We've already made it clear that we're quite concerned about how freedom of expression will fare under President Trump. He has a long history of threatening and/or suing those who cover him factually, but in a manner he dislikes. And while he hasn't (as far as I can tell) threatened to sue anyone since the election, he appears to have become somewhat obsessed with the NY Times. Since winning the election he's tweeted at least six times about the NY Times, insisting (incorrectly) that it was losing subscribers and (incorrectly) that it had "apologized" to readers for its Trump coverage. He also claimed (incorrectly) that it had said he hadn't spoken to foreign leaders -- when the actual article just said that his conversations with foreign leaders happened without State Department briefings (which is fairly stunning). Here's what the NY Times said:
One week after Mr. Trump scored an upset victory that took him by surprise, his team was improvising the most basic traditions of assuming power. That included working without official State Department briefing materials in his first conversations with foreign leaders.
But Trump claimed something entirely different:
And, yes, I know that there are some folks who just flat out hate the NY Times and think that it lies and such. And I've certainly complained my fair share about weak or misleading coverage by the NY Times over the years, but it's still problematic when a President or President-elect is directly attacking any publication. It creates serious chilling effects on reporters. And, it can be even worse than that. As Yashar Ali noted in a Twitter thread, attacking a company as "failing," especially one that is traded on the public markets, has real consequences, potentially harming all sorts of everyday investors.
I'm guessing that many who just hate the NY Times won't care about this, but it is serious. There's a reason why Presidents don't go around attacking companies or saying that they're "failing" or that their business is in trouble. Because that has real consequences. I still don't think that journalists should be suing Trump for defamation, as some have suggested, but it would be nice if our President-elect recognized that going around and attacking the press -- even if he disagrees with its coverage -- is entirely inappropriate.
We've talked a lot about how while the lack of security in Internet of Things devices was kind of funny at first, it quickly became less funny as the dramatic scope of the problem began to reveal itself. Whether it's cars being taken over from an IP address up to ten miles away or the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, folks like security expert Bruce Schneier have made it abundantly clear the check is coming due.
That's particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment are becoming the norm. In fact, hospitals in England recently had to cancel hundreds of surgeries in order to "isolate and destroy" a virus that was running amok across the hospital's IT systems:
"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."
In the kind of transparency that often is the hallmark of these kinds of attacks, the hospital in question (the National Health Service's Northern Lincolnshire and Goole Foundation Trust in the UK) couldn't be bothered to explain the precise nature of the attack. But security expert Brian Krebs notes it's likely part of the growing trend of ransomware attacks on hospitals that cripple administrative and surgical systems until the hospital is willing to pay a bitcoin ransom:
"Earlier this year, experts began noticing that cybercriminals were using ransomware to target hospitals — organizations that are heavily reliant on instant access to patient records. In March 2016, Henderson, Ky.-based Methodist Hospital shut down its computer systems after an infection from the Locky strain of ransomware. Just weeks before that attack, a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.
According to a recent report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016."
Twenty data loss incidents...per day, many of which aren't disclosed and have an exponential impact on human lives and privacy. Ultimately, as other researchers have noted, it's inevitable that as not-particularly-smart devices gain market share around the world, we'll begin to see more and more attacks on vital infrastructure. Another reason why before we get busy offensively waging the cyber, we need to make damn sure existing infrastructure is protected.
As you know, last week, large chunks of the internet spent hours writhing on the ground and totally inaccessible thanks to a giant DDoS attack that appears to have been launched via a botnet involving insecure DVR hardware (which can't be patched -- but that's another post for later). Of course, whenever this kind of thing happens, you know that some people on the politics side of things are going to come up with dumb responses, but there were some real whoppers on Friday. I'm going to focus on just two, because I honestly can't decide which one of these is dumber. I'll discuss each of them, and then you guys can vote and let us know: which of these is dumber.
On Friday she went on CNN to discuss a variety of things, and the first question from Wolf Blitzer was about the DDoS attacks, and her answer is the sort of nonsense word salad that is becoming all too common in politics these days, but where she appears to suggest that if we'd passed SOPA this kind of attack wouldn't have happened. She's not just wrong, she's incredibly clueless.
