to obtain proper legal authorization to access the preserved data. However, preservation should not be undertaken frivolously. It can carry an accompanying stigma, and exposes affected individuals’ data to greater risk if a security breach occurs during the preservation period. This is why some jurisdictions require reasonable suspicion and court orders as requirements for preservation orders.

Direct voluntary cooperation on emergency matters is challenging as well. While in such instances, there is little time to engage the judicial apparatus and most states recognize direct access to private customer data in emergency situations, such access can still be subject to controversial overreach. This potential for overreach--and even abuse--becomes far higher where there is a disconnect between standards in requesting and responding jurisdictions.

Direct cooperation in identifying customers can be equally controversial. Anonymity is critical to privacy in digital contexts. Some data protection laws (such as Canada’s federal privacy law) prevent Internet companies from voluntarily providing subscriber data to law enforcement.

Safeguards

The terms of reference also envision the adoption of “safeguards”. The scope and nature of these will be critical. Indeed, one of the strongest criticisms of the original Cybercrime Convention has been its lack of specific protections and safeguards for privacy and other human rights. The EDRi Letter calls for adherence to the Council of Europe’s data protection regime, Convention 108, as a minimum prerequisite to participation in the envisioned regime for cross-border access, which would provide some basis for shared privacy protection. The letter also calls for detailed statistical reporting and other safeguards.

What’s next?

On 18 September, the T-CY Bureau will meet with European Digital Rights (EDRi) to discuss the protocol. The first meeting of the Drafting Group will be held on 19 and 20 September. The draft Protocol will be prepared and finalized by the T-CY, in closed session.

Law enforcement agencies are granted extraordinary powers to invade privacy in order to investigate crime. This proposed second protocol to the Cybercrime Convention must ensure that the highest privacy standards and due process protections adopted by signatory states remain intact.

We believe that the Council of Europe T-CY Committee — Netherlands, Romania, Canada, Dominican Republic, Estonia, Mauritius, Norway, Portugal, Sri Lanka, Switzerland, and Ukraine — should concentrate first on fixes to the existing MLAT process, and they should ensure that this new initiative does not become an exercise in harmonization to the lowest common denominator of international privacy protection. We'll be keeping track of what happens next.

[syndicated profile] eff_feed

Posted by sophia

The First Amendment protects the right of members of the public to record first responders addressing medical emergencies, EFF argued in an amicus brief filed in the federal trial court for the Northern District of Texas. The case, Adelman v. DART, concerns the arrest of a Dallas freelance press photographer for criminal trespass after he took photos of a man receiving emergency treatment in a public area.

EFF’s amicus brief argues that people frequently use electronic devices to record and share photos and videos. This often includes newsworthy recordings of on-duty police officers and emergency medical services (EMS) personnel interacting with members of the public. These recordings have informed the public’s understanding of emergencies and first responder misconduct.

EFF’s brief was joined by a broad coalition of media organizations: the Freedom of the Press Foundation, the National Press Photographers Association, the PEN American Center, the Radio and Television Digital News Association, Reporters Without Borders, the Society of Professional Journalists, the Texas Association of Broadcasters, and the Texas Press Association.

Our local counsel are Thomas Leatherbury and Marc Fuller of Vinson & Elkins L.L.P.

EFF’s new brief builds on our amicus brief filed last year before the Third Circuit Court of Appeals in Fields v. Philadelphia. There, we successfully argued that the First Amendment protects the right to use electronic devices to record on-duty police officers.

Adelman, a freelance journalist, has provided photographs to media outlets for nearly 30 years. He heard a call for paramedics to respond to a K2 overdose victim at a Dallas Area Rapid Transit (“DART”) station. When he arrived, he believed the incident might be of public interest and began photographing the scene. A DART police officer demanded that Adelman stop taking photos. Despite Adelman’s assertion that he was well within his constitutional rights, the DART officer, with approval from her supervisor, arrested Adelman for criminal trespass.

Adelman sued the officer and DART. EFF’s amicus brief supports his motion for summary judgment.

[syndicated profile] eff_feed

Posted by kim

Since 2014, our digital security guide, Surveillance Self-Defense (SSD), has taught thousands of Internet users how to protect themselves from surveillance, with practical tutorials and advice on the best tools and expert-approved best practices. After hearing growing concerns among activists following the 2016 US presidential election, we pledged to build, update, and expand SSD and our other security education materials to better advise people, both within and outside the United States, on how to protect their online digital privacy and security.

While there’s still work to be done, here’s what we’ve been up to over the past several months.

SSD Guide Audit

SSD is consistently updated based on evolving technology, current events, and user feedback, but this year our SSD guides are going through a more in-depth technical and legal review to ensure they’re still relevant and up-to-date. We’ve also put our guides through a "simple English" review in order to make them more usable for digital security novices and veterans alike. We've worked to make them a little less jargon-filled, and more straightforward. That helps everyone, whether English is their first language or not. It also makes translation and localization easier: that's important for us, as SSD is maintained in eleven languages.

Many of these changes are based on reader feedback. We'd like to thank everyone for all the messages you've sent and encourage you to continue providing notes and suggestions, which helps us preserve SSD as a reliable resource for people all over the world. Please keep in mind that some feedback may take longer to incorporate than others, so if you've made a substantive suggestion, we may still be working on it!

As of today, we’ve updated the following guides and documents:

Assessing your Risks

Formerly known as "Threat Modeling," our Assessing your Risks guide was updated to be less intimidating to those new to digital security. Threat modeling is the primary and most important thing we teach at our security trainings, and because it’s such a fundamental skill, we wanted to ensure all users were able to grasp the concept. This guide walks users through how to conduct their own personal threat modeling assessment. We hope users and trainers will find it useful.

SSD Glossary Updates

SSD hosts a glossary of technical terms that users may encounter when using the security guide. We’ve added new terms and intend on expanding this resource over the coming months.

How to: Avoid Phishing Attacks

With new updates, this guide helps users identify phishing attacks when they encounter them and delves deeper into the types of phishing attacks that are out there. It also outlines five practical ways users can protect themselves against such attacks.

One new tip we added suggests using a password manager with autofill. Password managers that auto-fill passwords keep track of which sites those passwords belong to. While it’s easy for a human to be tricked by fake login pages, password managers are not tricked in the same way. Check out the guide for more details, and for other tips to help defend against phishing.
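As an added illustration of why autofill resists fake login pages (example code written for this post, not part of the SSD guide), here is a minimal model of a password manager's origin check; the vault entries and the URLs are constructed sample values.

```javascript
// Added example (not code from the SSD guide): a minimal model of a
// password manager's autofill decision. Saved logins are keyed by the
// exact origin (scheme + host + port) they were stored on, so a lookalike
// host never matches, however convincing the page looks to a human.

// Constructed sample vault: one saved login per origin.
const vault = new Map([
  ["https://accounts.example.com", { user: "alice", pass: "s3cret-sample" }],
  ["https://mail.example.org", { user: "alice@example.org", pass: "hunter2-sample" }],
]);

// Reduce a page URL to its canonical origin. WHATWG URL parsing lowercases
// scheme and host, drops default ports and applies IDNA, so a Unicode
// homograph host becomes an "xn--" punycode label that cannot collide with
// the ASCII site. Anything unparsable yields null, which never matches.
function originOf(pageUrl) {
  try {
    const origin = new URL(pageUrl).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// Return the saved credential for this page, or null. This is an exact
// origin lookup with no substring, prefix or "looks similar" logic, which
// is precisely why a phishing page gets nothing filled in.
function credentialFor(pageUrl) {
  const origin = originOf(pageUrl);
  return origin === null ? null : (vault.get(origin) || null);
}

// Evaluate a batch of page URLs and report which ones would be filled.
function autofillDecisions(pageUrls) {
  return pageUrls.map((url) => ({ url, fills: credentialFor(url) !== null }));
}

// Constructed URLs a user might reach from a link in an e-mail.
const probes = [
  "https://accounts.example.com/login",           // genuine site: fills
  "HTTPS://Accounts.Example.com:443/login",       // same origin, odd casing: fills
  "http://accounts.example.com/login",            // plain http: no
  "https://accounts-example.com/login",           // hyphen lookalike: no
  "https://accounts.example.com.evil.test/login", // real name as a prefix: no
  "https://accounts.exаmple.com/login",           // Cyrillic "а" homograph: no
  "not a url",                                    // unparsable: no
];
for (const d of autofillDecisions(probes)) console.log(d.fills ? "FILL" : "skip", d.url);
```

Only the two URLs that canonicalize to the saved origin are filled; every lookalike, scheme downgrade and homograph is skipped, which is the behaviour the tip relies on.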

How to: Use Tor

We updated How to: Use Tor for Windows and How to: use Tor for macOS and added a new How to: use Tor for Linux guide to SSD. These guides all include new screenshots and step-by-step instructions for how to install and use the Tor Browser—perfect for people who might need occasional anonymity and privacy when accessing websites.

How to: Install Tor Messenger (beta) for macOS

We've added two new guides on installing and using Tor Messenger for instant communications. In addition to going over the Tor network, which hides your location and can protect your anonymity, Tor Messenger ensures messages are sent strictly with Off-the-Record (OTR) encryption. This means your chats with friends will only be readable by them—not a third party or service provider. Finally, we believe Tor Messenger is employing best practices in security where other XMPP messaging apps fall short. We plan to add installation guides for Windows and Linux in the future.

Other guides we've updated include circumventing online censorship, and using two-factor authentication.

What’s coming up?

Continuation of our audit: This audit is ongoing, so stay tuned for more security guide updates over the coming months, as well as new additions to the SSD glossary.

Translations: As we continue to audit the guides, we’ll be updating our translated content. If you’re interested in volunteering as a translator, check out EFF’s Volunteer page.

Training materials: Nothing gratifies us more than hearing that someone used SSD to teach a friend or family member how to make stronger passwords, or how to encrypt their devices. While SSD was originally intended to be a self-teaching resource, we're working towards expanding the guide with resources for users to lead their friends and neighbors in healthy security practices. We’re working hard to ensure this is done in coordination with the powerful efforts of similar initiatives, and we seek to support, complement, and add to that collective body of knowledge and practice.

Thus we’ve interviewed dozens of US-based and international trainers about what learners struggle with, their teaching techniques, the types of materials they use, and what kinds of educational content and resources they want. We’re also conducting frequent critical assessment of learners and trainers, with regular live-testing of our workshop content and user testing evaluations of the SSD website.

It’s been humbling to observe where beginners have difficulty learning concepts or tools, and to hear where trainers struggle using our materials. With their feedback fresh in mind, we continue to iterate on the materials and curriculum.

Over the next few months, we are rolling out new content for a teacher’s edition of SSD, intended for short awareness-raising one to four hour-long sessions. If you’re interested in testing our early draft digital security educational materials and providing feedback on how they worked, please fill out this form by September 30. We can’t wait to share them with you.


[syndicated profile] science_blog_feed

Posted by ScienceBlog.com

Cells secrete nanoscale packets called exosomes that carry important messages from one part of the body to another. Scientists from MIT and other institutions have ... Read more
