Techdirt Lite.

Senators Burr & Feinstein Write Ridiculous Ignorant Op-Ed To Go With Their Ridiculous Ignorant Bill (Failures)

by Mike Masnick

from the learn-something-people dept on Friday, April 29th, 2016 @ 10:38AM
Senators Richard Burr and Dianne Feinstein are not giving up that quickly on their ridiculous and technically ignorant plan to outlaw real encryption. The two have now penned an op-ed in the WSJ that lays out all the same talking points they've laid out before, without adding anything new. Instead, it just continues to make statements that show how incredibly ignorant they are. The piece is called Encryption Without Tears (and may be paywalled, though by now everyone knows how to get around that), which already doesn't make any sense. What they're pushing for is ending basic encryption, which will lead to many, many tears.

It starts out with their standard ridiculous line, pretending that because a company builds end-to-end encryption, it's acting "above the law."
"In an increasingly digital world, strong encryption of devices is needed to prevent criminal misuse of data. But technological innovation must not mean placing individuals or companies above the law."
People have gone over this time and time again: this is not about anyone being "above the law." It's about whether or not companies can be forced to directly undermine the safety and security of their products (and the public). A paper shredder can destroy evidence. A paper shredder maker is not "above the law" when it decides not to build a system for piecing back together the shreds.

And speaking of "above the law" I still don't see Feinstein or Burr commenting on the FBI/DOJ announcing that it will ignore a court order to reveal how it hacked into computers over Tor. That is being above the law. That involves a situation where a court has asked for information that the FBI absolutely has. The FBI is just saying "nope." If Burr and Feinstein are really worried about being "above the law," shouldn't they worry about this situation?
"Over the past year the two of us have explored the challenges associated with criminal and terrorist use of encrypted communications. Two examples illustrate why the status quo is unacceptable."
I love this. They give two examples that have been rolled out a bunch in the last few weeks. The attack in Garland, Texas, where the attackers supposedly exchanged some messages with potential ISIS people, and the case of Brittney Mills, who was tragically murdered, and whose case hasn't been solved. Mills had her smartphone, but no one can get into it. Of course, it took nearly two years of fretting before law enforcement could dig up these two cases, and neither makes a very strong argument for why we need to undermine all encryption.

It's a simple fact that law enforcement never gets to have all of the evidence. In many, many, many criminal scenarios, that's just the reality. People destroy evidence, or law enforcement doesn't find it or law enforcement just doesn't understand it. That's not the end of the world. This is why we have police detectives, who are supposed to piece together whatever evidence they do have and build a picture for a case. Burr and Feinstein are acting like in the past, law enforcement immediately was handed all evidence. That's never been the way it works. Yes, law enforcement doesn't get access to some information. That's how it works.

You don't go and undermine the very basis of computer security just because law enforcement can't find a few pieces of evidence.
"Our draft bill wouldn’t impose a one-size-fits-all solution on all covered entities, which include device manufacturers, software developers and electronic-communications services. The proposal doesn’t define the technological solutions or tell businesses how to solve the problem."
This is also misleading. The bill requires an end to real encryption. That's it. Real encryption means that only one person has the key. This is what Burr and Feinstein don't seem to get. They seem to think it's trivial to leave a key with Apple or whoever. But as basically every crypto expert has explained, it is not. Doing so creates a vulnerability... and worse, it's a vulnerability that cannot be patched. That's hellishly dangerous. Sure, the bill doesn't tell them exactly how to do this, but it does make it clear: you cannot offer real encryption, you can only offer something that can be hacked. That's a problem.
"We want to provide businesses with full discretion to decide how best to design and build systems that maintain data security while at the same time complying with court orders."
We want to provide businesses with full discretion to decide how best to travel back in time, in order to prevent crimes.

Seriously: this is basically the same thing that Burr and Feinstein are saying here. They're asking for something that's impossible, and acting like it's a routine suggestion. If they need to comply with these All Writs Act style orders, they cannot build systems that maintain data security. That's a fact. It's mind-boggling that Burr and Feinstein still can't understand this.
"Critics in the industry suggest that providing access to encrypted data will weaken their systems. But these same companies, for business purposes, already maintain and have access to vast amounts of encrypted personal information, such as credit-card numbers, bank-account information and purchase histories."
Argh. This paragraph shows that whatever poor staffer Burr and Feinstein assigned to write this drivel doesn't understand even the first thing about what he or she is talking about. Storing encrypted passwords, credit card info, bank account info, etc. is a totally different thing. Those are encrypted to keep them safe, and part of the reason they're encrypted is so that even those companies cannot reveal them. This point is making the opposite point of what Burr and Feinstein think. Companies encrypt passwords and credit card info and the like so that they're not storing the plaintext info, and there's no easy way for anyone to get that info. This protects user data, and the companies cannot actually provide the plaintext. They're comparing hashes. That's what keeps it safe.

If we received a court order demanding our users' passwords, we couldn't provide them. Because they're encrypted. We don't know our users' passwords and can't give them to you. When someone logs in to our website, we can compare a hash of their password to our hashed version and then if they match, we let them in. But we don't know what their password is. So this is a terrible example that actually goes against what Burr and Feinstein are saying. Those encrypted stores of information would be illegal under this bill!
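The login check described above, as an added example that is not Techdirt's own code: a site stores only a salt and a one-way digest, verifies a login by re-deriving the digest, and has nothing resembling the password to hand over. PBKDF2 from the Python standard library stands in for whatever password-hashing function a site uses; the `UserStore` class, its method names, the iteration count and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this sketch; tune it to your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a site stores: salt, iteration count and digest only."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["digest"]))


class UserStore:
    """Hypothetical in-memory user table standing in for a site's database."""

    def __init__(self) -> None:
        self._rows = {}
        # Record for a random throwaway secret, so a login attempt for an
        # unknown user costs the same work as one for a real user.
        self._dummy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        # The plaintext is used once to derive the digest and is never stored.
        self._rows[username] = hash_password(password)

    def login(self, username: str, candidate: str) -> bool:
        row = self._rows.get(username, self._dummy)
        matched = verify_password(row, candidate)
        return matched and username in self._rows

    def export_for_order(self, username: str) -> dict:
        """Everything the operator holds about a user's password."""
        return dict(self._rows[username])


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))
    print(store.login("alice", "wrong guess"))
    # Per-user salts make the two stored digests differ, and neither
    # record contains the password itself.
    print(store.export_for_order("alice"))
    print(store.export_for_order("bob"))
```
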
"We are not asking companies to provide law enforcement with unfettered access to encrypted data. We aren’t even asking companies to tell the government how they gain access to this encrypted data. All we are doing is asking companies to find a way to keep their data secure while also cooperating with law enforcement in terrorism and criminal investigations."
Again, that last line is impossible. They're asking the impossible -- and in the process, making everyone less safe. The only way to provide such info to law enforcement is to no longer keep the data truly secure. And the big concern is not unfettered access for law enforcement, but rather whatever this backdoor means for those with malicious intent, who will be very, very, very focused on finding these vulnerabilities and exploiting them.
"President Obama said earlier this year, “You cannot take an absolutist view on this.” We agree—and believe that strong data security and compliance with the justice system don’t have to be mutually exclusive."
Because you don't know what you're talking about.
"American technology companies have done some amazing things that are the envy of the world. We think that finding a way to achieve both goals simultaneously is not beyond their capabilities."
So, in the end, despite basically every cryptography expert telling them this is impossible, Burr and Feinstein come back with "NERD HARDER, NERDS!"

FBI Spent $1.3 Million To Not Even Learn The Details Of The iPhone Hack... So Now It Says It Can't Tell Apple ((Mis)Uses of Technology)

by Mike Masnick

from the wtf dept on Friday, April 29th, 2016 @ 9:29AM
Once the DOJ told the court in San Bernardino that it had succeeded in hacking into the iPhone of Syed Farook, the big question people asked is whether or not the FBI would then tell Apple about the vulnerability. After all, the administration set up the so-called "Vulnerabilities Equities Policy" (VEP) with the idea of sharing most vulnerabilities it discovers with companies. The White House directly stated:
"One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.

"This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities – so that everyone can have confidence in the integrity of the process we use to make these decisions. We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else."
Of course, there's a big "but" there -- and it's that there's an "exception" for law enforcement. Last fall, after (yet another) big legal fight, the good folks over at the EFF finally got access to the VEP details and you can now read a (heavily redacted) version.

Still, one could make a strong case that this vulnerability should be disclosed... even if almost no one expected it to be. Amusingly, just a few days ago, Apple revealed that the FBI used the VEP to disclose a vulnerability for the very first time, on April 14th, just as everyone was arguing about this. Of course, the flaw it revealed was not about hacking into the iPhone, and was actually about a flaw that Apple had discovered and fixed... nine months ago. But, again, if this is the very first time the FBI has disclosed something to Apple, it certainly suggests that the VEP process generally means nothing gets disclosed. In fact, the timing of this really suggests that someone in the DOJ recently flipped out and realized that there's now going to be scrutiny on the VEP, so they might as well disclose something. Thus, they found an old bug that had already been patched and "revealed" it.

Either way, things got stranger a couple of days later, when the FBI -- which had already admitted to paying over $1 million to access Farook's iPhone -- said that, for all that money, the people it hired never explained the vulnerability. They just opened the phone. Really.
“The F.B.I. purchased the method from an outside party so that we could unlock the San Bernardino device,” Amy S. Hess, executive assistant director for science and technology, said in a statement.

“We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review” by the White House examiners, she said.
Now, some are arguing that this suggests absolutely terrible bargaining on the side of the DOJ/FBI. But, another interpretation is that it's how the DOJ knew that it wouldn't have to reveal the flaw to Apple. Of course, this might also explain why the DOJ at one point appeared to claim that the hack in question only worked for Farook's phone. They later claimed that was a misstatement, and it really meant that it only applied to that iPhone configuration. But, if the FBI never actually got the details, then in some sense they'd be right that for the FBI the crack only worked for that one phone. And if they wanted to do it on another phone, they'd have to shell out another ~$1 million or so...

Reputation Management Revolution: Fake News Sites And Even Faker DMCA Notices (Copyright)

by Tim Cushing

from the the-dishonest-leading-the-dishonest-into-a-new-world-of-unaccountability! dept on Friday, April 29th, 2016 @ 8:32AM

Pissed Consumer has uncovered another apparent case of bad reputation management, this one revolving around bogus websites facilitating bogus DMCA takedowns. It previously exposed a pair of lawyers using shell companies and highly-questionable defamation lawsuits to force Google to delist negative reviews hosted around the web. These faux litigants always managed to not only find the supposed "defamers," but to also obtain a signed admission within 48 hours of the lawsuit being filed -- a process that usually takes weeks or months, especially if the alleged "defamer" utilizes anything other than their real name when posting negative reviews.

In this case, the reputation management scheme involves the use of hastily-set up "news" sites that contain a blend of scraped content and negative reviews hosted at sites like Yelp, Ripoff Report and Pissed Consumer.

Frankfort Herald, frankfortherald.com is a newspaper website that, despite its trustworthy name, has never really existed, for all intents and purposes, before January 2016 (according to archive.org). However, this did not stop them from sending a DMCA notice to Google claiming that they were the owners of the copyrighted material from Pissed Consumer that was published back in 2012.

On April 15, 2016 Pissed Consumer received a takedown notice for a review where frankfortherald.com claimed that they originally wrote the piece of news in question back on January 5, 2012. The review is about Brad Kuskin, and they claimed they had it published only 2 days prior to the article appearing on PissedConsumer.com.
Here's the supposed news article Frankfort Herald claims it owns in its bogus DMCA takedown notice.

The scheme is just as stupid as convicted fraudster Sean Gjerde's rep management Hail Mary: post copies of reviews or articles you want to see vanished at your own website and then issue DMCA notices claiming you own the words of others. It seldom works and tends to draw more attention to the content someone's trying to hide. (Of course, Sean Gjerde went the extra mile and tried to have the FBI's press release about his conviction delisted by Google…)

That's not the only negative content masquerading as "news" at the Frankfort Herald. There's also a negative Yelp review about a Spanish language school, a Ripoff Report review of a Georgia law firm and a CBS story about an apparent scam artist who suckered parents into shelling out thousands of dollars by pretending he was scouting talent for Disney. Disney disavowed any connection to the event. All of these have been targeted by bogus takedown notices under several names linked to the definitely-not-a-local-news-site "Frankfort Herald."

Whoever's behind that site has issued bogus takedown notices under the name "Heart Broadcasting" (a name that can only be found in the Frankfort Herald's site footer), "Frankfort Herald News Corp.," and "Frankfort News Corp." Perhaps most idiotically, it has co-opted the name of one of the world's biggest publishers in hopes of giving its bogus takedowns a veneer of respectability: "Hearst Media LLC."

Other fake "news" sites containing a jumble of scraped content and completely unrelated negative reviews have also issued bogus takedown notices within the last 30 days.

AthaNews sent one on March 25th where the sender claims the following is the result of their journalistic efforts:

Bought a house from Lala Ragimov and her “Developer” Husband “Tod”. On the surface their renovatinos seem solid but there were several red flags that I now wish we listened to. 1) “The Ragimov’s” are effectively the same entity. The claim of a seperate relator vs. develoiper and the games they play about “checking with the developer” are a joke. They are husband and wife! 2) We were told our roof was new but the condition was listed as “unknown” in discolsures. We were told this is common since the roof was repaired not replaced. The building was also conviently too tall to bring an inspector with a ladder without a special fee. The result? Leaks almost immideatley! [...]
Of course, the alleged infringer is none other than Ripoff Report, which shamelessly claimed this "journalist's" misspelling-laden "exposé" into a local realtor as its own. [eyeroll] AthaNews' mission statement -- found in the website's footer -- is lorem ipsum translated into English.

SEI World News is doing the same thing. It issued a DMCA notice to Google on April 7th, claiming one of its "news articles" was being "copied."

I am senior editor and my article is copied . Just to harm my reputation online . The article owner anonymously copied my content . Please look into this matter .
Once again, Ripoff Report is home to the targeted URL. SEI World has been playing this game for several months now, targeting negative reviews at other sites with bogus claims of "copied" articles.

Searching Google's DMCA database using Ripoff Report as the target uncovers all sorts of "news" sites claiming negative reviews hosted elsewhere are the genuine byproduct of their journalistic endeavors. "Mass Communications Inc.?" Bogus takedown of a Ripoff Report review. Some site called "Global Girl Magazine" wants Ripoff Report to stop ripping off its "journalist's" work -- which is apparently something about a fund manager with an alleged penchant for scamming clients after taking their retainer fees, written in the first person. The same thing goes for the "Lewisburg Tribune." And so on...

The clustering of DMCA notices seems to point to a single reputation management bozo pulling the strings on multiple websites like a more focused Patrick Zarrelli. On the other hand, the scattershot approach and slippery grasp of the English language exhibited in the DMCA notices may indicate this is nothing more than a bunch of Fiverr freelancers making reputation management promises they can't keep. In some cases, it appears to have worked. Several of the bogus takedowns show Google has taken action and delisted links. But those victories will only be temporary. Any challenge from a legitimate site should see these decisions swiftly reversed.


The Cable Industry Threatens To Sue If FCC Tries To Bring Competition To Cable Set Top Boxes ((Mis)Uses of Technology)

by Karl Bode

from the you-see,-we-don't-really-do-competition dept on Friday, April 29th, 2016 @ 6:37AM
Back in February the FCC voted on a new plan to open up the traditional cable box to competition. According to a fact sheet being circulated by the agency (pdf), under the FCC's plan you'd still pay your cable company for the exact same content; cable operators would simply have to design systems -- using standards and copy protection of their choice -- that delivered this content to third-party hardware. The FCC's goal is cheaper, better hardware and a shift away from the insular gatekeeper model the cable box has long protected.

Given this would obliterate a $21 billion captive market in set top box rental fees -- and likely direct consumers to more third-party streaming services -- the cable industry has been engaged in an utterly adorable new hissy fit. This breathless hysteria has primarily come in the form of an endless stream of editorials -- most of which fail utterly to disclose financial ties to cable -- claiming that the FCC's plan will boost piracy, hurt privacy, "steal the future," and even harm ethnic diversity.

And now, the industry is also threatening a lawsuit. As the industry argued with Title II, net neutrality, and everything else, former FCC boss turned top cable lobbyist Michael Powell is arguing that the FCC has once again overstepped its regulatory authority:
"An agency of limited jurisdiction has to act properly within that jurisdiction," Powell said, making it abundantly clear the NCTA does not believe the FCC has not done so in this case. He said that the statute empowers the FCC to create competition in navigation devices, not new services. "Every problem does not empower an FCC-directed solution. The agency is not an agency with unbridled plenary power to roam around markets and decide to go fix inconveniences everywhere they find them irrespective of the bounds of their authority.
Except unlike net neutrality, telecom policy wonks like Public Knowledge's Harold Feld (who probably spends more time wading through FCC policy and legal issues than anybody on earth) note there's absolutely no doubt the FCC has the authority to act here:
"First, it’s important to recognize that the cable folks were already in front of the D.C. Circuit three times on this issue, and lost each time. See General Instrument Corp. v. FCC, 213 F.3d 724 (D.C. Cir. 2000); Charter Communications Corp. v. FCC, 461 F.3d 31 (D.C. Cir. 2006); and Comcast Corp. v. FCC. In each of these cases, the cable industry made similar statutory arguments about the limits of FCC authority in Section 629. On each occasion, the D.C. Cir. — which was a lot more pro-business and anti-FCC back then, rejected them.

Despite being 0-3 on all challenges to the FCC’s 629 rules to date, NCTA’s cadre of lawyers assures us that this time will be totally different because FCC, overreach, regulation, power mad, Title II, Google too, Leonard Bernstein Leonid Brezhnev, Lenny Bruce, and Tom Wheeler END OF THE WORLD AS WE KNOW IT!! Or something like that.
So if the cable industry's lawsuit goes nowhere, its only other hope is that it can convince the public via editorials, sockpuppetry and astroturfing that the FCC's plan isn't actually about helping consumers, it's just a power-crazed attempt by "big tech" (read: Google, Amazon) to treat poor, under-appreciated cable companies unfairly. The problem with this effort, as usual, is that the cable industry remains the least liked industry in America thanks to a generation of anti-competitive behavior. Therefore the only folks likely to buy the cable industry's argument here are those with a political axe to grind (conflating government over-reach in other areas with the FCC's attempts to fix a broken telecom market), or those that tend to profit from said broken telecom and TV market.

If there's any question at all about the FCC's effort, it's whether or not the agency would find its time better spent focusing its regulatory calories on shoring up broadband competition, since the rise of Internet video is inevitably destined (even though it may take another decade) to put the lame old cable box out to pasture without government intervention.