Here's what she said:
Wolf, you don't know who is behind this, you do not know if it's foreign or domestic. What I do know is over the years we have tried to pass a data security legislation. There's been bipartisan agreement in the House. It has not moved forward in the Senate. We also know that a few years ago we tried to do a bill called SOPA in the House which would require the ISPs to do some governance on these networks and to block some of the bad actors.
And of course, there were all of the cyberbots that took out after us that were trying to say 'no you can't do that you're going to impede our free speech.' We said 'no we're trying to keep the roadway clear and to keep some of these bad actors out of the system.'
So, what you have now, whether it is foreign or domestic, no one knows. No one knows who has released some ransomware, spyware, malware into the system that is cau... and bear in mind also this malware can live on your system for a year or much longer before it is detected.
And that is how you've had some of these extensive data breaches because the malware gets into the system, it rests there, it is pulling information and at some point, it activates. And as I tell my constituents, be careful what websites you go to, be careful what emails you open because you may be unintendedly inviting that malware or spyware into your system.
Okay, so. Almost nothing that is said above has anything to do with the DDoS attack. Not at all. Not the "data protection" bill, which is basically about requiring companies to reveal breaches to those impacted. But most certainly not SOPA, which had nothing whatsoever to do with anything having to do with cybersecurity or online attacks or DDoS. And "cyberbots"? Is she implying that the millions of people who spoke out against SOPA were some sort of fake bots? SOPA wouldn't have done anything to stop this kind of attack at all. It had nothing to do with this issue in any way shape or form. Not that Wolf Blitzer seems to know or care about any of that as he just accepts that answer and moves on.
So that's the first dumb response. Now the second: the IANA transition. We've been discussing this for years, and as we've explained, the transition is a good thing in taking an argument away from countries like Russia and China who have been trying to get more control over internet governance, by dropping an almost entirely superficial connection between the fairly minor IANA function and the US Commerce Dept. The transition happened a few weeks ago and nothing on the internet has changed, nor will it, because of this transition. It's a non-story. But, Ted Cruz tried to make it a story and now it's become a partisan thing for no good reason at all. And thus, given an opportunity, partisan sites are blaming the IANA transition for the DDoS:
Today there was a major attack on a part of the Internet that few people pay any attention to. It’s critically important though, and any disruption threatens both our prosperity as Americans, but also our freedom to communicate with each other.
This is a great reminder of why President Obama’s Internet handover plans are so threatening to our way of life.
Probable foreign attackers effectively took thousands of companies off of the Internet today by attacking a major Domain Name Service (DNS) provider: Dyn. This two-hour outage surely cost many people, very much money.
What is DNS, and why is it so important? Put simply, DNS is the system that tells people how to find you online. It converts the names of servers and sites, into numbers that the Internet Protocol can find. It’s an essential service of the commercial Internet.
And yet Barack Obama is trying to hand control of DNS over to the Chinese and the Russians. Ted Cruz has been warning people about this, and so have I. People tend to tune it out, because it sounds like a very technical, obscure issue that isn’t very important.
Well, first of all, newsflash: the transition happened three weeks ago, and Neil Stevens at Red State is so concerned about this he didn't even notice. Damn. Sneaky Obama. Second, the handover of the IANA functions has absolutely nothing to do with a DDoS attack or what it would take to prevent it. Yes, there are some ridiculous aspects to the DNS system, some of which are managed by ICANN. But (1) the IANA transition has nothing to do with "handing control" over to the Chinese or Russians (in fact, it's the opposite -- it takes a big argument away from the Russians and Chinese that they had been using to try to seize more control, and actually makes it much more difficult for them to take control by making sure nation-states actually have very little say in internet governance). And (2) the IANA transition has fuck all to do with DDoS attacks.
Both of these examples seem to be completely clueless, technically illiterate people using real problems (the fragility of DNS systems, the massive unsecured bot-infested systems out there, the ease of taking down important systems, overly centralized critical systems), and using them to pitch some entirely separate personal pet complaint or project. But both are completely ignorant. The only question is which one is worse:
The script for what to do following a tragedy like the one in Orlando over the weekend is now quite clear: politicians want to appear "serious" about the issue, and thus they say stuff to appease people, even if what they say makes no sense. There was a lot of senseless rhetoric going around, of course, and we'll leave the usual debates about issues we don't cover on Techdirt to lots of other sites. But an issue we do cover is surveillance and bogus ideas like "watch lists" where a mere accusation leads to basic rights being taken away. And, unfortunately, it appears that both major Presidential candidates are advocating for greater surveillance and denial of civil liberties as a response to someone shooting up a nightclub and killing dozens of people.
