So, just last week we had a post by Kevin Bankston from the Open Technology Institute arguing for some basic steps towards much greater data portability on social media. The idea was that the internet platforms had to make it much easier to not just download your data (which most of them already do), but to make it useful elsewhere. Bankston's specific proposal included setting clear technical standards and solving the graph portability project. In talking about standards, Bankston referenced Google's data transfer project, but that project has taken a big step forward today announcing a plan to let users transfer data automatically between platforms.

The "headline" that most folks are focusing on is that Google, Facebook, Microsoft and Twitter are all involved in the project (along with a few smaller companies), meaning that it should lead to a situation where you could easily transfer data between them. As it stands right now, the various services let you download your data, but getting it into another platform is still a hassle, making the whole "download your data" thing not all that useful beyond "oh, look at everything this company has about me." Making a system where you can easily transfer all that data to another platform without having to manage the transition yourself or being left with a bunch of useless data is a big step forward -- and a huge step towards giving users much more significant control over their data.

But the really important thing that this may lead to is not so much about transferring your data between one of the giant platforms, but hopefully in opening up new businesses which would allow you to retain much greater control over your data, while limiting how much the platforms themselves keep. This is something we've talked about in the past concerning the true power of data portability. Rather than having it tied up in silos connected to the services you use, wouldn't it be much better if I could keep a "data bank" of my data in a place that is secure -- and where if and when I want to I can allow various services to access that data in order to provide the services I want?

In other words, for many years I've complained about how we've lost the promise of cloud computing in just building up giant silos of data connected to the various online services. If we can separate out the data layer from the service layer, then we can get tremendous benefits, including (1) more end-user control over their own data (2) more competitive services and (3) less power to dominate everything by the biggest platforms. Indeed, we could even start to move towards a world of protocols instead of platforms.

Of course, this is only one step in that direction, but it's a big one. And, yes, it's notable that the big platforms are all working on this together, since it has the potential to undermine their own powerful position. But it's absolutely the right thing for them to do, and hopefully we'll start to see much more interesting services pop up out of this. If it only ends up allowing people to shift between Google and Facebook that will be a failure. If it enables new services and more end user control over data -- forcing various services to compete and provide better value in exchange for accessing our data -- that would be a huge step forward in how the internet functions.

The Complete Raspberry Pi Hacker Bundle will teach you all you need to know about Raspberry Pi 3 for only $19. You'll learn how to easily prepare an SD card and flash it for any OS and how to work with GPIO pins and learn how to programmatically control them with Python. You'll be building a gaming system to play old Nintendo, Sega, and Playstation games, a personal digital assistant using the Google Assistant API, your own GPS tracking system, and much more.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

It didn't take long for numerous customers to complain they were the victim of the same scam, and for T-Mobile to send out a warning to users encouring them to add a few layers of additional security to their account.

But the problem appears to be even worse than originally believed. A new report takes a closer look at the problem, exploring how identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. The entire process tap dances around protections like two-factor authentication, and highlights the peril of relying too heavily on a single cell phone number for identity verification in apps and other services.

Carriers, for their part, don't much like to publicly talk about the problem. In part because it's occasionally their employees that are helping to facilitate the scams for a little extra cash:

"Thug and Ace explained that many hackers now recruit customer support or store employees who work at T-Mobile and other carriers and bribe them $80 or $100 to perform a SIM swap on their target. Thug claimed they got access to the T-Mobile tool by bribing an insider, but Motherboard could not verify this claim. T-Mobile declined to answer questions on whether the company had any evidence of insiders being involved in SIM swap scams."

Quite often, those cellular carrier employees are more than happy to provide hackers with direct access to cellular carrier support systems:

"(One hacker) said they do SIM swaps by using an internal T-Mobile tool to look up subscribers’ data. During our chat, the hacker showed me a screenshot of them browsing the tool. I gave (the hacker) my phone number as a test, and the hacker sent back a screenshot that contained my home address, IMSI number (a standardized unique number that identifies subscribers), and other theoretically secret account information. Thug even saw the special instructions that I gave T-Mobile to protect my account.

As is their usual MO, wireless carriers don't much want to have a serious conversation about the problem, and often insist that it's only impacting a few, rare accounts (in stark contrast to the laundry list of increasing complaints seen over the last few years):

"Motherboard reached out to AT&T, Verizon, Sprint, and T-Mobile—the big four US cell phone providers—requesting data on the prevalence of SIM swapping. None of them agreed to provide such information. An AT&T spokesperson said this kind of fraud “affects a small number of our customers and this is rare for us,” but did not respond when asked to clarify what “small number” means.

There's some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from your cellphone (or 1-800-937-8997), then tell a support staffer that you want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time protecting their customers from security threats.

While the United States walks away from the concept of net neutrality, India just passed some of the toughest net neutrality rules in the world. You'll recall that net neutrality became a hot topic over in India when Facebook tried to roll out a walled-garden service known as "Free Basics." Free Basics provided users free, "zero rated" (usage cap exempt) access to a limited selection of curated content and services chosen by Facebook, something Facebook claimed would immeasurably benefit the nation's poor farmers.

In reality, many pointed out that Facebook's breathless concern for the poor really just masked the company's attempt to corner the ad markets in developing nations. Content providers didn't like Facebook being the one to dictate which services would or wouldn't be included for obvious reasons. Others (like Mozilla) noted that if Facebook was truly interested in connecting developing nations with broadband, it could, you know, actually do that. Others still weren't keen on another white, Western billionaire proclaiming that only he had the magical solution to the nation's problems.

Facebook's response to these concerns wasn't what you'd call impressive, with Zuckerberg insisting those opposed to his plans were simply hurting the poor. That behavior in turn only galvanized activist support for tougher net neutrality rules in the country, the foundations for which were laid last year. There too Facebook engaged in some shady behavior, at one point trying to trick Indian citizens into supporting its plans and opposing meaningful net neutrality protections.

That didn't work, and last week the Indian government put the finishing touches on what, by most measures, are considered some of the toughest net neutrality rules in the world:

Not only do the rules prohibit most of the standard bad behaviors you wouldn't want ISPs to engage in (throttling or blocking competitors, for example), it takes a hard stance against the practice of zero rating, or letting an ISP exempt its own (or say a deep-pocketed partner like Disney or ESPN) content from usage caps, while penalizing competitors. As we've seen in the states, ISPs in India were fine with the bans on blocking and throttling (since most ISPs know such a move would be PR suicide), but expressed disdain at portions of the rules that banned more nuanced, creative areas where anti-competitive behavior occurs today.

You'll also notice some now-common arguments from India's wireless carriers, including claiming that rules banning anti-competitive behavior will "hamper innovation," or insisting that net neutrality somehow prevents wireless carriers from deploying faster, better 5G networks:

“Where the net neutrality recommendations are concerned, we have already expressed our support on issues pertaining to non-discriminatory use of the Internet, including no blocking, no throttling and adoption of same service-same rules. That said, we reiterate our earlier position that a light touch regulatory approach should be adopted so that innovation is not hampered by the Net Neutrality rules,” Rajan S Mathews, director general, COAI, said in a statement.

In particular, COAI believes that industry practices with regard to traffic prioritisation should be reviewed to help “foster 5G-enabled applications”.

“Now that the commission has approved the recommendations, which are before the Cabinet for approval, we hope that the Cabinet will consider the concerns raised by the industry so that the Net Neutrality rules that are adopted in India benefit the consumers, incentivise innovation and adoption of new technologies, and enable the seamless spread of state of the art networks and service,” he added."

Again, if you're an ISP that doesn't engage in anti-competitive behavior, you have nothing to worry about. And the only "creative" or "innovative" behaviors banned by rules (assuming they're crafted properly) are efforts to further abuse a lack of competition in the space. Without them, ISPs have and will do everything in their power to abuse their gatekeeper positions to glean additional revenue. It's a lesson the United States appears intent on learning the hard way.

Once again, we find lawmakers who seemingly championed "strong privacy" rules like the GDPR suddenly freaking out when they realize such laws might apply to government bodies as well. Once again, we have Jason Smith at Indivigital to thank for highlighting the latest mess. This time it involves Irish lawmakers trying to figure out how different government agencies can share data between those agencies in order to provide better services. But, here's the problem: doing so without "consent" would seem to violate the basic concepts of the GDPR, so the Minister of State for Public Procurement, Open Government and eGovernment, Patrick O'Donovan, decided to try to take the easy way out and say that the government should be able to "infer" consent, if someone made use of the government service in the past:

“That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State.”