Clinton's plan? Expand the "terrorist watch lists" despite the fact that there are hundreds of thousands of people who appear to be on the list for no reason at all, and whose lives are basically a living hell because of it. No matter, Clinton says let's expand it:
"We need to look carefully at this," she said. "Should we have a broader database? If someone comes to the attention of the FBI not once, but three times, that suggests that law enforcement needs to know, that people need to be more aware."
Meanwhile, Trump, beyond the much publicized and repeated plan to stop anyone who is a Muslim from immigrating to the country (even though the shooter was born here), also encouraged a much broader version of the already idiotic "see something, say something" campaign:
He also said Americans need to be willing to call the authorities when they see friends, family and neighbors performing suspicious activities.
We must grieve and mourn and support each other, but in our grief and outrage we must resist any temptations to let this attack – or any attack – trigger anti-Muslim foreign policy, attacks on our civil liberties or as an excuse to descend into xenophobia and Islamophobia.
However, an attack like this is carefully planned and executed to maximize attention by inflaming the passions of a helpless public. Because of this, the response can be more dangerous than the attack. The refrains of “safety and security” have, for many years, been used as a tool by the powerful to justify curtailing civil liberties and emboldening backlash against immigrants, Muslim people and others.
Not for the first time, someone locked up on a questionable basis is making a lot more sense, and sounding a lot closer to the ideals of America, than either of the people running to lead the country.
As the push to backdoor or ban encryption heats up, kneejerk politicians have rushed to embrace each and every recent attack and to immediately point fingers at encryption. Right after the Paris attacks, politicians started blaming encryption, even though evidence suggested they communicated by unencrypted SMS. Even months later, the press was ridiculously using the total lack of evidence of any encryption... as evidence of encryption. Then with the Brussels attacks from a few weeks ago, politicians like Rep. Adam Schiff immediately tried to blame encryption, insisting that "we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks."
Of course, now it's being reported that a laptop seized from one of the suicide bombers in Brussels shows little attempt to actually hide plans of attacks. In fact, it showed that attack plans were kept in an unencrypted folder titled "Target." And the only attempt to "hide" it was that the computer had been thrown in the trash.
The bomber referred to striking Britain, the La Defense business district in Paris, and the ultra-conservative Catholic organisation, Civitas, in a folder titled “Target,” written in English, according to the source.
The laptop was found in the trash by police in Brussels shortly after the suicide bombings on March 22 that killed 32 people at the city’s airport and on a Metro train.
I'm wondering if Rep. Adam Schiff will now talk about the need to ban "folders" in operating systems?
The knee-jerk response of politicians to terrorist attacks -- calling for more surveillance, more crackdowns, more displays of purposeless force -- is by now so routine that we don't even remark on it. We tend to go along with their plans because we are very poor at estimating risks, and thus often end up making bad decisions about trade-offs -- specifically, trading off liberty in the (misguided) hope that it will deliver security. That's not a new insight -- Bruce Schneier wrote two fascinating posts on what he called "The Psychology of Security" as far back as 2008. But maybe it's time to start challenging a strategy that hasn't worked, doesn't work and will never work. Maybe we should start pushing for an alternative response to terrorist attacks -- one based on logic and the facts, not rhetoric and fear. That's exactly what Björn Brembs, Professor of Neurogenetics at Regensburg University in Germany, has done in a short blog post about a more rational approach that avoids bad trade-offs. As he writes:
It is very difficult to prevent casualties such as those in the recent terror attacks in Madrid, London, Paris, Brussels or elsewhere, without violating basic human rights and abandoning hard-won liberties.
So what might we do instead? Brembs suggests a new kind of "death prevention program." Not one based on futile attempts to stop every terrorist attack, but a compensatory plan to save far more lives than terrorists ever take:
There are ~1.2 [million] preventable deaths in Europe alone every year. These deaths are due to causes such as lung cancer, accidental injuries, alcohol related diseases, suicides and self-inflicted injuries. With even in the 1970s and 1980s terrorist-related fatalities never exceeding 500 per year, we are confident that we will be able, from now on, to save at least 100 lives for every one that is being taken in a terrorist attack.