Now, personally, I agree that this seems like a perfectly reasonable standard for inferring consent under most reasonable conditions. But the problem is that the GDPR generally does not view things that way. This is yet another example of where people who view privacy through a singular lens of "don't do anything at all with my data," often fail to realize how extreme that position is, and how it limits perfectly normal functions.

But, in this case, it comes across as just another example of where governments are saying, "do as I say, not as I do..."

Readers here will likely be aware of the tortured history of Texas A&M's "12th Man" trademark. If you're not, the term describes the fans of the team and their tendency to make so much noise to effect on-field play during games. A&M, which holds a trademark for the term, has made a name for itself as a trademark bully, going around and threatening basically anyone that uses anything remotely like that term, even as it has in the past infringed on the IP of others. The school has been so successful in locking down this term for use in anything sports related that the Seattle Seahawks, the NFL team that also refers to its fans as its "12th Man", pay a licensing fee to the school to do so.

And now that licensing arrangement appears to be part of the reasoning A&M's legal team used to sue a soap company based in Washington State for using the "12th Man" term as well. In the school's filing, embedded below, it argues that because the soap company resides in the same state as the Seahawks, and because the company's soap product "12th Man Hands" includes an image of a football on the packaging, this makes it an infringement on its trademark, despite soap and athletics not being in related marketplaces. The USPTO somehow actually bought this six-degrees-of-licensing-separation argument.

According to the trademark board, the soap company was trying to call to mind the Seahawks’ 12th Man thing when designing the soap. There’s even a football on the “12th Man Hands” soap bar, and the company acknowledged it was trying to reach Seahawks fans, which makes sense because it’s a Washington-based company.  But according to the board, the soap-makers didn’t clear their use of the 12th Man mark with A&M specifically. That appears to have hurt their case.

And the board ruled against the soap company. That's ridiculous for several reasons. First, no linkage in geography, nor the company's desire to reach Seahawks fans, creates confusion on its own in the public. Other than the image of a football, there is no other linkage to the Seahawks at all. It's just a puck of soap with something of a stock image of a football being held by a hand. Nobody is going to look at that and think it was soap branded by the Seahawks.

Secondly, even if the above weren't true, the confusion would be between the soap company and Seahawks, not Texas A&M. Whatever the licensing agreement between the Seahawks and the school, there is absolutely zero chance for anyone in the public thinking that Texas A&M has anything to do with this soap company. That, I'm confident saying, is completely inarguable. If anyone should have sued here, it should have been the Seahawks, and even that suit would have been ridiculous. A&M included information about past licensing deals for soap with other companies, but none of them were for "The 12th Man" use, and all of them were instead for university-specific terms and imagery, such as its logo.

How in the world the Trademark Board ever bought into this is beyond me.

The schadenfreude dripping from this case is positively delicious.

This story of the spectacularly swift rise and fall of a profitable drugs-and-guns bust comes to us via C.J. Ciarmella at Reason, who has his own particularly sumptuous line summing up the debacle.

[F]or police, what looked like a delicious nougat of a drug bust turned out to be the coconut cream of disappointment.

Let's head back to May 18, 2018, when a local media outlet breathlessly acted as law enforcement stenographers to "inform" their viewers about dangerous individuals being taken down by their fearless blue protectors.

A traffic stop by Miami-Dade Police lead to a stunning discovery this week: a car filled with a half dozen assault rifles and pistols, $20,000 in cash and more than 10 bottles with liquids that you normally need prescriptions for including promethazine with cocaine.

“It’s amazing how something as simple as a traffic stop can lead us to crack a lot of cases,” said Miami-Dade Police Detective Alvaro Zabaleta. “A lot of serial killers are behind bars because of traffic stops. These traffic stops lead to so many things in the criminal world and they are never routine. We warn our officers that there is no such thing as a routine traffic stop. You never know what you are going to get.”

First off, it was "promethazine with" codeine, not "cocaine." Second, this is all speculation because the seized bottles weren't tested -- not even with a shit $2 field drug test more prone to producing false positives than a drug dog. Third, the weapons were all legal, and the person who owned them had a permit to conceal them. Fourth, the other person in the car was a stripper.

Why is number four relevant? Well, it has a lot to do with this case falling apart. And that makes this sentence from CBS Miami's obsequious coverage particularly hilarious.