To reach this ambitious goal, we will start with increasing our efforts to prevent alcohol and tobacco-related deaths through effective public-health intervention programs as well as basic and applied biomedical research into the prevention, causes and treatment of these diseases and disorders. With about 30,000 annual fatalities in traffic-related accidents, we will also introduce European-wide speed limits, strong enforcement via speed-traps and an increased police force which collaborates across Europe. Drivers convicted of violating speed limits or DUI will have their driver's licenses withdrawn for extended periods of time. Should these activities fail to reach these goals, we will start targeting more areas.
Although it could be argued that some of those measures are themselves restrictions on freedom (and things like speed traps haven't been shown to make the roads any safer), against the background of today's harsh anti-terror laws, and plans for even more surveillance -- the UK's Snooper's Charter, for example -- those don't look as bad. In any case, implementation details are less important than shifting emphasis to this very different approach. The idea of focusing on stopping preventable deaths caused by known factors, rather than chasing after unpredictable events is a good one. Moreover, as Brembs writes, a "death prevention program" would not only preserve basic human rights and civil liberties better than today's response, it would also benefit the economy and boost employment:
Our investment in basic and applied research will yield discoveries that will benefit all of humanity long after the last terrorist has sacrificed his life in vain. With our new program, every single terrorist attack will save the lives of countless more citizens than it has cost, turning terrorism into a net life-saving activity.
That, surely, is the way to truly defeat the terrorists -- rather than handing them an easy victory by accepting disproportionate measures that destroy the very freedoms politicians claim to defend.
You may remember that, right after the Paris attacks late last year, politicians rushed in to demonize encryption as the culprit, and to demand backdooring encryption before the blood was even dry. Of course, it later turned out that there was no evidence that they used encryption at all, but rather it appears that they communicated by unencrypted means. Just yesterday, we noted that the press was still insisting encryption was used, and using the lack of any evidence as evidence for the fact they must have used encryption (hint: that's not how encryption works...).
So, it should hardly be a surprise that, following this morning's tragic attacks in Brussels that have left dozens dead and many more injured, encryption haters, based on absolutely nothing, have rushed in to attack encryption again. The first up was Rep. Adam Schiff, who quickly insisted that he had no actual facts on the matter, but we should be concerned about encryption:
“We do not know yet what role, if any, encrypted communications played in these attacks,” Rep. Adam Schiff (D-Calif.) said in a statement.
“But we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks,” he added.
Schiff, of course, is the same guy who just a few months ago was loudly promoting CISA, saying we needed it to protect our privacy from hackers. Of course CISA doesn't do that. You know what does? Encryption. The very encryption Schiff now wants to blame.
Not one to be left out, Senator Dianne Feinstein jumped in with a thinly veiled statement in support of her supposedly soon to be released bill, mandating backdoors in encryption:
“We must use all the tools at our disposal to fight back,” Sen. Dianne Feinstein, California Democrat and vice chairwoman of the Senate Intelligence Committee, said in a statement on Tuesday. “The way to prevent attacks like this is to develop good intelligence and always be vigilant.”
"All the tools" likely means including her plans to break encryption.
And, of course, many in the press are no help at all. There have been reports that a talking head on NPR blamed encryption this morning, while a NY Times reporter, Rukmini Callimachi -- who was the lead reporter on that ridiculous article yesterday insisting that the lack of encryption was evidence of encryption -- is tweeting up a storm claiming that ISIS is now encouraging the use of encryption, even though the questionably-sourced document she links to (which is written in English?!?) isn't actually recommending encryption, but things like Tor and VPNs, which are designed to merely mask your IP address.
It's like she sees encryption in absolutely anything. Meanwhile, as a number of other commenters have pointed out, if "ISIS brothers" actually follow the advice in that document, it will only likely help them get caught, as a sudden and abrupt change in behavior is a pretty good way for law enforcement to make you a suspect. And, really, encouraging people to jump onto tools like Tor that they don't understand, but which they think will keep them safe, almost certainly will lead to ridiculously bad implementations that make it easier to spot what they're doing.
Either way, in the wake of yet another attack we're left with people who don't understand and dislike encryption, rushing to demonize it for no good reason at all.
Early last year, Tor suffered a massive attack that compromised the anonymity of its users over a period of at least six months. Soon after, the FBI launched Operation Onymous, which dismantled yet another round of darknet markets and left Tor developers and supporters desperately wondering what went wrong. Last month, Tor then dropped a bit of a bombshell: it claimed the FBI paid researchers at Carnegie Mellon $1 million to conduct a Sybil attack on the network. Running from January to July of 2014, CERT used just $3,000 in hardware to flood the Tor network with additional new relays that then modified Tor protocol headers to do traffic confirmation attacks.
Both the FBI and the university continue to deny the claims, for whatever that's worth:
“The allegation that we paid CMU $1 million is inaccurate,” said a FBI spokesperson.
Meaning, if you're familiar with semantic FBI parlance, that it probably paid a few specific researchers (not the University itself) $999,999.
Regardless, Hill's new report provides a lot more insight into the attack by Tor chief architect Nick Mathewson, who admits it wasn't the developers' finest hour, noting that he originally overlooked the threat because he believed it was too ham-fisted to actually be performed in the wild:
"I don’t think this is the best response we’ve ever done to an attack situation,” said Mathewson by phone... "It didn’t occur to me that they would run the attack in the wild on random users," said Mathewson. “The way the attack was structured, it was a bad attack for anyone to get away with it. Once detected, it was very easy to block. It didn’t seem to me like a deep threat."
Of course, the end result of this oversight was not only the arrests and darknet site closures from Operation Onymous, but Operation Shrouded Horizon -- which targeted the Darkode black marketplace. And the markets are still reeling. Though it's always hard to differentiate an exit scam (where the site just runs away with the money held in escrow) from security concerns, numerous markets (like Middle Earth Marketplace) recently went offline claiming they're trying to implement upgrades that will make their drug bazaars more secure.
But Mathewson is quick to make the obvious point that while these arrests primarily targeted child pornographers and drug dealers, the attacks targeted everybody. And the use of supposedly objective academics as attackers, the lack of warrants, and the lack of institutional oversight by Carnegie Mellon's Institutional Review Board set a disgusting precedent for the security community:
"There’s an argument that this attack hurts all of the bad users of Tor so it’s a good thing,” said Mathewson. “But this was not a targeted attack going after criminals. This was broad. They were injecting their signals into as much hidden services traffic as they could without determining whether it was legal or illegal." "Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities,” wrote Dingledine in a Tor blog post, which also questioned whether Carnegie Mellon had gotten approval from an institutional review board, a process that exists to ensure that academics don’t harm human research subjects."
For what it's worth, Mathewson says the Tor team has made numerous code changes to better scan the Tor network for potential threats, and has been working on an as-yet unfinished revamp of the hidden services design over the last year. Tor is also working on what Mathewson calls a "new cryptographic trick" that will allow a hidden services directory to send Tor users to a hidden site -- without the directory knowing where it's sending them. The developers have also apparently learned a thing or two about trust, with Mathewson stating they're no longer "extending security researchers the benefit of the doubt on anything." Good idea.
The central question of course is whether Tor has the manpower needed to keep such an integral technology operational and secure. Eighty percent of Tor's $2.5 million budget still comes from the government, so Tor is operating a crowdfunding campaign to expand the funding base for obvious reasons. But Tor only has 22 full- and part-time employees, and 10 volunteers and academics who consistently contribute code, which directly contributed to the attack not being taken seriously earlier. As such we're left wondering if Tor can be trusted moving forward and, if not, what comes next for the millions of users that depend on Tor for perfectly-legal anonymous communications?
Up until now, the NSA really hasn't discussed its policies regarding software vulnerabilities and exploits. A few months after the Snowden leaks began, the White House told the NSA to start informing software companies of any exploits/vulnerabilities it had discovered. The quasi-directive set no time limit for doing so and allowed the agency to withhold discovered exploits if there was a "clear national security or law enforcement" reason to do so.
While other parties have discussed the NSA's hoarding of software exploits, the agency itself hasn't. All information gathered to date has come from outside sources. Snowden provided some of the documents. The EFF knocked a couple more loose with an FOIA lawsuit against James Clapper's office.
The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.
Disclosing nine out of ten exploits sounds good, but these disclosures are likely only occurring after the vulnerability or exploit is no longer useful.
The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former U.S. government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.