The Miami-Dade Police narcotics bureau is taking a close look at this case and Zabaleta said it is one that shows how risky such traffic stops can be.

The closer look isn't going to help. Because a closer look has already revealed a number of problems with this daring roadside drug/gun bust.

Miami-Dade police is on the hook for legal bills after cops illegally seized a cache of guns — and nearly $20,000 in stripper cash.

The department has agreed to pay more than $3,000 to defense lawyers hired by Ras Cates, 33, and his wife, Lizmixell Batista, a 20-year-old stripper at Cheetah Gentleman's Club in Hallandale Beach.

Up at the top of the list of things that made this all fall apart under closer inspection is officers' decision to bypass the Fourth Amendment on their way to turning a moving violation (police claimed the driver cut them off when entering the road) into splashy drug/gun headlines (with bonus stripper!). That ended the prosecutor's case before it could even get started.

[B]ody-camera footage showed that an officer, while friendly with Cates, never got permission to search the trunk but instead "commanded defendant to pop the trunk," prosecutors wrote.

"Search of the trunk was illegal," prosecutor Johnathan Nobile said in a memo explaining why the state declined to press charges.

Then there was this, which produced an immediate and plausible explanation for the cash:

As for the money, the bills were discovered in Batista's purse. Body-camera footage obtained by the Miami Herald showed she immediately told cops about her cash-only job.

Goodbye, case. Goodbye alleged drug bust. Goodbye $20,000. Goodbye $3,000 in taxpayer funds. Goodbye self-congratulatory statements that probably would have aided the defense had this gone to trial.

But wait! Convictions are never much of an obstacle to legalized theft via civil asset forfeiture, right? Normally, no. But in this case, it appears the county would like to distance itself as quickly as possible from this embarrassment. Plus, there's a really good reason someone might have a ton of cash in small, unmarked bills just laying around. The lawyer for the violated couple says it best:

“I felt that the glitter on the seized cash was compelling evidence, but apparently the police department disagreed," said defense lawyer [Jude] Faccidomo.

The judge saw enough compelling evidence to block the illegal seizure. Another stripper testified on Batista's behalf and the body cam footage apparently did the rest. In less than sixty days, this drug bust has gone from a local triumph (as seen exclusively on CBS Miami!) to the city being $3,000 poorer than it was prior to this officer deciding he could turn a traffic stop into headlines and a cash payout.

Last week I received the following email with my name and a very, very, very old password that I haven't used in probably at least a decade in the subject line (even though I'm not longer using it, I'm editing it out of this because... it's still weird):

I am aware, ********, is your pass word. You don't know me and you're probably wondering why you're getting this mail, right?

In fact, I actually installed a malware on the adult videos (adult porn) site and there's more, you visited this site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) having a key logger which provided me with access to your screen and cam. Immediately after that, my software collected all of your contacts from your Messenger, FB, and email.

What exactly did I do?

I created a double-screen video. First part displays the video you were watching (you have a nice taste rofl), and 2nd part shows the recording of your web cam.

exactly what should you do?

Well, I believe, $2900 is a reasonable price for our little secret. You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address: [REDACTED] (It is cAsE sensitive, so copy and paste it)

Note:
You have one day to make the payment. (I've a specific pixel in this e mail, and right now I know that you have read through this email). If I don't receive the BitCoins, I will send your video recording to all of your contacts including members of your family, colleagues, and so forth. However, if I receive the payment, I will erase the video immidiately. If you really want evidence, reply with "Yes!" and I will send your video recording to your 9 friends. This is a non-negotiable offer, and thus do not waste my personal time and yours by responding to this message.

This was immediately obvious as a scam from a hacked database of passwords. Besides the fact that I haven't used that particular password in ages (and even when I did, it was the password I used for "unimportant" sites), there are a whole bunch of other reasons why it was obvious that the email was fake and it would be literally impossible for the person to have whatever it was they claimed to have on me. I found it funny enough that I reached out to some other folks to see if this was getting around, and a few people told me they'd seen similar ones, noting that the final note about sending it to "9 friends" appeared to be an increase from the usual of "5" that they had seen before.