Status remains quo. National security interests still override the security interest of millions of affected users. The NSA can't keep criminals from using the same security holes it's discovered. The only way to prevent a vulnerability from being exploited by malicious parties or unfriendly state actors is to disclose it. Eventual disclosure is better than no disclosure, but it's not nearly as altruistic as the NSA's 90% disclosure rate would make it appear.
A few weeks ago, Brian Krebs published a fantastic article entitled "How Not to Start an Encryption Company," which detailed the rather questionable claims of a company called Secure Channels Inc (SCI). The post is long and detailed and suggests strongly that (1) SCI was selling snake oil pretending to be an "unbreakable" security solution and (2) that its top execs had pretty thin skins (and in the case of the CEO, a criminal record for running an investment Ponzi scheme). The company also set up a bullshit "unwinnable" hacking challenge, and then openly mocked people who criticized it.
Now enter Asher Langton, who has an uncanny ability to spot all sorts of scams (he was the one who initially tipped me off to the Walter O'Brien scam, for example). He seems to especially excel at calling out bullshit security products and companies. He's spent the past few weeks tweeting up a storm showing just how bogus Secure Channels is -- including revealing that they're just rebranding someone else's free app. He also noted that the company appeared to be (not very subtly) astroturfing its own reviews, noting that the reviews came from execs at the company:
So, uh, how did SCI respond? Let's just say not well. As detailed by Adam Steinbaugh at Popehat, a bunch of anonymous Twitter accounts magically appeared attempting to attack Langton, claiming that he was violating various computer crime and copyright laws. The accounts ridiculously argued that by posting screenshots of Secure Channels' source code, he was violating various statutes, including copyright law. This is wrong. Very wrong. Laughably wrong. In one of the screenshots posted by one of these "anonymous" accounts, other browser tabs were left visible -- and you'll notice the other two tabs.
You'll note Asher's tweet, but also a primer on "computer crime laws" and a "how to take screenshots" tab (apparently it didn't include a lesson on cropping). Oh, but more important, this tweet from a supposedly anonymous Twitter user also showed that the person taking the screenshot is logged in from a different account, that just happens to be the account of... SCI's director of Marketing Deirdre Murphy. It even uses the same photo.
This same Deirdre Murphy, back in Krebs' original article, used Twitter to attack another well recognized security expert who had been mocking SCI's claims:
James said he let it go when SCI refused to talk seriously about sharing its cryptography solution, only to hear again this past weekend from SCI’s director of marketing Deirdre “Dee” Murphy on Twitter that his dismissal of their challenge proved he was “obsolete.” Murphy later deleted the tweets, but some of them are saved here.
Right. It's entirely possible that Murphy is not behind the anonymous accounts, but she's pretty clearly connected to the screenshots that showed up on those anonymous accounts -- so even if it's not her directly... it seems likely that she's associated with whoever is doing the posting.
Oh, and then it gets worse. Right about the time Steinbaugh's article was published, someone claiming to be SecureChannels' CEO Richard Blech sent Twitter a DMCA notice over some of Langton's tweets -- and Twitter took them down:
Twitter did this despite the fact that the DMCA claim itself was pretty clearly invalid. As summarized by Steinbaugh:
About an hour and a half after this post went live, SecureChannels CEO Richard Blech (or someone claiming to be him) sent a DMCA notice to Twitter for two of Langton's tweets, complaining that they consisted of "employee pics, company and personnel, posts copyright material, hacks products and posts copyright code from products, using trademarks, targeted harassment, slander to destroy commerce." As for the description of the "original work," Blech blathered: "Cracked an app and placed code online, uses trademarked logos to attack company."
This is a censorious abuse of copyright law to suppress criticism. It is, in essence, an attempt to use copyright law for everything except copyright. That SecureChannels would use copyright law to shield criticism on the basis that its trademarks are being used and because of "slander" is, well, hysterical. This is not a company interested in permitting people to criticize it.
A little while ago, I tweeted about how ridiculous it was that Twitter's legal team would go forward with the takedown on an obviously bogus takedown notice, and within 10 minutes, I was told by someone on Twitter's legal team that the notice had been reviewed and the posts had been restored.
Either way, for a company bragging that its "security" solution is "unhackable" -- you'd think the company would be more open to actual criticism. Instead, it seems to spend an inordinate amount of time attacking critics and abusing the law to try to silence them. Odd.