Indeed, Brian Krebs, who is always on top of these things, wrote a story about how a bunch of people got these emails last week. That one only asked for $1400, and also promised to send it to 5 friends. It has a few other slight differences to the one I received, but is pretty clearly sent by the same person/team of people with just a few modifications. Like the ones that Krebs reported on, mine appeared to come from an outlook.com email address. As Krebs notes, he expects that this particular scam is about to get a lot more popular, and will probably use a lot more recent set of passwords:

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.

And, at the very least, this scam appears to be working. It's unclear just how many people are receiving these emails -- and how many people are pointed to the same Bitcoin wallet address to pay -- but the one that Krebs included in his post shows a single payment of approximately $2000. When I first got the email the Bitcoin wallet address in the email I received showed no transactions, but I just looked again and there are two transactions, both within a day of when I received the email (one for .23 Bitcoins or ~$1600 and another for 0.3 Bitcoins or ~$2,000).

Of course, this should be a warning for everyone on a variety of levels:

1. Use a password manager already, and stop saying they're too difficult to use. They are not.
2. Use 2 factor authentication wherever possible
3. Cover your webcam with a sticker or tape or something when not in use
4. Don't believe every stupid threat email you receive
5. Don't randomly pay money to every stupid emailer who pretends to threaten you

Anyway, it will be worth watching how this particular scam evolves, but as Krebs notes, it's likely we'll be seeing it a lot more often as it seems to hit all the key points for a popular internet scam these days.

More "fake news" legislation is on the way. The Cambodian government -- borrowing US presidential rhetoric and bad ideas from neighboring Vietnam (tbf, the Vietnamese government has bad ideas to spare) -- is going to censor local press outlets under the pretense of protecting the public.

The government of Cambodia recently announced a new directive aimed at combating “fake news” that will reportedly, among other restrictions, require all websites to register with Cambodia’s Ministry of Information or face additional scrutiny. The announcement follows a meeting between the prime minister of Vietnam and the prime minister of Cambodia, and comes just ahead of Cambodia’s general election later this month.

This is only the latest move in the Cambodian government's regulation of internet speech. Earlier initiatives created blockades for anything deemed to be a threat to national security and "specialized units" composed of Ministry personnel surfed social media platforms looking for things to prosecute citizens for.

This also follows a couple of incidents seen as contributing to the government's consolidation of power. The sale of the Phnom Pehn Post to a Malaysian businessman whose PR firm does work for the Cambodian prime minister suggested the government wanted to be in the news production business. Another independent press outlet was hit with a large fine and a short deadline, forcing it to close up shop.

One of Cambodia’s most stridently independent newspapers, the Cambodia Daily, published its last edition on Monday with the headline “Descent Into Outright Dictatorship” as it closed amid a crackdown on critics of prime minister Hun Sen.

The English-language paper had been given a deadline of one month to pay $6.3m in years of back taxes, which the publication disputed and described as “astronomical”.

The Daily was a frequent critic of the prime minister and had extensively covered high profile "treason" prosecutions of prominent government critics. This closure followed the government's shutdown of 18 radio stations and the institution of a ban on leasing time to foreign broadcasters like the Voice of America.

Given this backdrop, the new directive appears to have nothing to do with "fake news" as it would have been defined prior to the 2016 election. Instead of combating speculative reporting and outright fabrications, the term -- and the initiative -- will be used to attack anything the ruling class doesn't agree with… just like here in the good old US of A.

Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You'll recall that it's a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon's marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it's a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).

This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security’s Bob Dianchenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.

When Diachenko contacted the firm, he was told that they were a "small shop" and that "keeping track of everything can be tough." In a statement to ZDNet, which first reported the latest exposure, Robocent co-founder Travis Trawick did his best to downplay the exposure by insisting the data was stale, and publicly-available anyway:

"In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years." He confirmed that the company is investigating the scope of the data that was accessible. "All exposed data was publically available information," he said, adding that he will contact affected customers "if required by law."

The problem: what's deemed "publicly available" varies from state to state. While voter data is generally a matter of public record, states like Maine and Massachusetts restrict the use of such data for political campaign purposes. Other States, like South Carolina, have restrictions on only selling said data if you're a registered voter in the state. And while the data may have been stale, it still wasn't adequately protected however you slice it; it was quickly indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be perused at your leisure.

This latest exposure is believed to be the fifth major breach of voter data in the last half-decade. It's a trend that shows no real sign of slowing down despite the simplicity of protecting this data and the rampant press coverage such exposures routinely receive.